Trojaner-Board (https://www.trojaner-board.de/)
Forum: Plagegeister aller Art und deren Bekämpfung (pests of all kinds and how to fight them)
Thread: Https Tidserv Request (https://www.trojaner-board.de/84599-https-tidserv-request.html)

DevilGB 06.04.2010 23:42

Https Tidserv Request

Since I got back from vacation I unfortunately have a big problem.

Norton 360 alternately reports Https Tidserv Request and then sometimes Request 2, mostly when I search for something via Google. If the Tidserv request is not blocked, a new web page simply appears all of a sudden.

I have already run all sorts of programs. Malwarebytes found nothing. Norton itself found nothing either. TDSSKiller found something in Atapi.dll, but after the restart it was still there.

Then I also ran ComboFix. Here is the result. Maybe someone can help me?


ComboFix 10-04-05.06 - Devilgb 06.04.2010 23:34:17.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2767 [GMT 2:00]
Running from: c:\documents and settings\Devilgb\My Documents\Downloads\ComboFix.exe
AV: Norton 360 Online *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Online *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Devilgb\Application Data\EurekaLog
c:\documents and settings\Devilgb\Application Data\inst.exe
c:\windows\system32\_005085_.tmp.dll
c:\windows\system32\_005086_.tmp.dll
c:\windows\system32\_005087_.tmp.dll
c:\windows\system32\_005088_.tmp.dll
c:\windows\system32\_005094_.tmp.dll
c:\windows\system32\_005095_.tmp.dll
c:\windows\system32\_005096_.tmp.dll
c:\windows\system32\_005097_.tmp.dll
c:\windows\system32\_005098_.tmp.dll
c:\windows\system32\_005099_.tmp.dll
c:\windows\system32\_005100_.tmp.dll
c:\windows\system32\_005101_.tmp.dll
c:\windows\system32\_005103_.tmp.dll
c:\windows\system32\_005104_.tmp.dll
c:\windows\system32\_005105_.tmp.dll
c:\windows\system32\_005107_.tmp.dll
c:\windows\system32\_005108_.tmp.dll
c:\windows\system32\_005109_.tmp.dll
c:\windows\system32\_005110_.tmp.dll
c:\windows\system32\_005111_.tmp.dll
c:\windows\system32\_005112_.tmp.dll
c:\windows\system32\_005113_.tmp.dll
c:\windows\system32\_005114_.tmp.dll
c:\windows\system32\_005115_.tmp.dll
c:\windows\system32\_005117_.tmp.dll
c:\windows\system32\_005118_.tmp.dll
c:\windows\system32\_005119_.tmp.dll
c:\windows\system32\_005120_.tmp.dll
c:\windows\system32\_005122_.tmp.dll
c:\windows\system32\_005123_.tmp.dll
c:\windows\system32\_005124_.tmp.dll
c:\windows\system32\_005125_.tmp.dll
c:\windows\system32\_005127_.tmp.dll
c:\windows\system32\_005128_.tmp.dll
c:\windows\system32\_005129_.tmp.dll
c:\windows\system32\_005130_.tmp.dll
c:\windows\system32\_005131_.tmp.dll
c:\windows\system32\_005133_.tmp.dll
c:\windows\system32\_005134_.tmp.dll
c:\windows\system32\_005135_.tmp.dll
c:\windows\system32\_005136_.tmp.dll
c:\windows\system32\_005137_.tmp.dll
c:\windows\system32\_005138_.tmp.dll
c:\windows\system32\_005139_.tmp.dll
c:\windows\system32\_005142_.tmp.dll
c:\windows\system32\_005143_.tmp.dll
c:\windows\system32\_005144_.tmp.dll
c:\windows\system32\_005145_.tmp.dll
c:\windows\system32\_005146_.tmp.dll
c:\windows\system32\_005147_.tmp.dll
c:\windows\system32\_005148_.tmp.dll
c:\windows\system32\_005149_.tmp.dll
c:\windows\system32\_005151_.tmp.dll
c:\windows\system32\_005152_.tmp.dll
c:\windows\system32\_005153_.tmp.dll
c:\windows\system32\_005154_.tmp.dll
c:\windows\system32\_005157_.tmp.dll
c:\windows\system32\_005158_.tmp.dll
c:\windows\system32\_005159_.tmp.dll
c:\windows\system32\_005160_.tmp.dll
c:\windows\system32\_005162_.tmp.dll
c:\windows\system32\_005164_.tmp.dll
c:\windows\system32\_005165_.tmp.dll
c:\windows\system32\_005166_.tmp.dll
c:\windows\system32\_005167_.tmp.dll
c:\windows\system32\_005168_.tmp.dll
c:\windows\system32\_005170_.tmp.dll
c:\windows\system32\_005171_.tmp.dll
c:\windows\system32\_005172_.tmp.dll
c:\windows\system32\_005173_.tmp.dll
c:\windows\system32\_005174_.tmp.dll
c:\windows\system32\_005175_.tmp.dll
c:\windows\system32\_005178_.tmp.dll
c:\windows\system32\_005179_.tmp.dll
c:\windows\system32\_005180_.tmp.dll
c:\windows\system32\_005181_.tmp.dll
c:\windows\system32\_005186_.tmp.dll
c:\windows\system32\_005188_.tmp.dll
c:\windows\system32\_005191_.tmp.dll
c:\windows\system32\_005193_.tmp.dll
c:\windows\system32\_005194_.tmp.dll
c:\windows\system32\_005195_.tmp.dll
c:\windows\system32\_005196_.tmp.dll
c:\windows\system32\_005199_.tmp.dll
c:\windows\system32\_005200_.tmp.dll
c:\windows\system32\_005201_.tmp.dll
c:\windows\system32\_005202_.tmp.dll
c:\windows\system32\_005203_.tmp.dll
c:\windows\system32\_005208_.tmp.dll
c:\windows\system32\_005210_.tmp.dll
c:\windows\system32\tmp.reg
c:\windows\system32\zip32.dll

c:\windows\system32\drivers\tsk4.tmp . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-03-06 to 2010-04-06 )))))))))))))))))))))))))))))))
.

2010-04-06 20:29 . 2010-04-06 20:29 53088 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-06 20:29 . 2010-04-06 20:29 30280 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-04-06 20:29 . 2010-04-06 20:29 24368 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-04-06 17:39 . 2010-04-06 17:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-06 12:05 . 2010-04-06 12:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-04-06 12:05 . 2010-04-06 12:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-30 11:10 . 2010-03-30 11:10 -------- d-----w- c:\documents and settings\All Users\Application Data\hps
2010-03-30 11:06 . 2010-03-30 11:06 -------- d-----w- c:\program files\CeWe Color
2010-03-22 17:07 . 2010-03-22 17:07 -------- d-----w- c:\documents and settings\All Users\Startmenü
2010-03-21 21:37 . 2010-03-27 14:23 -------- d-----w- c:\documents and settings\Devilgb\.jordan
2010-03-16 15:02 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-09 20:58 . 2010-03-09 20:58 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-03-09 20:05 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-08 17:56 . 2010-03-08 17:56 378 ----a-w- c:\windows\system32\Pen_Tablet.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-06 21:58 . 2009-12-14 15:00 -------- d-----w- c:\program files\PeerBlock
2010-04-06 21:57 . 2010-04-06 21:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-06 21:50 . 2010-04-05 20:14 52224 ----a-w- c:\documents and settings\Devilgb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-06 21:50 . 2009-03-23 13:25 117760 ----a-w- c:\documents and settings\Devilgb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 21:32 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-06 21:30 . 2010-04-06 21:30 96512 ----a-w- c:\windows\system32\drivers\tsk4.tmp
2010-04-06 12:53 . 2009-01-05 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-06 12:16 . 2008-12-19 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-06 12:16 . 2009-12-16 12:52 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-06 10:13 . 2008-12-19 00:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 10:10 . 2009-12-15 21:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-05 20:11 . 2008-12-18 22:22 -------- d-----w- c:\documents and settings\Devilgb\Application Data\uTorrent
2010-03-29 22:46 . 2008-12-19 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 22:45 . 2008-12-19 01:09 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 11:05 . 2008-12-18 23:56 -------- d-----w- c:\documents and settings\Devilgb\Application Data\Creative
2010-03-27 10:49 . 2008-12-18 22:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-27 10:46 . 2009-06-30 15:06 -------- d-----w- c:\documents and settings\Devilgb\Application Data\MakeUpPilot
2010-03-22 19:12 . 2010-03-22 19:12 5896 ----a-w- c:\documents and settings\All Users\Application Data\AAV\SSE\15\UpdateFiles\SSEStandard_Patch_15.08.bat
2010-03-22 19:12 . 2010-03-22 19:12 20776 ----a-w- c:\documents and settings\All Users\Application Data\AAV\SSE\15\UpdateFiles\ApplyMsp.exe
2010-03-22 19:12 . 2010-03-22 19:12 18728 ----a-w- c:\documents and settings\All Users\Application Data\AAV\SSE\15\UpdateFiles\RepairVLH2010.exe
2010-03-22 17:05 . 2009-03-08 15:45 -------- d-----w- c:\program files\Akademische Arbeitsgemeinschaft
2010-03-22 13:04 . 2010-03-22 13:04 53248 ----a-r- c:\documents and settings\Devilgb\Application Data\Microsoft\Installer\{DF6FE172-006A-4324-AF7F-ACFE4BA290FE}\ARPPRODUCTICON.exe
2010-03-22 12:18 . 2010-03-22 12:18 1821192 ----a-w- c:\documents and settings\All Users\Application Data\AAV\SSE\14\UpdateFiles\vcredist_x86.exe
2010-03-22 12:18 . 2010-03-22 12:18 6358 ----a-w- c:\documents and settings\All Users\Application Data\AAV\SSE\14\UpdateFiles\SSE_Patch_14.16.bat
2010-03-21 21:09 . 2008-12-21 17:04 -------- d-----w- c:\documents and settings\Devilgb\Application Data\Vso
2010-02-26 23:08 . 2010-02-15 11:06 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-02-26 23:08 . 2010-02-15 11:06 -------- d-----w- c:\program files\DVDVideoSoft
2010-02-25 13:49 . 2010-02-14 17:09 -------- d-----w- c:\documents and settings\Devilgb\Application Data\Ubisoft
2010-02-25 13:48 . 2010-02-25 13:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Solidshield
2010-02-25 06:24 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-15 14:08 . 2009-06-23 10:54 -------- d-----w- c:\program files\ICQ6.5
2010-02-14 17:01 . 2009-03-30 20:38 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2010-02-14 17:01 . 2009-03-30 20:38 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2010-02-12 16:41 . 2010-04-06 21:51 558448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2010-02-03 09:00 . 2010-04-06 17:05 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100406.003\NAVENG.SYS
2010-02-03 09:00 . 2010-04-06 17:05 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100406.003\NAVEX15.SYS
2010-02-03 08:05 . 2010-02-03 08:05 12212040 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X86-ENU.exe
2010-02-03 08:05 . 2010-02-03 08:05 13930312 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMFDist11-WindowsXP-X64-ENU.exe
2010-02-03 08:05 . 2010-02-03 08:05 77824 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\Run_XML6_SP1.exe
2010-02-03 08:05 . 2010-02-03 08:05 61440 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx86.exe
2010-02-03 08:05 . 2010-02-03 08:05 58880 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\WMF11Runx64.exe
2010-02-03 08:05 . 2010-02-03 08:05 50000 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Installer\CommonCustomActions\pcswpc.exe
2010-02-03 08:02 . 2010-02-03 08:04 95992424 ----a-w- c:\documents and settings\All Users\Application Data\OviInstallerCache\{B6164ADA-55DA-4FA9-B78B-A7EB741742A1}\Nokia_Ovi_Suite_webinstaller.exe
2010-02-03 04:52 . 2008-12-01 22:13 4605952 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-02-03 04:12 . 2009-05-16 01:35 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-02-03 04:12 . 2009-05-16 01:34 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-02-03 04:10 . 2009-05-16 01:33 3633152 ----a-w- c:\windows\system32\aticaldd.dll
2010-02-03 04:07 . 2008-12-01 20:19 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2010-02-03 04:02 . 2008-12-01 20:46 14188544 ----a-w- c:\windows\system32\atioglxx.dll
2010-02-03 03:50 . 2008-12-01 20:27 3566048 ----a-w- c:\windows\system32\ati3duag.dll
2010-02-03 03:40 . 2008-12-01 20:52 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-02-03 03:39 . 2008-12-01 20:51 301568 ----a-w- c:\windows\system32\ati2dvag.dll
2010-02-03 03:35 . 2008-12-01 20:11 2176640 ----a-w- c:\windows\system32\ativvaxx.dll
2010-02-03 03:34 . 2008-12-01 20:11 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-02-03 03:34 . 2008-12-01 20:11 3 ----a-w- c:\windows\system32\ativva5x.dat
2010-02-03 03:32 . 2008-12-01 19:50 397312 ----a-w- c:\windows\system32\atiok3x2.dll
2010-02-03 03:23 . 2008-12-01 20:41 208896 ----a-w- c:\windows\system32\atipdlxx.dll
2010-02-03 03:23 . 2008-12-01 20:40 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-02-03 03:23 . 2008-12-01 20:40 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-02-03 03:23 . 2008-12-01 20:40 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-02-03 03:22 . 2008-12-01 20:40 159744 ----a-w- c:\windows\system32\ati2evxx.dll
2010-02-03 03:21 . 2008-12-01 20:38 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-02-03 03:19 . 2008-12-01 20:37 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-02-03 03:19 . 2010-02-18 11:00 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-02-03 03:18 . 2009-05-16 02:38 65024 ----a-w- c:\windows\system32\atimpc32.dll
2010-02-03 03:18 . 2008-12-01 19:57 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2010-02-03 03:17 . 2008-12-01 19:51 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-02-03 03:15 . 2008-12-01 19:53 565248 ----a-w- c:\windows\system32\atikvmag.dll
2010-02-03 03:12 . 2008-12-01 19:52 180224 ----a-w- c:\windows\system32\atiadlxx.dll
2010-02-03 03:12 . 2008-12-01 19:52 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-02-03 03:06 . 2008-12-01 19:45 638976 ----a-w- c:\windows\system32\ati2cqag.dll
2010-02-01 18:20 . 2010-04-06 21:51 165240 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2010-01-16 11:07 . 2009-12-14 19:43 7829 ----a-w- c:\documents and settings\All Users\Application Data\xmlF1.tmp
2010-01-16 11:07 . 2009-12-14 19:43 1629 ----a-w- c:\documents and settings\All Users\Application Data\xmlF3.tmp
2010-01-16 11:07 . 2009-12-14 19:43 13739 ----a-w- c:\documents and settings\All Users\Application Data\xmlF2.tmp
2010-01-13 20:48 . 2008-12-18 22:23 54376 ----a-w- c:\documents and settings\Devilgb\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-10 12:24 . 2010-01-10 12:23 1956528 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-03-31 20:47 . 2008-12-18 23:23 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.
c:\program files\VirtualDJ\VirtualDJ\Plugins\VideoEffect\PictureRotation v1.1 .exe
c:\program files\VirtualDJ\VirtualDJ\Plugins\VideoEffect\PictureRotation v1.1\PictureRotation v1.1 .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eraser"="c:\program files\Eraser\eraser.exe" [2009-06-10 334224]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-23 1809648]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-06-17 85160]
"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-23 12:58 352256 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 06:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ----a-r- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-29 23:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2009-06-23 10:48 19456 ----a-w- c:\windows\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 00:12 169984 ----a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 03:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 14:44 3883840 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaOviSuite2]
2009-12-10 14:05 401728 ----a-w- c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
c:\program files\PeerGuardian2\pg2.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 22:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2009-11-04 08:52 98304 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-31 13:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwiftToDoListLite]
2009-07-09 16:01 761856 ----a-w- c:\program files\Swift To-Do List\Swift To-Do List Lite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-12-02 15:00 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 23:00 90112 ----a-w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VF0060 STISvc]
2004-11-01 08:00 36864 ----a-w- c:\windows\system32\V0060Pin.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinsysMon]
c:\documents and settings\Devilgb\Application Data\Microsoft\GoogleUpdate.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XM2002]
c:\program files\IPPS\XM2002®\XM2002.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StarWindServiceAE"=2 (0x2)
"TVersityMediaServer"=3 (0x3)
"idsvc"=3 (0x3)
"wlidsvc"=2 (0x2)
"gusvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Adobe Version Cue CS4"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\ar3\\Data\\ra3_1.4.game"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"j:\\Vegas2\\Binaries\\R6Vegas2_Game.exe"=
"j:\\Vegas2\\Binaries\\R6Vegas2_Launcher.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"k:\\BFME2\\game.dat"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"k:\\Prototype\\prototypef.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\WNt500x86\\sandra.07.mui"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2010\\WNt500x86\\RpcSandraSrv.exe"=
"i:\\steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"d:\\Sacred 2\\system\\s2gs.exe"=
"d:\\Sacred 2\\system\\sacred2.exe"=
"j:\\Anno1404\\Anno4.exe"=
"j:\\Anno1404\\tools\\Anno4Web.exe"=
"i:\\steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"i:\\steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"j:\\Anno1404\\Addon.exe"=
"j:\\Anno1404\\tools\\AddonWeb.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-08-18 685816]
R3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.SYS [2009-06-23 99352]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-21 79360]
R3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.SYS [2009-06-23 555032]
R3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.SYS [2009-06-23 100888]
R3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.SYS [2009-06-23 100888]
R3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.SYS [2009-06-23 566296]
R4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2008-08-15 284016]
R4 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [2008-05-07 57344]
R4 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\ESSVR.EXE [2009-02-05 68136]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SYMEFA.SYS [2009-08-22 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\N360\0308000.029\BHDrvx86.sys [2009-08-22 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\N360\0308000.029\ccHPx86.sys [2009-08-22 482432]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20100402.001\IDSxpx86.sys [2009-10-28 329592]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
S2 AAV UpdateService;AAV UpdateService;c:\program files\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe [2008-10-24 128296]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [2009-08-22 117640]
S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.SYS [2009-06-23 99352]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.SYS [2009-06-23 555032]
S3 ctgame;Game Port;c:\windows\system32\DRIVERS\ctgame.sys [2002-12-30 12160]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.SYS [2009-06-23 566296]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-12-16 102448]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2009-09-28 14424]
S3 SaiH8000;SaiH8000;c:\windows\system32\DRIVERS\SaiH8000.sys [2008-04-04 136832]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
S3 V0060VID;Creative WebCam Live! Ultra;c:\windows\system32\DRIVERS\V0060Vid.sys [2005-02-02 196409]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 03:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mWindow Title =
IE: An vorhandene PDF-Datei anfügen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{ECC5777A-6E88-BFCE-13CE-81F134789E7B} - c:\program files\IPPS\XM2002®\XM2002.exe
FF - ProfilePath - c:\documents and settings\Devilgb\Application Data\Mozilla\Firefox\Profiles\0vh5bdno.default\
FF - prefs.js: browser.search.selectedEngine - Kiwee Live Search
FF - prefs.js: browser.startup.homepage - www.google.de
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29193&sbs=1&sc=2&f=web&vernum=1.0&uid=&did=f8d4a70c-98e2-4081-901d-01bf93043ede&q=
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Devilgb\Application Data\Mozilla\Firefox\Profiles\0vh5bdno.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Devilgb\Local Settings\Application Data\Yahoo!\BrowserPlus\2.6.0\Plugins\npybrowserplus_2.6.0.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\TabletPlugins\npwacom.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "hxxp://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
AddRemove-Web ImageGrabber 2 - c:\windows\cadkasdeinst01e.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-04-06 23:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, hxxp://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll tsk4.tmp pciide.sys >>UNKNOWN [0x8ADC08B4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> tsk4.tmp @ 0xb9e0f852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xb9cb9bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9cc6a21
SendHandler -> NDIS.sys @ 0xb9ca487b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"="system32\drivers\tsk4.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1450960922-1417001333-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:69,73,59,4e,25,67,75,48,54,ec,22,5b,27,40,b5,59,da,5f,a6,70,7b,16,cf,
42,27,7f,87,55,9b,10,f1,82,04,fc,ee,f5,27,d9,ab,28,0b,da,68,c1,3b,59,a6,11,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1547161642-1450960922-1417001333-1004\Software\SecuROM\License information*]
"datasecu"=hex:b9,b6,2a,33,ff,7f,0f,d3,bb,8a,1d,53,0f,2b,fc,af,cf,ab,74,ea,1d,
a4,0b,7f,a5,ee,08,0c,b3,88,19,96,99,ba,f5,4a,45,8e,6a,09,22,54,c7,7d,46,4e,\
"rkeysecu"=hex:6f,4c,84,de,7c,8f,c7,3d,2c,57,24,45,f8,8b,f9,ac
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1104)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\Devilgb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
c:\documents and settings\Devilgb\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(1164)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1596)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-04-07 00:04:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-06 22:03

Pre-Run: 30.928.560.128 bytes free
Post-Run: 30.939.951.104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 8370D55AB9BF45E8F244774AF3A4F761

Chris4You 07.04.2010 06:58

Hi,

do you have a boot CD for XP? atapi.sys has to be replaced by hand if neither ComboFix nor TDSSKiller manages it...
(Recovery Console: http://support.microsoft.com/kb/307654/de)

To do that, boot from the CD, switch to the Recovery Console (CMD) and copy by hand:

Code:

If present on the hard disk (atapi.sys lives in system32\drivers):
expand c:\WINDOWS\ServicePackFiles\i386\atapi.sy_ c:\windows\system32\drivers\atapi.sys
or, if from CD:
expand X:\i386\atapi.sy_ c:\windows\system32\drivers\atapi.sys

Where "X" is your CD/DVD drive!

Important: definitely boot from the CD, so that the driver is not running!

You then also have to copy the "fresh" atapi.sys onto "c:\windows\system32\drivers\tsk4.tmp"; that is what TDSSKiller did (it then still has to be straightened out in the registry). Don't forget this, otherwise the system may no longer start (the last known good configuration is no longer bootable as a result)...

After the correction, boot normally and immediately have the entire hard disk scanned and cleaned (best to go offline beforehand!)..

chris
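As an added illustration (not part of Chris4You's post or any tool mentioned here), the following Python check parses service registry entries and GMER hook lines in the shape quoted in the log above and flags a kernel driver served by a non-.sys file such as tsk4.tmp, plus a check that the atapi service points at the real driver again after the manual repair. The log excerpt is constructed.

```python
import re
# Constructed excerpt in the shape of the ComboFix / GMER output quoted in
# this thread (service registry dump plus the "detected MBR rootkit hooks" list).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\""
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\atapi]
"ImagePath"="system32\drivers\tsk4.tmp"
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\redbook]
"ImagePath"="system32\drivers\redbook.sys"
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\atapi -> tsk4.tmp @ 0xb9e0f852
"""
SERVICE_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$")
IMAGE_PATH = re.compile(r'^"ImagePath"="(.*)"$')
HOOK_LINE = re.compile(r"^\\Driver\\(\S+) -> (\S+) @ 0x[0-9a-fA-F]+$")

def parse_services(log):
    """Map service name -> ImagePath from the registry dump section."""
    services, current = {}, None
    for line in map(str.strip, log.splitlines()):
        if m := SERVICE_KEY.match(line):
            current = m.group(1)
        elif (m := IMAGE_PATH.match(line)) and current:
            services[current] = m.group(1)
    return services

def parse_hooks(log):
    """Map driver object (e.g. 'atapi') -> module that now serves its dispatch routines."""
    return {m.group(1): m.group(2)
            for line in log.splitlines() if (m := HOOK_LINE.match(line.strip()))}

def find_suspicious_drivers(log):
    """Flag drivers under system32\\drivers, or hooked driver objects, served by a non-.sys file."""
    findings = []
    for name, path in parse_services(log).items():
        p = path.lower()
        if p.startswith("system32\\drivers\\") and not p.endswith(".sys"):
            findings.append(f"service {name}: ImagePath {path} is not a .sys driver")
    for drv, module in parse_hooks(log).items():
        if not module.lower().endswith(".sys"):
            findings.append(f"\\Driver\\{drv} dispatched via {module}")
    return findings

def atapi_registry_ok(log):
    """After the manual repair, the atapi service must point at the real driver again."""
    return parse_services(log).get("atapi", "").lower() == "system32\\drivers\\atapi.sys"
```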

DevilGB 09.04.2010 12:23

Thanks Chris for the instructions. Unfortunately my computer gave up after all that and I had to reinstall. I wonder where these trojans always come from.

Chris4You 09.04.2010 13:25

Hi,

we haven't found that out yet either, probably a drive-by download...

atapi.sys is a Windows hard disk driver, i.e. if it no longer runs (correctly), Windows won't start either...

chris

ash phoenix 15.04.2010 18:42

The new trojan that uses the HTTP TIDSERV REQUEST 1 or 2 does infiltrate atapi.sys with its own code, but afterwards it is not detected by NORTON Internet Security 2010.
Norton only intercepts the internet connection, as does e.g. Malwarebytes.
On Norton's website you can search for Backdoor.Tidserv to find information. At Avira the trojan is also called TDSS.
You can get help from Kaspersky with TDSSKiller.exe (TDSS rootkit removing tool). If you put this tool on the desktop, run the following: "%userprofile%\Desktop\TDSSKiller.exe" -v

Unfortunately TDSSKiller can only help if exclusively atapi.sys was infected. Currently on XP an rpd***.sys in Win\System32 is being infected as well, which rewrites atapi.sys on every reboot.
An XP repair installation therefore doesn't help either. Even with the SARDU antivirus CD I couldn't fix the problem. Only removing the disk and running the virus scan from XP in another computer made short work of it. Be sure to run chkdsk afterwards.

Basically, in case of infection, you must first of all turn off System Restore.

The current source of the infection is a license.exe that is supposedly needed to install a missing codec.

Ash Phoenix :-)

Chris4You 16.04.2010 06:53

Hi,

can you get hold of the "license.exe"?
Please upload it here on Trojaner-Board (pack it with a password, put the password in the comment -> http://www.trojaner-board.de/54791-a...ner-board.html)...

atapi.sys is "infected" in memory; another driver is involved in that (e.g. redbook.sys etc.)... Therefore all infected drivers have to be "replaced" at the same time (which is generally "difficult" in a running system). TDSSKiller only finds atapi.sys as an object infected in memory; the file itself appears to be clean... (that was the case in one of my last threads...)

chris

ash phoenix 16.04.2010 08:45

Unfortunately I can't upload the "license.exe"; I simply can't remember the website where the download took place. The history in my browsers doesn't yield anything either, I did a big clean-up, sorry.

In any case the site had the form xx.com\*

So much for my recollection.
Regards Ash

Chris4You 16.04.2010 09:11

Pity...
Thanks & regards,
chris


All times are WET +1. It is now 05:00.

Copyright ©2000-2024, Trojaner-Board


