Trojaner-Board - tr/crypt.zpack.gen2

Trojaner-Board (https://www.trojaner-board.de/)

- Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)

- - tr/crypt.zpack.gen2 (https://www.trojaner-board.de/97536-tr-crypt-zpack-gen2.html)

Dann bitte jetzt CF ausführen:

ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir ComboFix hier herunter auf deinen Desktop. Benenne es beim Runterladen um in cofi.exe.

http://saved.im/mtm0nzyzmzd5/cofi.jpg

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Schliesse alle Programme, vor allem dein Antivirenprogramm und andere Hintergrundwächter sowie deinen Internetbrowser.

Starte cofi.exe von deinem Desktop aus, bestätige die Warnmeldungen, führe die Updates durch (falls vorgeschlagen), installiere die Wiederherstellungskonsole (falls vorgeschlagen) und lass dein System durchsuchen.
Vermeide es auch während Combofix läuft die Maus und Tastatur zu benutzen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte kopieren ([Strg]a, [Strg]c) und in deinen Beitrag einfügen ([Strg]v). Die Datei findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Erstmal vielen Dank, dass du immer noch Geduld hierfür hast!! :) :dankeschoen:

Hier das Combofix Log. Allerdings findet Malwarebytes immer noch die zwei Trojaner...könnte es sich denn dabei um einen Fehlalarm handeln? Denn Malwarebytes findet die Dinger ja nur wenn es NICHT als Admin ausführe (Logs wie vorher gepostet)...

Combofix Logfile:

Code:

ComboFix 11-04-21.02 - Admin 21.04.2011  21:28:44.1.2 - x86

Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.49.1031.18.2813.1825 [GMT 2:00]

ausgeführt von:: c:\users\Stewen\Documents\Desktop\cofi.exe

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Admin\AppData\Roaming\inst.exe

c:\windows\system32\drivers\FSC__RC__AMILO Notebook Pa 3515  __FUJITSU SIEMENS_P1   __Ver 1.00PARTTBL_FSC - 6040000_V1.13   .MRK

c:\windows\system32\Ijl11.dll

c:\windows\system32\Temp

.

.

(((((((((((((((((((((((   Dateien erstellt von 2011-03-21 bis 2011-04-21  ))))))))))))))))))))))))))))))

.

.

2011-04-21 19:15 . 2011-04-21 19:15        --------        d-----w-        c:\program files\CCleaner

2011-04-21 19:12 . 2011-04-21 19:14        --------        d-----w-        c:\users\Admin\AppData\Local\Google

2011-04-21 09:30 . 2011-04-21 17:26        --------        d-----w-        c:\programdata\Skype Extras

2011-04-21 09:30 . 2011-04-21 09:30        --------        d-----w-        c:\program files\Common Files\Skype

2011-04-21 09:30 . 2011-04-21 09:30        --------        d-----r-        c:\program files\Skype

2011-04-20 16:57 . 2011-04-20 16:57        --------        d-----w-        C:\_OTL

2011-04-19 19:44 . 2010-12-20 16:09        38224        ----a-w-        c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-19 19:43 . 2010-12-20 16:08        20952        ----a-w-        c:\windows\system32\drivers\mbam.sys

2011-04-19 19:12 . 2011-04-19 19:12        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin4.dll

2011-04-19 19:12 . 2011-04-19 19:12        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin3.dll

2011-04-19 19:12 . 2011-04-19 19:12        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin2.dll

2011-04-19 19:12 . 2011-04-19 19:12        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin.dll

2011-04-19 19:10 . 2011-04-19 19:10        --------        d-----w-        c:\programdata\Apple Computer

2011-04-19 19:06 . 2011-04-19 19:06        --------        d-----w-        c:\users\Admin\AppData\Local\Apple

2011-04-19 19:06 . 2011-04-19 19:06        --------        d-----w-        c:\program files\Apple Software Update

2011-04-19 18:14 . 2011-04-19 18:14        --------        d-----w-        c:\program files\Common Files\Java

2011-04-18 01:05 . 2011-04-18 01:05        --------        d-----w-        c:\users\Default\AppData\Local\Microsoft Help

2011-04-17 15:37 . 2011-04-21 17:16        --------        d-----w-        c:\users\Stewen\Tracing

2011-04-17 15:36 . 2011-04-17 15:36        --------        d-----w-        c:\program files\Microsoft

2011-04-17 15:36 . 2011-04-17 15:36        --------        d-----w-        c:\program files\Windows Live SkyDrive

2011-04-17 15:04 . 2011-04-17 15:06        --------        dcsh--w-        c:\program files\Common Files\WindowsLiveInstaller

2011-04-17 15:03 . 2011-04-17 15:35        --------        d-----w-        c:\program files\Windows Live

2011-04-17 15:03 . 2011-04-17 15:03        --------        d-----w-        c:\programdata\WLInstaller

2011-04-15 19:18 . 2011-04-15 19:18        --------        d-----w-        c:\users\Admin\AppData\Roaming\skypePM

2011-04-15 17:26 . 2011-04-15 17:26        --------        d-----w-        c:\users\Admin\AppData\Roaming\Avira

2011-04-14 20:08 . 2011-04-14 20:08        --------        d-----w-        c:\program files\Common Files\Deterministic Networks

2011-04-14 20:08 . 2011-04-14 20:08        --------        d-----w-        c:\program files\Cisco Systems

2011-04-11 19:22 . 2011-04-11 19:22        --------        d-----w-        c:\program files\Common Files\Windows Live

2011-04-03 23:31 . 2009-10-23 17:10        714240        ----a-w-        c:\windows\system32\timedate.cpl

2011-04-03 23:31 . 2010-08-26 16:34        1696256        ----a-w-        c:\windows\system32\gameux.dll

2011-04-03 23:31 . 2010-08-26 16:33        28672        ----a-w-        c:\windows\system32\Apphlpdm.dll

2011-04-03 23:31 . 2010-08-26 14:23        4240384        ----a-w-        c:\windows\system32\GameUXLegacyGDFs.dll

2011-04-03 23:31 . 2011-01-06 10:51        2409784        ----a-w-        c:\program files\Windows Mail\OESpamFilter.dat

2011-04-03 23:30 . 2009-09-10 14:58        1418752        ----a-w-        c:\program files\Windows Media Player\setup_wm.exe

2011-04-03 23:30 . 2009-09-10 14:58        310784        ----a-w-        c:\windows\system32\unregmp2.exe

2011-04-03 23:29 . 2011-02-22 13:33        1068544        ----a-w-        c:\windows\system32\DWrite.dll

2011-04-03 23:29 . 2011-02-22 13:33        797696        ----a-w-        c:\windows\system32\FntCache.dll

2011-04-03 23:29 . 2011-01-20 16:08        160768        ----a-w-        c:\windows\system32\d3d10_1.dll

2011-04-03 23:29 . 2011-01-20 16:08        1029120        ----a-w-        c:\windows\system32\d3d10.dll

2011-04-03 23:29 . 2011-01-20 14:12        1172480        ----a-w-        c:\windows\system32\d3d10warp.dll

2011-04-03 23:29 . 2011-01-20 13:47        683008        ----a-w-        c:\windows\system32\d2d1.dll

2011-04-03 23:29 . 2011-02-22 14:13        288768        ----a-w-        c:\windows\system32\XpsGdiConverter.dll

2011-04-03 23:29 . 2011-01-20 16:08        219648        ----a-w-        c:\windows\system32\d3d10_1core.dll

2011-04-03 23:29 . 2011-01-20 16:08        189952        ----a-w-        c:\windows\system32\d3d10core.dll

2011-04-03 23:29 . 2011-01-20 14:11        486400        ----a-w-        c:\windows\system32\d3d10level9.dll

2011-04-01 12:13 . 2011-04-01 12:13        --------        d-----w-        c:\programdata\Tunngle

2011-04-01 11:30 . 2011-04-01 11:32        --------        d-----w-        c:\windows\system32\ca-ES

2011-04-01 11:30 . 2011-04-01 11:31        --------        d-----w-        c:\windows\system32\eu-ES

2011-04-01 11:30 . 2011-04-01 11:31        --------        d-----w-        c:\windows\system32\vi-VN

2011-04-01 11:21 . 2011-04-01 11:21        --------        d-----w-        c:\windows\system32\SPReview

2011-04-01 11:06 . 2009-04-10 21:28        928768        ----a-w-        c:\windows\system32\scavenge.dll

2011-04-01 11:04 . 2009-04-10 21:28        97792        ----a-w-        c:\windows\system32\oleprn.dll

2011-04-01 11:03 . 2009-04-10 21:28        87040        ----a-w-        c:\windows\system32\mssitlb.dll

2011-04-01 10:51 . 2011-04-01 10:51        --------        d-----w-        c:\windows\system32\EventProviders

2011-03-29 20:16 . 2011-03-29 20:16        --------        d-----w-        c:\users\Admin\AppData\Roaming\CheckPoint

2011-03-25 17:34 . 2011-03-25 17:36        --------        d-----w-        c:\users\Stewen\AppData\Local\Microsoft Games

.

.

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-23 23:25 . 2010-03-26 10:29        137656        ----a-w-        c:\windows\system32\drivers\avipbb.sys

2011-02-18 16:28 . 2010-08-03 21:34        46592        ----a-w-        c:\windows\system32\vsutil_loc0407.dll

2011-02-02 19:40 . 2010-07-24 06:22        472808        ----a-w-        c:\windows\system32\deployJava1.dll

.

.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-10 2153472]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-04-18 15146376]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2008-03-26 188416]

"WisKeyState"="c:\program files\Launch Manager\WisKeyState.exe" [2008-03-07 208896]

"LMgrVolOSD"="c:\program files\Launch Manager\OSD.exe" [2008-03-03 258048]

"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2007-12-25 241664]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 09:44        31072        ----a-w-        c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2010-12-20 16:08        963976        ----a-w-        d:\programme\Malwarebytes' Anti-Malware\mbam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 15:38        421888        ----a-w-        d:\programme\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-04-18 15:30        15146376        ----a-r-        c:\program files\Skype\Phone\Skype.exe

.

R2 gupdate1c9ae33210dd6d0;Google Update Service (gupdate1c9ae33210dd6d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 133104]

R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]

R3 naecd;naecd;c:\users\Stewen\AppData\Local\Temp\naecd.sys [x]

R4 avmike;AVM FRITZ!Fernzugang IKE Service;c:\program files\FRITZ!Fernzugang\avmike.exe [2010-03-30 254328]

R4 certsrv;AVM FRITZ!Fernzugang Cert Service;c:\program files\FRITZ!Fernzugang\certsrv.exe [2010-03-30 121720]

R4 nwtsrv;AVM FRITZ!Fernzugang Client;c:\program files\FRITZ!Fernzugang\nwtsrv.exe [2010-03-30 153464]

S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]

S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]

S3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2008-01-15 118784]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs        REG_MULTI_SZ           BthServ

getPlusHelper        REG_MULTI_SZ           getPlusHelper

LocalServiceAndNoImpersonation        REG_MULTI_SZ           FontCache

.

Inhalt des "geplante Tasks" Ordners

.

2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 16:51]

.

2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 16:51]

.

2011-04-21 c:\windows\Tasks\User_Feed_Synchronization-{6B2082CD-3395-4E15-9AF9-67CFF8F30DCC}.job

- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]

.

.

------- Zusätzlicher Suchlauf -------

.

uStart Page = 

uInternet Settings,ProxyOverride = *.local

IE: Free YouTube to Mp3 Converter - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm

IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g3zy0f3f.default\

FF - prefs.js: browser.search.defaulturl - 

FF - prefs.js: browser.search.selectedEngine - 

FF - prefs.js: browser.startup.homepage - 

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\programme\FireFox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - d:\programme\FireFox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - d:\programme\FireFox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - d:\programme\FireFox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

- - - - Entfernte verwaiste Registrierungseinträge - - - -

.

SafeBoot-klmdb.sys

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe

MSConfigStartUp-DAEMON Tools Lite - d:\programme\DAEMON Tools Lite\DTLite.exe

MSConfigStartUp-iTunesHelper - d:\programme\iTunes\iTunesHelper.exe

MSConfigStartUp-LogMeIn Hamachi Ui - d:\programme\LogMeIn Hamachi\hamachi-2-ui.exe

MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

MSConfigStartUp-NPCTray - c:\program files\Norman\npc\bin\npc_tray.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net

Rootkit scan 2011-04-21 21:34

Windows 6.0.6002 Service Pack 2 NTFS

.

Scanne versteckte Prozesse... 

.

Scanne versteckte Autostarteinträge... 

.

Scanne versteckte Dateien... 

.

Scan erfolgreich abgeschlossen

versteckte Dateien: 0

.

**************************************************************************

.

--------------------- Gesperrte Registrierungsschluessel ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{0b5772c4-acb9-4fa9-8686-c1fec3a56197}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:21000000

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{1032bb47-9997-40c1-94a9-3d2f2a0fc58d}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:10001644

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{15a279ca-9e0c-4ebc-8eec-87889a471e6f}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:1e7a79a4

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{51a2cc42-5e82-4339-ae78-072076eb0502}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:1c000000

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{61c6a677-c5d2-4919-b05f-ebedaa7ffb4a}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:217a79d3

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{620a8f2a-4ee1-4335-a09e-80bc02e630c3}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:2200059a

"Dhcpv6State"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{76886e0b-6cd8-4b18-a9ab-6e9bb56a0ccb}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:10001644

"Dhcpv6State"=dword:00000001

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{79378425-a8f9-40c8-86be-7e74c6a5f819}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:10001644

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{97a2e9f3-ba0d-4aef-af73-a71ab3297d64}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:2400ff97

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{9c642153-bfe0-4511-a0b6-e778ddd5ea9e}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:07001422

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{a96beefc-ff41-43e6-b9fa-e33514212ce3}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:19020054

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ba32a50a-3d27-4fae-8591-5916311409be}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:0c001422

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{c1db65e0-69ac-4236-b747-a539fcc39fa1}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:1e00ffc1

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{de3fda98-6d9e-4d9e-9ebc-f5adf8fc3949}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:0a001f16

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f50c0996-5b4a-4c6a-a322-6e991d4caa0e}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:06001422

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f70a361f-6437-4fcc-91a4-cd88d468d91b}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:0e001422

"Dhcpv6State"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ff989a81-4cdf-4a6e-9a7a-c837051ff748}]

@DACL=(02 0000)

"Dhcpv6Iaid"=dword:20000000

"Dhcpv6State"=dword:00000000

.

Zeit der Fertigstellung: 2011-04-21  21:36:23

ComboFix-quarantined-files.txt  2011-04-21 19:36

.

Vor Suchlauf: 9 Verzeichnis(se), 62.985.457.664 Bytes frei

Nach Suchlauf: 13 Verzeichnis(se), 66.800.730.112 Bytes frei

.

- - End Of File - - 08AB5E2F3BDEA61B4AE14A3E7CF6A010

--- --- ---

Combofix - Scripten

1. Starte das Notepad (Start / Ausführen / notepad[Enter])

2. Jetzt füge mit copy/paste den ganzen Inhalt der untenstehenden Codebox in das Notepad Fenster ein.

Code:

File::

c:\users\Stewen\AppData\Local\Temp\naecd.sys
 

Driver::

naecd

3. Speichere im Notepad als CFScript.txt auf dem Desktop.

4. Deaktivere den Guard Deines Antivirenprogramms und eine eventuell vorhandene Software Firewall.
(Auch Guards von Ad-, Spyware Programmen und den Tea Timer (wenn vorhanden) !)

5. Dann ziehe die CFScript.txt auf die cofi.exe, so wie es im unteren Bild zu sehen ist. Damit wird Combofix neu gestartet.

http://users.pandora.be/bluepatchy/m...s/CFScript.gif

6. Nach dem Neustart (es wird gefragt ob Du neustarten willst), poste bitte die folgenden Log Dateien:
Combofix.txt

Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann!

Combofix Logfile:

Code:

ComboFix 11-04-21.02 - Admin 21.04.2011  23:11:37.2.2 - x86

Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.49.1031.18.2813.1864 [GMT 2:00]

ausgeführt von:: c:\users\Stewen\Documents\Desktop\cofi.exe

Benutzte Befehlsschalter :: c:\users\Stewen\Documents\Desktop\CFScript.txt

AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}

SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\users\Stewen\AppData\Local\Temp\naecd.sys"

.

.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.

.

.

(((((((((((((((((((((((((((((((((((((((   Treiber/Dienste   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_naecd

.

.

(((((((((((((((((((((((   Dateien erstellt von 2011-03-21 bis 2011-04-21  ))))))))))))))))))))))))))))))

.

.

2011-04-21 21:20 . 2011-04-21 21:23        --------        d-----w-        c:\users\Admin\AppData\Local\temp

2011-04-21 21:20 . 2011-04-21 21:23        --------        d-----w-        c:\users\Stewen\AppData\Local\temp

2011-04-21 21:20 . 2011-04-21 21:20        --------        d-----w-        c:\users\Default\AppData\Local\temp

2011-04-21 21:01 . 2011-04-21 21:01        --------        d-----w-        C:\Neuer Ordner

2011-04-21 19:27 . 2011-04-21 19:36        --------        d-----w-        C:\cofi

2011-04-21 19:15 . 2011-04-21 19:15        --------        d-----w-        c:\program files\CCleaner

2011-04-21 19:12 . 2011-04-21 19:14        --------        d-----w-        c:\users\Admin\AppData\Local\Google

2011-04-21 09:30 . 2011-04-21 17:26        --------        d-----w-        c:\programdata\Skype Extras

2011-04-21 09:30 . 2011-04-21 09:30        --------        d-----w-        c:\program files\Common Files\Skype

2011-04-21 09:30 . 2011-04-21 09:30        --------        d-----r-        c:\program files\Skype

2011-04-20 16:57 . 2011-04-20 16:57        --------        d-----w-        C:\_OTL

2011-04-19 19:44 . 2010-12-20 16:09        38224        ----a-w-        c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-19 19:43 . 2010-12-20 16:08        20952        ----a-w-        c:\windows\system32\drivers\mbam.sys

2011-04-19 19:12 . 2011-04-19 19:12        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin4.dll

2011-04-19 19:12 . 2011-04-19 19:12        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin3.dll

2011-04-19 19:12 . 2011-04-19 19:12        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin2.dll

2011-04-19 19:12 . 2011-04-19 19:12        159744        ----a-w-        c:\program files\Internet Explorer\Plugins\npqtplugin.dll

2011-04-19 19:10 . 2011-04-19 19:10        --------        d-----w-        c:\programdata\Apple Computer

2011-04-19 19:06 . 2011-04-19 19:06        --------        d-----w-        c:\users\Admin\AppData\Local\Apple

2011-04-19 19:06 . 2011-04-19 19:06        --------        d-----w-        c:\program files\Apple Software Update

2011-04-19 18:14 . 2011-04-19 18:14        --------        d-----w-        c:\program files\Common Files\Java

2011-04-18 01:05 . 2011-04-18 01:05        --------        d-----w-        c:\users\Default\AppData\Local\Microsoft Help

2011-04-17 15:37 . 2011-04-21 17:16        --------        d-----w-        c:\users\Stewen\Tracing

2011-04-17 15:36 . 2011-04-17 15:36        --------        d-----w-        c:\program files\Microsoft

2011-04-17 15:36 . 2011-04-17 15:36        --------        d-----w-        c:\program files\Windows Live SkyDrive

2011-04-17 15:04 . 2011-04-17 15:06        --------        dcsh--w-        c:\program files\Common Files\WindowsLiveInstaller

2011-04-17 15:03 . 2011-04-17 15:35        --------        d-----w-        c:\program files\Windows Live

2011-04-17 15:03 . 2011-04-17 15:03        --------        d-----w-        c:\programdata\WLInstaller

2011-04-15 19:18 . 2011-04-15 19:18        --------        d-----w-        c:\users\Admin\AppData\Roaming\skypePM

2011-04-15 17:26 . 2011-04-15 17:26        --------        d-----w-        c:\users\Admin\AppData\Roaming\Avira

2011-04-14 20:08 . 2011-04-14 20:08        --------        d-----w-        c:\program files\Common Files\Deterministic Networks

2011-04-14 20:08 . 2011-04-14 20:08        --------        d-----w-        c:\program files\Cisco Systems

2011-04-11 19:22 . 2011-04-11 19:22        --------        d-----w-        c:\program files\Common Files\Windows Live

2011-04-03 23:31 . 2009-10-23 17:10        714240        ----a-w-        c:\windows\system32\timedate.cpl

2011-04-03 23:31 . 2010-08-26 16:34        1696256        ----a-w-        c:\windows\system32\gameux.dll

2011-04-03 23:31 . 2010-08-26 16:33        28672        ----a-w-        c:\windows\system32\Apphlpdm.dll

2011-04-03 23:31 . 2010-08-26 14:23        4240384        ----a-w-        c:\windows\system32\GameUXLegacyGDFs.dll

2011-04-03 23:31 . 2011-01-06 10:51        2409784        ----a-w-        c:\program files\Windows Mail\OESpamFilter.dat

2011-04-03 23:30 . 2009-09-10 14:58        1418752        ----a-w-        c:\program files\Windows Media Player\setup_wm.exe

2011-04-03 23:30 . 2009-09-10 14:58        310784        ----a-w-        c:\windows\system32\unregmp2.exe

2011-04-03 23:29 . 2011-02-22 13:33        1068544        ----a-w-        c:\windows\system32\DWrite.dll

2011-04-03 23:29 . 2011-02-22 13:33        797696        ----a-w-        c:\windows\system32\FntCache.dll

2011-04-03 23:29 . 2011-01-20 16:08        160768        ----a-w-        c:\windows\system32\d3d10_1.dll

2011-04-03 23:29 . 2011-01-20 16:08        1029120        ----a-w-        c:\windows\system32\d3d10.dll

2011-04-03 23:29 . 2011-01-20 14:12        1172480        ----a-w-        c:\windows\system32\d3d10warp.dll

2011-04-03 23:29 . 2011-01-20 13:47        683008        ----a-w-        c:\windows\system32\d2d1.dll

2011-04-03 23:29 . 2011-02-22 14:13        288768        ----a-w-        c:\windows\system32\XpsGdiConverter.dll

2011-04-03 23:29 . 2011-01-20 16:08        219648        ----a-w-        c:\windows\system32\d3d10_1core.dll

2011-04-03 23:29 . 2011-01-20 16:08        189952        ----a-w-        c:\windows\system32\d3d10core.dll

2011-04-03 23:29 . 2011-01-20 14:11        486400        ----a-w-        c:\windows\system32\d3d10level9.dll

2011-04-01 12:13 . 2011-04-01 12:13        --------        d-----w-        c:\programdata\Tunngle

2011-04-01 11:30 . 2011-04-01 11:32        --------        d-----w-        c:\windows\system32\ca-ES

2011-04-01 11:30 . 2011-04-01 11:31        --------        d-----w-        c:\windows\system32\eu-ES

2011-04-01 11:30 . 2011-04-01 11:31        --------        d-----w-        c:\windows\system32\vi-VN

2011-04-01 11:21 . 2011-04-01 11:21        --------        d-----w-        c:\windows\system32\SPReview

2011-04-01 11:06 . 2009-04-10 21:28        928768        ----a-w-        c:\windows\system32\scavenge.dll

2011-04-01 11:04 . 2009-04-10 21:28        97792        ----a-w-        c:\windows\system32\oleprn.dll

2011-04-01 11:03 . 2009-04-10 21:28        87040        ----a-w-        c:\windows\system32\mssitlb.dll

2011-04-01 10:51 . 2011-04-01 10:51        --------        d-----w-        c:\windows\system32\EventProviders

2011-03-29 20:16 . 2011-03-29 20:16        --------        d-----w-        c:\users\Admin\AppData\Roaming\CheckPoint

2011-03-25 17:34 . 2011-03-25 17:36        --------        d-----w-        c:\users\Stewen\AppData\Local\Microsoft Games

.

.

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-23 23:25 . 2010-03-26 10:29        137656        ----a-w-        c:\windows\system32\drivers\avipbb.sys

2011-02-18 16:28 . 2010-08-03 21:34        46592        ----a-w-        c:\windows\system32\vsutil_loc0407.dll

2011-02-02 19:40 . 2010-07-24 06:22        472808        ----a-w-        c:\windows\system32\deployJava1.dll

.

.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-10 2153472]

"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-16 3872080]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-04-18 15146376]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"HotkeyApp"="c:\program files\Launch Manager\HotkeyApp.exe" [2008-03-26 188416]

"WisKeyState"="c:\program files\Launch Manager\WisKeyState.exe" [2008-03-07 208896]

"LMgrVolOSD"="c:\program files\Launch Manager\OSD.exe" [2008-03-03 258048]

"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2007-12-25 241664]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"=wdmaud.drv

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Admin^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]

path=c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk

backup=c:\windows\pss\MagicDisc.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2008-10-25 09:44        31072        ----a-w-        c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]

2010-12-20 16:08        963976        ----a-w-        d:\programme\Malwarebytes' Anti-Malware\mbam.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-11-29 15:38        421888        ----a-w-        d:\programme\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-04-18 15:30        15146376        ----a-r-        c:\program files\Skype\Phone\Skype.exe

.

R2 gupdate1c9ae33210dd6d0;Google Update Service (gupdate1c9ae33210dd6d0);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 133104]

R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [x]

R4 avmike;AVM FRITZ!Fernzugang IKE Service;c:\program files\FRITZ!Fernzugang\avmike.exe [2010-03-30 254328]

R4 certsrv;AVM FRITZ!Fernzugang Cert Service;c:\program files\FRITZ!Fernzugang\certsrv.exe [2010-03-30 121720]

R4 nwtsrv;AVM FRITZ!Fernzugang Client;c:\program files\FRITZ!Fernzugang\nwtsrv.exe [2010-03-30 153464]

S2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-02-24 185472]

S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-11-02 135336]

S3 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2008-01-15 118784]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs        REG_MULTI_SZ           BthServ

getPlusHelper        REG_MULTI_SZ           getPlusHelper

LocalServiceAndNoImpersonation        REG_MULTI_SZ           FontCache

.

Inhalt des "geplante Tasks" Ordners

.

2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 16:51]

.

2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 16:51]

.

2011-04-21 c:\windows\Tasks\User_Feed_Synchronization-{6B2082CD-3395-4E15-9AF9-67CFF8F30DCC}.job

- c:\windows\system32\msfeedssync.exe [2008-01-21 02:24]

.

.

------- Zusätzlicher Suchlauf -------

.

uStart Page = 

uInternet Settings,ProxyOverride = *.local

IE: Free YouTube to Mp3 Converter - c:\users\Admin\AppData\Roaming\DVDVideoSoftIEHelpers\youtubetomp3.htm

IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g3zy0f3f.default\

FF - prefs.js: browser.search.defaulturl - 

FF - prefs.js: browser.search.selectedEngine - 

FF - prefs.js: browser.startup.homepage - 

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - d:\programme\FireFox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - d:\programme\FireFox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - d:\programme\FireFox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - d:\programme\FireFox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net

Rootkit scan 2011-04-21 23:25

Windows 6.0.6002 Service Pack 2 NTFS

.

Scanne versteckte Prozesse... 

.

Scanne versteckte Autostarteinträge... 

.

Scanne versteckte Dateien... 

.

Scan erfolgreich abgeschlossen

versteckte Dateien: 0

.

**************************************************************************

.

--------------------- Gesperrte Registrierungsschluessel ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

------------------------ Weitere laufende Prozesse ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Avira\AntiVir Desktop\avshadow.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\windows\ehome\ehtray.exe

c:\program files\Windows Media Player\wmpnscfg.exe

c:\windows\ehome\ehmsas.exe

c:\windows\servicing\TrustedInstaller.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

c:\windows\system32\conime.exe

.

**************************************************************************

.

Zeit der Fertigstellung: 2011-04-21  23:28:46 - PC wurde neu gestartet

ComboFix-quarantined-files.txt  2011-04-21 21:28

.

Vor Suchlauf: 14 Verzeichnis(se), 66.661.097.472 Bytes frei

Nach Suchlauf: 15 Verzeichnis(se), 66.408.071.168 Bytes frei

.

- - End Of File - - A6A6B96CA87DABA3303072D16E4251AE

--- --- ---

Ok. Bitte nun Logs mit GMER und OSAM erstellen und posten.
GMER stürzt häufiger ab, wenn das Tool auch beim 2. Mal nicht will, lass es einfach weg und führ nur OSAM aus - die Online-Abfrage durch OSAM bitte überspringen.
Bei OSAM bitte darauf auch achten, dass Du das Log auch als *.log und nicht *.html oder so abspeicherst.

Downloade Dir danach bitte MBRCheck (by a_d_13) und speichere die Datei auf dem Desktop.

Doppelklick auf die MBRCheck.exe.
Vista und Win7 User mit Rechtsklick "als Administrator starten"
Das Tool braucht nur wenige Sekunden.
Danach solltest du eine MBRCheck_<Datum>_<Uhrzeit>.txt auf dem Desktop finden.

Poste mir bitte den Inhalt des .txt Dokumentes

GMER Logfile:

Code:

GMER 1.0.15.15570 - hxxp://www.gmer.net

Rootkit scan 2011-04-22 17:36:11

Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000062 ST925082 rev.3.AA

Running: of0cbw84.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uxdiqpob.sys
 
 

---- Kernel code sections - GMER 1.0.15 ----
 

.text  C:\Windows\system32\DRIVERS\atikmdag.sys                                                         section is writeable [0x8DA0E000, 0x1FB12A, 0xE8000020]

.vmp2  C:\Windows\system32\drivers\acedrv11.sys                                                         entry point in ".vmp2" section [0x9B92C69D]
 

---- Registry - GMER 1.0.15 ----
 

Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f810002dd                      

Reg    HKLM\SYSTEM\ControlSet030\Services\BTHPORT\Parameters\Keys\001f810002dd (not active ControlSet)  
 

---- EOF - GMER 1.0.15 ----

--- --- ---

OSAM Logfile:

Code:

Report of OSAM: Autorun Manager v5.0.11926.0

hxxp://www.online-solutions.ru/en/

Saved at 15:13:12 on 22.04.2011
 

OS: Windows Vista Home Premium Edition Service Pack 2 (Build 6002), 32-bit

Default Browser: Unable to get information
 

Scanner Settings

[x] Rootkits detection (hidden registry)

[x] Rootkits detection (hidden files)

[x] Retrieve files information

[x] Check Microsoft signatures
 

Filters

[ ] Trusted entries

[ ] Empty entries

[x] Hidden registry entries (rootkit activity)

[x] Exclusively opened files

[x] Not found files

[x] Files without detailed information

[x] Existing files

[ ] Non-startable services

[ ] Non-startable drivers

[x] Active entries

[x] Disabled entries
 
 

[Common]

-----( %SystemRoot%\Tasks )-----

"GoogleUpdateTaskMachineCore.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe

"GoogleUpdateTaskMachineUA.job" - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe
 

[Control Panel Objects]

-----( %SystemRoot%\system32 )-----

"PhysX.cpl" - ? - C:\Windows\system32\PhysX.cpl

-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----

"mlcfg32.cpl" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\MLCFG32.CPL

"QuickTime" - "Apple Inc." - D:\Programme\QuickTime\QTSystem\QuickTime.cpl
 

[Drivers]

-----( HKLM\SYSTEM\CurrentControlSet\Services )-----

"acedrv11" (acedrv11) - "Protect Software GmbH" - C:\Windows\system32\drivers\acedrv11.sys

"avgntflt" (avgntflt) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avgntflt.sys

"avipbb" (avipbb) - "Avira GmbH" - C:\Windows\System32\DRIVERS\avipbb.sys

"catchme" (catchme) - ? - C:\cofi31965c\catchme.sys  (File not found)

"Cisco Systems Inc. IPSec Driver" (CVPNDRVA) - "Cisco Systems, Inc." - C:\Windows\system32\Drivers\CVPNDRVA.sys

"Driver for MagicISO SCSI Host Controller" (mcdbus) - ? - C:\Windows\System32\DRIVERS\mcdbus.sys  (File not found)

"Hamachi Network Interface" (hamachi) - "LogMeIn, Inc." - C:\Windows\System32\DRIVERS\hamachi.sys

"Hotkey" (Hotkey) - ? - C:\Windows\system32\drivers\Hotkey.sys  (File found, but it contains no detailed information)

"IP in IP Tunnel Driver" (IpInIp) - ? - C:\Windows\System32\DRIVERS\ipinip.sys  (File not found)

"IPX Traffic Filter Driver" (NwlnkFlt) - ? - C:\Windows\System32\DRIVERS\nwlnkflt.sys  (File not found)

"IPX Traffic Forwarder Driver" (NwlnkFwd) - ? - C:\Windows\System32\DRIVERS\nwlnkfwd.sys  (File not found)

"PnkBstrK" (PnkBstrK) - ? - C:\Windows\system32\drivers\PnkBstrK.sys  (File found, but it contains no detailed information)

"ssmdrv" (ssmdrv) - "Avira GmbH" - C:\Windows\System32\DRIVERS\ssmdrv.sys

"ZTE Diagnostic Port" (ZTEusbser6k) - ? - C:\Windows\System32\DRIVERS\ZTEusbser6k.sys  (File not found)

"ZTE Mass Storage Filter Driver" (massfilter) - ? - C:\Windows\System32\drivers\massfilter.sys  (File not found)

"ZTE NMEA Port" (ZTEusbnmea) - ? - C:\Windows\System32\DRIVERS\ZTEusbnmea.sys  (File not found)

"ZTE Proprietary USB Driver" (ZTEusbmdm6k) - ? - C:\Windows\System32\DRIVERS\ZTEusbmdm6k.sys  (File not found)
 

[Explorer]

-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----

{C9E60ED7-FEAE-477b-B6A6-7D62103A0C6B} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll

-----( HKLM\Software\Classes\Protocols\Filter )-----

{807563E5-5146-11D5-A672-00B0D022E945} "Microsoft Office InfoPath XML Mime Filter" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

-----( HKLM\Software\Classes\Protocols\Handler )-----

{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" - "Skype Technologies" - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

{828030A1-22C1-4009-854F-8E305202313F} "livecall" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

{88FED34C-F0CA-4636-A375-3CB6248B04CD} "Local Groove Web Services Protocol" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

{828030A1-22C1-4009-854F-8E305202313F} "msnim" - "Microsoft Corporation" - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks )-----

{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{AEB6717E-7E19-11d0-97EE-00C04FD91972} "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" - ? -   (File not found | COM-object registry key not found)

-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----

{911051fa-c21c-4246-b470-070cd8df6dc4} ".cab or .zip files" - ? -   (File not found | COM-object registry key not found)

{1b24a030-9b20-49bc-97ac-1be4426f9e59} "ActiveDirectory Folder" - ? -   (File not found | COM-object registry key not found)

{34449847-FD14-4fc8-A75A-7432F5181EFB} "ActiveDirectory Folder" - ? -   (File not found | COM-object registry key not found)

{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} "Contacts folder" - ? -   (File not found | COM-object registry key not found)

{2C2577C2-63A7-40e3-9B7F-586602617ECB} "Explorer Query Band" - ? -   (File not found | COM-object registry key not found)

{99FD978C-D287-4F50-827F-B2C658EDA8E7} "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} "Groove Explorer Icon Overlay 2 (GFS Stub)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{920E6DB1-9907-4370-B3A0-BAFC03D81399} "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{16F3DD56-1AF5-4347-846D-7C10C4192619} "Groove Explorer Icon Overlay 3 (GFS Folder)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{2A541AE1-5BF6-4665-A8A3-CFA9672E4291} "Groove Folder Synchronization" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{6C467336-8281-4E60-8204-430CED96822D} "Groove GFS Context Menu Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{B5A7F190-DDA6-4420-B3BA-52453494E6CD} "Groove GFS Stub Execution Hook" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{A449600E-1DC6-4232-B948-9BD794D62056} "Groove GFS Stub Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{387E725D-DC16-4D76-B310-2C93ED4752A0} "Groove XML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\msohevi.dll

{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} "Microsoft Office Metadata Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll

{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C} "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL

{00020d75-0000-0000-c000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL

{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} "Microsoft Office Thumbnail Handler" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll

{C9E60ED7-FEAE-477b-B6A6-7D62103A0C6B} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll

{1CA6BBC9-E9FA-4021-822B-075DF1837B63} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll

{4FBFFA8D-F390-471a-AE46-FEB93623AD63} "NeroDigitalInfoHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll

{846083A4-BFC6-4447-985C-6578B466A7D7} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll

{EDCC595A-F0EE-4d81-B554-D5D01C7AFB87} "NeroDigitalThumbnailHandler Class" - "Nero AG" - C:\Program Files\Common Files\Nero\SMC\NeroDigitalExt.dll

{0006F045-0000-0000-C000-000000000046} "Outlook File Icon Extension" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL

{C8494E42-ACDD-4739-B0FB-217361E4894F} "Sam Account Folder" - ? -   (File not found | COM-object registry key not found)

{E29F9716-5C08-4FCD-955A-119FDB5A522D} "Sam Account Folder" - ? -   (File not found | COM-object registry key not found)

{45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\shlext.dll

{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "Shell Extensions for RealOne Player" - ? -   (File not found | COM-object registry key not found)

{5E2121EE-0300-11D4-8D3B-444553540000} "SimpleShlExt Class" - ? - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll

{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

{da67b8ad-e81b-4c70-9b91b417b5e33527} "Windows Search Shell Service" - ? -   (File not found | COM-object registry key not found)

{B41DB860-8EE4-11D2-9906-E49FADC173CA} "WinRAR" - ? - D:\Programme\WinRar\rarext.dll
 

[Internet Explorer]

-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----

<binary data> "ITBar7Layout" - ? -   (File not found | COM-object registry key not found)

-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----

{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_24" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} "Java Plug-in 1.6.0_24" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2iexp.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_24" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\npjpi160_24.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} "{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" - ? -   (File not found | COM-object registry key not found) / hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----

{48E73304-E1D6-4330-914C-F5F514E3486C} "An OneNote senden" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Research" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} "Groove GFS Browser Helper" - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

{DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" - "Sun Microsystems, Inc." - C:\Program Files\Java\jre6\bin\jp2ssv.dll

{9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

{5C255C8A-E604-49b4-9D64-90988571CECB} "{5C255C8A-E604-49b4-9D64-90988571CECB}" - ? -   (File not found | COM-object registry key not found)
 

[Logon]

-----( %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup )-----

"desktop.ini" - ? - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

-----( %AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\Startup )-----

"desktop.ini" - ? - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----

"MsnMsgr" - "Microsoft Corporation" - "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

"Skype" - "Skype Technologies S.A." - "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

-----( HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd )-----

"StartupPrograms" - ? - rdpclip  (File not found)

-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----

"avgnt" - "Avira GmbH" - "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

"HotkeyApp" - "Wistron" - "C:\Program Files\Launch Manager\HotkeyApp.exe"

"LMgrOSD" - ? - "C:\Program Files\Launch Manager\OSDCtrl.exe"

"LMgrVolOSD" - "Wistron Corp." - "C:\Program Files\Launch Manager\OSD.exe"

"StartCCC" - "Advanced Micro Devices, Inc." - "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

"SunJavaUpdateSched" - "Sun Microsystems, Inc." - "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

"WisKeyState" - "Wistron Corp." - "C:\Program Files\Launch Manager\WisKeyState.exe"
 

[Print Monitors]

-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----

"Send To Microsoft OneNote Monitor" - "Microsoft Corporation" - C:\Windows\system32\msonpmon.dll
 

[Services]

-----( HKLM\SYSTEM\CurrentControlSet\Services )-----

"@C:\Program Files\NOS\bin\getPlus_Helper.dll,-101" (getPlusHelper) - "NOS Microsystems Ltd." - C:\Program Files\NOS\bin\getPlus_Helper.dll

"Avira AntiVir Guard" (AntiVirService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

"Avira AntiVir Planer" (AntiVirSchedulerService) - "Avira GmbH" - C:\Program Files\Avira\AntiVir Desktop\sched.exe

"Cisco Systems, Inc. VPN Service" (CVPND) - "Cisco Systems, Inc." - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

"Google Update Service (gupdate1c9ae33210dd6d0)" (gupdate1c9ae33210dd6d0) - "Google Inc." - C:\Program Files\Google\Update\GoogleUpdate.exe

"InstallDriver Table Manager" (IDriverT) - "Macrovision Corporation" - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

"Microsoft Office Diagnostics Service" (odserv) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE

"Microsoft Office Groove Audit Service" (Microsoft Office Groove Audit Service) - "Microsoft Corporation" - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe

"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"WisLMSvc" (WisLMSvc) - "Wistron Corp." - C:\Program Files\Launch Manager\WisLMSvc.exe
 

[Winsock Providers]

-----( HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries )-----

"mdnsNSP" - "Apple Inc." - C:\Program Files\Bonjour\mdnsNSP.dll
 

===[ Logfile end ]=========================================[ Logfile end ]===

--- --- ---

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: FUJITSU SIEMENS
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: FUJITSU SIEMENS
System Product Name: AMILO Notebook Pa 3515
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 138):
0x82403000 \SystemRoot\system32\ntkrnlpa.exe
0x827BD000 \SystemRoot\system32\hal.dll
0x8040E000 \SystemRoot\system32\kdcom.dll
0x80415000 \SystemRoot\system32\PSHED.dll
0x80426000 \SystemRoot\system32\BOOTVID.dll
0x8042E000 \SystemRoot\system32\CLFS.SYS
0x8046F000 \SystemRoot\system32\CI.dll
0x8054F000 \SystemRoot\system32\drivers\Wdf01000.sys
0x805CB000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80602000 \SystemRoot\system32\drivers\acpi.sys
0x80648000 \SystemRoot\system32\drivers\WMILIB.SYS
0x80651000 \SystemRoot\system32\drivers\msisadrv.sys
0x80659000 \SystemRoot\system32\drivers\pci.sys
0x80680000 \SystemRoot\System32\drivers\partmgr.sys
0x8068F000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80692000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x8069C000 \SystemRoot\system32\drivers\volmgr.sys
0x806AB000 \SystemRoot\System32\drivers\volmgrx.sys
0x806F5000 \SystemRoot\System32\drivers\mountmgr.sys
0x80705000 \SystemRoot\system32\drivers\nvraid.sys
0x80720000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x80741000 \SystemRoot\system32\drivers\fltmgr.sys
0x80773000 \SystemRoot\system32\drivers\fileinfo.sys
0x80783000 \SystemRoot\System32\Drivers\ksecdd.sys
0x82A0E000 \SystemRoot\system32\drivers\ndis.sys
0x82B19000 \SystemRoot\system32\drivers\msrpc.sys
0x82B44000 \SystemRoot\system32\drivers\NETIO.SYS
0x89C05000 \SystemRoot\System32\drivers\tcpip.sys
0x89CF2000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x89E03000 \SystemRoot\System32\Drivers\Ntfs.sys
0x89F13000 \SystemRoot\system32\drivers\volsnap.sys
0x89F4C000 \SystemRoot\System32\Drivers\spldr.sys
0x89F54000 \SystemRoot\System32\Drivers\mup.sys
0x89F63000 \SystemRoot\System32\drivers\ecache.sys
0x89F8A000 \SystemRoot\system32\drivers\disk.sys
0x89F9B000 \SystemRoot\system32\DRIVERS\AtiPcie.sys
0x89FA3000 \SystemRoot\system32\drivers\crcdisk.sys
0x89FAC000 \SystemRoot\system32\drivers\ahcix86s.sys
0x89D0D000 \SystemRoot\system32\drivers\storport.sys
0x89D98000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x89DA3000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x89DAC000 \SystemRoot\system32\DRIVERS\processr.sys
0x89DBB000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8DA0D000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x8DEDC000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8DF7B000 \SystemRoot\System32\drivers\watchdog.sys
0x8D608000 \SystemRoot\system32\DRIVERS\athr.sys
0x8D72D000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x8D76E000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8D788000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8D7A0000 \SystemRoot\system32\DRIVERS\usbohci.sys
0x8D7AA000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8D7E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8E00C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8E099000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8E09D000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8E0B0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8E0BB000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8E0C6000 \SystemRoot\system32\DRIVERS\dne2000.sys
0x8E0E5000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8E114000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8E11F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8E136000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8E141000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8E164000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8E173000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8E187000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8E19C000 \SystemRoot\System32\Drivers\pcouffin.sys
0x8E1A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8E1B8000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8E1BA000 \SystemRoot\system32\DRIVERS\ks.sys
0x8E1E4000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8E1EE000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8DF87000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8DFBC000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x82B7F000 \SystemRoot\system32\drivers\HdAudio.sys
0x8DFCD000 \SystemRoot\system32\drivers\portcls.sys
0x89DC4000 \SystemRoot\system32\drivers\drmk.sys
0x8E000000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8D7F7000 \SystemRoot\System32\Drivers\Null.SYS
0x8D600000 \SystemRoot\System32\Drivers\Beep.SYS
0x89FF9000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8DA00000 \SystemRoot\System32\drivers\vga.sys
0x82BBE000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x89DE9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x89DF1000 \SystemRoot\system32\drivers\rdpencdd.sys
0x82BDF000 \SystemRoot\System32\Drivers\Msfs.SYS
0x82BEA000 \SystemRoot\System32\Drivers\Npfs.SYS
0x82A00000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x805D8000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8E404000 \SystemRoot\system32\DRIVERS\smb.sys
0x8E418000 \SystemRoot\system32\drivers\afd.sys
0x8E460000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8E492000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8E4A8000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8E4B6000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8E4C9000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0x8E4CF000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8E50B000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8E515000 \SystemRoot\System32\Drivers\Hotkey.SYS
0x8E518000 \SystemRoot\System32\Drivers\dfsc.sys
0x8E52F000 \SystemRoot\system32\DRIVERS\avipbb.sys
0x8E555000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8E55E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8E56E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8E570000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8E578000 \SystemRoot\system32\DRIVERS\udfs.sys
0x8E5B3000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8E5C0000 \SystemRoot\System32\Drivers\dump_diskdump.sys
0x89D4E000 \SystemRoot\System32\Drivers\dump_ahcix86s.sys
0x96A50000 \SystemRoot\System32\win32k.sys
0x8E5CA000 \SystemRoot\System32\drivers\Dxapi.sys
0x8E5D4000 \SystemRoot\system32\DRIVERS\monitor.sys
0x96C70000 \SystemRoot\System32\TSDDD.dll
0x96C90000 \SystemRoot\System32\cdd.dll
0x8E5E3000 \SystemRoot\system32\drivers\luafv.sys
0x99004000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0x99019000 \SystemRoot\system32\drivers\spsys.sys
0x990C9000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x990D9000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x99103000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9910D000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x99120000 \SystemRoot\system32\drivers\HTTP.sys
0x9918D000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x991AA000 \SystemRoot\system32\DRIVERS\bowser.sys
0x991C3000 \SystemRoot\System32\drivers\mpsdrv.sys
0x991D8000 \SystemRoot\system32\drivers\mrxdav.sys
0x9B806000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x9B825000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x9B85E000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x9B876000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9B89E000 \SystemRoot\System32\DRIVERS\srv.sys
0x9B905000 \??\C:\Windows\system32\drivers\acedrv11.sys
0x9B931000 \??\C:\Windows\system32\Drivers\CVPNDRVA.sys
0x9C40E000 \SystemRoot\system32\drivers\peauth.sys
0x9C4EC000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9C4F6000 \SystemRoot\System32\drivers\tcpipreg.sys
0x77AF0000 \Windows\System32\ntdll.dll

Processes (total 58):
0 System Idle Process
4 System
404 C:\Windows\System32\smss.exe
532 csrss.exe
592 csrss.exe
600 C:\Windows\System32\wininit.exe
636 C:\Windows\System32\services.exe
652 C:\Windows\System32\lsass.exe
664 C:\Windows\System32\lsm.exe
692 C:\Windows\System32\winlogon.exe
848 C:\Windows\System32\svchost.exe
928 C:\Windows\System32\svchost.exe
1084 C:\Windows\System32\Ati2evxx.exe
1108 C:\Windows\System32\svchost.exe
1144 C:\Windows\System32\svchost.exe
1168 C:\Windows\System32\svchost.exe
1272 C:\Windows\System32\audiodg.exe
1308 C:\Windows\System32\SLsvc.exe
1344 C:\Windows\System32\svchost.exe
1436 C:\Windows\System32\Ati2evxx.exe
1520 C:\Windows\System32\svchost.exe
1728 C:\Windows\System32\spoolsv.exe
1736 C:\Windows\System32\taskeng.exe
1760 C:\Program Files\Avira\AntiVir Desktop\sched.exe
1784 C:\Windows\System32\svchost.exe
512 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
524 C:\Windows\System32\svchost.exe
708 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
1336 C:\Windows\System32\svchost.exe
284 C:\Windows\System32\svchost.exe
836 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
2080 C:\Windows\System32\svchost.exe
2112 C:\Windows\System32\SearchIndexer.exe
2636 C:\Windows\System32\dwm.exe
2664 C:\Windows\System32\taskeng.exe
2720 C:\Windows\explorer.exe
2932 C:\Program Files\Launch Manager\HotkeyApp.exe
2940 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
2960 C:\Program Files\Launch Manager\WisKeyState.exe
2988 C:\Program Files\Launch Manager\OSD.exe
3016 C:\Program Files\Launch Manager\OSDCtrl.exe
3052 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
3068 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3176 C:\Windows\ehome\ehtray.exe
3192 C:\Windows\servicing\TrustedInstaller.exe
3284 C:\Program Files\Launch Manager\WisLMSvc.exe
3296 C:\Program Files\Windows Media Player\wmpnscfg.exe
3372 WmiPrvSE.exe
3492 C:\Program Files\Windows Media Player\wmpnetwk.exe
3500 ehmsas.exe
3956 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
3380 D:\Programme\FireFox\firefox.exe
1216 C:\Windows\System32\svchost.exe
3604 WmiPrvSE.exe
4012 C:\Windows\System32\SearchProtocolHost.exe
3428 C:\Windows\System32\SearchFilterHost.exe
2872 C:\Users\Stewen\Documents\Desktop\MBRCheck.exe
4088 C:\Windows\System32\conime.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001d`0d900000 (NTFS)

PhysicalDrive0 Model Number: ST9250827AS, Rev: 3.AA

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 RE: Windows 2008 MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979

Done!

Sieht ok aus. Mach bitte zur Kontrolle Vollscans mit Malwarebytes und SASW und poste die Logs.
Denk dran beide Tools zu updaten vor dem Scan!!

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Datenbank Version: 6426

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

23.04.2011 20:20:02
mbam-log-2011-04-23 (20-20-02).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 329279
Laufzeit: 1 Stunde(n), 39 Minute(n), 57 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

das andere scannt noch...

SUPERAntiSpyware hat leider was gefunden :(
Warum werden mir die Tracking Cookies nicht vom Firefox unter "Datenschutz" angezeigt?? Da lösche ich nämlich öfters die Cookies..

SUPERAntiSpyware Scan Log
hxxp://www.superantispyware.com

Generated 04/23/2011 at 11:30 PM

Application Version : 4.51.1000

Core Rules Database Version : 6905
Trace Rules Database Version: 4717

Scan type : Complete Scan
Total Scan Time : 02:30:57

Memory items scanned : 734
Memory threats detected : 0
Registry items scanned : 9127
Registry threats detected : 1
File items scanned : 167475
File threats detected : 10

Malware.Trace
HKU\S-1-5-21-2200215878-2621078103-1342345800-1000\Software\NtWqIVLZEWZU

Adware.Tracking Cookie
acvs.mediaonenetwork.net [ C:\Users\Stefan\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\FMRU2G33 ]
assets.bravenet.com [ C:\Users\Stefan\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\FMRU2G33 ]
atdmt.com [ C:\Users\Stefan\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\FMRU2G33 ]
googleads.g.doubleclick.net [ C:\Users\Stefan\Anwendungsdaten\Macromedia\Flash Player\#SharedObject
m.de.2mdn.net [ C:\Users\Stefan\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\FMRU2G33 ]
oddcast.com [ C:\Users\Stefan\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\FMRU2G33 ]
orders.webpower.com [ C:\Users\Stefan\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\FMRU2G33 ]
spe.atdmt.com [ C:\Users\Stefan\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\FMRU2G33 ]
yieldmanager.edgesuite.net [ C:\Users\Stefan\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\FMRU2G33 ]

Trojan.Agent/Gen-FakeAV
D:\PROGRAMME\WINRAR\DEFAULT.SFX

Mach dir kein Kopf um die Cookies! Die sind harmlos!
Noch Probleme oder ist nun alles ok?

SUPERAntiSpyware hatte ja neben den Cookies noch diese beiden Dinger gefunden:

Malware.Trace
HKU\S-1-5-21-2200215878-2621078103-1342345800-1000\Software\NtWqIVLZEWZU

Trojan.Agent/Gen-FakeAV
D:\PROGRAMME\WINRAR\DEFAULT.SFX

Winrar ist wohl Fehlalarm, aber was ist mit dem anderen?

Ansonsten alles ok! :)

1. ist ein Überrest, 2. ein Fehlalarm!

Ok! Dann vielen Dank für deine Hilfe!! :dankeschoen:

Dann wären wir durch! :abklatsch:

Bitte abschließend die Updates prüfen, unten mein Leitfaden dazu.
Für noch mehr Sicherheit solltest Du nach der beseitigten Infektion auch möglichst alle Passwörter ändern.

Microsoftupdate

Windows XP: Besuch mit dem IE die MS-Updateseite und lass Dir alle wichtigen Updates installieren.

Windows Vista/7: Anleitung Windows-Update

PDF-Reader aktualisieren
Dein Adobe Reader ist nicht aktuell, was ein großes Sicherheitsrisiko darstellt. Du solltest daher besser die alte Version über Systemsteuerung => Software deinstallieren, indem Du dort auf "Adobe Reader x.0" klickst und das Programm entfernst.

Ich empfehle einen alternativen PDF-Reader wie SumatraPDF oder Foxit PDF Reader, beide sind sehr viel schlanker und flotter als der AdobeReader.

Bitte überprüf bei der Gelegenheit auch die Aktualität des Flashplayers, hier der direkte Downloadlink:

Mozilla und andere Browser => http://filepony.de/?q=Flash+Player
Internet Explorer => http://fpdownload.adobe.com/get/flas..._player_ax.exe

Java-Update
Veraltete Java-Installationen sind ein Sicherheitsrisiko, daher solltest Du die alten Versionen löschen (falls vorhanden, am besten mit JavaRa) und auf die neuste aktualisieren. Beende dazu alle Programme (v.a. die Browser), klick danach auf Start, Systemsteuerung, Software und deinstalliere darüber alle aufgelisteten Java-Versionen. Lad Dir danach von hier das aktuelle Java SE Runtime Environment (JRE) herunter und installiere es.