Trojaner-Board
Seite 2 von 3 1 2 3
100 Beiträge dieses Themas auf einer Seite anzeigen

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Ungewolltes automatisches Herunterfahren in Windows 7 (https://www.trojaner-board.de/90937-ungewolltes-automatisches-herunterfahren-windows-7-a.html)

moddin 23.09.2010 07:38
So, erstmal der GMER-Log, hat nun doch geklappt:

Code:
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-09-23 08:36:05
Windows 6.1.7600
Running: gtf1x42z.exe; Driver: C:\Users\***\AppData\Local\Temp\pgtyypow.sys


---- System - GMER 1.0.15 ----

SSDT      96F7DBDC                                                                                                            ZwCreateThread
SSDT      96F7DBC8                                                                                                            ZwOpenProcess
SSDT      96F7DBCD                                                                                                            ZwOpenThread
SSDT      96F7DBD7                                                                                                            ZwTerminateProcess

INT 0x1F  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            82032AF8
INT 0x37  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            82032104
INT 0xC1  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            820323F4
INT 0xD1  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            8201A634
INT 0xD2  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            8201A898
INT 0xDF  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            820321DC
INT 0xE1  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            82032958
INT 0xE3  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            820326F8
INT 0xFD  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            82032F2C
INT 0xFE  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)                            820331A8

---- Kernel code sections - GMER 1.0.15 ----

.text    ntoskrnl.exe!ZwSaveKeyEx + 13B1                                                                                      820848E9 1 Byte  [06]
.text    ntoskrnl.exe!KiDispatchInterrupt + 5A2                                                                              820A43D2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text    ntoskrnl.exe!KeRemoveQueueEx + 14C3                                                                                  820AB790 4 Bytes  [DC, DB, F7, 96]
.text    ntoskrnl.exe!KeRemoveQueueEx + 165F                                                                                  820AB92C 4 Bytes  [C8, DB, F7, 96] {ENTER 0xf7db, 0x96}
.text    ntoskrnl.exe!KeRemoveQueueEx + 167F                                                                                  820AB94C 4 Bytes  [CD, DB, F7, 96]
.text    ntoskrnl.exe!KeRemoveQueueEx + 192F                                                                                  820ABBFC 4 Bytes  [D7, DB, F7, 96] {XLATB ; FCOMI ST, ST(7); XCHG ESI, EAX}
.text    C:\Windows\system32\DRIVERS\nvlddmkm.sys                                                                            section is writeable [0x8E81D340, 0x3EE1D7, 0xE8000020]
.text    peauth.sys                                                                                                          98DA4C9D 28 Bytes  [D5, 76, 82, 0D, 11, 20, AE, ...]
.text    peauth.sys                                                                                                          98DA4CC1 28 Bytes  [D5, 76, 82, 0D, 11, 20, AE, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT      C:\Windows\system32\rundll32.exe[1328] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]                [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Windows\system32\rundll32.exe[1328] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]                [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Windows\system32\rundll32.exe[1328] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]              [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Windows\system32\rundll32.exe[1328] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]              [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Windows\System32\rundll32.exe[2772] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]                [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Windows\System32\rundll32.exe[2772] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]                [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Windows\System32\rundll32.exe[2772] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]              [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Windows\System32\rundll32.exe[2772] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]              [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Program Files\rmclock_235_bin\RMClock.exe[3164] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Program Files\rmclock_235_bin\RMClock.exe[3164] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]    [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Program Files\rmclock_235_bin\RMClock.exe[3164] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]    [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Program Files\rmclock_235_bin\RMClock.exe[3164] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Program Files\rmclock_235_bin\RMClock.exe[3164] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress]  [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)
IAT      C:\Program Files\rmclock_235_bin\RMClock.exe[3164] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]  [75E05E25] C:\Windows\system32\apphelp.dll (Clientbibliothek für Anwendungskompatibilität/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device    \Driver\BTHUSB \Device\0000008e                                                                                      bthport.sys (Bluetooth-Bustreiber/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0016cfdf7235                                         
Reg      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0016cfdf7235@002566b81f67                            0x48 0x53 0x2B 0x3D ...
Reg      HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0016cfdf7235@38e7d83f3269                            0xE8 0x8E 0x23 0x25 ...
Reg      HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0016cfdf7235 (not active ControlSet)                     
Reg      HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0016cfdf7235@002566b81f67                                0x48 0x53 0x2B 0x3D ...
Reg      HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0016cfdf7235@38e7d83f3269                                0xE8 0x8E 0x23 0x25 ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b  0x2E 0xE8 0xE1 0x00 ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b  0x6A 0x9C 0xD6 0x61 ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016  0xFF 0x7C 0x85 0xE0 ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48  0x3E 0x1E 0x9E 0xE0 ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472  0xCD 0x44 0xCD 0xB9 ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d  0x50 0x93 0xE5 0xAB ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b  0x31 0x77 0xE1 0xBA ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d  0x83 0x6C 0x56 0x8B ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3  0x51 0xFA 0x6E 0x91 ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b  0xB1 0xCD 0x45 0x5A ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6  0xF8 0x31 0x0F 0xA9 ...
Reg      HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32                                   
Reg      HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel                    Apartment
Reg      HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@                                  C:\Windows\system32\OLE32.DLL
Reg      HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2  0x05 0x73 0x21 0xDD ...

---- EOF - GMER 1.0.15 ----

moddin 23.09.2010 09:02
Und der OSAM-Log:

Code:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 10:00:08 on 23.09.2010

OS: Windows 7  (Build 7600), 32-bit
Default Browser: Mozilla Corporation Firefox 3.6.10

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"MagicKBD.cpl" - "SAMSUNG Electronics Co., Ltd." - C:\Windows\system32\MagicKBD.cpl
"PhysX.cpl" - "NVIDIA Corporation" - C:\Windows\system32\PhysX.cpl

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"adfs" (adfs) - ? - C:\Windows\system32\drivers\adfs.sys  (File not found)
"avgio" (avgio) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avgio.sys
"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys
"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys
"catchme" (catchme) - ? - C:\Users\***\AppData\Local\Temp\catchme.sys  (File not found)
"Dazzle DVC Audio Device" (emAudio) - "Pinnacle Systems GmbH" - C:\Windows\System32\drivers\emAudio.sys
"Dazzle DVC Video Device" (DCamUSBEMPIA) - "eMPIA Technology, Inc." - C:\Windows\System32\DRIVERS\emDevice.sys
"MEMIO" (DOSMEMIO) - ? - C:\Windows\system32\MEMIO.SYS  (File found, but it contains no detailed information)
"pgtyypow" (pgtyypow) - ? - C:\Users\***\AppData\Local\Temp\pgtyypow.sys  (Hidden registry entry, rootkit activity | File not found)
"Pinnacle Marvin Bus" (MarvinBus) - "Pinnacle Systems GmbH" - C:\Windows\System32\DRIVERS\MarvinBus.sys
"RTCore32" (RTCore32) - ? - C:\Program Files\rmclock_235_bin\RTCore32.sys  (File found, but it contains no detailed information)
"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys
"StarForce Protection Environment Driver (version 1.x)" (sfdrv01) - "Protection Technology (StarForce)" - C:\Windows\System32\drivers\sfdrv01.sys
"StarForce Protection Helper Driver (version 2.x)" (sfhlp02) - "Protection Technology (StarForce)" - C:\Windows\System32\drivers\sfhlp02.sys
"StarOpen" (StarOpen) - ? - C:\Windows\system32\drivers\StarOpen.sys  (File found, but it contains no detailed information)
"USB Device Lower Filter" (FiltUSBEMPIA) - "eMPIA Technology, Inc." - C:\Windows\System32\DRIVERS\emFilter.sys
"USB Still Image Capture Device" (ScanUSBEMPIA) - "eMPIA Technology, Inc." - C:\Windows\System32\DRIVERS\emScan.sys
"zlportio" (zlportio) - ? - C:\Program Files\UltraStar Deluxe\zlportio.sys  (File not found)

[Explorer]
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
{B2F55D43-C7A4-4B7C-90D7-7A860DFA9F2A} "PXCInfoShlExt Class" - "Tracker Software Products Ltd." - C:\Program Files\Tracker Software\Shell Extensions\XCShInfo.dll
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
-----( HKLM\Software\Classes\Protocols\Handler )-----
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
{828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
{828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----
{AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" - ? - C:\Program Files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
{CF822AB4-6DB5-4FDA-BC28-E61DF36D2583} "PDF-XChange PDF Preview Provider" - "Tracker Software Products Ltd." - C:\Program Files\Tracker Software\Shell Extensions\XCShInfo.dll
{67EB453C-1BE1-48EC-AAF3-23B10277FCC1} "PDF-XChange PDF Property Handler" - "Tracker Software Products Ltd." - C:\Program Files\Tracker Software\Shell Extensions\XCShInfo.dll
{EBD0B8F4-A9A0-41B7-9695-030CD264D9C8} "PDF-XChange PDF Thumbnail Provider" - "Tracker Software Products Ltd." - C:\Program Files\Tracker Software\Shell Extensions\XCShInfo.dll
{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll
{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} "Windows Live Photo Gallery Autoplay Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} "Windows Live Photo Gallery Editor Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} "Windows Live Photo Gallery Editor Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F30F90-3E96-453B-AFCD-D71989ECC2C7} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F33137-EE26-412F-8D71-F84E4C2C6625} "Windows Live Photo Gallery Viewer Autoplay Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{00F374B7-B390-4884-B372-2FC349F2172B} "Windows Live Photo Gallery Viewer Drop Target" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoGallery.exe
{00F346CB-35A4-465B-8B8F-65A29DBAB1F6} "Windows Live Photo Gallery Viewer Shim" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\PhotoViewerShim.dll
{06A2568A-CED6-4187-BB20-400B8C02BE5A} "{06A2568A-CED6-4187-BB20-400B8C02BE5A}" - "Microsoft Corporation" - C:\Program Files\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe
XCShInfo "{B2F55D43-C7A4-4B7C-90D7-7A860DFA9F2A}" - ? -  (File not found | COM-object registry key not found)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
ITBar7Height "ITBar7Height" - ? -  (File not found | COM-object registry key not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{5C255C8A-E604-49b4-9D64-90988571CECB} "{5C255C8A-E604-49b4-9D64-90988571CECB}" - ? -  (File not found | COM-object registry key not found)

[Logon]
-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----
"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"Power2GoExpress" - ? - NA  (File not found)
"RMClock" - "NGO Science Center "RightMark"" - "C:\Program Files\rmclock_235_bin\RMClockLauncher.exe"
"{EB31E8EB-2A84-7984-E0CB-B9A575D30B4E}" - ? - C:\Users\***\AppData\Roaming\Qievq\kumy.exe  (File not found)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Adobe ARM" - "Adobe Systems Incorporated" - "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher" - "Adobe Systems Incorporated" - "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
"MagicKeyboard" - ? - C:\Programme\SAMSUNG\MagicKBD\PreMKBD.exe
"RemoteControl" - "Cyberlink Corp." - C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
"Start WingMan Profiler" - "Logitech Inc." - C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Redirected Port" - ? - C:\Windows\system32\redmonnt.dll  (File found, but it contains no detailed information)

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"Akamai NetSession Interface" (Akamai) - ? - c:\program files\common files\akamai\netsession_win_062a651.dll  (File found, but it contains no detailed information)
"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"Cyberlink RichVideo Service(CRVS)" (RichVideo) - ? - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
"Microsoft .NET Framework NGEN v4.0.30319_X86" (clr_optimization_v4.0.30319_32) - "Microsoft Corporation" - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

moddin 23.09.2010 09:23
Die bootkit-remover.exe (eine remover.exe war da nicht in dem Archiv) sagt:

"[...]
Boot secot MD5 is: e5e88[...]

Size Device Name MBR Status
------------------------------------------------
86 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code [...]
Done;
Press any key to quit..."

cosinus 23.09.2010 09:25
Downloade Dir bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.
  • Doppelklick auf die MBRCheck.exe.
    Vista und Win7 User mit Rechtsklick "als Administrator starten"
  • Das Tool braucht nur eine Sekunde.
  • Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.
Poste mir bitte den Inhalt des .txt Dokumentes

moddin 23.09.2010 11:52
Also stimmt was mit dem Rootkit nicht? Hier der Log von MBRCheck.exe:


Code:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:           
Windows Version:        Windows 7 Professional
Windows Information:        (build 7600), 32-bit
Logical Drives Mask:        0x0000001c

Kernel Drivers (total 184):
  0x82012000 \SystemRoot\system32\ntoskrnl.exe
  0x82412000 \SystemRoot\system32\halmacpi.dll
  0x80B9C000 \SystemRoot\system32\kdcom.dll
  0x89832000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
  0x898AA000 \SystemRoot\system32\PSHED.dll
  0x898BB000 \SystemRoot\system32\BOOTVID.dll
  0x898C3000 \SystemRoot\system32\CLFS.SYS
  0x89905000 \SystemRoot\system32\CI.dll
  0x899B0000 \SystemRoot\system32\drivers\Wdf01000.sys
  0x89A21000 \SystemRoot\system32\drivers\WDFLDR.SYS
  0x89A2F000 \SystemRoot\system32\DRIVERS\ACPI.sys
  0x89A77000 \SystemRoot\system32\DRIVERS\WMILIB.SYS
  0x89A80000 \SystemRoot\system32\DRIVERS\msisadrv.sys
  0x89A88000 \SystemRoot\system32\DRIVERS\pci.sys
  0x89AB2000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
  0x89ABD000 \SystemRoot\System32\drivers\partmgr.sys
  0x89ACE000 \SystemRoot\system32\DRIVERS\compbatt.sys
  0x89AD6000 \SystemRoot\system32\DRIVERS\BATTC.SYS
  0x89AE1000 \SystemRoot\system32\DRIVERS\volmgr.sys
  0x89AF1000 \SystemRoot\System32\drivers\volmgrx.sys
  0x89B3C000 \SystemRoot\system32\DRIVERS\intelide.sys
  0x89B43000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
  0x89B51000 \SystemRoot\system32\DRIVERS\pcmcia.sys
  0x89B7F000 \SystemRoot\System32\drivers\mountmgr.sys
  0x89B95000 \SystemRoot\system32\DRIVERS\atapi.sys
  0x89B9E000 \SystemRoot\system32\DRIVERS\ataport.SYS
  0x89BC1000 \SystemRoot\system32\DRIVERS\amdxata.sys
  0x89BCA000 \SystemRoot\system32\drivers\fltmgr.sys
  0x89800000 \SystemRoot\system32\drivers\fileinfo.sys
  0x89C3D000 \SystemRoot\System32\Drivers\Ntfs.sys
  0x89D6C000 \SystemRoot\System32\Drivers\msrpc.sys
  0x89D97000 \SystemRoot\System32\Drivers\ksecdd.sys
  0x89DAA000 \SystemRoot\System32\Drivers\cng.sys
  0x89E07000 \SystemRoot\System32\drivers\pcw.sys
  0x89E15000 \SystemRoot\System32\Drivers\Fs_Rec.sys
  0x89E1E000 \SystemRoot\system32\drivers\ndis.sys
  0x89ED5000 \SystemRoot\system32\drivers\NETIO.SYS
  0x89F13000 \SystemRoot\System32\Drivers\ksecpkg.sys
  0x8A004000 \SystemRoot\System32\drivers\tcpip.sys
  0x8A14D000 \SystemRoot\System32\drivers\fwpkclnt.sys
  0x8A17E000 \SystemRoot\system32\DRIVERS\vmstorfl.sys
  0x8A187000 \SystemRoot\system32\DRIVERS\volsnap.sys
  0x8A1C6000 \SystemRoot\System32\Drivers\spldr.sys
  0x8A1CE000 \SystemRoot\System32\drivers\sfhlp02.sys
  0x8A1D6000 \SystemRoot\System32\drivers\sfdrv01.sys
  0x8A1E9000 \SystemRoot\System32\drivers\rdyboost.sys
  0x8A216000 \SystemRoot\System32\Drivers\mup.sys
  0x8A226000 \SystemRoot\System32\drivers\hwpolicy.sys
  0x8A22E000 \SystemRoot\System32\DRIVERS\fvevol.sys
  0x8A260000 \SystemRoot\system32\DRIVERS\disk.sys
  0x8A271000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
  0x8A2C8000 \SystemRoot\system32\DRIVERS\cdrom.sys
  0x8A2E7000 \SystemRoot\System32\Drivers\Null.SYS
  0x8A2EE000 \SystemRoot\System32\Drivers\Beep.SYS
  0x8A2F5000 \SystemRoot\System32\drivers\vga.sys
  0x8A301000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
  0x8A322000 \SystemRoot\System32\drivers\watchdog.sys
  0x8A32F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
  0x8A337000 \SystemRoot\system32\drivers\rdpencdd.sys
  0x8A33F000 \SystemRoot\system32\drivers\rdprefmp.sys
  0x8A347000 \SystemRoot\System32\Drivers\Msfs.SYS
  0x8A352000 \SystemRoot\System32\Drivers\Npfs.SYS
  0x8A360000 \SystemRoot\system32\DRIVERS\tdx.sys
  0x8A377000 \SystemRoot\system32\DRIVERS\TDI.SYS
  0x8A382000 \SystemRoot\system32\drivers\afd.sys
  0x89F38000 \SystemRoot\System32\DRIVERS\netbt.sys
  0x8A3DC000 \SystemRoot\system32\DRIVERS\wfplwf.sys
  0x89F6A000 \SystemRoot\system32\DRIVERS\pacer.sys
  0x8A3E3000 \SystemRoot\system32\DRIVERS\netbios.sys
  0x89F89000 \SystemRoot\system32\DRIVERS\serial.sys
  0x8A3F1000 \SystemRoot\System32\Drivers\StarOpen.SYS
  0x89FA3000 \SystemRoot\system32\DRIVERS\wanarp.sys
  0x89FB6000 \SystemRoot\system32\DRIVERS\termdd.sys
  0x8A3F7000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
  0x8CC31000 \SystemRoot\system32\DRIVERS\rdbss.sys
  0x8CC72000 \SystemRoot\system32\drivers\nsiproxy.sys
  0x8CC7C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
  0x8CC86000 \SystemRoot\System32\drivers\discache.sys
  0x8CC92000 \SystemRoot\system32\drivers\csc.sys
  0x8CCF6000 \SystemRoot\System32\Drivers\dfsc.sys
  0x8CD0E000 \SystemRoot\system32\DRIVERS\blbdrive.sys
  0x8CD1C000 \SystemRoot\system32\DRIVERS\avipbb.sys
  0x8CD38000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
  0x8CD3A000 \SystemRoot\system32\DRIVERS\tunnel.sys
  0x8CD5B000 \SystemRoot\system32\DRIVERS\intelppm.sys
  0x8CD6D000 \SystemRoot\system32\DRIVERS\CmBatt.sys
  0x8E831000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
  0x8CD71000 \SystemRoot\System32\drivers\dxgkrnl.sys
  0x8EF63000 \SystemRoot\System32\drivers\dxgmms1.sys
  0x8EF9C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
  0x8F426000 \SystemRoot\system32\DRIVERS\netw5v32.sys
  0x8F839000 \SystemRoot\system32\DRIVERS\b57nd60x.sys
  0x8F875000 \SystemRoot\system32\DRIVERS\usbuhci.sys
  0x8F880000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
  0x8F8CB000 \SystemRoot\system32\DRIVERS\usbehci.sys
  0x8F8DA000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
  0x8F8EB000 \SystemRoot\system32\DRIVERS\1394ohci.sys
  0x8F917000 \SystemRoot\system32\DRIVERS\sdbus.sys
  0x8F930000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
  0x8F938000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
  0x8F945000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
  0x8F996000 \SystemRoot\system32\DRIVERS\serenum.sys
  0x8F9A0000 \SystemRoot\system32\DRIVERS\parport.sys
  0x8F9B8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
  0x8F9D0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
  0x8F9DD000 \SystemRoot\system32\DRIVERS\mouclass.sys
  0x8F9EA000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
  0x8F9F7000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
  0x8FA09000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
  0x8FA21000 \SystemRoot\system32\DRIVERS\ndistapi.sys
  0x8FA2C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
  0x8FA4E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
  0x8FA66000 \SystemRoot\system32\DRIVERS\raspptp.sys
  0x8FA7D000 \SystemRoot\system32\DRIVERS\rassstp.sys
  0x8FA94000 \SystemRoot\system32\DRIVERS\rdpbus.sys
  0x8FA9E000 \SystemRoot\system32\DRIVERS\swenum.sys
  0x8FAA0000 \SystemRoot\system32\DRIVERS\ks.sys
  0x8FAD4000 \SystemRoot\system32\drivers\WmBEnum.sys
  0x8FAD8000 \SystemRoot\system32\drivers\WmXlCore.sys
  0x8FAE7000 \SystemRoot\system32\DRIVERS\umbus.sys
  0x8FAF5000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
  0x8FAFE000 \SystemRoot\system32\DRIVERS\usbhub.sys
  0x8FB42000 \SystemRoot\System32\Drivers\NDProxy.SYS
  0x8FB53000 \SystemRoot\system32\drivers\ADIHdAud.sys
  0x8FBA8000 \SystemRoot\system32\drivers\portcls.sys
  0x8FBD7000 \SystemRoot\system32\drivers\drmk.sys
  0x8CE28000 \SystemRoot\system32\DRIVERS\AGRSM.sys
  0x8FBF0000 \SystemRoot\system32\DRIVERS\USBD.SYS
  0x8FBF2000 \SystemRoot\system32\drivers\modem.sys
  0x8E460000 \SystemRoot\System32\win32k.sys
  0x8F400000 \SystemRoot\System32\drivers\Dxapi.sys
  0x8F40A000 \SystemRoot\System32\Drivers\BTHUSB.sys
  0x8CF2E000 \SystemRoot\System32\Drivers\bthport.sys
  0x8EFBB000 \SystemRoot\System32\Drivers\crashdmp.sys
  0x8EFC8000 \SystemRoot\System32\Drivers\dump_dumpata.sys
  0x8F41C000 \SystemRoot\System32\Drivers\dump_atapi.sys
  0x8EFD3000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
  0x8E800000 \SystemRoot\system32\DRIVERS\rfcomm.sys
  0x8E824000 \SystemRoot\system32\DRIVERS\BthEnum.sys
  0x8EFE4000 \SystemRoot\system32\DRIVERS\bthpan.sys
  0x8CF92000 \SystemRoot\system32\DRIVERS\bthmodem.sys
  0x8CFA4000 \SystemRoot\system32\DRIVERS\usbccgp.sys
  0x8CFBB000 \SystemRoot\System32\Drivers\LUsbFilt.Sys
  0x8CFC1000 \SystemRoot\system32\DRIVERS\hidusb.sys
  0x8CFCC000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
  0x8CFDF000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
  0x8CFE6000 \SystemRoot\system32\DRIVERS\kbdhid.sys
  0x8CFF2000 \SystemRoot\system32\DRIVERS\mouhid.sys
  0x8CC00000 \SystemRoot\system32\DRIVERS\monitor.sys
  0x8E6C0000 \SystemRoot\System32\TSDDD.dll
  0x8E6F0000 \SystemRoot\System32\cdd.dll
  0x8E710000 \SystemRoot\System32\ATMFD.DLL
  0x8CC0B000 \SystemRoot\system32\drivers\luafv.sys
  0x8A296000 \SystemRoot\system32\DRIVERS\avgntflt.sys
  0x8A2AA000 \SystemRoot\system32\drivers\WudfPf.sys
  0x8F425000 \??\C:\Windows\system32\MEMIO.SYS
  0x89FC6000 \SystemRoot\system32\DRIVERS\lltdio.sys
  0x99018000 \SystemRoot\system32\DRIVERS\nwifi.sys
  0x9905E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
  0x9906E000 \SystemRoot\system32\DRIVERS\rspndr.sys
  0x99081000 \SystemRoot\system32\drivers\HTTP.sys
  0x99106000 \SystemRoot\system32\DRIVERS\bowser.sys
  0x9911F000 \SystemRoot\System32\drivers\mpsdrv.sys
  0x99131000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
  0x99154000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
  0x9918F000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
  0x991AA000 \SystemRoot\system32\DRIVERS\parvdm.sys
  0x991B1000 \SystemRoot\system32\drivers\peauth.sys
  0x99248000 \SystemRoot\System32\Drivers\secdrv.SYS
  0x99252000 \SystemRoot\System32\DRIVERS\srvnet.sys
  0x99273000 \SystemRoot\System32\drivers\tcpipreg.sys
  0x99280000 \SystemRoot\System32\DRIVERS\srv2.sys
  0x992CF000 \SystemRoot\System32\DRIVERS\srv.sys
  0x99320000 \SystemRoot\System32\drivers\rdpdr.sys
  0x99345000 \SystemRoot\system32\drivers\tdtcp.sys
  0x9934F000 \SystemRoot\System32\DRIVERS\tssecsrv.sys
  0x9935C000 \SystemRoot\System32\Drivers\RDPWD.SYS
  0x9938D000 \??\C:\Program Files\rmclock_235_bin\RTCore32.sys
  0x9938F000 \SystemRoot\system32\drivers\WmVirHid.sys
  0x99000000 \SystemRoot\system32\DRIVERS\asyncmac.sys
  0x77D50000 \Windows\System32\ntdll.dll
  0x47630000 \Windows\System32\smss.exe
  0x77F90000 \Windows\System32\apisetschema.dll
  0x005E0000 \Windows\System32\autochk.exe

Processes (total 53):
      0 System Idle Process
      4 System
    260 C:\Windows\System32\smss.exe
    408 csrss.exe
    472 C:\Windows\System32\wininit.exe
    484 csrss.exe
    528 C:\Windows\System32\services.exe
    544 C:\Windows\System32\lsass.exe
    552 C:\Windows\System32\lsm.exe
    608 C:\Windows\System32\winlogon.exe
    696 C:\Windows\System32\svchost.exe
    780 C:\Windows\System32\nvvsvc.exe
    816 C:\Windows\System32\svchost.exe
    888 C:\Windows\System32\svchost.exe
    976 C:\Windows\System32\svchost.exe
    1004 C:\Windows\System32\svchost.exe
    1156 C:\Windows\System32\svchost.exe
    1240 C:\Windows\System32\rundll32.exe
    1332 C:\Windows\System32\svchost.exe
    1496 C:\Windows\System32\spoolsv.exe
    1524 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1544 C:\Windows\System32\svchost.exe
    1668 C:\Windows\System32\svchost.exe
    1688 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1780 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    1820 C:\Windows\System32\svchost.exe
    648 C:\Windows\System32\taskhost.exe
    2100 C:\Windows\System32\dwm.exe
    2108 C:\Windows\explorer.exe
    2268 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    2288 C:\Program Files\Analog Devices\Core\smax4pnp.exe
    2320 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    2464 C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
    2568 C:\Windows\vsnpstd3.exe
    2588 C:\Windows\System32\rundll32.exe
    2684 C:\Program Files\Logitech\Gaming Software\LWEMon.exe
    2780 C:\Windows\System32\svchost.exe
    2916 C:\Program Files\rmclock_235_bin\RMClock.exe
    3128 C:\Windows\System32\svchost.exe
    3400 C:\Windows\System32\SearchIndexer.exe
    3432 C:\Windows\System32\svchost.exe
    3736 C:\Program Files\Windows Media Player\wmpnetwk.exe
    1808 C:\Windows\System32\svchost.exe
    3608 C:\Windows\System32\svchost.exe
    2968 WmiPrvSE.exe
    3040 C:\Windows\System32\audiodg.exe
    1792 C:\Program Files\Mozilla Firefox\firefox.exe
    2456 C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    400 C:\Windows\System32\SearchProtocolHost.exe
    3364 C:\Windows\System32\SearchFilterHost.exe
    2972 C:\Users\***\Desktop\MBRCheck.exe
    3572 C:\Windows\System32\conhost.exe
    4080 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`db25fe00  (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00  (NTFS)

PhysicalDrive0 Model Number: FUJITSUMHV2100AHPL, Rev: 004200A0

      Size  Device Name          MBR Status
  --------------------------------------------
    86 GB  \\.\PhysicalDrive0  Unknown MBR code
            SHA1: 6D61FEAC602504E395BE6E8D05DCA1B7696845F7


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

cosinus 23.09.2010 12:02
Edit: gelöscht, da moddin Ubuntu parallel installiert hat :)

moddin 23.09.2010 12:08
OK, mach ich gleich. Kurze Frage vorher noch: Den Bootloader, der von Ubuntu stammt und der meines Wissens auch im MBR steht, verliere ich dadurch? Oder wird daran nichts geändert?

cosinus 23.09.2010 12:12
Oh, Du hast ein Ubuntu parallel installiert? Dann darfste den MBR-Fix natürlich nicht machen, das erklärt auch einen unbekannten MBR! Ignorier die Anleitung mit dem MBR-Fix!

Der Rest sieht soweit ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SASW und poste die Logs.
Denk dran beide Tools zu updaten vor dem Scan!!

moddin 23.09.2010 13:54
So, ein paar Sachen hat Anti-Malware wieder gefunden. Was nun? Trotzdem SUPERAntispyware anwerfen?

Code:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4675

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

23.09.2010 14:52:46
mbam-log-2010-09-23 (14-52-46).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|E:\|)
Durchsuchte Objekte: 380558
Laufzeit: 1 Stunde(n), 36 Minute(n), 40 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 2

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{eb31e8eb-2a84-7984-e0cb-b9a575d30b4e} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Qoobox\Quarantine\C\Users\***\AppData\Roaming\Qievq\kumy.exe.vir (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Users\***\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\75f6fc65-675bdeee (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

cosinus 23.09.2010 15:11
Ein Fund war ein Überrest in der Registry, einer im Quarantäneordner von CF (das ist folgerichtig und in der Quarantäne sind die Dinger harmlos weil isoliert) und ein harmloser im Javacache.

Mach mit SASW bitte weiter.

moddin 23.09.2010 17:50
Alles klar, also jetzt der Log von SUPERAntiSpyware:

Code:
SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 09/23/2010 at 06:32 PM

Application Version : 4.43.1000

Core Rules Database Version : 5564
Trace Rules Database Version: 3376

Scan type      : Complete Scan
Total Scan Time : 02:13:49

Memory items scanned      : 631
Memory threats detected  : 0
Registry items scanned    : 8952
Registry threats detected : 0
File items scanned        : 234828
File threats detected    : 1

Adware.Tracking Cookie
    secure-us.imrworldwide.com [ C:\Users\***\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\MBH5GAUA ]

cosinus 23.09.2010 19:15
Sieht ok aus, da wurden nur Cookies gefunden.
Noch Probleme oder weitere Funde in der Zwischenzeit?

moddin 24.09.2010 10:30
Bisher nichts, toi toi toi! Ich warte nochmal ein paar Tage ab, ob der ursprüngliche Fehler wieder auftritt und mach zwischendurch immer mal wieder Scans mit Anti-Malware.

cosinus 24.09.2010 11:02
Wir sind dann durch! :)

Bitte abschließend die Updates prüfen, unten mein Leitfaden dazu.
Für noch mehr Sicherheit solltest Du nach der beseitigten Infektion auch möglichst alle Passwörter ändern.


Microsoftupdate

Windows XP: Besuch mit dem IE die MS-Updateseite und lass Dir alle wichtigen Updates installieren.

Windows Vista/7: Anleitung Windows-Update



PDF-Reader aktualisieren
Dein Adobe Reader ist nicht aktuell, was ein großes Sicherheitsrisiko darstellt. Du solltest daher besser die alte Version über Systemsteuerung => Software deinstallieren, indem Du dort auf "Adobe Reader x.0" klickst und das Programm entfernst.

Ich empfehle einen alternativen PDF-Reader wie SumatraPDF oder Foxit PDF Reader, beide sind sehr viel schlanker und flotter als der AdobeReader.

Bitte überprüf bei der Gelegenheit auch die Aktualität des Flashplayers, hier der direkte Downloadlink => http://filepony.de/?q=Flash+Player


Java-Update
Veraltete Java-Installationen sind ein Sicherheitsrisiko, daher solltest Du die alten Versionen löschen (falls vorhanden, am besten mit JavaRa) und auf die neuste aktualisieren. Beende dazu alle Programme (v.a. die Browser), klick danach auf Start, Systemsteuerung, Software und deinstalliere darüber alle aufgelisteten Java-Versionen. Lad Dir danach von hier das aktuelle Java SE Runtime Environment (JRE) herunter und installiere es.

moddin 24.09.2010 11:56
Die Ordner C:\_OTL_ und C:\Qoobox brauch ich dann auch nicht mehr, oder sollte man die vorsichtshalber behalten?


Alle Zeitangaben in WEZ +1. Es ist jetzt 17:11 Uhr.
Seite 2 von 3 1 2 3
100 Beiträge dieses Themas auf einer Seite anzeigen

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131