Trojaner-Board
Seite 2 von 6 1 2 34 Letzte »
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Infiziert? (https://www.trojaner-board.de/75270-infiziert.html)

der_gizmo 15.07.2009 22:04
Das kam bei GMER heraus:

Code:
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-15 23:00:43
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT      BAFA977E                                                                                                                                        ZwCreateKey
SSDT      BAFA9774                                                                                                                                        ZwCreateThread
SSDT      BAFA9783                                                                                                                                        ZwDeleteKey
SSDT      BAFA978D                                                                                                                                        ZwDeleteValueKey
SSDT      sprs.sys                                                                                                                                        ZwEnumerateKey [0xBA6C6CA2]
SSDT      sprs.sys                                                                                                                                        ZwEnumerateValueKey [0xBA6C7030]
SSDT      BAFA9792                                                                                                                                        ZwLoadKey
SSDT      sprs.sys                                                                                                                                        ZwOpenKey [0xBA6A80C0]
SSDT      BAFA9760                                                                                                                                        ZwOpenProcess
SSDT      BAFA9765                                                                                                                                        ZwOpenThread
SSDT      sprs.sys                                                                                                                                        ZwQueryKey [0xBA6C7108]
SSDT      sprs.sys                                                                                                                                        ZwQueryValueKey [0xBA6C6F88]
SSDT      BAFA979C                                                                                                                                        ZwReplaceKey
SSDT      BAFA9797                                                                                                                                        ZwRestoreKey
SSDT      BAFA9788                                                                                                                                        ZwSetValueKey
SSDT      BAFA976F                                                                                                                                        ZwTerminateProcess

INT 0x62  ?                                                                                                                                              8A613BF8
INT 0x63  ?                                                                                                                                              8A613BF8
INT 0x63  ?                                                                                                                                              8A613BF8
INT 0x63  ?                                                                                                                                              8A306BF8
INT 0x73  ?                                                                                                                                              8A5A5BF8
INT 0x73  ?                                                                                                                                              8A5A5BF8
INT 0x83  ?                                                                                                                                              8A306BF8
INT 0xA4  ?                                                                                                                                              8A306BF8
INT 0xB4  ?                                                                                                                                              8A306BF8

Code      8A0B8FD8                                                                                                                                        ZwFlushInstructionCache
Code      8A0B8E26                                                                                                                                        IofCallDriver
Code      88A32386                                                                                                                                        IofCompleteRequest
Code      8A0B90B5                                                                                                                                        ZwSaveKey
Code      8A0B918D                                                                                                                                        ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text    ntkrnlpa.exe!IofCallDriver                                                                                                                      804EF1A6 5 Bytes  JMP 8A0B8E2B
.text    ntkrnlpa.exe!IofCompleteRequest                                                                                                                804EF236 5 Bytes  JMP 88A3238B
.text    ntkrnlpa.exe!ZwSaveKey                                                                                                                          80500D68 5 Bytes  JMP 8A0B90BA
.text    ntkrnlpa.exe!ZwSaveKeyEx                                                                                                                        80500D7C 5 Bytes  JMP 8A0B9192
PAGE      ntkrnlpa.exe!ZwFlushInstructionCache                                                                                                            805B6812 5 Bytes  JMP 8A0B8FDC
?        sprs.sys                                                                                                                                        Das System kann die angegebene Datei nicht finden. !
.text    USBPORT.SYS!DllUnload                                                                                                                          B9A388AC 5 Bytes  JMP 8A3061D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT      atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                                              [BA6A9040] sprs.sys
IAT      atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                                      [BA6A913C] sprs.sys
IAT      atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                                            [BA6A90BE] sprs.sys
IAT      atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                                    [BA6A97FC] sprs.sys
IAT      atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                                            [BA6A96D2] sprs.sys

---- Devices - GMER 1.0.15 ----

Device    \FileSystem\Ntfs \Ntfs                                                                                                                          8A5A11F8
Device    \Driver\NetBT \Device\NetBT_Tcpip_{2833BB1A-0A93-49A6-A6B6-03EA4ACA14FF}                                                                        8A37B500
Device    \Driver\usbuhci \Device\USBPDO-0                                                                                                                8A304500
Device    \Driver\usbuhci \Device\USBPDO-1                                                                                                                8A304500
Device    \Driver\usbuhci \Device\USBPDO-2                                                                                                                8A304500
Device    \Driver\usbuhci \Device\USBPDO-3                                                                                                                8A304500
Device    \Driver\NetBT \Device\NetBT_Tcpip_{3ABE492C-1F38-465D-BD23-F6074506C18A}                                                                        8A37B500
Device    \Driver\usbehci \Device\USBPDO-4                                                                                                                8A323500
Device    \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                          8A5A31F8
Device    \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                          8A5A31F8
Device    \Driver\Cdrom \Device\CdRom1                                                                                                                    8A258430
Device    \Driver\usbstor \Device\00000080                                                                                                                8A0CC1F8
Device    \Driver\usbstor \Device\00000081                                                                                                                8A0CC1F8
Device    \Driver\usbstor \Device\00000082                                                                                                                8A0CC1F8
Device    \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                        8A37B500
Device    \Driver\PCI_PNP8880 \Device\0000004b                                                                                                            sprs.sys
Device    \Driver\NetBT \Device\NetbiosSmb                                                                                                                8A37B500
Device    \Driver\usbuhci \Device\USBFDO-0                                                                                                                8A304500
Device    \Driver\usbuhci \Device\USBFDO-1                                                                                                                8A304500
Device    \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                              89F78500
Device    \Driver\usbstor \Device\0000007b                                                                                                                8A0CC1F8
Device    \Driver\usbuhci \Device\USBFDO-2                                                                                                                8A304500
Device    \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                    89F78500
Device    \Driver\usbuhci \Device\USBFDO-3                                                                                                                8A304500
Device    \Driver\usbehci \Device\USBFDO-4                                                                                                                8A323500
Device    \Driver\Ftdisk \Device\FtControl                                                                                                                8A5A31F8
Device    \Driver\usbstor \Device\0000007f                                                                                                                8A0CC1F8
Device    \Driver\sptd \Device\2065586380                                                                                                                sprs.sys
Device    \Driver\agvko7uw \Device\Scsi\agvko7uw1Port5Path0Target0Lun0                                                                                    8A2401F8
Device    \Driver\agvko7uw \Device\Scsi\agvko7uw1                                                                                                        8A2401F8
Device    \Driver\JRAID \Device\Scsi\JRAID1                                                                                                              8A5A21F8
Device    \FileSystem\Cdfs \Cdfs                                                                                                                          8A0CB1F8

---- Registry - GMER 1.0.15 ----

Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}                               
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}@oaekjkbfbepihimmfanddhhpkpmmmg  0x64 0x61 0x64 0x69 ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}@oailjhhlcmlbmnhbkmoclnfonplpan  0x6A 0x61 0x64 0x69 ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}@nacipnbaldjcfbiifafcoeinhgmo    0x6A 0x61 0x64 0x69 ...

---- Disk sectors - GMER 1.0.15 ----

Disk      \Device\Harddisk0\DR0                                                                                                                          sector 01: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 02: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 03: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 04: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 05: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 06: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 07: rootkit-like behavior; copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 08: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 09: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 10: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 11: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 12: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 13: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 14: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 15: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 16: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 17: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 18: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 19: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 20: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 21: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 22: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 23: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 24: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 25: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 26: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 27: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 28: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 29: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 30: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 31: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 32: rootkit-like behavior; copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 33: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 34: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 35: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 36: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 37: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 38: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 39: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 40: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 41: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 42: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 43: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 44: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 45: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 46: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 47: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 48: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 49: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 50: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 51: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 52: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 53: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 54: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 55: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 56: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 57: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 58: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 59: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 60: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 61: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 62: copy of MBR
Disk      \Device\Harddisk0\DR0                                                                                                                          sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

john.doe 15.07.2009 22:10
Dann schau mal, mit wem du es zu tun hast => ThreatExpert Report: Packed.Win32.Tdss.w, Trojan.Win32.Alureon..

Rootkitscan mit RootRepeal
  • Gehe hierhin, scrolle runter und downloade RootRepeal.zip.
  • Entpacke die Datei auf Deinen Desktop.
  • Doppelklicke die RootRepeal.exe, um den Scanner zu starten.
  • Klicke auf den Reiter Report und dann auf den Button Scan.
  • Mache einen Haken bei den folgenden Elementen und klicke Ok.
    .
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    .
  • Im Anschluss wirst Du gefragt, welche Laufwerke gescannt werden sollen.
  • Wähle C:\ und klicke wieder Ok.
  • Der Suchlauf beginnt automatisch, es wird eine Weile dauern, bitte Geduld.
  • Wenn der Suchlauf beendet ist, klicke auf Save Report.
  • Speichere das Logfile als RootRepeal.txt auf dem Desktop.
  • Kopiere den Inhalt hier in den Thread.

ciao, andreas

Edit: Poste bitte auch noch den ersten Teil von Info.txt, ich brauche deine Softwareliste.

der_gizmo 15.07.2009 22:18
Info Teil 1.1:

Code:
======Uninstall list======

-->"C:\Programme\Creative\Sound Blaster X-Fi\Program\SETUP.EXE" /S /U /W /L:GER
-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0B095086-7205-4D48-90DF-DCD16613C6D4}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{0E5AA361-4B16-4282-B639-9E5B2B6A2EC8}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{103BCDA0-E063-46AC-8028-64E78722ABA7}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{32903944-19A2-418C-901D-4BBAF4C55ABA}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{4D8AA0B4-E890-4BF7-A9D1-8E63027E76D3}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{6BF90A01-FA3F-42B9-A071-7D744409967E}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{84F573D3-0F71-4768-978A-D35310E3FBA6}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{B8DA9EB2-DBEF-4F0A-B90A-45B77D9E65B2}\setup.exe" -l0x7  /remove
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x7
-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{CB99E420-8071-48F9-9567-4A53BE7569C4}\setup.exe" -l0x7  /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->msiexec /qb /x {C86E7C99-E4AD-79C7-375B-1AEF9A91EC2B}
Acrobat.com-->MsiExec.exe /I{C86E7C99-E4AD-79C7-375B-1AEF9A91EC2B}
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe After Effects CS4 Presets-->MsiExec.exe /I{44E240EC-2224-4078-A88B-2CEE0D3016EF}
Adobe After Effects CS4 Third Party Content-->MsiExec.exe /I{67A9747A-E1F5-4E9A-81CC-12B5D5B81B6E}
Adobe After Effects CS4-->MsiExec.exe /I{45EC816C-0771-4C14-AE6D-72D1B578F4C8}
Adobe AIR-->c:\Programme\Gemeinsame Dateien\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}
Adobe Anchor Service CS4-->MsiExec.exe /I{1618734A-3957-4ADD-8199-F973763109A8}
Adobe Asset Services CS4-->MsiExec.exe /I{B9F4561A-924D-4510-A85A-BB0960C338CB}
Adobe Bridge CS4-->MsiExec.exe /I{83877DB1-8B77-45BC-AB43-2BAC22E093E0}
Adobe CMaps CS4-->MsiExec.exe /I{94D398EB-D2FD-4FD1-B8C4-592635E8A191}
Adobe Color - Photoshop Specific CS4-->MsiExec.exe /I{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}
Adobe Color EU Extra Settings CS4-->MsiExec.exe /I{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}
Adobe Color JA Extra Settings CS4-->MsiExec.exe /I{0D6013AB-A0C7-41DC-973C-E93129C9A29F}
Adobe Color NA Recommended Settings CS4-->MsiExec.exe /I{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}
Adobe Color Video Profiles AE CS4-->MsiExec.exe /I{B15381DD-FF97-4FCD-A881-ED4DB0975500}
Adobe Color Video Profiles CS CS4-->MsiExec.exe /I{63C24A08-70F3-4C8E-B9FB-9F21A903801D}
Adobe Contribute CS4-->MsiExec.exe /I{A6EC82A0-1414-475D-8AFD-469089F3080D}
Adobe Creative Suite 4 Master Collection-->C:\Programme\Gemeinsame Dateien\Adobe\Installers\b2d6abde968e6f277ddbfd501383e02\Setup.exe --uninstall=1
Adobe Creative Suite 4 Master Collection-->MsiExec.exe /I{61D6891E-E822-4448-9F9A-0AAAAEB6AF6C}
Adobe CS4 American English Speech Analysis Models-->MsiExec.exe /I{297190A1-4B0D-4CD6-8B9F-3907F15C3FD8}
Adobe CSI CS4-->MsiExec.exe /I{0F723FC1-7606-4867-866C-CE80AD292DAF}
Adobe Default Language CS4-->MsiExec.exe /I{C52E3EC1-048C-45E1-8D53-10B0C6509683}
Adobe Device Central CS4-->MsiExec.exe /I{67F0E67A-8E93-4C2C-B29D-47C48262738A}
Adobe Dreamweaver CS4-->MsiExec.exe /I{30C8AA56-4088-426F-91D1-0EDFD3A25678}
Adobe Drive CS4-->MsiExec.exe /I{16E16F01-2E2D-4248-A42F-76261C147B6C}
Adobe Dynamiclink Support-->MsiExec.exe /I{60DB5894-B5A1-4B62-B0F3-669A22C0EE5D}
Adobe Encore CS4 Codecs-->MsiExec.exe /I{FB2A5FCC-B81B-48C2-A009-7804694D83E9}
Adobe Encore CS4-->MsiExec.exe /I{5EAD5443-7194-46CC-A055-428E6ABB1BAF}
Adobe ExtendScript Toolkit CS4-->MsiExec.exe /I{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}
Adobe Extension Manager CS4-->MsiExec.exe /I{054EFA56-2AC1-48F4-A883-0AB89874B972}
Adobe Fireworks CS4-->MsiExec.exe /I{428FDF9F-E010-4C4C-A8BB-156960AFCA1C}
Adobe Flash CS4 Extension - Flash Lite STI en-->MsiExec.exe /I{793D1D88-6141-43DE-BE58-59BCE31B4090}
Adobe Flash CS4 STI-en-->MsiExec.exe /I{2168245A-B5AD-40D8-A641-48E3E070B5B6}
Adobe Flash CS4-->MsiExec.exe /I{F6E99614-F042-4459-82B7-8B38B2601356}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->MsiExec.exe /X{03DEEAD2-F3B7-45BF-9006-A25D015F00D2}
Adobe Fonts All-->MsiExec.exe /I{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}
Adobe Illustrator CS4-->MsiExec.exe /I{87532CAB-7932-4F84-8937-823337622807}
Adobe InDesign CS4 Application Feature Set Files (Roman)-->MsiExec.exe /I{2BAF2B96-7560-48B4-87D4-10178DDBE217}
Adobe InDesign CS4 Common Base Files-->MsiExec.exe /I{7CC7BDD5-6F10-4724-96A1-EAC7D9F2831C}
Adobe InDesign CS4 Icon Handler-->MsiExec.exe /I{1E04CB54-AF4E-4AC3-B4B7-C0A160BE57F1}
Adobe InDesign CS4-->MsiExec.exe /I{1DCA3EAA-6EB5-4563-A970-EA14D75037BA}
Adobe Linguistics CS4-->MsiExec.exe /I{931AB7EA-3656-4BB7-864D-022B09E3DD67}
Adobe Media Encoder CS4 Additional Exporter-->MsiExec.exe /I{BE9CEAAA-F069-4331-BF2F-8D350F6504F4}
Adobe Media Encoder CS4 Dolby-->MsiExec.exe /I{EE353798-E875-42E0-B58D-7E6696182EA8}
Adobe Media Encoder CS4 Exporter-->MsiExec.exe /I{561968FD-56A1-49FD-9ED0-F55482C7C5BC}
Adobe Media Encoder CS4 Importer-->MsiExec.exe /I{8186FF34-D389-4B7E-9A2F-C197585BCFBD}
Adobe Media Encoder CS4-->MsiExec.exe /I{DEB90B8E-0DCB-48CE-B90E-8842A2BD643E}
Adobe Media Player-->msiexec /qb /x {39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe Media Player-->MsiExec.exe /I{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}
Adobe MotionPicture Color Files CS4-->MsiExec.exe /I{B05DE7B7-0B40-4411-BD4B-222CAE2D8F15}
Adobe OnLocation CS4-->MsiExec.exe /I{7406DF60-016D-476B-A2C7-55D997592047}
Adobe Output Module-->MsiExec.exe /I{BB4E33EC-8181-4685-96F7-8554293DEC6A}
Adobe PDF Library Files CS4-->MsiExec.exe /I{F93C84A6-0DC6-42AF-89FA-776F7C377353}
Adobe Photoshop CS4 Support-->MsiExec.exe /I{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}
Adobe Photoshop CS4-->MsiExec.exe /I{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}
Adobe Premiere Pro CS4 Functional Content-->MsiExec.exe /I{B169BC97-B8AA-4ACA-9CF2-9D0FF5BABDF7}
Adobe Premiere Pro CS4 Third Party Content-->MsiExec.exe /I{C938BE91-3BB5-4B84-9EF6-88F0505D0038}
Adobe Premiere Pro CS4-->MsiExec.exe /I{D499F8DE-3F31-4900-9157-61061613704B}
Adobe Reader 9.1 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A91000000001}
Adobe Search for Help-->MsiExec.exe /I{F0E64E2E-3A60-40D8-A55D-92F6831875DA}
Adobe Service Manager Extension-->MsiExec.exe /I{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}
Adobe Setup-->MsiExec.exe /I{E8EE9410-8AC4-4F43-A626-DDECA75C79F3}
Adobe SGM CS4-->MsiExec.exe /I{15BF7AAF-846C-4A6D-80E1-5D1FC7FB461B}
Adobe SING CS4-->MsiExec.exe /I{4A52555C-032A-4083-BDD9-6A85ABFB39A8}
Adobe Soundbooth CS4 Codecs-->MsiExec.exe /I{52232EF4-CC12-4C21-ABCF-ADB79618302D}
Adobe Soundbooth CS4-->MsiExec.exe /I{14F70205-1940-4000-88C7-BE799A6B2CAD}
Adobe Type Support CS4-->MsiExec.exe /I{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}
Adobe Update Manager CS4-->MsiExec.exe /I{05308C4E-7285-4066-BAE3-6B50DA6ED755}
Adobe Version Cue CS4 Server-->MsiExec.exe /I{1B7C06E1-4888-47A6-992A-0990B9683486}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}
Adobe XMP Panels CS4-->MsiExec.exe /I{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}
Adobe® Photoshop® Album Starter Edition 3.0-->MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}

der_gizmo 15.07.2009 22:20
Info Teil 1.2

Code:
AdobeColorCommonSetCMYK-->MsiExec.exe /I{68243FF8-83CA-466B-B2B8-9F99DA5479C4}
AdobeColorCommonSetRGB-->MsiExec.exe /I{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}
Age of Empires III-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{A8CF5C37-8EC5-4C33-BB4A-87F468B77D45}
AirPlus G-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{0EA44599-1E9D-4517-A088-9588A9FAB211} /l1031
ANIO Service-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Ask Toolbar-->rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
Audacity 1.2.6-->"C:\Programme\Audacity\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Programme\Avira\AntiVir Desktop\setup.exe /REMOVE
BitComet FLV Converter 1.0-->C:\Programme\BitComet FLV Converter\uninst.exe
Camera RAW Plug-In for EPSON Creativity Suite-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{93EA9C3E-BDFD-4309-A605-9B5BBC0CCEFD}\SETUP.EXE" -l0x7 UNINST
CD Audio Reader Filter (remove only)-->"C:\Programme\CD Audio Reader Filter\uninstall.exe"
CDBurnerXP-->"C:\Programme\CDBurnerXP\unins000.exe"
CodecInstaller 2.10.2-->C:\Programme\JockerSoft\CodecInstaller\uninst.exe
Connect-->MsiExec.exe /I{B29AD377-CC12-490A-A480-1452337C618D}
Creative MediaSource-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}\SETUP.EXE" -l0x7  /remove
Creative-Systeminformationen-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x7  /remove
DAEMON Tools Toolbar-->C:\Programme\DAEMON Tools Toolbar\uninst.exe
DC-Bass Source 1.1.1-->"C:\Programme\DSP-worx\DC-Bass Source\Uninstall.exe"
DirectVobSub (remove only)-->"C:\Programme\DirectVobSub\uninstall.exe"
Disc2Phone-->MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
DScaler 5 Mpeg Decoders-->"C:\Programme\DScaler5\unins000.exe"
EPSON Attach To Email-->C:\Programme\Gemeinsame Dateien\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Easy Photo Print-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{3D78F2A2-C893-4ABD-B5FE-AD7011837755}\SETUP.EXE" -l0x7 UNINST
EPSON File Manager-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{2EB81825-E9EE-44F4-8F51-1240C3898DC6}\Setup.exe" -l0x7 UNINST
EPSON Print CD-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{FF477885-5EA8-40D0-ADF3-D4C1B86FAEA4}\SETUP.EXE" -l0x7 -SYSTEM
EPSON Scan Assistant-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x7 -u
EPSON Stylus Photo R285_290 Handbuch-->C:\Programme\EPSON\TPMANUAL\ESPR285_290\DEU\USE_G\DOCUNINS.EXE
EPSON Web-To-Page-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x7 -anything
EPSON-Drucker-Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EVGA Display Driver-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\setup.exe" -l0x7  -removeonly
ffdshow [rev 1685] [2007-12-06]-->"C:\Programme\ffdshow\unins000.exe"
Firebird SQL Server - MAGIX Edition-->C:\Programme\MAGIX\Common\Database\unwise.exe
Free YouTube to iPod Converter version 3.1-->"C:\Programme\DVDVideoSoft\Free YouTube to iPod Converter\unins000.exe"
Free YouTube to Mp3 Converter version 3.1-->"C:\Programme\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
FrostWire 4.17.2-->C:\Programme\FrostWire\Uninstall.exe
FUSSBALL MANAGER 09-->C:\Programme\EA SPORTS\FUSSBALL MANAGER 09\eauninstall.exe
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer-->regsvr32 /u /s "c:\programme\google\googletoolbar1.dll"
Gorilla 2-->C:\Programme\Gorilla 2\uninstall.exe
Haali Media Splitter-->"C:\Programme\Haali\MatroskaSplitter\uninstall.exe"
Hamachi 1.0.3.0-->C:\Programme\Hamachi\uninstall.exe
Heroes of Might and Magic V-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{20071984-5EB1-4881-8EDB-082532ACEC6D}\setup.exe" -l0x7
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Programme\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix für Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
Hotfix für Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
ICQ Toolbar-->C:\Programme\ICQ6Toolbar\ICQUnToolbar.exe
ICQ6.5-->"C:\Programme\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
Intel(R) PRO Network Connections Drivers-->Prounstl.exe
Jasc Paint Shop Pro 9-->MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
JRAID-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\Setup.exe" -l0x7  -removeonly
kuler-->MsiExec.exe /I{098727E1-775A-4450-B573-3F441F1CA243}
MAGIX Music Maker 14 Producer Edition Trial 13.0.2.1 (US)-->C:\Programme\MAGIX\MusicMaker14PE_Download_version\unwise.exe
MAGIX Screenshare 4.3.6.1987 (US)-->C:\Programme\MAGIX\PCVisit\unwise.exe
Malwarebytes' Anti-Malware-->"C:\Programme\Malwarebytes' Anti-Malware\unins000.exe"
Media Go-->MsiExec.exe /X{C9C13822-A638-4331-99A3-4498A5901693}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - DEU-->MsiExec.exe /I{9309DD7E-EBFE-3C95-8B47-30D3A012F606}
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - DEU-->MsiExec.exe /I{A1071AEB-B0EF-3F5F-BC84-83A270EBE496}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5 Language Pack - DEU-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack - deu\setup.exe
Microsoft .NET Framework 3.5 Language Pack - deu-->MsiExec.exe /I{1545207E-C6F3-31D7-9918-BDBB65075FBF}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft .NET Framework 4 Client Profile Beta 1-->C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\SetupCache\Microsoft .NET Framework 4 Client Profile Beta 1\Setup.exe /repair /x86
Microsoft .NET Framework 4 Client Profile Beta 1-->MsiExec.exe /X{1DF6A8F6-5048-323F-8758-DA533CE0F07E}
Microsoft .NET Framework 4 Extended Beta 1-->C:\WINDOWS\Microsoft.NET\Framework\v4.0.20506\SetupCache\Microsoft .NET Framework 4 Extended Beta 1\Setup.exe /repair /x86
Microsoft .NET Framework 4 Extended Beta 1-->MsiExec.exe /X{19BD09BF-3BBD-3663-A5ED-50B6B2B07E45}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2010  Beta 1 x86 Redistributable - 10.0.20506-->MsiExec.exe /X{FC92E32F-6AD6-38E7-AC11-83B639CEACD8}
MONOGRAM AMR Splitter/Decoder (remove only)-->"C:\Programme\MONOGRAM AMR SplitterDecoder\uninstall.exe"
Mozilla Firefox (3.0.11)-->C:\Programme\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}
OpenOffice.org Installer 1.0-->MsiExec.exe /X{E728E952-DD4F-4BCD-A5C8-40FBFEFF91FE}
OpenSource Flash Video Splitter (remove only)-->"C:\Programme\OpenSource Flash Video Splitter\uninstall.exe"
OTiCardReader -->C:\Programme\CardReader2.0\AdvDrvIns.exe -u "C:\Programme\CardReader2.0"
PartyPoker-->"C:\Programme\PartyGaming\PartyPoker\Uninstall.exe" "C:\Programme\PartyGaming\PartyPoker\install.log"
PDF Settings CS4-->MsiExec.exe /I{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}
Photoshop Camera Raw-->MsiExec.exe /I{CC75AB5C-2110-4A7F-AF52-708680D22FE8}
Pixel Bender Toolkit-->MsiExec.exe /I{43509E18-076E-40FE-AF38-CA5ED400A5A9}
QIP 8080 Jeak-Edition-->C:\Programme\QIP\uninstall.exe
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Real Alternative 1.9.0-->"C:\Programme\Real Alternative\unins000.exe"
RealMedia (remove only)-->"C:\Programme\RealMedia\uninstall.exe"
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x7  -removeonly
Rise Of Legends-->C:\PROGRA~1\GEMEIN~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{CADDE354-C78C-46CB-A006-E2B178EFC271}
SHOUTcast Source (remove only)-->"C:\Programme\SHOUTcast Source\uninstall.exe"
Sicherheitsupdate für Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Sicherheitsupdate für Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Sicherheitsupdate für Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Songbird 0.7.0 (20080819)-->"C:\Programme\Songbird\Songbird-Uninstall.exe"
Sony Ericsson PC Suite 5.007.01-->"C:\Programme\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\ISAdmin.exe" -runfromtemp -l0x0009 -removeonly
Sony Ericsson PC Suite-->MsiExec.exe /I{FE6397C1-CECA-4EC3-B064-42AED7676898}
Sound Blaster X-Fi-->RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{18F11181-EA1A-42AE-AF89-4867C7F7A6FA}\SETUP.EXE" -l0x7  /remove
Suite Shared Configuration CS4-->MsiExec.exe /I{842B4B72-9E8F-4962-B3C1-1C422A5C4434}
TeamSpeak 2 RC2-->C:\Programme\Teamspeak2_RC2\unins000.exe
Text-To-Speech-Runtime-->MsiExec.exe /X{7B3F0113-E63C-4D6D-AF19-111A3165CCA2}
Uninstall 1.0.0.1-->"C:\Programme\Gemeinsame Dateien\DVDVideoSoft\unins000.exe"
Update für Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update für Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update für Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update für Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Vuze-->C:\Programme\Vuze\uninstall.exe
Winamp-->"C:\Programme\Winamp\UninstWA.exe"
Windows Media Format 11 runtime-->"C:\Programme\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR-->C:\Programme\WinRAR\uninstall.exe
XML Paper Specification Shared Components Language Pack 1.0-->"C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
Zoom Player (remove only)-->"C:\Programme\Zoom Player\uninstall.exe"

der_gizmo 15.07.2009 22:27
HIer kamen mehrere Fehlermeldungen, zum einen diese hier:

Could not read the boot sector. Try adjusting the Disk Acces Level in the OPtions dialog.
Diese kam mehrfach.
Desweiteren kam noch eine weitere, nach der der Scan beendet war. Ich wieß nun nicht, ob der Scan aufgrund dieser Fehlermeldung (den Inhalt kann ich leider nicht wiedergeben, da ich zunächst annahm, es wäre wieder die obige Fehelermeldung.) beendet wurde, oder, ob er schon abgeschlossen war.

Das Ergebnis lautet wiefolgt:

Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:                        2009/07/15 23:22
Program Version:                Version 1.3.2.0
Windows Version:                Windows XP SP3
==================================================

Drivers
-------------------
Name: aujasnkj.sys
Image Path: C:\DOKUME~1\kwam\LOKALE~1\Temp\aujasnkj.sys
Address: 0xAB366000        Size: 81664        File Visible: No        Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB2FEA000        Size: 98304        File Visible: No        Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADC6000        Size: 8192        File Visible: No        Signed: -
Status: -

Name: ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
Address: 0xB325D000        Size: 192512        File Visible: -        Signed: -
Status: Hidden from the Windows API!

Name: PCI_PNP8880
Image Path: \Driver\PCI_PNP8880
Address: 0x00000000        Size: 0        File Visible: No        Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB39A000        Size: 49152        File Visible: No        Signed: -
Status: -

Name: sprs.sys
Image Path: sprs.sys
Address: 0xBA6A7000        Size: 1048576        File Visible: No        Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000        Size: 0        File Visible: No        Signed: -
Status: -

SSDT
-------------------
#: 041        Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbafa977e

#: 053        Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbafa9774

#: 063        Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xbafa9783

#: 065        Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xbafa978d

#: 071        Function Name: NtEnumerateKey
Status: Hooked by "sprs.sys" at address 0xba6c6ca2

#: 073        Function Name: NtEnumerateValueKey
Status: Hooked by "sprs.sys" at address 0xba6c7030

#: 098        Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xbafa9792

#: 119        Function Name: NtOpenKey
Status: Hooked by "sprs.sys" at address 0xba6a80c0

#: 122        Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbafa9760

#: 128        Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbafa9765

#: 160        Function Name: NtQueryKey
Status: Hooked by "sprs.sys" at address 0xba6c7108

#: 177        Function Name: NtQueryValueKey
Status: Hooked by "sprs.sys" at address 0xba6c6f88

#: 193        Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xbafa979c

#: 204        Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xbafa9797

#: 247        Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xbafa9788

#: 257        Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xbafa976f

Stealth Objects
-------------------
Object: Hidden Module [Name: ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll]
Process: svchost.exe (PID: 1060)        Address: 0x10000000        Address: 57344

Object: Hidden Module [Name: ESQULjwoaypplxqliosrhdgapirxxdnowqyin.dll]
Process: firefox.exe (PID: 3016)        Address: 0x10000000        Address: 241664

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System        Address: 0x8a258430        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CREATE]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CLOSE]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_POWER]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_PNP]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System        Address: 0x8a0cc1f8        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System        Address: 0x8a0cc1f8        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System        Address: 0x8a0cc1f8        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System        Address: 0x8a0cc1f8        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a0cc1f8        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a0cc1f8        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System        Address: 0x8a0cc1f8        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a0cc1f8        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System        Address: 0x8a0cc1f8        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System        Address: 0x8a304500        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System        Address: 0x8a304500        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a304500        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a304500        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System        Address: 0x8a304500        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a304500        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System        Address: 0x8a304500        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System        Address: 0x8a37b500        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System        Address: 0x8a37b500        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a37b500        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a37b500        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System        Address: 0x8a37b500        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System        Address: 0x8a37b500        Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_CREATE]
Process: System        Address: 0x8a2401f8        Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_CLOSE]
Process: System        Address: 0x8a2401f8        Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a2401f8        Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a2401f8        Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_POWER]
Process: System        Address: 0x8a2401f8        Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a2401f8        Address: 121

Object: Hidden Code [Driver: agvko7uwЅ敓Ёఈ浍浓訍Ā, IRP_MJ_PNP]
Process: System        Address: 0x8a2401f8        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System        Address: 0x8a323500        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System        Address: 0x8a323500        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a323500        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a323500        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System        Address: 0x8a323500        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a323500        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System        Address: 0x8a323500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System        Address: 0x89f78500        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_CREATE]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_CLOSE]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_READ]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_QUERY_INFORMATION]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_SET_INFORMATION]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_DIRECTORY_CONTROL]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_LOCK_CONTROL]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_CLEANUP]
Process: System        Address: 0x8a0cb1f8        Address: 121

Object: Hidden Code [Driver: Cdfsȅఈ灐畳ꅰ爠, IRP_MJ_PNP]
Process: System        Address: 0x8a0cb1f8        Address: 121

==EOF==

john.doe 15.07.2009 22:47
Zitat:
ob er schon abgeschlossen war.
EOF=End of file => abgeschlossen.

Jetzt haben wir ihn, endlich :), wieder ein Neuer. :(

1.) Kontrolliere bitte folgendes:
Start => Ausführen => devmgmt.msc eingeben und [Enter] drücken
Ansicht => Ausgeblendete Geräte anzeigen => Nicht-PNP-Treiber
Ist dort etwas zu sehen, dass mit ESQUL anfängt?

2.) Anleitung Avenger (by swandog46)

Lade dir das Tool Hopsassa und speichere es auf dem Desktop:
  • Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"
Code:
Drivers to delete:
aujasnkj.sys
ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
gusvc
GMSIPCI
agvko7uw

Registry keys to delete:
HKLM\SYSTEM\ControlSet001\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
HKLM\SYSTEM\ControlSet002\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
HKLM\SYSTEM\ControlSet003\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
HKLM\SYSTEM\ControlSet004\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys

Files to delete:
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
C:\DOKUME~1\kwam\LOKALE~1\Temp\b.exe
C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
C:\WINDOWS\system32\drivers\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll
C:\WINDOWS\system32\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll
http://saved.im/mzi3ndg3nta0/aven.jpg
  • Schliesse nun alle Programme und Browser-Fenster
  • Um den Avenger zu starten klicke auf -> Execute
  • Dann bestätigen mit "Yes" das der Rechner neu startet
  • Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt
  • Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

3.) Poste ein neues Rootrepeal-Log.

der_gizmo 15.07.2009 23:06
Nein, nichts zu sehen. Gutes oder schlechtes Zeichen?

Wenn ich zum Avenger navigieren will, meldet AntiVir:
Achtung Fund!
C:\Avenger\b.exe
Ist das Trojanische Pferd TR/Dldr.Zlob.LL

der_gizmo 15.07.2009 23:08
Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "ESQULserv.sys" found!
ImagePath:  \systemroot\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
Start Type:  1 (System)

Rootkit scan completed.


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\aujasnkj.sys" not found!
Deletion of driver "aujasnkj.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of driver "ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Driver "gusvc" deleted successfully.
Driver "GMSIPCI" deleted successfully.

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\agvko7uw" not found!
Deletion of driver "agvko7uw" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet001\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet001\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet002\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet002\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet003\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet003\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet004\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet004\Services\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\tasks\AppleSoftwareUpdate.job" deleted successfully.
File "C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job" deleted successfully.
File "C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job" deleted successfully.
File "C:\DOKUME~1\kwam\LOKALE~1\Temp\b.exe" deleted successfully.
File "C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" deleted successfully.

Error:  file "C:\WINDOWS\system32\drivers\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" not found!
Deletion of file "C:\WINDOWS\system32\drivers\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

john.doe 15.07.2009 23:12
Code:
Gutes oder schlechtes Zeichen?
Schlecht, die ließen sich früher dort ganz einfach austricksen. Mittlerweile zeigt selbst Gmer nichts mehr an. Es wird immer schwieriger die zu finden.

Hast du mit Avenger schon gelöscht? Falls ja,

1.) Deaktiviere den Wächter von Avira.

2.) Im Ordner Avenger sollte eine backup.zip sein. Falls nicht, dann packe den kompletten Avengerordner mit Rar oder Zip, lade die Datei bei einem Filehoster hoch (z.B. www.materialordner.de) und schicke mir den Link als Private Nachricht.

3.) Aktiviere den Wächter von Avira.

ciao, andreas

der_gizmo 15.07.2009 23:15
Nein, ich hab noch nichts gemacht (Wüsste auch nicht, wie ich das anstell^^).

Ich warte momentan darauf, dass RootRepeal fertig wird, dauert dieses Mal bedeutend länger als vorhin.

john.doe 15.07.2009 23:21
Ich habe einen Fehler gemacht, neues Skript für Avenger.
Code:
Drivers to delete:
ESQULserv.sys

Registry keys to delete:
HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys
HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys
HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys
HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys

Files to delete:
C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
C:\DOKUME~1\kwam\LOKALE~1\Temp\b.exe
C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys
C:\WINDOWS\system32\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll
Bitte sofort nach dem Log von Rootrepeal ausführen.

ciao, andreas

der_gizmo 15.07.2009 23:28
Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:                        2009/07/16 00:17
Program Version:                Version 1.3.2.0
Windows Version:                Windows XP SP3
==================================================

Drivers
-------------------
Name: dpqo.sys
Image Path: dpqo.sys
Address: 0xBA8A8000        Size: 61440        File Visible: No        Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB2D93000        Size: 98304        File Visible: No        Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE0E000        Size: 8192        File Visible: No        Signed: -
Status: -

Name: PCI_PNP8976
Image Path: \Driver\PCI_PNP8976
Address: 0x00000000        Size: 0        File Visible: No        Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBAAA8000        Size: 49152        File Visible: No        Signed: -
Status: -

Name: spaa.sys
Image Path: spaa.sys
Address: 0xBA6A7000        Size: 1048576        File Visible: No        Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000        Size: 0        File Visible: No        Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\dokumente und einstellungen\kwam\lokale einstellungen\anwendungsdaten\mozilla\firefox\profiles\rf06ey9t.default\cache\c2857b96d01
Status: Size mismatch (API: 34238, Raw: 36661)

SSDT
-------------------
#: 041        Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbaf9a60e

#: 053        Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbaf9a604

#: 063        Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xbaf9a613

#: 065        Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xbaf9a61d

#: 071        Function Name: NtEnumerateKey
Status: Hooked by "spaa.sys" at address 0xba6c6ca2

#: 073        Function Name: NtEnumerateValueKey
Status: Hooked by "spaa.sys" at address 0xba6c7030

#: 098        Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xbaf9a622

#: 119        Function Name: NtOpenKey
Status: Hooked by "spaa.sys" at address 0xba6a80c0

#: 122        Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbaf9a5f0

#: 128        Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbaf9a5f5

#: 160        Function Name: NtQueryKey
Status: Hooked by "spaa.sys" at address 0xba6c7108

#: 177        Function Name: NtQueryValueKey
Status: Hooked by "spaa.sys" at address 0xba6c6f88

#: 193        Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xbaf9a62c

#: 204        Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xbaf9a627

#: 247        Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xbaf9a618

#: 257        Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xbaf9a5ff

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System        Address: 0x8a5a11f8        Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_CREATE]
Process: System        Address: 0x8a2741f8        Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_CLOSE]
Process: System        Address: 0x8a2741f8        Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a2741f8        Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a2741f8        Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_POWER]
Process: System        Address: 0x8a2741f8        Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a2741f8        Address: 121

Object: Hidden Code [Driver: a26nmpe8ࠅఈ浍浓着註C, IRP_MJ_PNP]
Process: System        Address: 0x8a2741f8        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System        Address: 0x8a2b7400        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CREATE]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CLOSE]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_POWER]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_PNP]
Process: System        Address: 0x8a5a21f8        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System        Address: 0x8a0e7310        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System        Address: 0x8a0e7310        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System        Address: 0x8a0e7310        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System        Address: 0x8a0e7310        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a0e7310        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a0e7310        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System        Address: 0x8a0e7310        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a0e7310        Address: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System        Address: 0x8a0e7310        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System        Address: 0x8a33d1f8        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System        Address: 0x8a33d1f8        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a33d1f8        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a33d1f8        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System        Address: 0x8a33d1f8        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a33d1f8        Address: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System        Address: 0x8a33d1f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System        Address: 0x8a5a31f8        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System        Address: 0x882121f8        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System        Address: 0x882121f8        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x882121f8        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x882121f8        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System        Address: 0x882121f8        Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System        Address: 0x882121f8        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System        Address: 0x8a30f1f8        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System        Address: 0x8a30f1f8        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a30f1f8        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a30f1f8        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System        Address: 0x8a30f1f8        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a30f1f8        Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System        Address: 0x8a30f1f8        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System        Address: 0x899c3500        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_CREATE]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_CLOSE]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_READ]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_QUERY_INFORMATION]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_SET_INFORMATION]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_DIRECTORY_CONTROL]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_LOCK_CONTROL]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_CLEANUP]
Process: System        Address: 0x8a0b92b8        Address: 121

Object: Hidden Code [Driver: Cdfsȅః杇獬ί, IRP_MJ_PNP]
Process: System        Address: 0x8a0b92b8        Address: 121

Hidden Services
-------------------
Service Name: ESQULserv.sys
Image PathC:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys

==EOF==
wird gemacht :)

der_gizmo 15.07.2009 23:35
Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "ESQULserv.sys" deleted successfully.

Error:  registry key "HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet001\Services\ESQULserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet002\Services\ESQULserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\ESQULserv.sys" deleted successfully.

Error:  registry key "HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet004\Services\ESQULserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job" not found!
Deletion of file "C:\WINDOWS\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job" not found!
Deletion of file "C:\WINDOWS\tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\DOKUME~1\kwam\LOKALE~1\Temp\b.exe" not found!
Deletion of file "C:\DOKUME~1\kwam\LOKALE~1\Temp\b.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\ESQULfilmctpitjlkdnwynadxrykqgxtfhmto.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" not found!
Deletion of file "C:\WINDOWS\system32\ESQULcrlbgpsvaxtvndqqnxxoquvgvupxtvyk.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

john.doe 15.07.2009 23:42
Jetzt arbeite bitte das ab => http://www.trojaner-board.de/448377-post24.html

Die Programme sollten jetzt wieder alle laufen. Kannst mit ComboFix anfangen, danach Malwarebytes.

ciao, andreas

der_gizmo 16.07.2009 00:03
Also, ComboFix lief nun prima :)
Hier der Report:

Code:
ComboFix 09-07-14.08 - kwam 16.07.2009  0:53.1.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.49.1031.18.2046.1510 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\kwam\Desktop\combo-fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\windows\system32\ESQULjwoaypplxqliosrhdgapirxxdnowqyin.dll
c:\windows\system32\ic32.dll
c:\windows\system32\msxml71.dll
c:\windows\system32\wk32.dll

.
(((((((((((((((((((((((  Dateien erstellt von 2009-06-15 bis 2009-07-15  ))))))))))))))))))))))))))))))
.

2009-07-15 22:29 . 2009-07-15 22:29        574        ----a-w-        C:\cleanup.bat
2009-07-15 22:29 . 2009-07-15 22:29        135168        ----a-w-        C:\zip.exe
2009-07-15 20:13 . 2009-07-15 20:13        --------        d-----w-        c:\programme\CCleaner
2009-07-15 17:40 . 2009-07-15 17:40        --------        d-----w-        C:\rsit
2009-07-15 13:15 . 2009-07-13 11:36        38160        ----a-w-        c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 13:15 . 2009-07-15 13:15        --------        d-----w-        c:\programme\Malwarebytes' Anti-Malware
2009-07-15 13:15 . 2009-07-15 13:15        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-07-15 13:15 . 2009-07-13 11:36        19096        ----a-w-        c:\windows\system32\drivers\mbam.sys
2009-07-14 20:35 . 2009-07-15 17:41        --------        d-----w-        c:\programme\Trend Micro
2009-07-14 18:45 . 2009-07-14 18:45        69632        ----a-w-        c:\windows\system32\drivers\geyekrvtjiqjml.sys
2009-07-14 18:38 . 2009-07-14 18:38        --------        d-----w-        c:\dokumente und einstellungen\kwam\Anwendungsdaten\MAGIX
2009-07-14 18:23 . 2001-05-11 11:18        420240        ----a-w-        c:\windows\system32\mpg4c32.dll
2009-07-14 18:23 . 2001-05-16 15:54        309616        ----a-w-        c:\windows\system32\wmv8dmod.dll
2009-07-14 18:21 . 2007-04-27 08:43        120200        ----a-w-        c:\windows\system32\DLLDEV32i.dll
2009-07-14 18:21 . 2009-07-14 18:22        --------        d-----w-        c:\windows\system32\MAGIX
2009-07-14 18:21 . 2008-04-15 14:14        700416        ----a-w-        c:\windows\system32\mgxoschk.dll
2009-07-14 17:27 . 2009-07-14 17:27        --------        d-----w-        c:\programme\Audacity
2009-07-09 21:09 . 2009-07-09 21:09        --------        d-----w-        c:\dokumente und einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Apple
2009-07-07 16:30 . 2009-07-08 14:16        96104        ----a-w-        c:\windows\system32\drivers\avipbb.sys
2009-07-07 16:30 . 2009-07-08 14:16        55640        ----a-w-        c:\windows\system32\drivers\avgntflt.sys
2009-07-07 16:30 . 2009-02-13 09:29        22360        ----a-w-        c:\windows\system32\drivers\avgntmgr.sys
2009-07-07 16:30 . 2009-02-13 09:17        45416        ----a-w-        c:\windows\system32\drivers\avgntdd.sys
2009-07-07 16:30 . 2009-07-07 16:30        --------        d-----w-        c:\programme\Avira
2009-07-07 16:30 . 2009-07-07 16:30        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-07-06 20:52 . 2009-07-06 20:52        --------        d-----w-        c:\dokumente und einstellungen\kwam\Library
2009-07-06 20:52 . 2009-07-06 20:52        --------        d-----w-        c:\dokumente und einstellungen\kwam\Anwendungsdaten\com.adobe.ExMan
2009-07-02 19:11 . 2009-07-02 19:11        --------        d-----w-        c:\dokumente und einstellungen\kwam\Anwendungsdaten\Apple Computer
2009-06-22 13:26 . 2009-06-22 13:26        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\BVRP Software
2009-06-22 13:15 . 2009-06-22 13:15        --------        d-----w-        c:\dokumente und einstellungen\kwam\Lokale Einstellungen\Anwendungsdaten\Sony
2009-06-22 13:12 . 2009-06-22 13:12        --------        d-----w-        c:\programme\Gemeinsame Dateien\Sony Shared
2009-06-22 13:11 . 2009-06-22 13:11        --------        d-----w-        c:\programme\Sony
2009-06-22 13:09 . 2009-06-22 13:09        --------        d-----w-        c:\programme\Gemeinsame Dateien\Apple
2009-06-22 13:09 . 2009-06-22 13:09        --------        d-----w-        c:\programme\QuickTime
2009-06-22 13:09 . 2009-06-22 13:09        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer
2009-06-22 13:08 . 2009-06-22 13:08        --------        d-----w-        c:\dokumente und einstellungen\kwam\Lokale Einstellungen\Anwendungsdaten\Apple
2009-06-22 13:08 . 2009-06-22 13:08        --------        d-----w-        c:\programme\Apple Software Update
2009-06-22 13:08 . 2009-06-22 13:08        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple
2009-06-22 13:08 . 2009-06-22 13:08        --------        d-----w-        c:\dokumente und einstellungen\kwam\Lokale Einstellungen\Anwendungsdaten\Apple Computer
2009-06-22 13:08 . 2009-06-22 13:28        --------        d-----w-        c:\windows\system32\drivers\UMDF
2009-06-22 13:05 . 2009-06-22 13:05        --------        d-----w-        c:\dokumente und einstellungen\kwam\Anwendungsdaten\Sony

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 19:51 . 2009-03-03 19:47        --------        d-----w-        c:\dokumente und einstellungen\kwam\Anwendungsdaten\Winamp
2009-07-15 13:40 . 2008-10-23 15:51        42360        ----a-w-        c:\dokumente und einstellungen\kwam\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-07-14 20:06 . 2008-10-23 15:52        --------        d-----w-        c:\programme\Warcraft III
2009-07-14 18:22 . 2009-07-14 18:21        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\MAGIX
2009-07-14 18:21 . 2008-12-23 22:40        --------        d-----w-        c:\dokumente und einstellungen\kwam\Anwendungsdaten\Azureus
2009-07-10 19:15 . 2008-10-24 20:20        --------        d-----w-        c:\dokumente und einstellungen\kwam\Anwendungsdaten\FrostWire
2009-07-10 18:10 . 2008-10-25 00:11        --------        d-----w-        c:\programme\Microsoft Games
2009-07-10 14:06 . 2008-12-23 16:31        --------        d-----w-        c:\dokumente und einstellungen\kwam\Anwendungsdaten\Skype
2009-07-10 14:01 . 2008-12-23 16:32        --------        d-----w-        c:\dokumente und einstellungen\kwam\Anwendungsdaten\skypePM
2009-07-02 19:16 . 2009-03-08 20:51        --------        d-----w-        c:\programme\Gemeinsame Dateien\DVDVideoSoft
2009-07-02 19:16 . 2009-03-08 20:51        --------        d-----w-        c:\programme\DVDVideoSoft
2009-06-22 13:22 . 2009-06-22 13:22        148736        ----a-w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\hpe146.dll
2009-06-22 13:22 . 2009-06-22 13:22        148736        ----a-w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\hpe146.dll
2009-06-22 13:22 . 2008-10-24 20:01        --------        d-----w-        c:\programme\Sony Ericsson
2009-06-22 13:22 . 2008-10-22 17:32        --------        d--h--w-        c:\programme\InstallShield Installation Information
2009-06-11 17:33 . 2009-06-11 17:33        --------        d-sh--w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\System Restore
2009-06-11 01:41 . 2009-06-11 01:41        --------        d-----w-        c:\dokumente und einstellungen\kwam\Anwendungsdaten\Canneverbe_Limited
2009-06-11 01:41 . 2009-06-11 01:41        --------        d-----w-        c:\programme\CDBurnerXP
2009-06-05 23:05 . 2008-10-31 16:23        --------        d-----w-        c:\programme\Gemeinsame Dateien\Adobe
2009-06-05 18:05 . 2009-06-05 18:05        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\FLEXnet
2009-06-05 17:41 . 2009-06-05 17:41        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\ALM
2009-06-05 17:15 . 2009-06-05 17:15        --------        d-----w-        c:\programme\Adobe Media Player
2009-06-05 17:13 . 2009-06-05 17:13        --------        d-----w-        c:\programme\Gemeinsame Dateien\Adobe AIR
2009-06-05 17:07 . 2009-06-05 17:07        --------        d-----w-        c:\programme\Gemeinsame Dateien\Macrovision Shared
2009-06-05 16:56 . 2006-02-28 12:00        96862        ----a-w-        c:\windows\system32\perfc007.dat
2009-06-05 16:56 . 2006-02-28 12:00        505988        ----a-w-        c:\windows\system32\perfh007.dat
2009-06-05 16:56 . 2009-06-05 16:56        64312        ----a-w-        c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
2009-06-05 16:55 . 2009-06-05 16:55        --------        d-----w-        c:\programme\MSBuild
2009-06-04 22:58 . 2009-06-04 22:58        --------        d-----w-        c:\programme\Reference Assemblies
2009-05-07 15:32 . 2006-02-28 12:00        348160        ----a-w-        c:\windows\system32\localspl.dll
2009-05-06 09:29 . 2009-05-06 09:29        17744        ----a-w-        c:\windows\system32\aspnet_counters.dll
2009-05-06 07:08 . 2009-05-06 07:08        70456        ----a-w-        c:\windows\system32\dxva2.dll
2009-05-06 07:08 . 2009-05-06 07:08        489800        ----a-w-        c:\windows\system32\evr.dll
2009-05-06 07:08 . 2009-05-06 07:08        13120        ----a-w-        c:\windows\system32\mscorier.dll
2009-05-06 07:08 . 2009-05-06 07:08        103304        ----a-w-        c:\windows\system32\PresentationCFFRasterizerNative_v0400.dll
2009-05-06 06:13 . 2009-05-06 06:13        76648        ----a-w-        c:\windows\system32\PresentationHostProxy.dll
2009-05-06 06:13 . 2009-05-06 06:13        404320        ----a-w-        c:\windows\system32\PresentationHost.exe
2009-05-06 06:13 . 2009-05-06 06:13        291152        ----a-w-        c:\windows\system32\mscoree.dll
2009-05-06 06:13 . 2009-05-06 06:13        158048        ----a-w-        c:\windows\system32\UIAutomationCore.dll
2009-05-06 06:13 . 2009-05-06 06:13        14160        ----a-w-        c:\windows\system32\netfxperf.dll
2009-05-06 06:13 . 2009-05-06 06:13        1083720        ----a-w-        c:\windows\system32\dfshim.dll
2009-04-29 04:33 . 2006-02-28 12:00        672256        ----a-w-        c:\windows\system32\wininet.dll
2009-04-29 04:33 . 2006-02-28 12:00        81920        ----a-w-        c:\windows\system32\ieencode.dll
2009-04-19 19:46 . 2006-02-28 12:00        1847296        ----a-w-        c:\windows\system32\win32k.sys
2009-06-12 17:33 . 2008-10-24 17:38        134648        ----a-w-        c:\programme\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Creative Detector"="c:\programme\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"Sony Ericsson PC Suite"="c:\programme\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-02-16 405504]
"ICQ"="c:\programme\ICQ6.5\ICQ.exe" [2009-03-01 172792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-13 7606272]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"D-Link AirPlus G"="c:\programme\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 1519616]
"ANIWZCS2Service"="c:\programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-04-20 385024]
"Sony Ericsson PC Suite"="c:\programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-27 593920]
"WinampAgent"="c:\programme\Winamp\winampa.exe" [2009-02-25 37888]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AdobeCS4ServiceManager"="c:\programme\Gemeinsame Dateien\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="c:\programme\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\programme\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"QuickTime Task"="c:\programme\QuickTime\QTTask.exe" [2008-09-06 413696]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-13 1519616]
"NvMediaCenter"="NvMCTray.dll" - c:\windows\system32\nvmctray.dll [2006-05-13 86016]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-08-07 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2005-08-07 18944]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-04 16206848]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-04-24 1448960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\FrostWire\\FrostWire.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\ICQ6.5\\ICQ.exe"=
"c:\\Programme\\Vuze\\Azureus.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Dokumente und Einstellungen\\kwam\\Desktop\\dud\\Age Of Empires 2 & The Conquerors Expansion -\\age2_x1.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programme\\Gemeinsame Dateien\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Programme\\Gemeinsame Dateien\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [07.07.2009 18:30 108289]
R2 ICQ Service;ICQ Service;c:\programme\ICQ6Toolbar\ICQ Service.exe [08.12.2008 20:23 222456]
R3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [22.06.2009 15:22 86696]
R3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [22.06.2009 15:22 15016]
R3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [22.06.2009 15:22 114472]
R3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [22.06.2009 15:22 108328]
R3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [22.06.2009 15:22 26024]
R3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [22.06.2009 15:22 104616]
R3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [22.06.2009 15:22 109736]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [15.08.2008 05:46 284016]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe [06.05.2009 09:08 104272]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programme\MAGIX\Common\Database\bin\fbserver.exe --> c:\programme\MAGIX\Common\Database\bin\fbserver.exe [?]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.ask.com/?o=101677&l=dis
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: An vorhandene PDF-Datei anfügen - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
FF - ProfilePath - c:\dokumente und einstellungen\kwam\Anwendungsdaten\Mozilla\Firefox\Profiles\rf06ey9t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.yodl.de/href.php?hrefname=FF-splug_google&q=
FF - prefs.js: browser.startup.homepage - www.google.de/ig
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\programme\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\NPAskSBr.dll
FF - plugin: c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 00:59
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-602162358-861567501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4253CC67-8266-6CC7-E300-0AFF8DB0ABBD}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaekjkbfbepihimmfanddhhpkpmmmg"=hex:64,61,64,69,70,62,61,63,00,85
"oailjhhlcmlbmnhbkmoclnfonplpan"=hex:6a,61,64,69,70,62,6f,63,6c,70,62,6a,6b,69,
  6a,6e,6c,61,69,6a,00,0f
"nacipnbaldjcfbiifafcoeinhgmo"=hex:6a,61,64,69,70,62,6f,63,6c,70,62,6a,6b,69,
  6a,6e,6c,61,69,6a,00,02
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\programme\Gemeinsame Dateien\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Zeit der Fertigstellung: 2009-07-15  1:01
ComboFix-quarantined-files.txt  2009-07-15 23:01

Vor Suchlauf: 8 Verzeichnis(se), 134.340.575.232 Bytes frei
Nach Suchlauf: 7 Verzeichnis(se), 134.466.969.600 Bytes frei

221        --- E O F ---        2009-06-23 22:06


Alle Zeitangaben in WEZ +1. Es ist jetzt 22:46 Uhr.
Seite 2 von 6 1 2 34 Letzte »
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131