Trojaner-Board (https://www.trojaner-board.de/)
- Log Analysis and Evaluation (https://www.trojaner-board.de/log-analyse-auswertung/)
  - WORM/Koobface.cc and others found (https://www.trojaner-board.de/79851-worm-koobface-cc-u-a-gefunden.html)

alex1009 29.11.2009 13:20

WORM/Koobface.cc and others found
 
Hello,
I infected my laptop with worms and viruses by opening a link on Facebook. I use the Avira AntiVirus program.
Unfortunately I don't know much about computers and now urgently need help.

I have run the applications CCleaner, Malwarebytes Anti-Malware and RSIT and attached the results.

It would be great if someone could help me!

Best regards
Alexandra

Larusso 29.11.2009 13:45

:hallo:

A cleanup can involve a lot of work for you.
  • Please work through all steps in order.
  • If there are problems, please stop and describe them here as well as you can.
  • Only run scans that a helper asks you to run.
  • Please no crossposting (posting in several forums).

Note: I can never guarantee that I will find everything. A format is usually the quicker and always the safest way.
If you decide on a cleanup, please work through the following.

Please post all logfiles in code tags.
Click reply --> #
then [code]text[/code]
This is how it should look here after replying:
Code:

your logfile

Vista and Win7 users
Start all tools with right-click "Run as administrator".


Step 1

Open Windows Explorer (Windows key + E) and go to => Tools => Folder Options => "View" tab
  • Files and Folders: Hide extensions for known file types: disable
  • Files and Folders: Hide protected operating system files (recommended): disable
  • Files and Folders: Display the contents of system folders: enable (not present on Vista)
  • Hidden files and folders: Show all files and folders: enable


Step 2

Custom scan with OTL

If you don't have it yet, please download OTL from Oldtimer and save it to your desktop
Code:

netsvcs
msconfig
drivers32
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
CREATERESTOREPOINT



Step 3

Rootkit search

What are rootkits?

Some scans for files, processes and registry entries that are hidden from most other scanners (by a so-called rootkit). During these scans:
  • all other scanners for viruses, spyware, etc. should be disabled,
  • there should be no connection to a network/Internet (don't forget WLAN),
  • nothing should be done on the computer,
  • the computer should be restarted after each scan.
Run a Gmer scan
  • Download Gmer from this page
    (click the Download EXE button) and save the program to the desktop.
  • Gmer is suitable for => NT/W2K/XP/VISTA.
  • All other programs should be closed.
  • Start gmer.exe (the program has a random program name).
  • Vista users: right-click and run as administrator.
  • If a window with the following warning opens:
    WARNING !!!
    GMER has found system modification, which might have been caused by ROOTKIT activity.
    Do you want to fully scan your system ?
    Be sure to click "No".
  • Start the scan with "Scan". Do nothing on the computer while the scan is running.
  • When the scan is finished, click "Copy" to copy the log to the clipboard. "Ok" closes Gmer.
  • Paste the log from the clipboard into your reply here.
Turn your antivirus program and other scanners back on before you go online!

Now post the logfile in code tags.


Some logs are very long. Please split them over several posts. Thanks
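
The custom scan lines in Step 2 end in "/s /md5", which as I read them ask OTL to search the system drive recursively for each named file and print an MD5 for every copy it finds, so a patched driver carrying the same name as the genuine one stands out by its hash. The Python below is an added example for this thread, not OTL's code and not something Larusso posted; it reproduces that idea on a constructed directory tree (the paths and contents in build_demo_tree are invented, and the function names are mine).

```python
"""Recursive file-name sweep with an MD5 per hit, the check the OTL script's
"/s /md5" lines ask for. Added example, not OTL's code; OTL's own output format differs."""
import hashlib
import os
import tempfile
from typing import Dict, List, Set


def md5_of(path: str) -> str:
    """MD5 of a file, read in chunks so large drivers do not load into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: str, names: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Map each wanted file name (case-insensitive) to {md5: [paths]} found under root."""
    wanted = {n.lower() for n in names}
    index: Dict[str, Dict[str, List[str]]] = {n: {} for n in wanted}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()
            if key not in wanted:
                continue
            full = os.path.join(dirpath, fname)
            try:
                digest = md5_of(full)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            index[key].setdefault(digest, []).append(full)
    return index


def divergent(index: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Names present under more than one distinct hash: the copies differ and need a look."""
    return sorted(name for name, by_hash in index.items() if len(by_hash) > 1)


def build_demo_tree(root: str) -> None:
    """Constructed layout (invented paths and contents): two identical atapi.sys copies,
    one atapi.sys that differs, and a single scecli.dll."""
    layout = {
        os.path.join("Windows", "System32", "drivers", "atapi.sys"): b"driver-A",
        os.path.join("Windows", "System32", "DriverStore", "atapi.sys"): b"driver-A",
        os.path.join("Windows", "winsxs", "backup", "atapi.sys"): b"driver-B",
        os.path.join("Windows", "System32", "scecli.dll"): b"scecli",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> List[str]:
    """Build the constructed tree in a temp dir, sweep it, return the divergent names."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return divergent(sweep(root, {"atapi.sys", "scecli.dll"}))


if __name__ == "__main__":
    print(demo())  # ['atapi.sys']
```

A name showing up under two hashes is not proof of tampering (a driver store keeps older versions legitimately), but it is exactly the case a helper wants to compare against a known-good copy, which is what the hash list in the OTL output is for.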

alex1009 29.11.2009 15:00

Hello Larusso,
many thanks in advance. I've already hit the first difficulties: I can't get to the folder options by the route you describe. I went via Control Panel, Appearance and Personalization, Folder Options, but it wasn't quite clear to me whether I should leave the checkmarks in or take them out. I decided on taking them out for hide extensions for known file types and hide protected system files, and a checkmark for show all files and folders.
I ran OTL, but I can't paste it because the text is too long. What should I do now?

Larusso 29.11.2009 15:04

Leave step 1 for now.

Quote:

Quote from larusso
Some logs are very long. Please split them over several posts. Thanks


alex1009 29.11.2009 15:05

Code:

OTL logfile created on: 29.11.2009 14:27:29 - Run 1
OTL by OldTimer - Version 3.1.11.2    Folder = C:\Users\Hank\Downloads\OTL
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy
 
1,99 Gb Total Physical Memory | 1,19 Gb Available Physical Memory | 59,60% Memory free
4,00 Gb Paging File | 2,95 Gb Available in Paging File | 73,84% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220,29 Gb Total Space | 99,39 Gb Free Space | 45,12% Space Free | Partition Type: NTFS
Drive D: | 10,00 Gb Total Space | 5,39 Gb Free Space | 53,94% Space Free | Partition Type: NTFS
Drive E: | 1,57 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: HANK-LAPTOP
Current User Name: Hank
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
 
========== Processes (SafeList) ==========
 
PRC - [2009.11.29 14:24:46 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Users\Hank\Downloads\OTL\OTL.exe
PRC - [2009.10.28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Programme\iTunes\iTunesHelper.exe
PRC - [2009.10.28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Programme\iPod\bin\iPodService.exe
PRC - [2009.07.21 13:34:28 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe
PRC - [2009.05.29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Programme\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009.05.27 02:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009.05.21 09:55:32 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Programme\Dell Support Center\bin\sprtcmd.exe
PRC - [2009.05.13 15:48:18 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe
PRC - [2009.04.10 22:27:38 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009.03.02 12:08:43 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008.12.12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Programme\Bonjour\mDNSResponder.exe
PRC - [2008.11.24 22:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008.11.24 22:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008.11.24 01:00:00 | 00,077,312 | ---- | M] (DATEV eG) -- C:\DATEV\PROGRAMM\B0001442\PSNTServ.exe
PRC - [2008.11.20 01:42:00 | 00,141,408 | ---- | M] (DATEV eG) -- C:\DATEV\PROGRAMM\Install\DvInesASDSvc.Exe
PRC - [2008.10.24 14:35:44 | 00,128,296 | ---- | M] () -- C:\Programme\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
PRC - [2008.08.13 17:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Programme\Dell Support Center\bin\sprtsvc.exe
PRC - [2008.03.09 11:20:26 | 00,071,096 | ---- | M] () -- C:\Programme\CDBurnerXP\NMSAccessU.exe
PRC - [2008.01.19 08:38:38 | 01,008,184 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Defender\MSASCui.exe
PRC - [2008.01.19 08:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnetwk.exe
PRC - [2008.01.19 08:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Media Player\wmpnscfg.exe
PRC - [2007.09.07 07:50:02 | 00,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Programme\DellTPad\hidfind.exe
PRC - [2007.09.07 07:49:56 | 00,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Programme\DellTPad\Apoint.exe
PRC - [2007.09.07 07:49:56 | 00,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Programme\DellTPad\ApMsgFwd.exe
PRC - [2007.09.07 07:49:56 | 00,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Programme\DellTPad\ApntEx.exe
PRC - [2007.08.28 06:51:42 | 00,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2007.07.25 17:41:42 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007.07.25 17:22:44 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007.03.21 14:00:04 | 00,355,096 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007.03.21 14:00:00 | 00,174,872 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006.08.05 01:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe


alex1009 29.11.2009 15:06

Code:

========== Modules (SafeList) ==========
 
MOD - [2009.11.29 14:24:46 | 00,535,552 | ---- | M] (OldTimer Tools) -- C:\Users\Hank\Downloads\OTL\OTL.exe
MOD - [2009.04.10 22:21:40 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
 
 
========== Win32 Services (SafeList) ==========
 
SRV - File not found --  -- (MyWebSearchService)
SRV - File not found --  -- (AESTFilters)
SRV - [2009.10.28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009.09.25 02:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009.07.21 13:34:28 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009.06.02 10:10:08 | 00,637,952 | ---- | M] (Nokia.) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2009.05.29 12:41:26 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009.05.27 02:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$DATEV_CL_DE01) SQL Server (DATEV_CL_DE01)
SRV - [2009.05.13 15:48:18 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009.02.10 21:17:02 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c98bbc9b0497fd) Google Update Service (gupdate1c98bbc9b0497fd)
SRV - [2008.12.21 18:25:38 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-061008-081103)
SRV - [2008.12.12 11:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008.11.24 22:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008.11.24 22:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008.11.24 22:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008.11.24 01:00:00 | 00,077,312 | ---- | M] (DATEV eG) -- C:\DATEV\PROGRAMM\B0001442\PSNTServ.exe -- (DatevPrintService)
SRV - [2008.11.20 01:42:00 | 00,141,408 | ---- | M] (DATEV eG) -- C:\DATEV\PROGRAMM\INSTALL\DvInesASDSvc.Exe -- (DATEV Update-Service)
SRV - [2008.11.04 00:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008.10.24 14:35:44 | 00,128,296 | ---- | M] () -- C:\Programme\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe -- (AAV UpdateService)
SRV - [2008.09.11 21:10:58 | 00,361,728 | ---- | M] (TuneUp Software GmbH) -- C:\Windows\System32\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2008.08.13 17:32:40 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008.05.29 08:28:54 | 00,028,416 | ---- | M] (TuneUp Software GmbH) -- C:\Windows\System32\uxtuneup.dll -- (UxTuneUp)
SRV - [2008.03.19 11:30:46 | 02,558,464 | ---- | M] (Aladdin Knowledge Systems Ltd.) -- C:\Windows\System32\hasplms.exe -- (hasplms)
SRV - [2008.03.09 11:20:26 | 00,071,096 | ---- | M] () -- C:\Programme\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2008.01.19 08:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007.12.02 19:34:30 | 00,074,384 | R--- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2007.07.25 17:41:42 | 00,647,168 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel(R)
SRV - [2007.07.25 17:22:44 | 00,327,680 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel(R)
SRV - [2007.03.21 14:00:04 | 00,355,096 | ---- | M] (Intel Corporation) -- C:\Programme\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2006.11.02 13:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006.10.26 15:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006.08.05 01:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\URLSearchHook: {26647ca4-a2a7-4eac-8a72-761aa9141de7} - C:\Programme\Freeware_DE\tbFree.dll (Conduit Ltd.)
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/webhp?sourceid=navclient&hl=de&ie=UTF-8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {26647ca4-a2a7-4eac-8a72-761aa9141de7} - C:\Programme\Freeware_DE\tbFree.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
FF - HKLM\software\mozilla\Firefox\Extensions\\bkmrksync@nokia.com: C:\Program Files\Nokia\Nokia PC Suite 7\bkmrksync\ [2009.10.31 17:08:01 | 00,000,000 | ---D | M]
 
 
O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1      localhost
O1 - Hosts: ::1            localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (eBay Toolbar Helper) - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Programme\eBay\eBay Toolbar2\eBayTb.dll (eBay Inc.)
O2 - BHO: (Freeware DE Toolbar) - {26647ca4-a2a7-4eac-8a72-761aa9141de7} - C:\Programme\Freeware_DE\tbFree.dll (Conduit Ltd.)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Programme\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Programme\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Programme\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Freeware DE Toolbar) - {26647ca4-a2a7-4eac-8a72-761aa9141de7} - C:\Programme\Freeware_DE\tbFree.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (eBay Toolbar) - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Programme\eBay\eBay Toolbar2\eBayTb.dll (eBay Inc.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Programme\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Freeware DE Toolbar) - {26647CA4-A2A7-4EAC-8A72-761AA9141DE7} - C:\Programme\Freeware_DE\tbFree.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Programme\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe (eBay Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [Skype] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 1
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - c:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm ()
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Save YouTube Video as MP3 - C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll (DVSTeam)
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - c:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O8 - Extra context menu item: Suche - C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll (eBay Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Programme\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Programme\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Ranges: GD ([http] in Lokales Intranet)
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} https://oas.support.microsoft.com/ActiveX/MSDcode.cab (Microsoft Data Collection Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} http://www.srtest.com/srl_bin/sysreqlab_ind.cab (System Requirements Lab Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} http://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab (IGDTester Class)
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab (EPUImageControl Class)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.44.252
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Common Files\microsoft shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006.09.18 22:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) -  File not found
O34 - HKLM BootExecute: (*) -  File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
 
NetSvcs: UxTuneUp - C:\Windows\System32\uxtuneup.dll (TuneUp Software GmbH)
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008.04.22 20:26:54 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
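
The OTL sections posted above are what a helper reads by hand. The script below is an added example, not part of the thread or of OTL, showing how a few of those line types can be triaged automatically. It runs on a constructed sample built from the line shapes visible above (the regexes, the category names and the Finding class are my own) and flags service entries whose binary is missing, Run entries with no publisher, EnableLUA = 0 (UAC switched off) and AppInit_DLLs entries, a mechanism that both legitimate software and malware use to get a DLL loaded into every process.

```python
"""Triage helpers for OTL log lines: orphaned services, disabled UAC, publisher-less
autoruns and AppInit_DLLs entries. Added example for this thread, not OTL's or the
forum's tooling; the patterns follow the line shapes visible in the posted log."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of lines modelled on the OTL log posted in the thread.
SAMPLE_LOG = r"""
SRV - File not found --  -- (MyWebSearchService)
SRV - File not found --  -- (AESTFilters)
SRV - [2009.07.21 13:34:28 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
"""

# A registered service whose executable no longer exists (left-over or removed component).
ORPHANED_SERVICE = re.compile(r"^SRV - File not found --\s*-- \((?P<name>[^)]+)\)$")
# Run key entry: hive, value name, path, and the publisher OTL read from the file.
RUN_ENTRY = re.compile(
    r"^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<publisher>[^)]*)\)$"
)
# Policy value under ...\policies\...: key path, setting name, value.
POLICY = re.compile(r"^O6 - (?P<key>\S+): (?P<setting>\w+) = (?P<value>\S+)$")
# AppInit_DLLs: short (8.3) name as stored, resolved path, publisher.
APPINIT = re.compile(r"^O20 - AppInit_DLLs: \((?P<short>[^)]*)\) - (?P<path>.+?) \((?P<publisher>[^)]*)\)$")


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


def triage(log_text: str) -> List[Finding]:
    """Return de-duplicated review items for the OTL line types handled above."""
    findings: List[Finding] = []
    seen = set()

    def add(category: str, detail: str) -> None:
        item = Finding(category, detail)
        if item not in seen:  # OTL prints some entries twice (the AppInit_DLLs line above)
            seen.add(item)
            findings.append(item)

    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ORPHANED_SERVICE.match(line)
        if m:
            add("orphaned-service", m["name"])
            continue
        m = RUN_ENTRY.match(line)
        if m:
            if not m["publisher"].strip():  # "()" or "( )": no company name in the binary
                add("unsigned-autorun", f"{m['hive']} [{m['name']}] {m['path']}")
            continue
        m = POLICY.match(line)
        if m:
            if m["setting"] == "EnableLUA" and m["value"] == "0":
                add("uac-disabled", f"{m['key']} EnableLUA = 0")
            continue
        m = APPINIT.match(line)
        if m:
            add("appinit-dll", m["path"])

    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, handy for a one-line overview of a long log."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:18} {f.detail}")
```

None of these categories is a verdict on its own: a missing publisher is common for OEM helper tools, and the AppInit_DLLs entry here resolves to a Google component. The point is to pull the lines a helper has to decide on out of several hundred others, and to do it the same way every time.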


alex1009 29.11.2009 15:07

Code:

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.tscc - C:\Windows\System32\tsccvid.dll (TechSmith Corporation)
OTL cannot create restorepoints on Vista OSs!
 
========== Files/Folders - Created Within 14 Days ==========
 
[2009.11.29 12:21:27 | 00,000,000 | ---D | C] -- C:\Programme\trend micro
[2009.11.29 12:21:26 | 00,000,000 | ---D | C] -- C:\rsit
[2009.11.29 11:53:49 | 00,000,000 | ---D | C] -- C:\Users\Hank\Desktop\Malware
[2009.11.29 09:59:13 | 00,000,000 | ---D | C] -- C:\Users\Hank\AppData\Roaming\Malwarebytes
[2009.11.29 09:59:07 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009.11.29 09:59:05 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009.11.29 09:59:05 | 00,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware
[2009.11.29 09:59:05 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009.11.29 09:46:24 | 00,000,000 | ---D | C] -- C:\Programme\CCleaner
[2009.11.19 20:48:44 | 00,000,000 | ---D | C] -- C:\Programme\Windows Portable Devices
 
========== Files - Modified Within 14 Days ==========
 
[2009.11.29 14:27:09 | 04,456,448 | ---- | M] () -- C:\Users\Hank\ntuser.dat
[2009.11.29 14:22:01 | 00,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2009.11.29 14:09:48 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009.11.29 14:09:47 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009.11.29 14:00:02 | 00,000,498 | ---- | M] () -- C:\Windows\tasks\1-Klick-Wartung.job
[2009.11.29 12:57:00 | 00,000,868 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job
[2009.11.29 12:21:19 | 00,781,909 | ---- | M] () -- C:\Users\Hank\Desktop\RSIT.exe
[2009.11.29 11:56:58 | 00,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2009.11.29 11:56:43 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009.11.29 11:56:40 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009.11.29 11:56:38 | 21,370,42944 | -HS- | M] () -- C:\hiberfil.sys
[2009.11.29 11:55:24 | 00,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2009.11.29 11:55:07 | 00,524,288 | -HS- | M] () -- C:\Users\Hank\ntuser.dat{24b7e877-803c-11dd-bf0f-001d093f44ce}.TMContainer00000000000000000001.regtrans-ms
[2009.11.29 11:55:07 | 00,065,536 | -HS- | M] () -- C:\Users\Hank\ntuser.dat{24b7e877-803c-11dd-bf0f-001d093f44ce}.TM.blf
[2009.11.29 11:55:01 | 06,291,456 | -H-- | M] () -- C:\Users\Hank\AppData\Local\IconCache.db
[2009.11.29 09:59:10 | 00,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009.11.29 09:46:25 | 00,001,672 | ---- | M] () -- C:\Users\Hank\Desktop\CCleaner.lnk
[2009.11.28 08:52:02 | 00,000,056 | -H-- | M] () -- C:\Windows\System32\ezsidmv.dat
[2009.11.27 16:43:27 | 00,003,808 | ---- | M] () -- C:\Windows\fs1235.dat
[2009.11.21 02:53:34 | 01,593,836 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009.11.21 02:53:34 | 00,685,418 | ---- | M] () -- C:\Windows\System32\perfh007.dat
[2009.11.21 02:53:34 | 00,642,214 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009.11.21 02:53:34 | 00,150,882 | ---- | M] () -- C:\Windows\System32\perfc007.dat
[2009.11.21 02:53:34 | 00,122,762 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009.11.20 20:37:58 | 00,000,575 | ---- | M] () -- C:\Users\Hank\Desktop\2004_08_07 Grillen zu Hause - Verknüpfung.lnk
[2009.11.20 18:00:44 | 00,015,629 | ---- | M] () -- C:\Users\Hank\Reifen.docx
[2009.11.20 15:33:58 | 00,014,543 | ---- | M] () -- C:\Users\Hank\G Chat.docx
[2009.11.20 12:51:57 | 00,001,217 | ---- | M] () -- C:\Users\Hank\Desktop\Free YouTube to MP3 Converter.lnk
[2009.11.20 12:49:01 | 00,001,034 | ---- | M] () -- C:\Users\Hank\Desktop\DVDVideoSoft Free Studio.lnk
[2009.11.20 08:35:26 | 00,011,961 | ---- | M] () -- C:\Users\Hank\Guido.docx
[2009.11.20 05:54:38 | 00,002,631 | ---- | M] () -- C:\Users\Hank\Desktop\Microsoft Office Word 2007.lnk
[2009.11.19 21:22:34 | 00,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2009.11.19 20:48:30 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
[2009.11.19 20:48:22 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2009.11.15 17:34:07 | 00,014,526 | ---- | M] () -- C:\Windows\System32\TuneUpDefragService_20091115-163405.dmp
 
========== Files Created - No Company Name ==========
 
[2009.11.29 12:20:55 | 00,781,909 | ---- | C] () -- C:\Users\Hank\Desktop\RSIT.exe
[2009.11.29 09:59:10 | 00,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009.11.29 09:46:25 | 00,001,672 | ---- | C] () -- C:\Users\Hank\Desktop\CCleaner.lnk
[2009.11.28 08:52:02 | 00,000,056 | -H-- | C] () -- C:\Windows\System32\ezsidmv.dat
[2009.11.27 16:37:56 | 00,003,808 | ---- | C] () -- C:\Windows\fs1235.dat
[2009.11.20 20:37:58 | 00,000,575 | ---- | C] () -- C:\Users\Hank\Desktop\2004_08_07 Grillen zu Hause - Verknüpfung.lnk
[2009.11.20 18:00:40 | 00,015,629 | ---- | C] () -- C:\Users\Hank\Reifen.docx
[2009.11.20 15:33:57 | 00,014,543 | ---- | C] () -- C:\Users\Hank\G Chat.docx
[2009.11.20 12:51:57 | 00,001,217 | ---- | C] () -- C:\Users\Hank\Desktop\Free YouTube to MP3 Converter.lnk
[2009.11.20 08:33:30 | 00,011,961 | ---- | C] () -- C:\Users\Hank\Guido.docx
[2009.11.19 20:48:30 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
[2009.11.19 20:48:22 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2009.11.15 17:34:05 | 00,014,526 | ---- | C] () -- C:\Windows\System32\TuneUpDefragService_20091115-163405.dmp
[2009.08.28 21:54:04 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009.04.18 18:09:26 | 01,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2009.04.18 18:09:26 | 01,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2009.04.18 18:09:26 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2009.04.18 18:09:26 | 00,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2009.04.08 13:51:00 | 00,000,021 | ---- | C] () -- C:\Windows\DvInesKurusOleServer003.INI
[2009.02.11 22:00:42 | 00,000,074 | ---- | C] () -- C:\Windows\tm.ini
[2009.01.17 13:18:37 | 00,087,552 | ---- | C] () -- C:\Windows\System32\cpwmon2k.dll
[2008.09.14 13:00:43 | 00,210,944 | ---- | C] () -- C:\Windows\System32\MSVCRT10.DLL
[2008.04.09 14:47:35 | 00,000,027 | ---- | C] () -- C:\Windows\VIPZKA.INI
[2008.04.09 14:02:24 | 00,000,151 | ---- | C] () -- C:\Windows\ODBC.INI
[2008.04.09 13:51:45 | 00,014,616 | ---- | C] () -- C:\Windows\System32\skypdfmonpro.dll
[2008.04.09 13:51:45 | 00,012,568 | ---- | C] () -- C:\Windows\System32\skypdfmonuipro.dll
[2008.04.09 13:19:35 | 00,000,092 | ---- | C] () -- C:\Users\Hank\AppData\Local\fusioncache.dat
[2008.04.09 13:00:56 | 00,000,021 | ---- | C] () -- C:\Windows\DvInesKurusOleServer002.INI
[2008.04.09 12:57:30 | 00,000,103 | ---- | C] () -- C:\Windows\dvinesinstalllocation001.INI
[2008.04.09 12:57:28 | 00,000,103 | ---- | C] () -- C:\Windows\dvinesinstart001.INI
[2008.04.09 12:55:00 | 00,000,021 | ---- | C] () -- C:\Windows\Startup.INI
[2008.04.03 14:57:52 | 00,116,224 | ---- | C] () -- C:\Windows\System32\redmonnt.dll
[2008.03.21 07:57:08 | 00,054,784 | ---- | C] () -- C:\Users\Hank\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008.03.19 04:08:37 | 00,910,304 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2008.03.19 04:08:37 | 00,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1253.dll
[2008.03.19 04:08:35 | 00,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2008.03.19 04:08:34 | 00,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007.07.25 17:40:02 | 00,999,424 | ---- | C] () -- C:\Windows\System32\WLIHVUI.dll
[2006.11.03 18:25:56 | 00,389,120 | ---- | C] () -- C:\Windows\System32\btwhidcs.dll
[2006.11.02 13:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006.11.02 11:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006.11.02 08:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001.11.14 13:56:00 | 01,802,240 | ---- | C] () -- C:\Windows\System32\lcppn21.dll
[1999.01.19 14:18:30 | 00,110,080 | ---- | C] () -- C:\Windows\System32\LFPNG60N.DLL
[1999.01.19 14:18:30 | 00,046,080 | ---- | C] () -- C:\Windows\System32\LFTIF60N.DLL
[1999.01.19 14:18:30 | 00,043,008 | ---- | C] () -- C:\Windows\System32\LTFIL60N.DLL
[1999.01.19 14:18:30 | 00,020,480 | ---- | C] () -- C:\Windows\System32\LFPSD60N.DLL
[1999.01.19 14:18:30 | 00,019,968 | ---- | C] () -- C:\Windows\System32\LFTGA60N.DLL
[1999.01.19 14:18:30 | 00,019,456 | ---- | C] () -- C:\Windows\System32\LFWPG60N.DLL
[1999.01.19 14:18:30 | 00,019,456 | ---- | C] () -- C:\Windows\System32\LFWMF60N.DLL
[1999.01.19 14:18:28 | 00,176,128 | ---- | C] () -- C:\Windows\System32\LFFAX60N.DLL
[1999.01.19 14:18:28 | 00,141,824 | ---- | C] () -- C:\Windows\System32\LFCMP60N.DLL
[1999.01.19 14:18:28 | 00,023,552 | ---- | C] () -- C:\Windows\System32\LFPCX60N.DLL
[1999.01.19 14:18:28 | 00,022,528 | ---- | C] () -- C:\Windows\System32\LFPCT60N.DLL
[1999.01.19 14:18:28 | 00,022,528 | ---- | C] () -- C:\Windows\System32\LFEPS60N.DLL
[1999.01.19 14:18:28 | 00,022,016 | ---- | C] () -- C:\Windows\System32\LFBMP60N.DLL
[1999.01.19 14:18:28 | 00,018,432 | ---- | C] () -- C:\Windows\System32\LFMSP60N.DLL
[1999.01.19 14:18:28 | 00,017,920 | ---- | C] () -- C:\Windows\System32\LFMAC60N.DLL
[1995.02.14 23:11:00 | 00,017,920 | ---- | C] () -- C:\Windows\System32\IMPLODE.DLL
 
========== LOP Check ==========
 
[2009.09.27 10:45:18 | 00,000,000 | ---D | M] -- C:\Users\Hank\AppData\Roaming\Ashampoo Cover Studio 2
[2009.11.07 10:57:01 | 00,000,000 | ---D | M] -- C:\Users\Hank\AppData\Roaming\Audacity
[2008.08.03 09:59:03 | 00,000,000 | ---D | M] -- C:\Users\Hank\AppData\Roaming\CDBurnerXP_Soft
[2008.03.27 17:13:21 | 00,000,000 | ---D | M] -- C:\Users\Hank\AppData\Roaming\eBay
[2009.01.05 20:47:01 | 00,000,000 | ---D | M] -- C:\Users\Hank\AppData\Roaming\Nokia
[2009.10.25 05:03:11 | 00,000,000 | ---D | M] -- C:\Users\Hank\AppData\Roaming\PC Suite
[2008.03.26 16:05:44 | 00,000,000 | ---D | M] -- C:\Users\Hank\AppData\Roaming\TuneUp Software
[2008.10.05 16:13:19 | 00,000,000 | ---D | M] -- C:\Users\Hank\AppData\Roaming\Zylom
[2009.11.29 14:00:02 | 00,000,498 | ---- | M] () -- C:\Windows\Tasks\1-Klick-Wartung.job
[2009.11.29 11:55:32 | 00,032,534 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
 
< %SYSTEMDRIVE%\*.exe >
 
< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
 
< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2009.04.10 22:28:26 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2006.11.02 10:46:12 | 00,176,640 | ---- | M] (Microsoft Corporation) MD5=80E2839D05CA5970A86D7BE2A08BFF61 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll
[2008.01.19 08:36:19 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009.04.10 22:28:26 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll
 
< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2009.04.10 22:28:24 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2006.11.02 10:46:11 | 00,559,616 | ---- | M] (Microsoft Corporation) MD5=889A2C9F2AACCD8F64EF50AC0B3D553B -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll
[2008.01.19 08:35:36 | 00,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll
[2009.04.10 22:28:24 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll
 
< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >
[2006.11.02 10:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006.11.02 10:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll
 
< %SYSTEMDRIVE%\sceclt.dll /s /md5 >
 
< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >
 
< %SYSTEMDRIVE%\logevent.dll /s /md5 >
 
< %SYSTEMDRIVE%\iaStor.sys /s /md5 >
[2007.09.06 17:43:26 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Drivers\storage\R166200\iastor.sys
[2007.03.21 13:58:56 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Programme\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2007.03.21 13:59:30 | 00,381,720 | ---- | M] (Intel Corporation) MD5=9D7ED4275702E2FC409F2CC563245740 -- C:\Programme\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2007.09.06 17:43:26 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\drivers\iaStor.sys
[2007.09.06 17:43:26 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys
[2007.09.06 17:43:26 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys
 
< %SYSTEMDRIVE%\nvstor.sys /s /md5 >
[2006.11.02 10:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\drivers\nvstor.sys
[2008.01.19 08:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2006.11.02 10:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008.01.19 08:42:09 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys
 
< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2009.04.10 22:32:28 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2008.03.19 03:51:01 | 00,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5a9555b4\atapi.sys
[2008.03.19 04:07:57 | 00,021,688 | ---- | M] (Microsoft Corporation) MD5=61CA2C1E145809813C28752298CF9843 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_5da5d093\atapi.sys
[2008.03.21 08:59:45 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_64dfd8ea\atapi.sys
[2008.03.19 04:07:57 | 00,021,688 | ---- | M] (Microsoft Corporation) MD5=7EB55F6BEFB392BD312CD0CD5263305D -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_6c3af7d3\atapi.sys
[2008.03.21 08:59:46 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_7de13c21\atapi.sys
[2008.03.19 03:51:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_82339ef2\atapi.sys
[2009.04.10 22:32:28 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2006.11.02 10:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008.01.19 08:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008.03.19 03:51:50 | 00,021,688 | ---- | M] (Microsoft Corporation) MD5=3E39E69F31F95D056703212E94320899 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_e6b2949c\atapi.sys
[2008.03.19 03:51:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=A779CA2C76DA4FCB595E692C05E8E4EB -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16391_none_daf194c024ab5b06\atapi.sys
[2008.03.19 04:07:57 | 00,021,688 | ---- | M] (Microsoft Corporation) MD5=7EB55F6BEFB392BD312CD0CD5263305D -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16470_none_db063634249c06f4\atapi.sys
[2008.03.21 08:59:46 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=B35CFCEF838382AB6490B321C87EDF17 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.16632_none_db337a442479c42c\atapi.sys
[2008.03.19 03:51:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=5653737BAD8C6C10136451C195C19881 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20485_none_db8a029f3dbd443b\atapi.sys
[2008.03.19 03:51:01 | 00,021,688 | ---- | M] (Microsoft Corporation) MD5=9E7E85EC61D1C9C3171CC08427108863 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20509_none_dbe4850d3d78c736\atapi.sys
[2008.03.19 03:51:50 | 00,021,688 | ---- | M] (Microsoft Corporation) MD5=3E39E69F31F95D056703212E94320899 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20544_none_dbb443eb3d9db847\atapi.sys
[2008.03.19 04:07:57 | 00,021,688 | ---- | M] (Microsoft Corporation) MD5=61CA2C1E145809813C28752298CF9843 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20580_none_db8503133dc1c2af\atapi.sys
[2008.03.21 08:59:45 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=E03E8C99D15D0381E02743C36AFC7C6F -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6000.20757_none_dbac78a93da31a8b\atapi.sys
[2008.01.19 08:41:30 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2009.04.10 22:32:28 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys
 
< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >
 
< %SYSTEMDRIVE%\viasraid.sys /s /md5 >
 
< %SYSTEMDRIVE%\AGP440.sys /s /md5 >
[2008.03.19 03:51:04 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\System32\drivers\AGP440.sys
[2008.01.19 08:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2008.03.19 03:51:04 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_8ed06b47\AGP440.sys
[2006.11.02 10:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys
[2008.01.19 08:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008.03.19 03:51:04 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=8B10CE1C1F9F1D47E4DEB1A547A00CD4 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.16400_none_b82caac9c18a4e3b\AGP440.sys
[2008.03.19 03:51:04 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=BF34B4A0E0B64440C5389AA6B902F4AD -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6000.20496_none_b85af81edaeb8461\AGP440.sys
[2008.01.19 08:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008.01.19 08:42:25 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys
 
< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >
 
< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >
< End of report >


alex1009 29.11.2009 20:38

Code:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-29 20:35:04
Windows 6.0.6002 Service Pack 2
Running: i8s3dy6p.exe; Driver: C:\Users\Hank\AppData\Local\Temp\pwlyipoc.sys


---- System - GMER 1.0.15 ----

SSDT                                                                                                                                  82331134                                                                                                ZwCreateThread
SSDT                                                                                                                                  82331120                                                                                                ZwOpenProcess
SSDT                                                                                                                                  82331125                                                                                                ZwOpenThread
SSDT                                                                                                                                  8233112F                                                                                                ZwTerminateProcess
SSDT                                                                                                                                  \SystemRoot\system32\ntkrnlpa.exe  [85A34FEC] JMP 854D2FA7; \SystemRoot\system32\drivers\aksfridge.sys  ZwCreateKey [0x85A34FEC]
SSDT                                                                                                                                  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [85A34FEC]                                          ZwCreateKey [0x85A34FEC]
SSDT                                                                                                                                  \SystemRoot\system32\ntkrnlpa.exe  [85A34FF1] JMP 854CAAB9; \SystemRoot\system32\drivers\aksfridge.sys  ZwOpenKey [0x85A34FF1]
SSDT                                                                                                                                  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [85A34FF1]                                          ZwOpenKey [0x85A34FF1]

INT 0x03                                                                                                                              \SystemRoot\system32\ntkrnlpa.exe[unknown section]                                                      85A34FFB

---- Kernel code sections - GMER 1.0.15 ----

.text                                                                                                                                ntkrnlpa.exe!KeSetEvent + 1E9                                                                          85AE092C 3 Bytes  [EC, 4F, A3]
.text                                                                                                                                ntkrnlpa.exe!KeSetEvent + 221                                                                          85AE0964 4 Bytes  [34, 11, 33, 82]
.text                                                                                                                                ntkrnlpa.exe!KeSetEvent + 3DD                                                                          85AE0B20 3 Bytes  [F1, 4F, A3]
.text                                                                                                                                ntkrnlpa.exe!KeSetEvent + 3F1                                                                          85AE0B34 4 Bytes  [20, 11, 33, 82]
.text                                                                                                                                ntkrnlpa.exe!KeSetEvent + 40D                                                                          85AE0B50 4 Bytes  [25, 11, 33, 82]
.text                                                                                                                                ...                                                                                                   
.text                                                                                                                                C:\Windows\system32\drivers\aksfridge.sys                                                              section is writeable [0x8549B000, 0x48011, 0xE0000020]
.init                                                                                                                                C:\Windows\system32\drivers\aksfridge.sys                                                              entry point in ".init" section [0x854F0224]
.init                                                                                                                                C:\Windows\system32\drivers\aksfridge.sys                                                              unknown last code section [0x854F0000, 0x4000, 0xE20000E0]
.text                                                                                                                                C:\Windows\system32\drivers\hardlock.sys                                                                section is writeable [0x854F4400, 0x6E1B2, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x8557E220]  C:\Windows\system32\drivers\hardlock.sys                                                                entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0x8557E220]
.protectÿÿÿÿhardlockunknown last code section [0x8557E000, 0x50EA, 0xE0000020]                                                        C:\Windows\system32\drivers\hardlock.sys                                                                unknown last code section [0x8557E000, 0x50EA, 0xE0000020]

---- Devices - GMER 1.0.15 ----

Device                                                                                                                                \Driver\disk \Device\Harddisk0\DR0                                                                      aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice                                                                                                                        \FileSystem\fastfat \Fat                                                                                fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice                                                                                                                        \FileSystem\fastfat \Fat                                                                                fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg                                                                                                                                  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f3ae07a00                           
Reg                                                                                                                                  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f3ae07a00@00192d02a365                0x6A 0x97 0x35 0x4F ...
Reg                                                                                                                                  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001f3ae07a00 (not active ControlSet)       
Reg                                                                                                                                  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001f3ae07a00@00192d02a365                    0x6A 0x97 0x35 0x4F ...

---- EOF - GMER 1.0.15 ----

... hopefully I've done everything right now ...

Larusso 29.11.2009 20:46

During these scans:
  • all other scanners for viruses, spyware, etc. must be disabled,
  • there must be no connection to a network/Internet (don't forget WLAN),
  • nothing should be done on the computer,
  • the computer must be restarted after each scan.
Rootkit scan with RootRepeal
  • Go here, scroll down and download RootRepeal.zip.
  • Unpack the file to your desktop.
  • Double-click RootRepeal.exe to start the scanner.
  • Click the Report tab and then the Scan button.
  • Tick the following items and click Ok.
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Shadow SSDT
  • You will then be asked which drives should be scanned.
  • Select C:\ and click Ok again.
  • The scan starts automatically; it will take a while, please be patient.
  • When the scan is finished, click Save Report.
  • Save the log file as RootRepeal.txt on the desktop.
  • Paste its contents here in the thread.

alex1009 29.11.2009 20:48

Shouldn't I scan drive D? With GMER I scanned C and D too, was that wrong?
Regards Alexandra

alex1009 29.11.2009 20:52

Should I download RootRepeal.rar from that page?

Larusso 29.11.2009 20:53

No, but here C: is enough :)

Just do what the instructions say, then you're on the right track ;)

alex1009 29.11.2009 21:10

Quote:

Originally posted by alex1009 (Post 483938)
Should I download RootRepeal.rar from that page?

I can't find rootrepeal.zip, I only find rootrepeal.rar and that won't open! :-(

alex1009 29.11.2009 21:12

I've got it :-)))

alex1009 30.11.2009 06:58

Code:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:                2009/11/29 22:58
Program Version:                Version 1.3.5.0
Windows Version:                Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x8BB0D000        Size: 815104        File Visible: No        Signed: -
Status: -

Name: pwlyipoc.sys
Image Path: C:\Users\Hank\AppData\Local\Temp\pwlyipoc.sys
Address: 0xB3709000        Size: 91904        File Visible: No        Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xB372C000        Size: 49152        File Visible: No        Signed: -
Status: -

Hidden/Locked Files
-------------------
Processes
-------------------
Path: System
PID: 4        Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1256        Status: Locked to the Windows API!

SSDT
-------------------
#: 064        Function Name: NtCreateKey
Status: Hooked by "C:\Windows\system32\ntkrnlpa.exe" at address 0x85a34fec

#: 078        Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x82331134

#: 189        Function Name: NtOpenKey
Status: Hooked by "C:\Windows\system32\ntkrnlpa.exe" at address 0x85a34ff1

#: 194        Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x82331120

#: 201        Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x82331125

#: 334        Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8233112f

==EOF==

I got an error message
Could not read System registry! Please contact the author!
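The GMER and RootRepeal logs in this thread list the same SSDT hooks in two different formats: GMER names the Zw* stub and, where it can follow the JMP, the driver that owns the target code, while RootRepeal names the Nt* service and the image the address falls in, or "<unknown>". As an added example (not from the thread or from either tool's author), this Python script parses both formats from constructed excerpts carrying the thread's own addresses and joins them by service name, so that hooks one tool has resolved to a driver are separated from hooks neither tool attributes to a loaded image.

```python
"""Cross-check SSDT hook reports from GMER and RootRepeal by service name."""
from __future__ import annotations

import re
from typing import Optional

# Constructed excerpts in the format of the two logs posted in this thread
# (same service names and addresses; GMER's wide column padding collapsed).
GMER_SSDT = r"""
SSDT  82331134  ZwCreateThread
SSDT  82331120  ZwOpenProcess
SSDT  82331125  ZwOpenThread
SSDT  8233112F  ZwTerminateProcess
SSDT  \SystemRoot\system32\ntkrnlpa.exe  [85A34FEC] JMP 854D2FA7; \SystemRoot\system32\drivers\aksfridge.sys  ZwCreateKey [0x85A34FEC]
SSDT  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [85A34FEC]  ZwCreateKey [0x85A34FEC]
SSDT  \SystemRoot\system32\ntkrnlpa.exe  [85A34FF1] JMP 854CAAB9; \SystemRoot\system32\drivers\aksfridge.sys  ZwOpenKey [0x85A34FF1]
SSDT  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [85A34FF1]  ZwOpenKey [0x85A34FF1]
"""

ROOTREPEAL_SSDT = r"""
#: 064        Function Name: NtCreateKey
Status: Hooked by "C:\Windows\system32\ntkrnlpa.exe" at address 0x85a34fec

#: 078        Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x82331134

#: 189        Function Name: NtOpenKey
Status: Hooked by "C:\Windows\system32\ntkrnlpa.exe" at address 0x85a34ff1

#: 194        Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x82331120

#: 201        Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x82331125

#: 334        Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8233112f
"""

# GMER prints either "SSDT <addr> <Zw*>" or "SSDT <image> ... <Zw*> [0x<addr>]".
_GMER_SIMPLE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(Zw\w+)\s*$")
_GMER_FULL = re.compile(r"^SSDT\s+(\\[^\[\s]+).*?(Zw\w+)\s+\[0x([0-9A-Fa-f]{8})\]\s*$")
_GMER_JMP = re.compile(r"JMP\s+[0-9A-Fa-f]+;\s+(\S+)")
# RootRepeal prints a "#: nnn  Function Name:" line followed by a "Status:" line.
_RR_FUNC = re.compile(r"^#:\s*\d+\s+Function Name:\s*(\w+)")
_RR_STATUS = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address 0x([0-9A-Fa-f]+)')


def service_name(func: str) -> str:
    """Map GMER's Zw* stub names onto the Nt* service names RootRepeal prints."""
    return "Nt" + func[2:] if func.startswith("Zw") else func


def parse_gmer(text: str) -> dict[str, tuple[int, Optional[str]]]:
    """Return {service: (hook address, driver GMER resolved the JMP into or None)}."""
    hooks: dict[str, tuple[int, Optional[str]]] = {}
    for line in text.splitlines():
        if m := _GMER_SIMPLE.match(line):
            hooks.setdefault(service_name(m.group(2)), (int(m.group(1), 16), None))
        elif m := _GMER_FULL.match(line):
            svc, addr = service_name(m.group(2)), int(m.group(3), 16)
            jmp = _GMER_JMP.search(line)
            owner = jmp.group(1) if jmp else None
            # GMER repeats such hooks on two lines; keep the one naming the JMP target.
            if svc not in hooks or owner:
                hooks[svc] = (addr, owner)
    return hooks


def parse_rootrepeal(text: str) -> dict[str, tuple[int, str]]:
    """Return {service: (hook address, image RootRepeal attributes it to)}."""
    hooks: dict[str, tuple[int, str]] = {}
    svc: Optional[str] = None
    for line in text.splitlines():
        if m := _RR_FUNC.match(line):
            svc = m.group(1)
        elif (m := _RR_STATUS.match(line)) and svc:
            hooks[svc] = (int(m.group(2), 16), m.group(1))
            svc = None
    return hooks


def correlate(gmer: dict, rootrepeal: dict) -> list[tuple[str, int, str]]:
    """Join both reports by service and say how far each hook has been attributed."""
    rows = []
    for svc in sorted(set(gmer) | set(rootrepeal)):
        g, r = gmer.get(svc), rootrepeal.get(svc)
        addr = (g or r)[0]
        if g and r and g[0] != r[0]:
            verdict = "address mismatch between tools"
        elif g and g[1]:
            verdict = f"resolved to {g[1].rsplit(chr(92), 1)[-1]}"  # basename of driver
        elif r and r[1] != "<unknown>":
            verdict = f"in image {r[1]}"
        elif g is None or r is None:
            verdict = "seen by one tool only"
        else:
            verdict = "unattributed: no loaded image owns this address"
        rows.append((svc, addr, verdict))
    return rows


if __name__ == "__main__":
    for svc, addr, verdict in correlate(parse_gmer(GMER_SSDT), parse_rootrepeal(ROOTREPEAL_SSDT)):
        print(f"{svc:<20} 0x{addr:08X}  {verdict}")
```

Hooks reported as unattributed are the ones worth following up with a kernel module list, since an address no loaded image covers is either an unlisted module or a hidden one.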

