Trojaner-Board
Seite 2 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Log-Analyse und Auswertung (https://www.trojaner-board.de/log-analyse-auswertung/)
-   -   Mein Trojan.Generic 3580153 (https://www.trojaner-board.de/84947-trojan-generic-3580153-a.html)

Sion 18.04.2010 11:29
Hehe, hast Recht, war zu früh heute...

1. Hol dir RootRepeal .
Starte RootRepeal.
Beende alle anderen Programme, schalte AV-Wächter ab.
Gehe auf Report.
Klicke auf Scan.
Setze alle Häkchen.
Bestätige mit OK.
Poste das Log.

Sashlyrics 18.04.2010 11:58
Code:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:                2010/04/18 12:41
Program Version:                Version 1.3.5.0
Windows Version:                Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: klmdb.sys
Image Path: klmdb.sys
Address: 0xF7707000        Size: 31104        File Visible: No        Signed: -
Status: -

Name: PCI_PNP0260
Image Path: \Driver\PCI_PNP0260
Address: 0x00000000        Size: 0        File Visible: No        Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5D8A000        Size: 49152        File Visible: No        Signed: -
Status: -

Name: spgf.sys
Image Path: spgf.sys
Address: 0xF7293000        Size: 995328        File Visible: No        Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000        Size: 0        File Visible: No        Signed: -
Status: -

Name: tsk8F.tmp
Image Path: tsk8F.tmp
Address: 0xF71DE000        Size: 96512        File Visible: No        Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\cfqrufu.dll.bak
Status: Locked to the Windows API!

Path: c:\dokumente und einstellungen\sascha\anwendungsdaten\mozilla\firefox\profiles\kkokuipl.default\sessionstore.js
Status: Size mismatch (API: 100357, Raw: 100699)

Path: c:\dokumente und einstellungen\sascha\lokale einstellungen\anwendungsdaten\mozilla\firefox\profiles\kkokuipl.default\cache\_cache_001_
Status: Size mismatch (API: 2065923, Raw: 2065332)

SSDT
-------------------
#: 041        Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf74f787e

#: 071        Function Name: NtEnumerateKey
Status: Hooked by "spgf.sys" at address 0xf72acda4

#: 073        Function Name: NtEnumerateValueKey
Status: Hooked by "spgf.sys" at address 0xf72ad132

#: 119        Function Name: NtOpenKey
Status: Hooked by "spgf.sys" at address 0xf72940c0

#: 122        Function Name: NtOpenProcess
Status: Hooked by "C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xa6ec4c90

#: 128        Function Name: NtOpenThread
Status: Hooked by "C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xa6ec4d7e

#: 160        Function Name: NtQueryKey
Status: Hooked by "spgf.sys" at address 0xf72ad20a

#: 177        Function Name: NtQueryValueKey
Status: Hooked by "spgf.sys" at address 0xf72ad08a

#: 247        Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf74f7bfe

#: 257        Function Name: NtTerminateProcess
Status: Hooked by "C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xa6ec4bf4

#: 258        Function Name: NtTerminateThread
Status: Hooked by "C:\Programme\BitDefender\BitDefender 2009\bdselfpr.sys" at address 0xa6ec4ec4

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System        Address: 0x8a6031f8        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_CREATE]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_CLOSE]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_READ]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_WRITE]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_QUERY_INFORMATION]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_SET_INFORMATION]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_DIRECTORY_CONTROL]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_LOCK_CONTROL]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_CLEANUP]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: UdfsЅ౨瑎晦܂Èੈ, IRP_MJ_PNP]
Process: System        Address: 0x8a34e500        Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CREATE]
Process: System        Address: 0x89f381f8        Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_CLOSE]
Process: System        Address: 0x89f381f8        Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x89f381f8        Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x89f381f8        Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_POWER]
Process: System        Address: 0x89f381f8        Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x89f381f8        Size: 121

Object: Hidden Code [Driver: sys, IRP_MJ_PNP]
Process: System        Address: 0x89f381f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System        Address: 0x89f5e1f8        Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System        Address: 0x89f311f8        Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System        Address: 0x89f311f8        Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System        Address: 0x89f311f8        Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System        Address: 0x89f311f8        Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x89f311f8        Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x89f311f8        Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System        Address: 0x89f311f8        Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x89f311f8        Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System        Address: 0x89f311f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System        Address: 0x8a6041f8        Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System        Address: 0x8a3891f8        Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System        Address: 0x8a3891f8        Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a3891f8        Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a3891f8        Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System        Address: 0x8a3891f8        Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a3891f8        Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System        Address: 0x8a3891f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System        Address: 0x8a6751f8        Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System        Address: 0x89ec3500        Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System        Address: 0x89ec3500        Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x89ec3500        Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x89ec3500        Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System        Address: 0x89ec3500        Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System        Address: 0x89ec3500        Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System        Address: 0x89f431f8        Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System        Address: 0x89f431f8        Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x89f431f8        Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x89f431f8        Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System        Address: 0x89f431f8        Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x89f431f8        Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System        Address: 0x89f431f8        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System        Address: 0x89f2f500        Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System        Address: 0x89f2f500        Size: 121

==EOF==

Sion 18.04.2010 15:11
1. Hol dir Avenger
Entpacke Avenger auf den Desktop.
Starte Avenger.
Setze unten beide Häkchen.
Kopiere in das Skript-Feld rein:

Zitat:
files to delete:
C:\WINDOWS\system32\cfqrufu.dll.bak

drivers to delete:
klmdb
tsk8F
Klicke auf Execute
Neustart zulassen.
Nach dem Neustart sollte ein Log eingeblendet werden, poste es.

Sashlyrics 18.04.2010 15:33
Code:
Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not open file "C:\WINDOWS\system32\cfqrufu.dll.bak"
Deletion of file "C:\WINDOWS\system32\cfqrufu.dll.bak" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\klmdb" not found!
Deletion of driver "klmdb" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\tsk8F" not found!
Deletion of driver "tsk8F" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

Sion 18.04.2010 16:17
Heftiges Teil hast du dir da eingefangen...

Hilft wohl nichts, Combofix muss ran.

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Den Leitfaden genau beachten und befolgen, ComboFix versteht kein Spaß.
Poste anschließend das ComboFix-Log.

Sashlyrics 18.04.2010 18:18
Code:
ComboFix 10-04-17.07 - sascha 18.04.2010  18:38:30.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.49.1031.18.2046.1263 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\sascha\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.

((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\sascha\Lokale Einstellungen\Anwendungsdaten\FTFDHFHP\StartService.exe
c:\windows\eSellerateEngine.dll
c:\windows\system32\ActNAV_cltDynam.dat
c:\windows\system32\atiptaxx .exe
c:\windows\system32\cfqrufu.dll
c:\windows\system32\drivers\xliadnqr.sys
c:\windows\system32\drivers\zkstwsub.sys
c:\windows\system32\icdqctv.dll
c:\windows\system32\zcmpqciq.dll
D:\AUTORUN.INF

Infizierte Kopie von c:\windows\system32\drivers\ftdisk.sys wurde gefunden und desinfiziert
Kopie von - Kitty had a snack :p wurde wiederhergestellt
.
(((((((((((((((((((((((((((((((((((((((  Treiber/Dienste  )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JXHBWAMG
-------\Legacy_SSHNAS
-------\Legacy_ZKSTWSUB
-------\Service_jxhbwamg
-------\Service_zkstwsub


(((((((((((((((((((((((  Dateien erstellt von 2010-03-18 bis 2010-04-18  ))))))))))))))))))))))))))))))
.

2010-04-15 21:33 . 2010-04-15 21:33        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\Malwarebytes
2010-04-15 21:32 . 2010-03-29 13:24        38224        ----a-w-        c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-15 21:32 . 2010-04-15 21:32        --------        d-----w-        c:\programme\Malwarebytes' Anti-Malware
2010-04-15 21:32 . 2010-04-15 21:32        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-04-15 21:32 . 2010-03-29 13:24        20824        ----a-w-        c:\windows\system32\drivers\mbam.sys
2010-04-15 17:30 . 2010-04-15 17:30        --------        d-----w-        c:\programme\Trend Micro
2010-04-14 20:55 . 2010-04-14 17:14        15880        ----a-w-        c:\windows\system32\lsdelete.exe
2010-04-14 17:15 . 2010-02-04 15:53        64288        ----a-w-        c:\windows\system32\drivers\Lbd.sys
2010-04-14 17:14 . 2010-04-14 17:14        95024        ----a-w-        c:\windows\system32\drivers\SBREDrv.sys
2010-04-14 17:10 . 2010-04-14 17:10        --------        dc-h--w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-04-14 17:10 . 2010-04-14 17:14        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Lavasoft
2010-04-14 17:10 . 2010-04-14 17:10        --------        d-----w-        c:\programme\Lavasoft
2010-04-14 13:19 . 2010-04-14 13:19        --------        d-----w-        c:\programme\Enigma Software Group
2010-04-14 13:17 . 2010-04-15 17:20        --------        d-----w-        c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-14 13:16 . 2010-04-14 13:16        --------        d-----w-        c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2010-04-14 12:53 . 2010-04-18 16:56        --------        d-----w-        c:\dokumente und einstellungen\sascha\Lokale Einstellungen\Anwendungsdaten\FTFDHFHP
2010-04-12 16:46 . 2010-04-12 16:46        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\BitDefender
2010-04-11 17:44 . 2010-04-11 17:44        --------        d-----w-        c:\dokumente und einstellungen\NetworkService\Tracing
2010-04-11 17:36 . 2010-04-11 17:36        --------        d-----w-        c:\dokumente und einstellungen\sascha\Lokale Einstellungen\Anwendungsdaten\Symantec
2010-04-11 16:47 . 2010-04-11 21:10        --------        d-----w-        c:\programme\DAEMON Tools Pro
2010-04-11 16:47 . 2010-04-11 17:33        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\DAEMON Tools Pro
2010-04-11 16:47 . 2010-04-11 16:47        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\DAEMON Tools Pro
2010-04-11 13:55 . 2010-04-11 13:55        --------        d-----r-        c:\dokumente und einstellungen\NetworkService\Favoriten
2010-04-11 07:33 . 2010-04-11 17:05        654        ----a-w-        c:\windows\eReg.dat
2010-04-10 18:49 . 2010-04-10 18:49        --------        d-----w-        c:\programme\Intelore
2010-04-08 18:42 . 2010-04-08 18:42        --------        d-----w-        c:\programme\Ulead Systems
2010-04-07 15:41 . 2010-04-07 15:41        --------        d-----w-        c:\programme\Lavalys
2010-04-01 15:36 . 2010-04-01 15:36        --------        d-----w-        c:\programme\Microsoft WSE
2010-03-26 16:29 . 2010-03-29 18:08        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\Command and Conquer 4
2010-03-26 16:29 . 2010-03-26 16:29        --------        d-----w-        c:\dokumente und einstellungen\sascha\Lokale Einstellungen\Anwendungsdaten\Electronic_Arts_Inc
2010-03-26 14:15 . 2010-04-03 18:17        708624        ----a-w-        c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
2010-03-26 14:14 . 2010-03-26 14:17        --------        d-----w-        c:\windows\system32\XPSViewer
2010-03-26 14:13 . 2010-03-26 14:13        --------        d-----w-        c:\programme\Reference Assemblies
2010-03-21 08:55 . 2010-03-21 08:55        --------        d-----w-        c:\programme\ARM Software

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 16:54 . 2008-11-09 16:21        81984        ----a-w-        c:\windows\system32\bdod.bin
2010-04-17 21:51 . 2004-08-10 19:00        96512        ----a-w-        c:\windows\system32\drivers\atapi.sys
2010-04-15 22:02 . 2009-07-28 22:59        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\vlc
2010-04-15 16:38 . 2008-12-24 09:54        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Google Updater
2010-04-13 22:21 . 2010-01-23 16:25        --------        d-----w-        c:\programme\QuickTime
2010-04-13 05:20 . 2009-07-21 22:44        --------        d-----w-        c:\programme\iTunes
2010-04-12 21:55 . 2008-08-12 16:40        242184        ----a-w-        c:\windows\system32\drivers\bdfsfltr.sys
2010-04-12 21:55 . 2008-04-23 16:34        192512        ----a-w-        c:\windows\system32\txmlutil.dll
2010-04-12 21:55 . 2008-08-14 16:54        104456        ----a-w-        c:\windows\system32\drivers\bdfndisf.sys
2010-04-12 21:55 . 2008-08-12 16:40        111112        ----a-w-        c:\windows\system32\drivers\bdfm.sys
2010-04-12 21:55 . 2008-07-02 11:07        82696        ----a-w-        c:\windows\system32\drivers\BDVEDISK.sys
2010-04-12 21:26 . 2010-04-11 13:54        112        ----a-w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\vx1266MA.dat
2010-04-12 16:46 . 2009-01-14 14:19        --------        d-----w-        c:\programme\BitDefender
2010-04-12 16:45 . 2009-01-14 14:18        --------        d-----w-        c:\programme\Gemeinsame Dateien\BitDefender
2010-04-12 16:39 . 2010-02-04 19:06        --------        d-----w-        c:\programme\NortonInstaller
2010-04-12 16:39 . 2009-10-25 10:49        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Norton
2010-04-12 16:35 . 2008-11-27 21:35        --------        d-----w-        c:\programme\Gemeinsame Dateien\Symantec Shared
2010-04-11 20:27 . 2009-10-06 15:14        --------        d-----w-        c:\programme\Stylish Profile
2010-04-11 17:04 . 2008-11-16 20:40        --------        d-----w-        c:\programme\EA Sports
2010-04-11 16:47 . 2009-07-14 08:55        691696        ----a-w-        c:\windows\system32\drivers\sptd.sys
2010-04-08 21:26 . 2010-04-08 21:26        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\Ulead Systems
2010-04-08 21:26 . 2010-04-08 18:42        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Ulead Systems
2010-04-08 20:23 . 2008-11-09 13:01        85240        ----a-w-        c:\dokumente und einstellungen\sascha\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2010-04-08 19:22 . 2009-06-16 22:18        --------        d-----w-        c:\programme\Gemeinsame Dateien\DVDVideoSoft
2010-04-08 19:22 . 2009-06-16 22:18        --------        d-----w-        c:\programme\DVDVideoSoft
2010-04-08 18:49 . 2010-04-08 18:49        --------        d-----w-        c:\programme\Gemeinsame Dateien\SONY Digital Images
2010-04-08 18:49 . 2010-04-08 18:42        --------        d-----w-        c:\programme\Gemeinsame Dateien\Ulead Systems
2010-04-08 18:47 . 2008-11-09 13:03        --------        d--h--w-        c:\programme\InstallShield Installation Information
2010-04-08 18:47 . 2010-04-08 18:47        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\SmartSound Software Inc
2010-04-08 18:47 . 2010-04-08 18:47        --------        d-----w-        c:\programme\SmartSound Software
2010-04-08 18:45 . 2010-04-08 18:45        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\QuickTime
2010-04-08 18:44 . 2010-04-08 18:44        --------        d-----w-        c:\programme\Windows Media-Komponenten
2010-04-01 15:08 . 2008-11-16 21:13        --------        d-----w-        c:\programme\Electronic Arts
2010-03-28 07:14 . 2004-08-10 19:00        85836        ----a-w-        c:\windows\system32\perfc007.dat
2010-03-28 07:14 . 2004-08-10 19:00        462938        ----a-w-        c:\windows\system32\perfh007.dat
2010-03-26 14:14 . 2008-11-09 13:18        --------        d-----w-        c:\programme\MSBuild
2010-03-19 19:41 . 2009-06-23 08:09        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\gtk-2.0
2010-03-18 22:56 . 2009-07-07 20:09        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\Skype
2010-03-18 15:06 . 2009-07-07 20:18        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\skypePM
2010-03-15 11:28 . 2010-03-15 11:28        --------        d-----w-        c:\programme\dehmer
2010-03-13 20:40 . 2010-01-30 21:22        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\Facebook
2010-02-25 13:05 . 2010-02-25 13:05        58204        ---ha-w-        c:\windows\system32\mlfcache.dat
2010-02-24 15:38 . 2009-03-28 12:18        --------        d-----w-        c:\dokumente und einstellungen\sascha\Anwendungsdaten\Move Networks
2010-02-18 18:13 . 2008-11-27 21:35        --------        d-----w-        c:\programme\Norton Security Scan
2010-02-18 18:12 . 2010-02-18 18:12        --------        d-----w-        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Symantec
2010-01-24 13:57 . 2010-01-24 13:47        132        ----a-w-        c:\windows\system32\rezumatenoi.dat
2010-04-12 21:55 . 2008-08-13 17:02        65536        ----a-w-        c:\programme\mozilla firefox\components\FFComm.dll
.

       
Code:

       
<pre>
c:\programme\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\programme\Alcohol Soft\Alcohol 120\axcmd .exe
c:\programme\ANI\ANIWZCS2 Service\WZCSLDR2 .exe
c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\programme\D-Link\AirPlus G\AirGCFG .exe
c:\programme\DAEMON Tools Pro\DTProAgent .exe
c:\windows\ehome\ehtray .exe
</pre>

((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"AlcoholAutomount"="c:\programme\Alcohol Soft\Alcohol 120\axcmd.exe" [N/A]
"EA Core"="c:\programme\Electronic Arts\EADM\Core.exe" [N/A]
"CursorFX"="c:\programme\Stardock\CursorFX\CursorFX.exe" [N/A]
"StartServiceFTFDHFHP"="c:\dokumente und einstellungen\sascha\Lokale Einstellungen\Anwendungsdaten\FTFDHFHP\StartService.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\programme\QuickTime\qttask    .exe -atboottime" [X]
"ccApp"="-" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 16264192]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ANIWZCS2Service"="c:\programme\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [N/A]
"StartCCC"="c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [N/A]
"Sony Ericsson PC Suite"="c:\programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [N/A]
"AtiPTA"="atiptaxx.exe" [N/A]
"ISUSPM Startup"="c:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe" [N/A]
"ISUSScheduler"="c:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [N/A]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [N/A]
"BDAgent"="c:\programme\BitDefender\BitDefender 2009\bdagent.exe" [2010-04-12 782336]
"BitDefender Antiphishing Helper"="c:\programme\BitDefender\BitDefender 2009\IEShow.exe" [2010-04-12 69632]
"StartServiceFTFDHFHP"="c:\dokumente und einstellungen\sascha\Lokale Einstellungen\Anwendungsdaten\FTFDHFHP\StartService.exe" [N/A]
"SpyHunter Security Suite"="c:\programme\Enigma Software Group\SpyHunter\SpyHunter4.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"msnmsgr"="c:\programme\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883840]

c:\dokumente und einstellungen\sascha\Startmen\Programme\Autostart\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\programme\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\dokumente und einstellungen\sascha\Startmen\Programme\Autostart\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\programme\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\dokumente und einstellungen\sascha\Startmen\Programme\Autostart\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\programme\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

c:\dokumente und einstellungen\sascha\Startmen\Programme\Autostart\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\programme\Microsoft Office\Office12\ONENOTEM.EXE [2007-8-24 101784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Programme\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Messenger\\msmsgs.exe"=
"c:\\Programme\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programme\\SopCast\\SopCast.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programme\\EA Sports\\FIFA 09\\FIFA09.exe"=
"c:\\Programme\\ICQ6.5\\ICQ.exe"=
"c:\\Programme\\TmNationsForever\\TmForever.exe"=
"c:\\Programme\\StreamTorrent 1.0\\StreamTorrent.exe"=
"c:\\Programme\\EA Sports\\FIFA 10\\FIFA10.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Programme\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14.04.2010 19:15 64288]
R1 atitray;atitray;c:\programme\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [27.01.2009 23:04 17952]
R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [09.11.2008 14:59 11970]
R2 BDVEDISK;BDVEDISK;c:\programme\BitDefender\BitDefender 2009\BDVEDISK.sys [02.07.2008 13:07 82696]
R2 ICQ Service;ICQ Service;c:\programme\ICQ6Toolbar\ICQ Service.exe [09.11.2008 22:20 222968]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programme\Lavasoft\Ad-Aware\AAWService.exe [04.02.2010 17:52 1265264]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [12.08.2008 18:40 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [14.08.2008 18:54 104456]
R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [09.11.2008 14:58 207424]
R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [09.11.2008 14:58 299843]
R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [09.11.2008 14:58 148545]
R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [09.11.2008 14:58 497216]
R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [09.11.2008 14:58 23104]
S2 .1226230772;1226230772;c:\programme\1226230772\sash1226230772L.exe --> c:\programme\1226230772\sash1226230772L.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\programme\Google\Update\GoogleUpdate.exe [06.01.2010 07:02 135664]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE --> c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [?]
S3 Arrakis3;BitDefender Arrakis Server;c:\programme\Gemeinsame Dateien\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [17.07.2008 13:06 118784]
S3 esgiguard;esgiguard;\??\c:\programme\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\programme\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14.07.2009 10:55 691696]

--- Andere Dienste/Treiber im Speicher ---

*NewlyCreated* - ZKSTWSUB
*Deregistered* - zkstwsub

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc        REG_MULTI_SZ          vvdsvc
getPlusHelper        REG_MULTI_SZ          getPlusHelper
bdx        REG_MULTI_SZ          scan
.
Inhalt des "geplante Tasks" Ordners

2010-04-18 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 17:14]

2010-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2010-04-18 c:\windows\Tasks\Google Software Updater.job
- c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-24 19:59]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\programme\Google\Update\GoogleUpdate.exe [2010-01-06 05:02]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\programme\Google\Update\GoogleUpdate.exe [2010-01-06 05:02]

2010-04-18 c:\windows\Tasks\Norton Security Scan for sascha.job
- c:\programme\Norton Security Scan\Norton Security Scan\Engine\2.3.0.44\Nss.exe [2010-02-18 15:45]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://facebook.com/
uDefault_Search_URL = hxxp://www.Google.com
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.Google.com/
uCustomizeSearch = hxxp://www.Google.com/
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{14CD42DD-ABCD-3586-DCAB-40E3693E3737} - c:\programme\Stylish Profile\ct.htm
TCP: {9A86B0AF-47F0-44D5-BD21-C76CF655C07C} = 195.3.96.67,195.3.96.68
FF - ProfilePath - c:\dokumente und einstellungen\sascha\Anwendungsdaten\Mozilla\Firefox\Profiles\kkokuipl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search13.net/search.php?clid=486&q=
FF - prefs.js: browser.search.selectedEngine - Google (Language: DE)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/ig
FF - component: c:\dokumente und einstellungen\sascha\Anwendungsdaten\Mozilla\Firefox\Profiles\kkokuipl.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\dokumente und einstellungen\sascha\Anwendungsdaten\Mozilla\Firefox\Profiles\kkokuipl.default\extensions\{D249FD00-4DF9-11D9-9FDC-0080481ADA61}\components\mpint.dll
FF - component: c:\programme\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\dokumente und einstellungen\sascha\Anwendungsdaten\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\dokumente und einstellungen\sascha\Anwendungsdaten\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\dokumente und einstellungen\sascha\Anwendungsdaten\Mozilla\Firefox\Profiles\kkokuipl.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
FF - plugin: c:\programme\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\programme\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\programme\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\programme\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programme\Veetle\Player\npvlc.dll
FF - plugin: c:\programme\Veetle\plugins\npVeetle.dll
FF - plugin: c:\programme\Veetle\VLCBroadcast\npvbp.dll
FF - plugin: c:\programme\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

ShellIconOverlayIdentifiers-{F754FF01-84BC-40F7-B262-A66BCD5D133C} - (no file)
Notify-avldr - avldr.dll
SafeBoot-klmdb.sys
AddRemove-Folder Access 2.1 Free Version - c:\progra~1\FOLDER~1\UNWISE.EXE
AddRemove-2kv4.8.442 - c:\windows\Radeon Omega Drivers v4.8.442



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-04-18 18:57
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1336601894-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:9e,da,68,04,2a,aa,00,2d,a7,c3,65,0e,bf,59,51,6c,d6,ee,4d,b5,7d,c5,0c,
  58,7e,a1,f3,bf,70,1d,32,73,fc,4d,83,97,8b,7b,ed,19,17,22,93,13,62,56,23,87,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d

[HKEY_USERS\S-1-5-21-1078081533-1336601894-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:7d,30,e4,c3,ec,86,eb,2e,49,74,84,1b,9c,e9,31,bb,ac,bc,f0,39,8a,
  64,6e,01,f5,78,16,4b,cb,10,78,e9,5a,63,55,ef,76,98,9b,3a,00,ff,da,d6,db,3e,\
"rkeysecu"=hex:8a,f1,f7,a2,18,44,48,13,dc,f6,7a,eb,4e,ef,e2,f8
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(1440)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2368)
c:\programme\iTunes\iTunesMiniPlayer.dll
c:\programme\iTunes\iTunesMiniPlayer.Resources\de.lproj\iTunesMiniPlayerLocalized.dll
c:\programme\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\programme\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\programme\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\mdm.exe
c:\programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\wscntfy.exe
c:\programme\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-04-18  19:12:15 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2010-04-18 17:12

Vor Suchlauf: 17 Verzeichnis(se), 22.341.484.544 Bytes frei
Nach Suchlauf: 20 Verzeichnis(se), 24.745.275.392 Bytes frei

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - AFB590280F7AA41CFBFA3F3504A964BF

Sion 18.04.2010 19:24
Auf Kitty ist Verlass.

1. Mach einen erneuten Suchlauf mit Malwarebytes. Denk ans Updaten.

2. Versuche einen erneuten Suchlauf mit Gmer. Sollte jetzt gehen. Lösche aber erst die alte Gmer-Datei und hol dir eine "frische".

Sashlyrics 19.04.2010 17:35
Kann man das irgendwie einstellen dass GMER nicht automatisch nach dem Scan neustartet? Hab jetzt schon mehrfach mit gmer gescannt aber nicht alle ~3 Stunden abwarten können um wirklich den kompletten Log zu kopieren.

Hier mal Malware Log von gestern Abend:

Code:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Datenbank Version: 4005

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

18.04.2010 22:10:25
ambam-log-2010-04-18 (22-10-25).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|)
Durchsuchte Objekte: 292436
Laufzeit: 1 Stunde(n), 28 Minute(n), 20 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 6

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Dokumente und Einstellungen\sascha\Eigene Dateien\TigerWoods PGA08\tw08\kaplan.odun\Tiger Woods PGA Tour 08\CRACK&SERIAL\keygen.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\sascha\Eigene Dateien\E2004\UEFA EURO 2004\crack\EA Keygen.exe (Trojan.Orsam) -> No action taken.
C:\Dokumente und Einstellungen\sascha\Eigene Dateien\KW.DotNXT\KW\EA Games Generic Keygen 190.exe (Trojan.Orsam) -> No action taken.
C:\Programme\Gemeinsame Dateien\DVDVideoSoft\unins000.exe (Rogue.Installer) -> No action taken.
C:\Programme\DVDVideoSoft\Free YouTube Download\unins000.exe (Rogue.Installer) -> No action taken.
C:\System Volume Information\_restore{8E7F6492-B30F-4E74-BE00-F624172B868A}\RP6\A0012028.sys (Rootkit.Agent) -> No action taken.

Sion 19.04.2010 18:48
Zitat:
C:\Dokumente und Einstellungen\sascha\Eigene Dateien\TigerWoods PGA08\tw08\kaplan.odun\Tiger Woods PGA Tour 08\CRACK&SERIAL\keygen.exe (Trojan.Downloader) -> No action taken.
C:\Dokumente und Einstellungen\sascha\Eigene Dateien\E2004\UEFA EURO 2004\crack\EA Keygen.exe (Trojan.Orsam) -> No action taken.
C:\Dokumente und Einstellungen\sascha\Eigene Dateien\KW.DotNXT\KW\EA Games Generic Keygen 190.exe (Trojan.Orsam) -> No action taken.
Cracks, Keygens und so weiter sind illegal und werden hier nicht bereinigt. Weiter gehts mit:

http://www.trojaner-board.de/51262-a...sicherung.html

Du solltest in der Zukunft von der Benutzung solcher Sachen absehen - die sind nicht nur illegal, sondern auch in den meisten Fällen verseucht.

Ich bin weg.

Sashlyrics 19.04.2010 19:06
ok danke dennoch.


Alle Zeitangaben in WEZ +1. Es ist jetzt 12:39 Uhr.
Seite 2 von 2 1 2
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132