Trojaner-Board


Gewissen 09.08.2011 21:17

Check after incidents
 
Dear forum users,

For about 1 1/2 weeks I have been experiencing various events on this computer that simply unsettle me.
It began with something beeping regularly inside the computer. Otherwise it was no bother, as long as it did not sporadically freeze the PC for about 1-4 min. I list this mostly for the sake of chronology, though.
Another point in the chronology was a blue screen at login, in which storport.sys was named as the fault.
System note: Windows Vista Home Premium 32-bit SP2, 4 GB RAM
A Google search said that this problem (occurs with RAM > 3 GB)
had already been solved by SP1.
The third incident (today, 09.08.2011) is what finally moved me to come to this forum after all:
Out of nowhere a drive (G:) opened that did not exist before,
and Windows wanted to know how it should be opened (as when a USB stick is plugged in). I closed the window but had a look at the contents of the drive: 121 items (120 folders), with information about hardware. I do not know what ordered this action, but the virus scanner (Kaspersky) cannot find anything special in it.
Screenshots are attached (compressed as far as possible).
However, the drive disappeared after half an hour or an hour, but reappeared hours later (at 21:06).
Same pattern/content.
I have created the required log files and hope that someone will look at them, at least to provide certainty as far as a virus is concerned.

Thanks in advance,
Gewissen

cosinus 10.08.2011 14:57

Hello and welcome!

Please run a full scan with Malwarebytes as a matter of routine and post the log.
Remember that Malwarebytes has to be updated manually before every scan!

If logs from older Malwarebytes scans exist, please post all of those too!

Gewissen 11.08.2011 11:22

Thanks for the welcome.

Here is the log file:
Quote:

Datenbank Version: 7428

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

10.08.2011 23:13:31
mbam-log-2011-08-10 (23-13-31).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|F:\|)
Durchsuchte Objekte: 601839
Laufzeit: 1 Stunde(n), 39 Minute(n), 16 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
Looks empty...

cosinus 11.08.2011 13:36

Are there any further Malwarebytes logs? If so, please post all of them that are visible in the Logs tab in Malwarebytes.

Gewissen 11.08.2011 16:09

Actually I have only had Malwarebytes since your post, and I was hoping more for the scan, since I have another virus scanner as well and do not know to what extent they overlap/complement each other. That is why the 2 protection logs from the same day contain only the program start and the updates.

Quote:

21:32:44 **** MESSAGE Protection started successfully
21:32:50 **** MESSAGE IP Protection started successfully
21:33:41 **** ERROR Scheduled update failed: No address found failed with error code 11004
23:58:03 **** MESSAGE IP Protection stopped
23:58:09 **** MESSAGE IP Protection started successfully
Second log file, in which all entries are from 17:00 today onwards.
Quote:

15:18:48 **** MESSAGE Scheduled update executed successfully
17:00:15 **** MESSAGE Protection started successfully
17:00:23 **** MESSAGE IP Protection started successfully
17:00:25 **** MESSAGE IP Protection stopped
17:00:29 **** MESSAGE Database updated successfully
17:00:34 **** MESSAGE IP Protection started successfully

cosinus 11.08.2011 20:33

Please also run ESET; after that we will see:


ESET Online Scanner

  • Here you will find an illustrated guide to ESET Online Scanner
  • Download and start Eset Online Scanner
  • Tick "Yes, I accept the Terms of Use" and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan starts automatically.
  • At the end of the scan, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the log file here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset


Gewissen 12.08.2011 20:58

After almost 5 hours...

Quote:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=b9fd04c86c57a64f8d6db517f993cabe
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-12 02:54:28
# local_time=2011-08-12 04:54:28 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1280 16777215 100 0 8238957 8238957 0 0
# compatibility_mode=5892 16776573 100 100 20950 150693433 0 0
# compatibility_mode=8192 67108863 100 0 187 187 0 0
# scanned=46
# found=0
# cleaned=0
# scan_time=163
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=b9fd04c86c57a64f8d6db517f993cabe
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-08-12 07:55:49
# local_time=2011-08-12 09:55:49 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1280 16777215 100 0 8239342 8239342 0 0
# compatibility_mode=5892 16776573 100 100 21335 150693818 0 0
# compatibility_mode=8192 67108863 100 0 572 572 0 0
# scanned=433962
# found=6
# cleaned=0
# scan_time=17859
C:\Users\****\AppData\Roaming\Auslogics\Rescue\Boost Speed\110704193301591.rsc Win32/RegistryBooster application (unable to clean) 00000000000000000000000000000000 I
C:\Users\****\AppData\Roaming\OpenCandy\OpenCandy_3880F41DFC234CC487DB0C18C5CDE198\PPIRegistryReviverSetup_silent.exe a variant of Win32/SlowPCfighter application (unable to clean) 00000000000000000000000000000000 I
C:\Users\****\AppData\Roaming\OpenCandy\OpenCandy_3880F41DFC234CC487DB0C18C5CDE198\PPIRegRevSilent_p2v1.exe a variant of Win32/SlowPCfighter application (unable to clean) 00000000000000000000000000000000 I
F:\Program Files (x86)\Avanquest\Fix-It\W32Int13.dll a variant of Win32/Kryptik.FNT trojan (unable to clean) 00000000000000000000000000000000 I
F:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS5158974E2D28401893357694C2974746_10_3_24_1.MSI a variant of Win32/Kryptik.FNT trojan (unable to clean) 00000000000000000000000000000000 I
F:\Windows\Installer\977f5a.msi a variant of Win32/Kryptik.FNT trojan (unable to clean) 00000000000000000000000000000000 I
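The ESET log just posted has a regular layout that a helper otherwise reads by eye. As an added example (not ESET's or the forum's own code), the Python below splits such a log into runs, header values and detections, separating "application" (PUA) hits from trojans and counting what stayed uncleaned; the embedded SAMPLE_LOG is constructed to mirror the format, with placeholder paths and names.

```python
"""Parse ESET Online Scanner log.txt into scan runs (added example, not ESET code).
Format as in the log posted above: a run starts with the downloader line, then
"# key=value" headers, then one detection per line:
    <path> <threat name> (<action result>) <md5> <flag>
SAMPLE_LOG is constructed; its paths and most threat names are placeholders.
"""
import re
from dataclasses import dataclass, field

RUN_START = "ESETSmartInstaller@High as downloader log:"
CATEGORIES = ("application", "trojan", "virus", "worm", "adware", "backdoor")

# Rigid tail "(result) <32 hex> <flag>"; the front "<path> <threat>" is split by
# THREAT_RE afterwards, because paths may contain spaces and "(x86)".
LINE_RE = re.compile(
    r"^(?P<front>.+?)\s+\((?P<result>[^()]*)\)\s+(?P<md5>[0-9a-fA-F]{32})\s+(?P<flag>\S+)$")
THREAT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>(?:(?:probably |possibly )?a variant of )?\S+\s+(?:%s))$"
    % "|".join(CATEGORIES))


@dataclass
class Detection:
    path: str
    threat: str
    category: str  # last word of the threat name; "application" means PUA
    result: str    # "unable to clean", "deleted", ...
    md5: str
    flag: str

    @property
    def cleaned(self) -> bool:
        return not self.result.startswith("unable to clean")


@dataclass
class ScanRun:
    headers: dict = field(default_factory=dict)  # key -> [values]; compatibility_mode repeats
    errors: list = field(default_factory=list)    # unparsed lines, e.g. esets_scanner_update
    detections: list = field(default_factory=list)


def parse_eset_log(text: str) -> list:
    runs, run = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == RUN_START:
            run = ScanRun()
            runs.append(run)
            continue
        if run is None:  # stray text before the first run
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            run.headers.setdefault(key, []).append(value)
            continue
        m = LINE_RE.match(line)
        t = THREAT_RE.match(m.group("front")) if m else None
        if t:
            threat = t.group("threat")
            run.detections.append(Detection(t.group("path"), threat, threat.rsplit(" ", 1)[1],
                                            m.group("result"), m.group("md5"), m.group("flag")))
        elif line != "all ok":
            run.errors.append(line)
    return runs


def summarize(run: ScanRun) -> dict:
    """Triage figures a helper reads first: did the run finish, how much was
    scanned, how many hits are PUA vs. real malware, how many stayed uncleaned."""
    def header(key: str, default: str) -> str:
        vals = run.headers.get(key)
        return vals[-1] if vals else default
    return {
        "finished": header("end", "") == "finished",
        "scanned": int(header("scanned", "0")),
        "found": int(header("found", "0")),
        "pua": sum(d.category == "application" for d in run.detections),
        "malware": sum(d.category != "application" for d in run.detections),
        "uncleaned": sum(not d.cleaned for d in run.detections),
        "drives": sorted({d.path[0].upper() for d in run.detections}),
    }


# Constructed sample: an aborted run followed by a full run, like the log above.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# end=stopped
# scanned=46
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# end=finished
# compatibility_mode=1280 16777215 100 0 1 1 0 0
# compatibility_mode=5892 16776573 100 100 2 2 0 0
# scanned=433962
# found=3
C:\Users\user\AppData\Roaming\Example Tool\setup_silent.exe a variant of Win32/ExamplePUA application (unable to clean) 00000000000000000000000000000000 I
F:\Program Files (x86)\Vendor\Fix-It\sample.dll a variant of Win32/Kryptik.FNT trojan (unable to clean) 00000000000000000000000000000000 I
F:\Windows\Installer\abc123.msi Win32/ExampleTrojan trojan (deleted) 00000000000000000000000000000000 I
"""
```

Calling `summarize()` on each run of `parse_eset_log(SAMPLE_LOG)` shows the aborted first run (46 objects, not finished) next to the full run with one PUA and two trojans, two of them uncleaned.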

cosinus 12.08.2011 22:11

Then please run CF now:

ComboFix

A guide and tutorial on using ComboFix
  • Close all programs, above all your antivirus program and other background guards as well as your internet browser.
  • Start cofi.exe from your desktop, confirm the warnings, perform the updates (if offered), install the Recovery Console (if offered) and let it scan your system.
    Also avoid using the mouse and keyboard while ComboFix is running.
  • Afterwards a combofix.txt opens automatically; please copy its content ([Ctrl]a, [Ctrl]c) and paste it into your post ([Ctrl]v). You can also find the file at: C:\ComboFix.txt.
Important note:
ComboFix may only be run when a qualified helper has expressly recommended it!
It should never be run on one's own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.

Gewissen 13.08.2011 12:35

The log.txt:

Combofix Logfile:
Code:

ComboFix 11-08-13.01 - **** 13.08.2011  13:15:08.1.2 - x86
Microsoft® Windows Vista™ Home Premium  6.0.6002.2.1252.49.1031.18.3582.2438 [GMT 2:00]
ausgeführt von:: c:\users\****\Downloads\ComboFix.exe
AV: Kaspersky Security Suite CBE 11 *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Security Suite CBE 11 *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Security Suite CBE 11 *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((  Weitere Löschungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Autorun.inf
C:\downloader.exe
C:\readme.txt
C:\setup.exe
c:\windows\IsUn0407.exe
c:\windows\system32\Cache
c:\windows\system32\logs
.
.
(((((((((((((((((((((((  Dateien erstellt von 2011-07-13 bis 2011-08-13  ))))))))))))))))))))))))))))))
.
.
2011-08-13 11:24 . 2011-08-13 11:24        --------        d-----w-        c:\users\****\AppData\Local\temp
2011-08-12 14:48 . 2011-08-12 14:48        --------        d-----w-        c:\program files\ESET
2011-08-12 09:02 . 2011-07-13 03:39        6881616        ----a-w-        c:\programdata\Microsoft\Windows Defender\Definition Updates\{290E5EF8-8B85-4D93-8836-F32D456F169D}\mpengine.dll
2011-08-11 10:48 . 2011-08-11 10:48        --------        d-----w-        c:\programdata\Tages
2011-08-11 10:44 . 2011-08-11 10:44        281760        ----a-w-        c:\windows\system32\drivers\atksgt.sys
2011-08-11 10:44 . 2011-08-11 10:44        25888        ----a-w-        c:\windows\system32\drivers\lirsgt.sys
2011-08-11 08:29 . 2011-07-06 15:31        214016        ----a-w-        c:\windows\system32\drivers\mrxsmb10.sys
2011-08-11 08:29 . 2011-06-17 16:03        375808        ----a-w-        c:\windows\system32\winsrv.dll
2011-08-11 08:29 . 2011-06-06 10:59        2409784        ----a-w-        c:\program files\Windows Mail\OESpamFilter.dat
2011-08-11 08:29 . 2011-06-20 08:54        3602832        ----a-w-        c:\windows\system32\ntkrnlpa.exe
2011-08-11 08:29 . 2011-06-20 08:54        3550096        ----a-w-        c:\windows\system32\ntoskrnl.exe
2011-08-11 08:29 . 2011-06-17 20:13        905104        ----a-w-        c:\windows\system32\drivers\tcpip.sys
2011-08-10 19:00 . 2011-08-10 19:00        --------        d-----w-        c:\users\****\AppData\Roaming\Malwarebytes
2011-08-10 19:00 . 2011-07-06 17:52        41272        ----a-w-        c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-10 19:00 . 2011-08-10 19:00        --------        d-----w-        c:\programdata\Malwarebytes
2011-08-10 19:00 . 2011-08-10 19:00        --------        d-----w-        c:\program files\Malwarebytes' Anti-Malware
2011-08-10 19:00 . 2011-07-06 17:52        22712        ----a-w-        c:\windows\system32\drivers\mbam.sys
2011-08-10 14:18 . 2011-08-10 14:18        22328        ----a-w-        c:\windows\system32\drivers\PnkBstrK.sys
2011-08-10 14:18 . 2011-08-10 14:18        22328        ----a-w-        c:\users\****\AppData\Roaming\PnkBstrK.sys
2011-08-10 14:18 . 2011-08-10 14:18        103736        ----a-w-        c:\windows\system32\PnkBstrB.exe
2011-08-10 14:18 . 2011-08-10 14:18        66872        ----a-w-        c:\windows\system32\PnkBstrA.exe
2011-08-10 14:18 . 2011-08-10 14:18        669184        ----a-w-        c:\windows\system32\pbsvc.exe
2011-08-10 14:17 . 2011-08-10 14:40        --------        d-----w-        c:\programdata\Media Center Programs
2011-08-10 14:06 . 2011-08-10 14:06        --------        d-----w-        c:\program files\Electronic Arts
2011-08-10 09:44 . 2011-08-10 09:44        --------        d-----w-        c:\program files\Opticon
2011-08-06 19:53 . 2011-08-06 19:53        --------        d-----w-        c:\program files\SimCity4 StartupManager
2011-08-04 14:08 . 2011-08-04 15:19        --------        d-----w-        c:\programdata\SecTaskMan
2011-08-03 18:45 . 2011-08-03 18:45        --------        d-----w-        c:\program files\Lionhead Studios Ltd
2011-07-30 00:45 . 2011-07-30 01:45        --------        d-----w-        c:\users\****\AppData\Roaming\Skype
2011-07-30 00:45 . 2011-07-30 00:45        --------        d-----r-        c:\program files\Skype
2011-07-30 00:45 . 2011-07-30 00:45        --------        d-----w-        c:\programdata\Skype
2011-07-17 08:46 . 2011-07-21 12:29        --------        d-----w-        c:\program files\GfK Internet-Monitor
2011-07-14 13:40 . 2011-07-14 13:40        --------        d-----w-        c:\program files\Maxis
.
.
.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-10 14:40 . 2010-07-08 14:02        107888        ----a-w-        c:\windows\system32\CmdLineExt.dll
2011-06-24 14:20 . 2011-05-19 13:46        404640        ----a-w-        c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 17:53 . 2011-06-02 17:53        94208        ----a-w-        c:\windows\system32\dpl100.dll
2011-06-02 13:34 . 2011-07-13 12:05        2043392        ----a-w-        c:\windows\system32\win32k.sys
2011-05-25 07:24 . 2011-06-10 20:12        615528        ----a-w-        c:\windows\system32\nvvsvc.exe
2011-05-25 07:24 . 2011-06-10 20:12        2560616        ----a-w-        c:\windows\system32\nvsvcr.dll
2011-05-25 07:24 . 2011-06-10 20:12        2557544        ----a-w-        c:\windows\system32\nvsvc.dll
2011-05-25 07:24 . 2011-06-10 20:12        66664        ----a-w-        c:\windows\system32\nvshext.dll
2011-05-25 07:24 . 2011-06-10 20:12        111208        ----a-w-        c:\windows\system32\nvmctray.dll
2011-05-25 07:24 . 2011-06-10 20:12        3693672        ----a-w-        c:\windows\system32\nvcpl.dll
2011-05-25 07:24 . 2011-06-10 20:12        543336        ----a-w-        c:\windows\system32\easyupdatusapiu.dll
2011-05-25 07:24 . 2011-06-10 20:11        6555240        ----a-w-        c:\windows\system32\nvwgf2um.dll
2011-05-25 07:24 . 2011-06-10 20:11        57960        ----a-w-        c:\windows\system32\OpenCL.dll
2011-05-25 07:24 . 2011-06-10 20:11        16456296        ----a-w-        c:\windows\system32\nvoglv32.dll
2011-05-25 07:24 . 2011-06-10 20:11        899688        ----a-w-        c:\windows\system32\nvdispco3220150.dll
2011-05-25 07:24 . 2011-06-10 20:11        865896        ----a-w-        c:\windows\system32\nvgenco322090.dll
2011-05-25 07:24 . 2011-06-10 20:11        11992680        ----a-w-        c:\windows\system32\nvd3dum.dll
2011-05-25 07:24 . 2011-06-10 20:11        10589800        ----a-w-        c:\windows\system32\drivers\nvlddmkm.sys
2011-05-25 07:24 . 2011-06-10 20:11        2804328        ----a-w-        c:\windows\system32\nvcuvid.dll
2011-05-25 07:24 . 2011-06-10 20:11        5301352        ----a-w-        c:\windows\system32\nvcuda.dll
2011-05-25 07:24 . 2011-06-10 20:11        2335848        ----a-w-        c:\windows\system32\nvapi.dll
2011-05-25 07:24 . 2011-06-10 20:11        2082408        ----a-w-        c:\windows\system32\nvcuvenc.dll
2011-05-25 07:24 . 2011-06-10 20:11        13011560        ----a-w-        c:\windows\system32\nvcompiler.dll
2011-05-25 07:24 . 2011-06-10 20:11        12392        ----a-w-        c:\windows\system32\drivers\nvBridge.kmd
2011-05-24 17:14 . 2010-07-08 09:30        222080        ------w-        c:\windows\system32\MpSigStub.exe
2011-05-19 14:18 . 2011-05-19 14:18        218688        ----a-w-        c:\windows\system32\drivers\dtsoftbus01.sys
2011-06-16 04:32 . 2011-06-19 23:32        142296        ----a-w-        c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((  Autostartpunkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12        94208        ----a-w-        c:\users\****\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12        94208        ----a-w-        c:\users\****\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12        94208        ----a-w-        c:\users\****\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12        94208        ----a-w-        c:\users\****\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Security Suite CBE 11\avp.exe" [2011-04-13 387696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\KASPER~1\KASPER~1\mzvkbd3.dll c:\progra~1\KASPER~1\KASPER~1\kloehk.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute        REG_MULTI_SZ          PDBoot.exe\0autocheck autochk *
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ocs_SM
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando Media Booster
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 10:55        937920        ----a-w-        c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5.5ServiceManager]
2011-01-12 05:08        1523360        ----a-w-        c:\program files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56        1230704        ----a-w-        c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 10:59        254696        ----a-w-        c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
2010-02-19 11:37        517096        ----a-w-        c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"RfxSrvTray"="c:\program files\Tobit Radio.fx\Client\rfx-tray.exe"
"WMPNSCFG"=c:\program files\Windows Media Player\WMPNSCFG.exe
"Steam"="c:\program files\Steam\Steam.exe" -silent
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
"SwitchBoard"=c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-419034727-2576159466-3780662473-1000]
"EnableNotificationsRef"=dword:00000002
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2010-07-15 14216]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2010-07-15 8456]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-03-31 36608]
R3 optousb;OPTO ELECTRONICS optousb;c:\windows\system32\DRIVERS\optousb.sys [2009-08-26 18432]
R3 optovcm;OPTO ELECTRONICS optovcm;c:\windows\system32\DRIVERS\optovcm.sys [2009-08-26 26368]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 sc4stupmngrService;SimCity4 Startup Manager Service;c:\program files\SimCity4 StartupManager\sumservice.exe [2007-06-03 133120]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2009-03-20 90112]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2009-03-20 14976]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2009-03-20 121856]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2010-02-24 10064]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R4 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2009-03-31 233472]
R4 GfK-Reporting-Service;GfK-Reporting-Service;c:\program files\GfK Internet-Monitor\GfK-Reporting.exe [2011-01-20 102400]
R4 GfK-Update-Service;GfK-Update-Service;c:\program files\GfK Internet-Monitor\GfK-Updater.exe [2011-01-20 180224]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 135664]
R4 pr2agqwb;Loki Drivers Auto Removal (pr2agqwb);c:\windows\system32\pr2agqwb.exe svc [x]
R4 pr2agqwc;Loki Drivers Auto Removal (pr2agqwc);c:\windows\system32\pr2agqwc.exe svc [x]
R4 Radio.fx;Radio.fx Server;c:\program files\Tobit Radio.fx\Server\rfx-server.exe [2011-02-28 3577688]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-10-30 691696]
R4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R4 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2011-01-12 1051968]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 hotcore3;hc3ServiceName;c:\windows\system32\DRIVERS\hotcore3.sys [2010-09-15 40560]
S0 pe3agqwb;Loki Environment Driver (pe3agqwb);c:\windows\system32\drivers\pe3agqwb.sys [2008-02-25 64616]
S0 pe3agqwc;Loki Environment Driver (pe3agqwc);c:\windows\system32\drivers\pe3agqwc.sys [2007-05-16 64880]
S0 ps6agqwc;Loki Synchronization Driver (ps6agqwc);c:\windows\system32\drivers\ps6agqwc.sys [2007-08-02 68208]
S0 ps7agqwb;Loki Synchronization Driver (ps7agqwb);c:\windows\system32\drivers\ps7agqwb.sys [2008-02-25 68208]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-05-19 218688]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-25 2214504]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2000-01-01 181792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation        REG_MULTI_SZ          FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners
.
2011-08-13 c:\windows\Tasks\AbelssoftPreloader.job
- c:\program files\WashAndGo\AbelssoftPreloader.exe [2011-06-05 12:58]
.
2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 23:37]
.
2010-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-04 23:37]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2475029
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\****\AppData\Roaming\Mozilla\Firefox\Profiles\v6lrncg4.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Amazon.de
FF - prefs.js: browser.startup.homepage - www.google.de
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
URLSearchHooks-{a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)
URLSearchHooks-{a1e75a0e-4397-4ba8-bb50-e19fb66890f4} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2011-08-13 13:24
Windows 6.0.6002 Service Pack 2 NTFS
.
Scanne versteckte Prozesse...
.
Scanne versteckte Autostarteinträge...
.
Scanne versteckte Dateien...
.
Scan erfolgreich abgeschlossen
versteckte Dateien:
.
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-419034727-2576159466-3780662473-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:98,00,6d,56,38,ef,ac,8d,60,5c,02,da,20,c1,99,57,f0,8e,98,0c,b2,65,8d,
  af,59,60,84,50,77,ad,1f,76,8e,c4,f2,0c,31,06,b4,eb,d9,da,b3,2b,94,92,72,81,\
"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
.
[HKEY_USERS\S-1-5-21-419034727-2576159466-3780662473-1000\Software\SecuROM\License information*]
"datasecu"=hex:c3,b8,76,c1,8a,b4,f8,4c,b6,cd,1c,5f,36,ee,89,fa,fb,7d,85,2f,f8,
  fd,10,0a,c4,99,3e,d5,e4,9d,80,ad,eb,15,8c,43,0e,d2,ec,79,53,dc,92,03,b6,bb,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2011-08-13  13:26:35
ComboFix-quarantined-files.txt  2011-08-13 11:26
.
Vor Suchlauf: 19 Verzeichnis(se), 157.463.117.824 Bytes frei
Nach Suchlauf: 22 Verzeichnis(se), 157.806.198.784 Bytes frei
.
Current=2 Default=2 Failed=8 LastKnownGood=6 Sets=1,2,3,4,5,6,8,27
- - End Of File - - 919994E9E9EDB74456139152078AEA3E

--- --- ---

cosinus 15.08.2011 10:48

OK. Now please create and post logs with GMER and OSAM.
GMER crashes quite often; if the tool refuses to work the 2nd time as well, just leave it out and run only OSAM - please skip the online query in OSAM.
With OSAM please also make sure that you save the log as *.log and not as *.html or the like.

Note: Please use WinRAR or 7zip to unpack OSAM! Also be sure to turn off the virus scanner; the McAfee scanner in particular often reports a false alarm in OSAM!


Please download aswMBR.exe and save the file to your desktop.
  • Start aswMBR.exe - (aswMBR.exe guide)
    From Windows Vista (or higher) please start it via right-click "Run as administrator".
  • The tool will ask whether you want to scan your system with the current AVAST! virus definitions. Please answer Yes. (If your firewall asks, please allow internet access.)
    Downloading the definitions can take a while depending on your connection.
  • Click Scan.
  • Wait until Scan finished successfully appears in the DOS window.
  • Click Save Log and save it to the desktop.
Post the aswMBR.txt in your next reply.

Important: Do not press any of the Fix buttons without instructions

Note: If the Scan button is greyed out, close the tool and start it again. If the scan aborts and the program crashes, let me know and choose the setting (none) under AV Scan.


Gewissen 23.08.2011 17:36

Sorry for the delay.
aswMBR is a quick scan.
GMER Logfile:
Code:

GMER 1.0.15.15641 - hxxp://www.gmer.net
Rootkit scan 2011-08-17 17:35:12
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\0000005d SAMSUNG_ rev.CR10
Running: 5f6yhthx.exe; Driver: C:\Users\***\AppData\Local\Temp\fwliapob.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwAdjustPrivilegesToken [0x96355DAA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwAlpcConnectPort [0x96357FE8]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwAlpcCreatePort [0x96358262]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwAlpcSendWaitReceivePort [0x963584D8]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwClose [0x963566BE]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwConnectPort [0x963574F2]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreateEvent [0x96357A3C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreateFile [0x9635699A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreateMutant [0x96357922]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreateNamedPipeFile [0x96355998]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreatePort [0x963577F6]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreateSection [0x96355B40]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreateSemaphore [0x96357B5C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreateThread [0x96356344]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreateWaitablePort [0x9635788C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwDebugActiveProcess [0x9635924A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwDeviceIoControlFile [0x96356E1C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwDuplicateObject [0x9635A458]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwFsControlFile [0x96356C2A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwLoadDriver [0x9635933C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwMapViewOfSection [0x96359AA4]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwOpenEvent [0x96357AD2]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwOpenFile [0x96356740]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwOpenMutant [0x963579B2]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwOpenProcess [0x96355FE8]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwOpenSection [0x9635983E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwOpenSemaphore [0x96357BF2]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwOpenThread [0x96355ED8]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwQueryDirectoryObject [0x963587DC]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwQuerySection [0x96359DDE]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwQueueApcThread [0x963596D0]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwReplaceKey [0x96354652]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwReplyPort [0x96357F56]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwReplyWaitReceivePort [0x96357E1C]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwRequestWaitReplyPort [0x96358FE4]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwRestoreKey [0x963549CA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwResumeThread [0x9635A2FA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwSaveKey [0x963545EA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwSecureConnectPort [0x96357238]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwSetContextThread [0x96356560]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwSetInformationToken [0x9635887E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwSetSecurityObject [0x963594DA]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwSetSystemInformation [0x96359F2E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwSuspendProcess [0x9635A020]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwSuspendThread [0x9635A15A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwSystemDebugControl [0x9635916E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwTerminateProcess [0x9635618E]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwTerminateThread [0x963560E4]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwUnmapViewOfSection [0x96359C82]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwWriteVirtualMemory [0x9635627A]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreateThreadEx [0x96356442]
SSDT            \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab)                  ZwCreateUserProcess [0x96358722]

---- Kernel code sections - GMER 1.0.15 ----

.text          ntkrnlpa.exe!KeSetEvent + 119                                                                        82CE789C 4 Bytes  [AA, 5D, 35, 96]
.text          ntkrnlpa.exe!KeSetEvent + 13D                                                                        82CE78C0 8 Bytes  CALL E564AE44
.text          ntkrnlpa.exe!KeSetEvent + 181                                                                        82CE7904 4 Bytes  [D8, 84, 35, 96]
.text          ntkrnlpa.exe!KeSetEvent + 1A9                                                                        82CE792C 4 Bytes  [BE, 66, 35, 96]
.text          ntkrnlpa.exe!KeSetEvent + 1C1                                                                        82CE7944 4 Bytes  CALL B8436BCB
.text          ...                                                                                                 
.xreloc        C:\Windows\system32\drivers\ps6agqwc.sys                                                              unknown last section [0x832A5000, 0x9FC, 0x40000040]
.xreloc        C:\Windows\system32\drivers\ps7agqwb.sys                                                              unknown last section [0x832BB000, 0x9F4, 0x40000040]
.text          C:\Windows\system32\DRIVERS\atksgt.sys                                                                section is writeable [0x824A3300, 0x3B6D8, 0xE8000020]
.text          C:\Windows\system32\DRIVERS\lirsgt.sys                                                                section is writeable [0x824E6300, 0x1BEE, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                [74AC7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                  [74B1A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]              [74ACBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]        [74ABF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                  [74AC75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]              [74ABE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [74AF8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]      [74ACDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]              [74ABFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]              [74ABFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                [74AB71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]        [74B4CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]          [74AEC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]              [74ABD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                        [74AB6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                      [74AB687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT            C:\Windows\Explorer.EXE[5848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]          [74AC2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\volsnap \Device\HarddiskVolumeShadowCopy1                                                    hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\tdx \Device\Tcp                                                                              kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\tdx \Device\Udp                                                                              kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice  \Driver\tdx \Device\RawIp                                                                            kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)

Device                                                                                                                cdfs.sys (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC                     
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                  0x00 0x00 0x00 0x00 ...
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                  0
Reg            HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                0x00 0x36 0xC5 0xE9 ...
Reg            HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                      0x00 0x00 0x00 0x00 ...
Reg            HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                      0
Reg            HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                    0x00 0x36 0xC5 0xE9 ...
Reg            HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                      0x00 0x00 0x00 0x00 ...
Reg            HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                      0
Reg            HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                    0x00 0x36 0xC5 0xE9 ...
Reg            HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                      0x00 0x00 0x00 0x00 ...
Reg            HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                      0
Reg            HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                    0x00 0x36 0xC5 0xE9 ...
Reg            HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                      0x00 0x00 0x00 0x00 ...
Reg            HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                      0
Reg            HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                    0x00 0x36 0xC5 0xE9 ...
Reg            HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                      0x00 0x00 0x00 0x00 ...
Reg            HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                      0
Reg            HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                    0x00 0x36 0xC5 0xE9 ...
Reg            HKLM\SYSTEM\ControlSet027\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet027\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0                      0x00 0x00 0x00 0x00 ...
Reg            HKLM\SYSTEM\ControlSet027\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0                      0
Reg            HKLM\SYSTEM\ControlSet027\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12                    0x00 0x36 0xC5 0xE9 ...
Reg            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System                                               
Reg            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODLED04.00.00.01PRO

---- EOF - GMER 1.0.15 ----

--- --- ---


OSAM Logfile:
Code:

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 19:23:54 on 17.08.2011

OS: Windows Vista Home Premium Edition Service Pack 2 (Build 6002), 32-bit
Default Browser: Mozilla Corporation Firefox 5.0

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[AppInit DLLs]
-----( HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows )-----
"AppInit_DLLs" - "Kaspersky Lab ZAO" - C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
"AppInit_DLLs" - "Kaspersky Lab ZAO" - C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

[Boot Execute]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager )-----
"BootExecute" - "Raxco Software, Inc." - C:\Windows\system32\PDBoot.exe

[Common]
-----( %SystemRoot%\Tasks )-----
"AbelssoftPreloader.job" - "Microsoft" - C:\Program Files\WashAndGo\AbelssoftPreloader.exe
"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"DivXControlPanelApplet.cpl" - "DivX, Inc." - C:\Windows\system32\DivXControlPanelApplet.cpl
"FlashPlayerCPLApp.cpl" - "Adobe Systems Incorporated" - C:\Windows\system32\FlashPlayerCPLApp.cpl
"PhysX.cpl" - "NVIDIA Corporation" - C:\Windows\system32\PhysX.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"atksgt" (atksgt) - ? - C:\Windows\System32\DRIVERS\atksgt.sys  (File found, but it contains no detailed information)
"catchme" (catchme) - ? - C:\Users\***\AppData\Local\Temp\catchme.sys  (File not found)
"DefragFS" (DefragFS) - "Raxco Software, Inc." - C:\Windows\system32\drivers\DefragFS.sys
"epmntdrv" (epmntdrv) - ? - C:\Windows\system32\epmntdrv.sys  (File found, but it contains no detailed information)
"EuGdiDrv" (EuGdiDrv) - ? - C:\Windows\system32\EuGdiDrv.sys  (File found, but it contains no detailed information)
"FsUsbExDisk" (FsUsbExDisk) - ? - C:\Windows\system32\FsUsbExDisk.SYS  (File found, but it contains no detailed information)
"fwliapob" (fwliapob) - ? - C:\Users\***\AppData\Local\Temp\fwliapob.sys  (Hidden registry entry, rootkit activity | File not found)
"hc3ServiceName" (hotcore3) - "Paragon Software Group" - C:\Windows\System32\DRIVERS\hotcore3.sys
"IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys  (File not found)
"IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys  (File not found)
"IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys  (File not found)
"lirsgt" (lirsgt) - ? - C:\Windows\System32\DRIVERS\lirsgt.sys  (File found, but it contains no detailed information)
"Loki Environment Driver (pe3agqwb)" (pe3agqwb) - "Cyanide" - C:\Windows\System32\drivers\pe3agqwb.sys
"Loki Environment Driver (pe3agqwc)" (pe3agqwc) - "Cyanide" - C:\Windows\System32\drivers\pe3agqwc.sys
"Loki Synchronization Driver (ps6agqwc)" (ps6agqwc) - "Cyanide" - C:\Windows\System32\drivers\ps6agqwc.sys
"Loki Synchronization Driver (ps7agqwb)" (ps7agqwb) - "Cyanide" - C:\Windows\System32\drivers\ps7agqwb.sys
"MBAMProtector" (MBAMProtector) - "Malwarebytes Corporation" - C:\Windows\system32\drivers\mbam.sys
"PCCS Mode Change Filter Driver" (pccsmcfd) - ? - C:\Windows\System32\DRIVERS\pccsmcfd.sys  (File not found)
"Revoflt" (Revoflt) - ? - C:\Windows\System32\DRIVERS\revoflt.sys  (File not found)
"TuneUpUtilitiesDrv" (TuneUpUtilitiesDrv) - "TuneUp Software" - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys

[Explorer]
-----( HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? -  (File not found | COM-object registry key not found)
{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? -  (File not found | COM-object registry key not found)
{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? -  (File not found | COM-object registry key not found)
{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} "DropboxExt" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Handler )-----
{E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} "Album Download IE Asynchronous Pluggable Protocol Interface" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
{828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\Program Files\Windows Live\Messenger\msgrapp.dll
{828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Messenger\msgrapp.dll
{03C514A3-1EFB-4856-9F99-10D7BE1653C0} "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler" - "Microsoft Corporation" - C:\Program Files\Windows Live\Mail\mailcomm.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? -  (File not found | COM-object registry key not found)
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - C:\Program Files\7-Zip\7-zip.dll
{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? -  (File not found | COM-object registry key not found)
{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? -  (File not found | COM-object registry key not found)
{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? -  (File not found | COM-object registry key not found)
{A70C977A-BF00-412C-90B7-034C51DA2439} "DesktopContext Class" - "NVIDIA Corporation" - C:\Program Files\NVIDIA Corporation\Display\nvui.dll
{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? -  (File not found | COM-object registry key not found)
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? -  (File not found | COM-object registry key not found)
{00020d75-0000-0000-c000-000000000046} "lnkfile" - ? -  (File not found | COM-object registry key not found)
{3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} "NVIDIA CPL Context Menu Extension" - "NVIDIA Corporation" - C:\Windows\system32\nvshext.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{AE424E85-F6DF-4910-A6A9-438797986431} "OpenOffice.org Property Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\propertyhdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? -  (File not found | COM-object registry key not found)
{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? -  (File not found | COM-object registry key not found)
{BD88A479-9623-4897-8546-BC62B9628F44} "SPTHandler" - ? -  (File not found | COM-object registry key not found)
{4838CD50-7E5D-4811-9B17-C47A85539F28} "TuneUp Disk Space Explorer Shell Extension" - "TuneUp Software" - C:\Program Files\TuneUp Utilities 2010\DseShExt-x86.dll
{4858E7D9-8E12-45a3-B6A3-1CD128C9D403} "TuneUp Shredder Shell Extension" - "TuneUp Software" - C:\Program Files\TuneUp Utilities 2010\SDShelEx-win32.dll
{44440D00-FF19-4AFC-B765-9A0970567D97} "TuneUp Theme Extension" - "TuneUp Software" - C:\Windows\System32\uxtuneup.dll
{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} "Windows Live Photo Gallery Autoplay Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} "Windows Live Photo Gallery Editor Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} "Windows Live Photo Gallery Editor Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F30F90-3E96-453B-AFCD-D71989ECC2C7} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F33137-EE26-412F-8D71-F84E4C2C6625} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F374B7-B390-4884-B372-2FC349F2172B} "Windows Live Photo Gallery Viewer Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} "Windows Live Photo Gallery Viewer Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? -  (File not found | COM-object registry key not found)
{0563DB41-F538-4B37-A92D-4659049B7766} "WLMD Message Handler" - ? -  (File not found | COM-object registry key not found)
{06A2568A-CED6-4187-BB20-400B8C02BE5A} "{06A2568A-CED6-4187-BB20-400B8C02BE5A}" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
ITBar7Height "ITBar7Height" - ? -  (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_26" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_26.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{80A21664-E813-4F79-B965-2058C0F7A84C} "ClsidExtension" - ? - C:\Program Files\GfK Internet-Monitor\Gacela2.dll
"ICQ7.2" - "ICQ, LLC." - C:\Program Files\ICQ7.2\ICQ.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{593DDEC6-7468-4cdd-90E1-42DADAA222E9} "DivX HiQ" - "DivX, LLC" - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
{326E768D-4182-46FD-9C16-1449A49795F4} "DivX Plus Web Player HTML5 <video>" - "DivX, LLC" - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
{E33CF602-D945-461A-83F0-819F76A199F8} "FilterBHO Class" - "Kaspersky Lab ZAO" - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite CBE 11\klwtbbho.dll
{4BEEA052-726D-4A6E-B65D-A6BD07C263F3} "GfK Internet-Monitor" - ? - C:\Program Files\GfK Internet-Monitor\Gacela2.dll
{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} "IEVkbdBHO Class" - "Kaspersky Lab ZAO" - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite CBE 11\ievkbd.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live ID Sign-in Helper" - "Microsoft Corp." - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{9FDDE16B-836F-4806-AB1F-1455CBEFF289} "Windows Live Messenger Companion Helper" - "Microsoft Corporation" - C:\Program Files\Windows Live\Companion\companioncore.dll

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----
"StartupPrograms" - ? - rdpclip  (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"AVP" - "Kaspersky Lab ZAO" - "C:\Program Files\Kaspersky Lab\Kaspersky Security Suite CBE 11\avp.exe"
"Malwarebytes' Anti-Malware" - "Malwarebytes Corporation" - "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"@%SystemRoot%\System32\uxtuneup.dll,-4096" (UxTuneUp) - "TuneUp Software" - C:\Windows\System32\uxtuneup.dll
"@C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1" (TuneUp.Defrag) - "TuneUp Software" - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
"@c:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100" (WPFFontCache_v0400) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
"ASP.NET-Zustandsdienst" (aspnet_state) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
"ForceWare Intelligent Application Manager (IAM)" (ForceWare Intelligent Application Manager (IAM)) - ? - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
"ForceWare IP service" (nSvcIp) - ? - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
"Kaspersky Security Suite CBE 11 Service" (AVP) - "Kaspersky Lab ZAO" - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite CBE 11\avp.exe
"MBAMService" (MBAMService) - "Malwarebytes Corporation" - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
"NVIDIA Display Driver Service" (nvsvc) - "NVIDIA Corporation" - C:\Windows\system32\nvvsvc.exe
"NVIDIA Stereoscopic 3D Driver Service" (Stereo Service) - "NVIDIA Corporation" - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
"NVIDIA Update Service Daemon" (nvUpdatusService) - "NVIDIA Corporation" - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
"PDAgent" (PDAgent) - "Raxco Software, Inc." - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
"PDEngine" (PDEngine) - "Raxco Software, Inc." - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
"PnkBstrA" (PnkBstrA) - ? - C:\Windows\system32\PnkBstrA.exe  (File found, but it contains no detailed information)
"SimCity4 Startup Manager Service" (sc4stupmngrService) - ? - C:\Program Files\SimCity4 StartupManager\sumservice.exe
"TuneUp Utilities Service" (TuneUp.UtilitiesSvc) - "TuneUp Software" - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
"Windows Live ID Sign-in Assistant" (wlidsvc) - "Microsoft Corp." - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

[Winlogon]
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"klogon" - "Kaspersky Lab ZAO" - C:\Windows\system32\klogon.dll

===[ Logfile end ]=========================================[ Logfile end ]===

--- --- ---


Quote:

aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-23 17:24:33
-----------------------------
17:24:33.560 OS Version: Windows 6.0.6002 Service Pack 2
17:24:33.560 Number of processors: 2 586 0x6B01
17:24:33.575 ComputerName: ***-PC UserName: ***
17:24:34.667 Initialize success
17:24:39.628 AVAST engine defs: 11082300
17:24:42.405 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
17:24:42.405 Disk 0 Vendor: SAMSUNG_ CR10 Size: 476940MB BusType: 8
17:24:44.449 Disk 0 MBR read successfully
17:24:44.464 Disk 0 MBR scan
17:24:44.464 Disk 0 Windows 7 default MBR code
17:24:44.480 Disk 0 scanning sectors +976752000
17:24:44.573 Disk 0 scanning C:\Windows\system32\drivers
17:25:01.390 Service scanning
17:25:02.077 Service KL1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 5
17:25:02.092 Service kl2 C:\Windows\system32\DRIVERS\kl2.sys **LOCKED** 5
17:25:02.092 Service KLIM6 C:\Windows\system32\DRIVERS\klim6.sys **LOCKED** 5
17:25:02.108 Service klmouflt C:\Windows\system32\DRIVERS\klmouflt.sys **LOCKED** 5
17:25:02.825 Modules scanning
17:25:14.354 Disk 0 trace - called modules:
17:25:14.401 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys
17:25:14.401 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x876239e8]
17:25:14.416 3 CLASSPNP.SYS[8d3658b3] -> nt!IofCallDriver -> [0x86cbc7c8]
17:25:14.416 5 acpi.sys[8320a6bc] -> nt!IofCallDriver -> \Device\0000005d[0x86cbcc90]
17:25:15.337 AVAST engine scan C:\Windows
17:25:33.183 AVAST engine scan C:\Windows\system32
17:28:25.594 AVAST engine scan C:\Windows\system32\drivers
17:28:52.879 AVAST engine scan C:\Users\***
17:41:15.440 File: C:\Users\***\Documents\hp\apps\APP11778\src\OUTPUTDIR_de_DE\Setup.exe **INFECTED** Win32:Malware-gen
17:41:15.612 File: C:\Users\***\Documents\hp\apps\APP11778\src\OUTPUTDIR_en_US\Setup.exe **INFECTED** Win32:Malware-gen
18:13:17.492 AVAST engine scan C:\ProgramData
18:22:53.631 Scan finished successfully
18:25:34.997 Disk 0 MBR has been saved successfully to "C:\Users\***\Documents\MBR.dat"
18:25:35.013 The log file has been saved successfully to "C:\Users\***\Documents\aswMBR.txt"

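As an added example for readers of this thread (not code from the original post, from Trojaner-Board or from AVAST), the following Python script triages an aswMBR log like the one quoted above: it pulls out every file marked **INFECTED** together with its detection name, every service marked **LOCKED**, and the MBR status lines, so the checks a helper does by eye can be repeated on any other aswMBR log. The embedded sample log is constructed from the quoted one, with the Windows user name replaced by the placeholder USER.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the aswMBR output quoted in this thread;
# the Windows user name is replaced by the placeholder USER.
SAMPLE_LOG = r"""aswMBR version 0.9.8.978 Copyright(c) 2011 AVAST Software
Run date: 2011-08-23 17:24:33
-----------------------------
17:24:33.560 OS Version: Windows 6.0.6002 Service Pack 2
17:24:42.405 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005d
17:24:44.449 Disk 0 MBR read successfully
17:24:44.464 Disk 0 MBR scan
17:24:44.464 Disk 0 Windows 7 default MBR code
17:25:02.077 Service KL1 C:\Windows\system32\DRIVERS\kl1.sys **LOCKED** 5
17:25:02.092 Service kl2 C:\Windows\system32\DRIVERS\kl2.sys **LOCKED** 5
17:41:15.440 File: C:\Users\USER\Documents\hp\apps\APP11778\src\OUTPUTDIR_de_DE\Setup.exe **INFECTED** Win32:Malware-gen
17:41:15.612 File: C:\Users\USER\Documents\hp\apps\APP11778\src\OUTPUTDIR_en_US\Setup.exe **INFECTED** Win32:Malware-gen
18:22:53.631 Scan finished successfully
"""

# Every event line starts with a hh:mm:ss.mmm timestamp; the header lines do not.
EVENT_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<msg>.*)$")
INFECTED_RE = re.compile(r"^File: (?P<path>.+?) \*\*INFECTED\*\* (?P<detection>\S+)$")
LOCKED_RE = re.compile(r"^Service (?P<name>\S+) (?P<path>.+?) \*\*LOCKED\*\* (?P<code>\d+)$")
MBR_RE = re.compile(r"^Disk (?P<disk>\d+) (?P<text>.*\bMBR\b.*)$")


def parse_aswmbr(text):
    """Return the findings of an aswMBR log: infected files, locked services, MBR lines."""
    findings = {"infected": [], "locked": [], "mbr": [], "finished": False}
    for raw in text.splitlines():
        event = EVENT_RE.match(raw)
        if not event:
            continue  # version banner, run date, separator
        ts, msg = event.group("ts"), event.group("msg")
        infected = INFECTED_RE.match(msg)
        locked = LOCKED_RE.match(msg)
        mbr = MBR_RE.match(msg)
        if infected:
            findings["infected"].append(
                {"time": ts, "path": infected["path"], "detection": infected["detection"]})
        elif locked:
            findings["locked"].append(
                {"time": ts, "name": locked["name"], "path": locked["path"], "code": int(locked["code"])})
        elif mbr:
            findings["mbr"].append({"time": ts, "disk": int(mbr["disk"]), "text": mbr["text"]})
        elif msg.startswith("Scan finished"):
            findings["finished"] = True
    return findings


def mbr_is_default(findings, disk=0):
    """True if aswMBR reported stock Windows boot code for the given disk."""
    return any(e["disk"] == disk and "default MBR code" in e["text"] for e in findings["mbr"])


def detection_counts(findings):
    """Detection name -> number of files it was reported on."""
    return dict(Counter(f["detection"] for f in findings["infected"]))


def report(findings):
    """Summary lines in the order a helper would read them."""
    mbr_state = "default Windows code" if mbr_is_default(findings) else "NOT confirmed as default, review"
    lines = ["MBR: " + mbr_state]
    for f in findings["infected"]:
        lines.append("INFECTED %s: %s" % (f["detection"], f["path"]))
    for s in findings["locked"]:
        lines.append("LOCKED service %s (%s, code %d)" % (s["name"], s["path"], s["code"]))
    lines.append("Scan completed" if findings["finished"] else "Scan did NOT finish")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_aswmbr(SAMPLE_LOG))))
```

The script reports the **LOCKED** entries for review rather than judging them: in the sample they are the kl*.sys drivers of the Kaspersky suite that the OTL log above lists as installed, and whether a locked driver is expected depends on what security software is present. The MBR line is the one to check first when a rootkit is suspected, which is why it comes out at the top of the summary.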
cosinus 23.08.2011 19:55

Looks OK. As a check, please run full scans with Malwarebytes and SASW and post the logs.
Remember to update both tools before scanning!!


Afterwards, getting a second opinion from the ESET Online Scanner is not a bad idea either:


ESET Online Scanner

  • Here you will find an illustrated guide to ESET Online Scanner
  • Download and start ESET Online Scanner
  • Tick Yes, I accept the Terms of Use and click Start.
  • Enable "Detection of potentially unwanted applications" and choose the following settings.
  • Click Start.
  • The signatures are downloaded and the scan starts automatically.
  • At the end of the scan, click Finish.
  • Close the ESET window.
  • Open Explorer.
  • Find C:\Programme\Eset\EsetOnlineScanner\log.txt (on 64-bit also C:\Programme (x86)\Eset\EsetOnlineScanner\log.txt) and open it with your editor (illustrated).
  • Post the logfile here.
  • Uninstall: Control Panel => Software / Uninstall programs => remove Eset Online Scanner V3.
  • Manually delete the following folder and empty the Recycle Bin => C:\Programme\Eset


