Delete TR/Vundo.gen

29.01.2007, 19:59
Member

Posts: 19
#1 Hello!
I found the Trojan TR/Vundo.gen with AntiVir, but deleting it unfortunately did nothing. I also tried it with HijackThis, but after the restart all the files were back. Now I don't know what to do. It's my parents' PC and only a few months old.
I hope you can help me. Thanks!
Tinwian

Logfile of HijackThis v1.99.1
Scan saved at 19:43:19, on 29.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
F:\Programme\Sygate\SPF\smc.exe
E:\WINDOWS\system32\brsvc01a.exe
E:\WINDOWS\system32\brss01a.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
F:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
E:\WINDOWS\system32\hkcmd.exe
E:\WINDOWS\system32\igfxpers.exe
E:\Programme\Java\jre1.5.0_09\bin\jusched.exe
F:\Programme\Adobe\apdproxy.exe
E:\WINDOWS\system32\ctfmon.exe
F:\Programme\Adobe\PhotoshopElementsFileAgent.exe
F:\Programme\Microsoft Office\Office\FINDFAST.EXE
F:\Programme\Microsoft Office\Office\OSA.EXE
F:\Programme\AntiVir PersonalEdition Classic\sched.exe
F:\Programme\AntiVir PersonalEdition Classic\avguard.exe
E:\WINDOWS\system32\svchost.exe
E:\Programme\OpenOffice.org 2.0\program\soffice.exe
E:\Programme\OpenOffice.org 2.0\program\soffice.BIN
F:\Programme\Mozilla Firefox\firefox.exe
F:\Programme\AntiVir PersonalEdition Classic\avcenter.exe
E:\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {C505F4FA-0AFD-4E83-B73E-5084E813154A} - E:\WINDOWS\system32\ddccayw.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [SmcService] F:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [avgnt] "F:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [igfxtray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] E:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programme\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Programme\Adobe\apdproxy.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.0.lnk = E:\Programme\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = F:\Programme\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = F:\Programme\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O20 - Winlogon Notify: ddccayw - E:\WINDOWS\SYSTEM32\ddccayw.dll
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winxtx32 - E:\WINDOWS\SYSTEM32\winxtx32.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - F:\Programme\Adobe\PhotoshopElementsFileAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - F:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - F:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - E:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - F:\Programme\Sygate\SPF\smc.exe


"Keßler" - 07-01-29 19:44:49 Service Pack 2
ComboFix 07-01-25 - Running from: "F:\Programme\Mozilla Firefox"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\WINDOWS\system32\unsvchosts.lzma
E:\Programme\Gemeinsame Dateien\{2055E~1
E:\Programme\Gemeinsame Dateien\{3055E~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-29 to 2007-01-29 ))))))))))))))))))))))))))))))))))


2007-01-29 19:42 <DIR> d-------- E:\Hijackthis
2007-01-29 19:11 <DIR> d-------- E:\backups
2007-01-21 18:07 <DIR> d-------- E:\Programme\The Panorama Factory
2007-01-21 11:32 22,029 ---hs---- E:\WINDOWS\system32\ddccayw.dll
2007-01-21 11:32 18,432 --a------ E:\WINDOWS\system32\winxtx32.dll
2007-01-20 20:55 <DIR> d-------- E:\Programme\Avanquest update
2007-01-20 20:54 25,600 --a------ E:\WINDOWS\system32\drivers\usbser.sys
2007-01-20 20:54 24,192 --a------ E:\DOKUME~1\KELER~1\usbsermptxp.sys
2007-01-20 20:54 22,768 --a------ E:\WINDOWS\system32\drivers\usbsermpt.sys
2007-01-20 20:54 22,768 --a------ E:\DOKUME~1\KELER~1\usbsermpt.sys
2007-01-20 20:54 <DIR> d-------- E:\Programme\Motorola Phone Tools
2007-01-20 20:54 <DIR> d-------- E:\DOKUME~1\ALLUSE~1\Anwendungsdaten\BVRP Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-29 19:13 -------- d-------- E:\DOKUME~1\KELER~1\Anwendungsdaten\openoffice.org2
2007-01-27 14:18 -------- d-------- E:\DOKUME~1\KELER~1\Anwendungsdaten\canon
2007-01-20 20:55 -------- d--h----- E:\Programme\installshield installation information
2006-12-27 12:55 -------- d-------- E:\Programme\speedfan
2006-12-11 19:55 -------- d-------- E:\DOKUME~1\KELER~1\Anwendungsdaten\opera
2006-12-11 19:49 -------- d-------- E:\DOKUME~1\KELER~1\Anwendungsdaten\adobe
2006-12-11 19:41 -------- d-------- E:\Programme\Gemeinsame Dateien\adobe
2006-12-11 19:39 20640 --------- E:\WINDOWS\system32\drivers\PxHelp20.sys
2006-12-11 19:39 109568 --------- E:\WINDOWS\system32\pxinsi64.exe
2006-12-11 19:39 108544 --------- E:\WINDOWS\system32\pxcpyi64.exe
2006-12-11 17:53 -------- d-------- E:\Programme\hmonitor
2006-12-09 22:21 -------- d-------- E:\Programme\hugin
2006-12-09 21:02 -------- d-------- E:\Programme\albatross
2006-12-07 19:41 -------- d-------- E:\Programme\gimp-2.0
2006-12-07 06:29 2374472 --a------ E:\WINDOWS\system32\wmvcore.dll
2006-12-05 09:26 7188 --a------ E:\WINDOWS\system32\drivers\Hmonitor.sys
2006-12-03 10:22 -------- d---s---- E:\DOKUME~1\KELER~1\Anwendungsdaten\microsoft
2006-11-14 18:39 62 --ahs---- E:\DOKUME~1\KELER~1\Anwendungsdaten\desktop.ini
2006-11-08 06:06 679424 --a------ E:\WINDOWS\system32\inetcomm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="E:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="F:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"avgnt"="\"F:\\Programme\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"igfxtray"="E:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="E:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="E:\\WINDOWS\\system32\\igfxpers.exe"
"SunJavaUpdateSched"="\"E:\\Programme\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"Adobe Photo Downloader"="\"F:\\Programme\\Adobe\\apdproxy.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"="F:\\Programme\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C505F4FA-0AFD-4E83-B73E-5084E813154A}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccayw
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxtx32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0




~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Completion time: 07-01-29 19:46:59


Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: 2055-E2D5

Verzeichnis von E:\WINDOWS\system32

29.01.2007 19:13 21.061 FFASTLOG.TXT
26.01.2007 20:44 12.620 wpa.dbl
22.01.2007 09:13 149.992 FNTCACHE.DAT
21.01.2007 11:32 22.029 ddccayw.dll
21.01.2007 11:32 18.432 winxtx32.dll

03.01.2007 00:19 10.980.776 MRT.exe
11.12.2006 19:39 28.672 vxblock.dll
11.12.2006 19:39 405.504 px.dll


Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: 2055-E2D5

Verzeichnis von E:\DOKUME~1\KELER~1\LOKALE~1\Temp

29.01.2007 19:47 289 datFind.zip
1 Datei(en) 289 Bytes
0 Verzeichnis(se), 9.490.386.944 Bytes frei

Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: 2055-E2D5

Verzeichnis von E:\WINDOWS

29.01.2007 19:13 157 wiadebug.log
29.01.2007 19:13 1.907.341 WindowsUpdate.log
29.01.2007 19:13 50 wiaservc.log
29.01.2007 19:13 0 0.log
29.01.2007 19:13 2.048 bootstat.dat
28.01.2007 12:13 486 win.ini
25.01.2007 15:06 430.533 setupapi.log
20.01.2007 21:11 26.596 ModemLog_Motorola USB Modem.txt
11.01.2007 18:39 70.190 iis6.log
11.01.2007 18:39 95.760 ntdtcsetup.log
11.01.2007 18:39 175.052 tsoc.log
11.01.2007 18:39 1.374 imsins.log
11.01.2007 18:39 159.010 comsetup.log
11.01.2007 18:39 25.443 ocmsn.log
11.01.2007 18:39 10.709 KB929969.log
11.01.2007 18:39 227.990 ocgen.log
11.01.2007 18:39 22.364 msgsocm.log
11.01.2007 18:39 442.972 FaxSetup.log


Verzeichnis von E:\

29.01.2007 19:50 0 sys.txt
29.01.2007 19:50 296 down.txt
29.01.2007 19:50 117 tmp.txt
29.01.2007 19:49 8.458 system.txt
29.01.2007 19:49 294 systemtemp.txt
29.01.2007 19:48 95.470 system32.txt
29.01.2007 19:46 4.994 ComboFix.txt
29.01.2007 19:43 3.980 hijackthis.log
29.01.2007 19:12 1.598.029.824 pagefile.sys
28.01.2007 13:59 4.398 ffastun.ffa
28.01.2007 13:59 49.152 ffastun.ffo
28.01.2007 13:59 163.840 ffastun.ffl
28.01.2007 13:59 2.088.960 ffastun0.ffx
14.11.2006 19:38 210 boot.ini

Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: 2055-E2D5

Verzeichnis von E:\WINDOWS\temp

Volume in Laufwerk E: hat keine Bezeichnung.
Volumeseriennummer: 2055-E2D5

Verzeichnis von E:\WINDOWS\Downloaded Program Files

14.11.2006 18:51 65 desktop.ini
1 Datei(en) 65 Bytes
0 Verzeichnis(se), 9.490.374.656 Bytes frei
30.01.2007, 01:32
Honorary member

Posts: 29434
#2 Tinwian

Avenger
http://virus-protect.org/artikel/tools/avenger.html
paste in:

Quote

Registry values to delete:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{C1B4DEC2-2623-438e-9CA2-C9043AB28508}
HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks|{C505F4FA-0AFD-4E83-B73E-5084E813154A}

registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccayw
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxtx32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1B4DEC2-2623-438e-9CA2-C9043AB28508}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C505F4FA-0AFD-4E83-B73E-5084E813154A}
HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C505F4FA-0AFD-4E83-B73E-5084E813154A}

Files to delete:
E:\WINDOWS\system32\ddccayw.dll
E:\WINDOWS\system32\winxtx32.dll
Click the green traffic light
the script will now be executed, then the PC will restart automatically
__________
Regards, Sabina

all about PC security
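As an added example (not the forum's, Avenger's or HijackThis's own code), here is a small Python triage script that applies the same three heuristics the helper used on the log in post #1 (a nameless O2 BHO loaded from system32, an O3 toolbar with "(no file)", and O20 Winlogon Notify packages not on an allowlist) and renders the findings in the section layout the Avenger script above uses. The sample log lines are copied from post #1, and the allowlist of XP Notify packages is an assumption you would maintain yourself.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the entries from the first HijackThis log in this
# thread that the helper acted on, plus benign lines for contrast.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C505F4FA-0AFD-4E83-B73E-5084E813154A} - E:\WINDOWS\system32\ddccayw.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O20 - Winlogon Notify: ddccayw - E:\WINDOWS\SYSTEM32\ddccayw.dll
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winxtx32 - E:\WINDOWS\SYSTEM32\winxtx32.dll
"""

# Winlogon Notify packages expected on a Windows XP box plus the Intel graphics
# one from this log. Assumption: a small allowlist you maintain yourself.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui",
}

GUID = r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - " + GUID + r" - (?P<path>.*)$")
RE_O3 = re.compile(r"^O3 - Toolbar: (?P<name>.*?) - " + GUID + r" - (?P<path>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # "O2", "O3" or "O20"
    name: str
    clsid: str    # empty for O20 entries
    path: str
    reason: str


def in_system_dir(path: str) -> bool:
    """True for a DLL living in the Windows system directory, whatever the drive letter."""
    return re.search(r"\\windows\\system32\\", path, re.IGNORECASE) is not None


def triage(log_text: str) -> list[Finding]:
    """Apply the three heuristics the helper used in this thread to a HijackThis log."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if m := RE_O2.match(line):
            # Vundo-style BHO: no name, random file name, dropped into system32.
            # Spybot's SDHelper is also nameless but lives under Program Files.
            if m["name"] == "(no name)" and in_system_dir(m["path"]):
                findings.append(Finding("O2", m["name"], m["clsid"], m["path"],
                                        "nameless BHO loaded from the system directory"))
        elif m := RE_O3.match(line):
            # Orphaned toolbar registration: the registry value outlived its file.
            if m["path"] == "(no file)":
                findings.append(Finding("O3", m["name"], m["clsid"], m["path"],
                                        "toolbar entry whose file no longer exists"))
        elif m := RE_O20.match(line):
            # Winlogon Notify DLLs load before the user shell; anything unknown is suspect.
            if m["name"].lower() not in KNOWN_NOTIFY:
                findings.append(Finding("O20", m["name"], "", m["path"],
                                        "Winlogon Notify package not on the allowlist"))
    return findings


def _dedupe(items: list[str]) -> list[str]:
    """Keep the first occurrence, comparing case-insensitively (system32 vs SYSTEM32)."""
    seen: set[str] = set()
    out: list[str] = []
    for item in items:
        if item.lower() not in seen:
            seen.add(item.lower())
            out.append(item)
    return out


def avenger_script(findings: list[Finding]) -> str:
    """Render findings in the section layout the Avenger script in post #2 uses."""
    values, keys, files = [], [], []
    for f in findings:
        if f.section == "O3":
            values.append(r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{%s}" % f.clsid)
            keys.append(r"HKLM\SOFTWARE\Classes\CLSID\{%s}" % f.clsid)
        elif f.section == "O2":
            keys.append(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
                        r"\Browser Helper Objects\{%s}" % f.clsid)
            keys.append(r"HKLM\SOFTWARE\Classes\CLSID\{%s}" % f.clsid)
            files.append(f.path)
        elif f.section == "O20":
            keys.append(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\%s" % f.name)
            files.append(f.path)
    parts = []
    for header, entries in (("Registry values to delete:", values),
                            ("Registry keys to delete:", keys),
                            ("Files to delete:", files)):
        if entries:
            parts.append(header + "\n" + "\n".join(_dedupe(entries)))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<10} {f.reason}")
    print()
    print(avenger_script(triage(SAMPLE_LOG)))
```

The Avenger log in post #3 reports the Browser Helper Objects key as "not found"; the builder here writes that key with its full HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer path, which is where BHOs are registered.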
30.01.2007, 18:22
Member

Thread starter

Posts: 19
#3 Well, I don't know whether the logfile is still needed, but I'll post it anyway:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ngfyvjtm

*******************

Script file located at: \??\E:\WINDOWS\qsfkncvd.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:

File E:\WINDOWS\system32\ddccayw.dll deleted successfully.


File E:\WINDOWS\system32\winxtx32.dll not found!
Deletion of file E:\WINDOWS\system32\winxtx32.dll failed!

Could not process line:
E:\WINDOWS\system32\winxtx32.dll
Status: 0xc0000034



Could not delete registry value HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{C1B4DEC2-2623-438e-9CA2-C9043AB28508}
Deletion of registry value HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{C1B4DEC2-2623-438e-9CA2-C9043AB28508} failed!
Status: 0xc0000034

Registry value HKLM\software\microsoft\windows\currentversion\explorer\shellexecutehooks|{C505F4FA-0AFD-4E83-B73E-5084E813154A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccayw deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winxtx32 deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1B4DEC2-2623-438e-9CA2-C9043AB28508} not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1B4DEC2-2623-438e-9CA2-C9043AB28508} failed!
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C505F4FA-0AFD-4E83-B73E-5084E813154A} deleted successfully.


Registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C505F4FA-0AFD-4E83-B73E-5084E813154A} not found!
Deletion of registry key HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C505F4FA-0AFD-4E83-B73E-5084E813154A} failed!
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

I ran AntiVir once more and nothing came up.
So many thanks for the help and effort.
19.10.2009, 10:21
...new here

Posts: 9
#4 Hello, I have the same problem, can someone please help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:31, on 19.10.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\Programme\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Programme\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programme\Microsoft SQL Server\MSSQL$PP40\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programme\WAGO Software\CoDeSys ENI Server\ENI.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\ATK Hotkey\HcontrolUser.exe
C:\Programme\ATK Hotkey\Hcontrol.exe
C:\Programme\ATK Hotkey\MsgTranAgt.exe
C:\Programme\ASUS\ATK Media\DMEDIA.EXE
C:\Programme\ATKOSD2\ATKOSD2.exe
C:\Programme\Wireless Console 2\wcourier.exe
C:\Programme\ASUS\Splendid\ACMON.exe
C:\Programme\ASUS\Net4Switch\Net4Switch.exe
C:\Programme\ASUS\ASUS Live Update\ALU.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\ATK Hotkey\ATKOSD.exe
C:\Programme\WAGO Software\CoDeSys ENI Server\ENISysTray.exe
C:\Programme\3S CoDeSys\GatewayPLC\GatewaySysTray.exe
C:\Programme\3S CoDeSys\GatewayPLC\CoDeSysSPSysTray.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\ATK Hotkey\WDC.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Unlocker\UnlockerAssistant.exe
C:\Programme\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Windows Desktop Search\WindowsSearch.exe
C:\Programme\openoffice\OpenOffice.org 3\program\soffice.exe
C:\Programme\openoffice\OpenOffice.org 3\program\soffice.bin
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\logger.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Programme\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Programme\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\Programme\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Programme\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inhaus-gmbh.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Programme\AskSearch\bin\DefaultSearch.dll
O1 - Hosts: 89.163.145.235 www.party-games.org
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HControlUser] "C:\Programme\ATK Hotkey\HcontrolUser.exe"
O4 - HKLM\..\Run: [ATKHOTKEY] "C:\Programme\ATK Hotkey\Hcontrol.exe"
O4 - HKLM\..\Run: [MsgTranAgt] "C:\Programme\ATK Hotkey\MsgTranAgt.exe"
O4 - HKLM\..\Run: [ATKMEDIA] C:\Programme\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ATKOSD2] "C:\Programme\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [Wireless Console 2] "C:\Programme\Wireless Console 2\wcourier.exe"
O4 - HKLM\..\Run: [ACMON] "C:\Programme\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [Net4Switch] C:\Programme\ASUS\Net4Switch\Net4Switch.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programme\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\WINDOWS\ASScrProlog.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ENISysTray] C:\Programme\WAGO Software\CoDeSys ENI Server\ENISysTray.exe
O4 - HKLM\..\Run: [GatewaySysTray] "C:\Programme\3S CoDeSys\GatewayPLC\GatewaySysTray.exe"
O4 - HKLM\..\Run: [CoDeSysSPSysTray] "C:\Programme\3S CoDeSys\GatewayPLC\CoDeSysSPSysTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Programme\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Programme\openoffice\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Text To Wave.lnk = C:\Programme\TextToMp3\TextToWave.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = inHausGmbH.local
O17 - HKLM\Software\..\Telephony: DomainName = inHausGmbH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = inHausGmbH.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Programme\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Programme\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: ENI Server - 3S-Smart Software Solutions GmbH - C:\Programme\WAGO Software\CoDeSys ENI Server\ENI.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c9d551191fa16d) (gupdate1c9d551191fa16d) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Programme\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: RT Service 3S KM (RTService) - 3S-Smart Software Solutions GmbH - C:\Programme\WAGO Software\CoDeSys SP RTE\RTService.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 13157 bytes
19.10.2009, 11:41
Moderator

Posts: 5694
#5 >>
Since some programs and anti-spyware programs may hinder us during the cleanup (e.g. through constantly running background guards), are unnecessary or harmful, or are simply no longer needed, I ask you to completely uninstall the following programs via Control Panel => Add or Remove Programs.

Code

Ask Toolbar
Ask.com Search Assistant 1.0.1
AskSearch
Let me know if a program cannot be uninstalled. Once the cleanup is finished we can see which of them you can/should reinstall.

>>
Delete files

Boot Windows into Safe Mode (please be sure to click the link & read it!)

While the computer is starting up, press [F8] (on Win XP) until you get a selection menu.
Choose: Safe Mode with Networking

Then delete the following folder in Explorer:
C:\Programme\AskSearch

>>
Now please first work through the link in my signature.
20.10.2009, 10:22
...new here

Posts: 9
#6 OK, many thanks for now.

The software has been uninstalled and the folder was deleted in Safe Mode.

My problem is that AntiVir reports the following virus whenever I try to synchronize with our server: TR/Vundo.Gen
I have now run Malwarebytes, with the following report:

Malwarebytes' Anti-Malware 1.41
Datenbank Version: 2996
Windows 5.1.2600 Service Pack 3

20.10.2009 08:47:13
mbam-log-2009-10-20 (08-47-13).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 153717
Laufzeit: 6 minute(s), 10 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

So it seems not to have found anything.

I'll continue with Gmer now and then report back.
20.10.2009, 14:42
...new here

Posts: 9
#7 So I've now tried twice to run Gmer, but it crashes after about 1.5 h with a blue screen. What else can I do? Thanks in advance.
20.10.2009, 18:16
...new here

Posts: 9
#8 I've now done it with HijackThis; this is what comes out:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:15:07, on 20.10.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\Programme\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Programme\ATKGFNEX\GFNEXSrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Programme\Microsoft SQL Server\MSSQL$PP40\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programme\WAGO Software\CoDeSys ENI Server\ENI.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\ATK Hotkey\HcontrolUser.exe
C:\Programme\ATK Hotkey\Hcontrol.exe
C:\Programme\ATK Hotkey\MsgTranAgt.exe
C:\Programme\ASUS\ATK Media\DMEDIA.EXE
C:\Programme\ATKOSD2\ATKOSD2.exe
C:\Programme\Wireless Console 2\wcourier.exe
C:\Programme\ASUS\Splendid\ACMON.exe
C:\Programme\ASUS\Net4Switch\Net4Switch.exe
C:\Programme\ASUS\ASUS Live Update\ALU.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\WAGO Software\CoDeSys ENI Server\ENISysTray.exe
C:\WINDOWS\system32\ACEngSvr.exe
C:\Programme\3S CoDeSys\GatewayPLC\GatewaySysTray.exe
C:\Programme\3S CoDeSys\GatewayPLC\CoDeSysSPSysTray.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Java\jre6\bin\jusched.exe
C:\Programme\Unlocker\UnlockerAssistant.exe
C:\Programme\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\CapabilityManager.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Teleca Shared\logger.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programme\Windows Desktop Search\WindowsSearch.exe
C:\Programme\openoffice\OpenOffice.org 3\program\soffice.exe
C:\Programme\openoffice\OpenOffice.org 3\program\soffice.bin
C:\Programme\Gemeinsame Dateien\Teleca Shared\Generic.exe
C:\Programme\ATK Hotkey\ATKOSD.exe
C:\Programme\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
C:\Programme\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
C:\Programme\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
C:\Programme\ATK Hotkey\WDC.exe
C:\Programme\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
C:\Programme\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Trend Micro\Kopie von HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xxx.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Programme\AskSearch\bin\DefaultSearch.dll (file missing)
O1 - Hosts: 89.163.145.235 www.party-games.org
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HControlUser] "C:\Programme\ATK Hotkey\HcontrolUser.exe"
O4 - HKLM\..\Run: [ATKHOTKEY] "C:\Programme\ATK Hotkey\Hcontrol.exe"
O4 - HKLM\..\Run: [MsgTranAgt] "C:\Programme\ATK Hotkey\MsgTranAgt.exe"
O4 - HKLM\..\Run: [ATKMEDIA] C:\Programme\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [ATKOSD2] "C:\Programme\ATKOSD2\ATKOSD2.exe"
O4 - HKLM\..\Run: [Wireless Console 2] "C:\Programme\Wireless Console 2\wcourier.exe"
O4 - HKLM\..\Run: [ACMON] "C:\Programme\ASUS\Splendid\ACMON.exe"
O4 - HKLM\..\Run: [Net4Switch] C:\Programme\ASUS\Net4Switch\Net4Switch.exe
O4 - HKLM\..\Run: [ASUS Live Update] C:\Programme\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\WINDOWS\ASScrProlog.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [ENISysTray] C:\Programme\WAGO Software\CoDeSys ENI Server\ENISysTray.exe
O4 - HKLM\..\Run: [GatewaySysTray] "C:\Programme\3S CoDeSys\GatewayPLC\GatewaySysTray.exe"
O4 - HKLM\..\Run: [CoDeSysSPSysTray] "C:\Programme\3S CoDeSys\GatewayPLC\CoDeSysSPSysTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Programme\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Mobile Connectivity Suite] "C:\Programme\HTC\HTC Sync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Programme\Gemeinsame Dateien\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Programme\openoffice\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Text To Wave.lnk = C:\Programme\TextToMp3\TextToWave.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = C:\Programme\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxx.local
O17 - HKLM\Software\..\Telephony: DomainName = xxx.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = xxx.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Programme\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Programme\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: ENI Server - 3S-Smart Software Solutions GmbH - C:\Programme\WAGO Software\CoDeSys ENI Server\ENI.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c9d551191fa16d) (gupdate1c9d551191fa16d) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Programme\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: RT Service 3S KM (RTService) - 3S-Smart Software Solutions GmbH - C:\Programme\WAGO Software\CoDeSys SP RTE\RTService.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 13102 bytes
This post was edited on 20.10.2009 at 18:19 by DCR911.
20.10.2009, 18:43
Moderator

Posts: 5694
#9 >>
Download:
HostsXpert.zip
http://www.funkytoad.com/download/HostsXpert.zip
Start it.
Click 'Restore MS Hosts File' and click 'OK'.
Exit Program.


>>
Rootkit scan with RootRepeal
• Go here, scroll down and download RootRepeal.zip.
• Unpack the file to your desktop.
• Double-click RootRepeal.exe to start the scanner.
• Click the Report tab and then the Scan button.
• Tick the following items and click Ok:
  Drivers
  Files
  Processes
  SSDT
  Stealth Objects
  Hidden Services
  Shadow SSDT
• You will then be asked which drives should be scanned.
• Select C:\ and click Ok again.
• The scan starts automatically; it will take a while, please be patient.
• When the scan is finished, click Save Report.
• Save the logfile as RootRepeal.txt on the desktop.
• Copy its contents here into the thread.


Now post the logfile.
20.10.2009, 19:22
...new here

Posts: 9
#10 All right.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/20 18:50
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA9AA3000 Size: 851968 File Visible: No Signed: -
Status: -

Name: PCI_PNP2058
Image Path: \Driver\PCI_PNP2058
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9E48E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sphe.sys
Image Path: sphe.sys
Address: 0xBA6A6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\ADSM_PData_0150
Status: Invisible to the Windows API!

Path: \\?\C:\ADSM_PData_0150\*
Status: Could not enumerate files with the Windows API (0x00000006)!


Path: C:\ADSM_PData_0150\DB
Status: Invisible to the Windows API!

Path: C:\ADSM_PData_0150\DragWait.exe
Status: Invisible to the Windows API!

Path: C:\ADSM_PData_0150\_avt
Status: Invisible to the Windows API!

Path: \\?\C:\ADSM_PData_0150\DB\*
Status: Could not enumerate files with the Windows API (0x00000006)!


Path: C:\ADSM_PData_0150\DB\SI.db
Status: Invisible to the Windows API!

Path: C:\ADSM_PData_0150\DB\UL.db
Status: Invisible to the Windows API!

Path: C:\ADSM_PData_0150\DB\VL.db
Status: Invisible to the Windows API!

Path: C:\ADSM_PData_0150\DB\_avt
Status: Invisible to the Windows API!

Path: C:\Dokumente und Einstellungen\_DELET\Gesichertes Dokument
Status: Invisible to the Windows API!

Path: C:\Dokumente und Einstellungen\_DELET\Gesicherte Musik
Status: Invisible to the Windows API!

Path: C:\Dokumente und Einstellungen\_DELET\Gesichertes Video
Status: Invisible to the Windows API!

Path: \\?\C:\Dokumente und Einstellungen\_DELET\Gesichertes Dokument\*
Status: Could not enumerate files with the Windows API (0x00000006)!


Path: C:\Dokumente und Einstellungen\_DELET\Gesichertes Dokument\_avt
Status: Invisible to the Windows API!

Path: C:\Dokumente und Einstellungen\_DELET\Gesichertes Dokument\_lit
Status: Invisible to the Windows API!

Path: \\?\C:\Dokumente und Einstellungen\_DELET\Gesicherte Musik\*
Status: Could not enumerate files with the Windows API (0x00000006)!


Path: C:\Dokumente und Einstellungen\_DELET\Gesicherte Musik\_avt
Status: Invisible to the Windows API!

Path: C:\Dokumente und Einstellungen\_DELET\Gesicherte Musik\_lit
Status: Invisible to the Windows API!

Path: \\?\C:\Dokumente und Einstellungen\_DELET\Gesichertes Video\*
Status: Could not enumerate files with the Windows API (0x00000006)!


Path: C:\Dokumente und Einstellungen\_DELET\Gesichertes Video\_avt
Status: Invisible to the Windows API!

Path: C:\Dokumente und Einstellungen\_DELET\Gesichertes Video\_lit
Status: Invisible to the Windows API!

Path: C:\Programme\ASUS\ASUS Data Security Manager\driver\x86
Status: Invisible to the Windows API!

Path: \\?\C:\Programme\ASUS\ASUS Data Security Manager\driver\x86\*
Status: Could not enumerate files with the Windows API (0x00000006)!


Path: C:\Programme\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys
Status: Invisible to the Windows API!

Path: C:\Programme\ASUS\ASUS Data Security Manager\driver\x86\_avt
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbaebfd06

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xbaebfcfc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xbaebfd0b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xbaebfd15

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sphe.sys" at address 0xba6c5ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sphe.sys" at address 0xba6c6032

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xbaebfd1a

#: 119 Function Name: NtOpenKey
Status: Hooked by "sphe.sys" at address 0xba6a70c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbaebfce8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xbaebfced

#: 160 Function Name: NtQueryKey
Status: Hooked by "sphe.sys" at address 0xba6c610a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sphe.sys" at address 0xba6c5f8a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xbaebfd24

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xbaebfd1f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xbaebfd10

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xbaebfcf7

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x850b1020, TID: 7868]
Process: firefox.exe (PID: 4532) Address: 0x03b5e2cb Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8ab091f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x89ecb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89e6a500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8ab0b1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89f701f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89f701f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89f701f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89f701f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x89f701f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89f701f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x89f701f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8aa991f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89ead1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89ead1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ead1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89ead1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89ead1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89ead1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89f581f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89f581f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89f581f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89f581f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89f581f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89f581f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89f581f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x898921f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_CREATE]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_CLOSE]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_READ]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_CLEANUP]
Process: System Address: 0x89ec31f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆냀귘싀, IRP_MJ_PNP]
Process: System Address: 0x89ec31f8 Size: 121

==EOF==
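The SSDT section of the log above, digested by a small parser: this is an added example, not part of the thread or of RootRepeal, that groups the hooked syscalls by the module RootRepeal attributes them to and reports each module's hook address span (the sample excerpt is constructed from lines in the log above).

```python
"""Group the hooks in a RootRepeal "SSDT" section by hooking module.

Added example, not part of the thread or of RootRepeal. SAMPLE_REPORT is a
constructed excerpt whose lines are taken from the RootRepeal log above.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SAMPLE_REPORT = """\
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xbaebfd06

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sphe.sys" at address 0xba6c5ca4

#: 119 Function Name: NtOpenKey
Status: Hooked by "sphe.sys" at address 0xba6a70c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xbaebfce8

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x850b1020, TID: 7868]
"""

# "#: 041 Function Name: NtCreateKey"
FUNC_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
# 'Status: Hooked by "sphe.sys" at address 0xba6c5ca4'
HOOK_RE = re.compile(r'^Status:\s*Hooked by "([^"]*)" at address (0x[0-9a-fA-F]+)')


def parse_ssdt_section(report: str) -> List[dict]:
    """Return one record per hooked entry in the SSDT section of a RootRepeal report."""
    records: List[dict] = []
    in_ssdt = False
    pending: Optional[Tuple[int, str]] = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "SSDT":              # section title; a dashed underline follows
            in_ssdt = True
            continue
        if not in_ssdt:
            continue
        if line.startswith("---"):
            continue
        m = FUNC_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        h = HOOK_RE.match(line)
        if h and pending is not None:
            index, func = pending
            records.append({"index": index, "function": func,
                            "module": h.group(1), "address": int(h.group(2), 16)})
            pending = None
            continue
        if line.startswith("Status:"):  # e.g. "Status: -" for an unhooked entry
            pending = None
            continue
        in_ssdt = False                 # any other line is the next section's title
    return records


def group_hooks_by_module(records: List[dict]) -> Dict[str, List[str]]:
    """Map each hooking module to the sorted list of syscalls it hooks."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        grouped[rec["module"]].append(rec["function"])
    return {mod: sorted(funcs) for mod, funcs in grouped.items()}


def address_span(records: List[dict], module: str) -> Optional[Tuple[int, int]]:
    """Lowest and highest hook address for one module, or None if it hooks nothing.

    Hooks RootRepeal cannot attribute are reported as "<unknown>"; when their
    addresses lie within a few bytes of each other they belong to one image.
    """
    addrs = [rec["address"] for rec in records if rec["module"] == module]
    return (min(addrs), max(addrs)) if addrs else None


if __name__ == "__main__":
    recs = parse_ssdt_section(SAMPLE_REPORT)
    for mod, funcs in group_hooks_by_module(recs).items():
        lo, hi = address_span(recs, mod)
        print(f"{mod}: {len(funcs)} hooks, addresses {lo:#x}-{hi:#x}: {', '.join(funcs)}")
```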
20.10.2009, 20:25
Moderator

Posts: 5694
#11 >>
Download Registry Search by Bobbi Flekman

and double-click it to start.
Into the field "Enter search strings" (type or paste it in):

sphe


in edit and click "Ok".
Notepad will open -- copy the text and post it.

>>
Sophos Anti-Rootkit Scanner

• Go to Sophos and download their rootkit scanner. You will get an installer file, sarsfx.exe.
• Start it, accept the licence and let the program install; do not change the path C:\SOPHTEMP.
• Go to that folder in Explorer and start sargui.exe, then close all other programs.
• Leave everything under Area ticked and start the scan with "Start scan". The scan takes a while; when it is finished a window pops up with a summary, click "Ok" there. Close the Sophos rootkit scanner; this scan is for analysis only.
• Start Explorer and enter "%temp%" in the address bar (without quotation marks); there you will find a file sarscan.log, please post its contents.

>>
please run RSIT + post the two logs
http://virus-protect.org/artikel/tools/random.html
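The procedure above produces two text logs that then have to be read by hand. The following Python is added here as an example and is not part of the thread or of either tool. It parses both outputs: for the Registry Search dump (REGEDIT4 format) it reports where the search string actually occurs (key path, value name or value data), which is what lets a reader separate a legitimate hit such as OlePrn.AspHelp or the MediaPlayer BrightSphere preset from a suspicious one; for the Sophos sarscan.log it lists hidden kernel drivers first and groups the other hidden files by folder, so a product hiding a whole tree shows up as one cluster. The sample inputs are constructed, shortened versions of the logs posted later in this thread.

```python
"""Triage helpers for the two logs the procedure above asks for: the
Registry Search (RegSrch) dump in REGEDIT4 format and the Sophos
Anti-Rootkit sarscan.log.  Added example for this thread, not code
from either tool; the sample texts below are constructed from the
logs posted in the thread and shortened."""
import re
from collections import defaultdict

# --- Registry Search output ------------------------------------------------
# One "[KEY]" header followed by "name"=data lines; "@" is the default value.
# Very long values in the tool's output wrap onto continuation lines that
# carry no name; those are skipped here.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_regsrch(text, needle):
    """Return [(key, value_name, where)] for every place the search string
    occurs: 'key' (in the key path), 'name' (value name) or 'data'
    (value data).  Matching is case-insensitive, as in the tool."""
    hits, key, n = [], None, needle.lower()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            if n in key.lower():
                hits.append((key, None, 'key'))
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue                      # continuation of a wrapped value
        name, data = m.group(1).strip('"'), m.group(2)
        if n in name.lower():
            hits.append((key, name, 'name'))
        elif n in data.lower():
            hits.append((key, name, 'data'))
    return hits


# --- Sophos Anti-Rootkit log -----------------------------------------------
_HIDDEN_RE = re.compile(r'^Hidden:\s+(\w+)\s+(.+?)\s*$')


def parse_sarscan(text):
    """Return [(kind, path)] for every 'Hidden:' line in sarscan.log."""
    return [(m.group(1), m.group(2))
            for m in map(_HIDDEN_RE.match, text.splitlines()) if m]


def hidden_drivers(text):
    """Hidden .sys files: a kernel driver that hides its own image is the
    first thing to look at, whether it is malware or a vendor product."""
    return sorted(p for k, p in parse_sarscan(text)
                  if k == 'file' and p.lower().endswith('.sys'))


def group_by_folder(text, depth=2):
    """Group hidden files by drive plus the first folder(s), so that one
    product hiding a whole tree shows up as a single cluster."""
    groups = defaultdict(list)
    for kind, path in parse_sarscan(text):
        if kind == 'file':
            parts = path.split('\\')
            groups['\\'.join(parts[:depth])].append(path)
    return dict(groups)


# Constructed sample inputs, cut down from the logs posted in this thread.
SAMPLE_REGSRCH = r'''REGEDIT4
; RegSrch.vbs (c) Bill James
; Registry search results for string "sphe" 20.10.2009 20:32:56

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E4D4F1C-2AEE-11D1-9D3D-00C04FC30DF6}\ProgID]
@="OlePrn.AspHelp.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA7DA71301B7449A0100000010]
"Atmosphere_3D"="Reader_Big_Features"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OlePrn.AspHelp]

[HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere]
'''

SAMPLE_SARSCAN = r'''Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 20.10.2009 at 20:43:49
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\ADSM_PData_0150\DragWait.exe
Hidden: file C:\Programme\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys
Hidden: file C:\Dokumente und Einstellungen\xxx\Gesichertes Dokument\_avt
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Info: Starting disk scan of D: (NTFS).
Hidden: file D:\_EIB\Hager\Alt\CD_Applikation_Produkte\tebisEIB\Marketing\virthaus.exe
Stopped logging on 20.10.2009 at 21:49:03
'''

if __name__ == '__main__':
    for key, name, where in parse_regsrch(SAMPLE_REGSRCH, 'sphe'):
        print(f'{where:4}  {key}  {name or ""}')
    print('hidden drivers:', hidden_drivers(SAMPLE_SARSCAN))
    for folder, paths in group_by_folder(SAMPLE_SARSCAN).items():
        print(f'{folder}: {len(paths)} hidden file(s)')
```

A hidden .sys file is not by itself proof of malware: hiding its own image is what a rootkit does, but some commercial products (disc-emulation and folder-encryption tools among them) do the same, so each hidden driver should be matched against an installed product before anything is deleted. Likewise a registry hit inside value data or a ProgID such as OlePrn.AspHelp merely contains the searched letters; the hits worth a second look are those where the string is a file or key name on its own.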
20.10.2009, 20:35
...new here

Posts: 9
#12 This is what Registry Search by Bobbi Flekman tells me:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "sphe" 20.10.2009 20:32:56

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E4D4F1C-2AEE-11D1-9D3D-00C04FC30DF6}\ProgID]
@="OlePrn.AspHelp.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3E4D4F1C-2AEE-11D1-9D3D-00C04FC30DF6}\VersionIndependentProgID]
@="OlePrn.AspHelp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\00002109E60070400000000000F01FEC]
"MSPHELPIntl_1031"="MSOfficeDocumentImagingIntl_1031"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\68AB67CA7DA71301B7449A0100000010]
"Atmosphere_3D"="Reader_Big_Features"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3E4D4F1B-2AEE-11D1-9D3D-00C04FC30DF6}]
@="Iasphelp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OlePrn.AspHelp]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OlePrn.AspHelp\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OlePrn.AspHelp\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OlePrn.AspHelp\CurVer]
@="OlePrn.AspHelp.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OlePrn.AspHelp.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OlePrn.AspHelp.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\HTC\HTC Sync\Mobile Phone Monitor\DbgOut\ECSPHEXT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\064DC8258C400D8666E5F138C8732AFB]
"12F610CC0793ED118B87000565084666"="C:\\Programme\\Google\\Google Earth\\shaders\\atmosphere_common.ini"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\12EA8F814DB70AB41B898B561C3AAAB1]
"00002109E60070400000000000F01FEC"="C:\\Programme\\Microsoft Office\\Office12\\1031\\MSPHELP.CHM"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\33D1215A636390BE311CF4975ED6128B]
"163D42EF8E3AED11883F000565084666"="C:\\Programme\\Google\\Google Earth\\plugin\\shaders\\atmosphere_common.ini"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\51AE916FE0731F148BB211C570801A7C]
"F238E42F4B447CA4AA88E89FB47967CB"="C:\\Programme\\HTC\\HTC Sync\\Mobile Phone Monitor\\ecsphext.dll"

"MSOfficeDocumentImagingIntl_1031"="e@PwA{cAS?O5Bud0_].CPLM9k[TI0?8+nGS9p3&c8=Su5@U0Q=8eX'[G!T.w"
"MSPHELPIntl_1031"="_94%+e`&B@7.vcHScnt+MSOfficeDocumentImagingIntl_1031"

"Atmosphere_3D"="d33*h_E![=*b5gTGiv$aZY4FfL$GK?%m_xV!&KMn^X)x8c*bF9uX[Yk=h*t02=eUxr-88=X[^'-qu[uWuq35L?Q0o8]jc!1GgjE*u?zcG%.hX?W4c98w2^aD10_ByZ$2=@2dw0e74ry9`=HG4M'zU9NN5fuuFLci(a.6-RP!j?*{-[jrF7ZpReader_Big_Features"

"P"="]n~WD8ikc=y,L.z2A$nZQG4zAU=7j9Fn0,CRpdDrovuY']Tze?W~O0^p3{nD6DaM?6&z8@YG(euQq9}23eUgcex=S@cag_jOM@X?=@^F$9)z-9p0eG[JrSz6H1H'RpXh,AM1EfK(UB6tq='CaJ8(??poHBmyhHTw.R=D@)__5@0IT4?HWHV%z1HRw%Sj39J$&le;)5$zT?OX'*G(v=HBl^'*KY!7!pY'J'TJc8%kxd+w'fq'wC!uCoqZF?Z%,`I_4}%j!!3LY$AO?@GSqRN]nG&o(n*wBU..QAr91-0'G`8lJhWHp?5U$@MP'ZjtqlOOM63HqQS@0?q2[1Q]w7JiqI&~MGv)f=!1(WZ5!Ql+g.Md`QzeT9'u_1,3.%Uec7^W.5YQ!?n=Qci!$?KA!ml~1zdG6A1yGY'$u5AhN~tlTyA[t86U$k_e%oKma'.a5EJR`?a(J*@Tb&Z]6,s&ZR4TI?aI[XS1QdL&z=OVR`)~U9*=lqIFFphb?uA$b=5OT?86oJ9iBfvT4F]zPTm$CAhFXmabVgZYls6ukQJcy?1~cdUe8*4F``EzP^lX9A3((n*9)x`Re}Ilw-.}XAy,ECO^4Z'*vT@tbqDuf?Z+4hO}wZ(d3`Wvp-TpR@V&{[!%{gf`aiBfw$_H_8ZLf5K~OxpKGRB6S4F5Z9d],}0hFKiu7$cYOWm^K?So^Y]UH,,T-dIlKNl&V?E^`*,LdnooTQl`]o!N)9&O7cIkZk4E@l{6BmU6J=C1Z]I_{Q@w=Y}pY+8TOAZ*x'YbkvDZK%Gct.i&;)A6hte0sscH@{t`8E8-Vf@1qZ_W][&h`EhJ.5saPm8S_Zg`0iABMdRHPh3odWAm5pccgZ$59tC=9f*?!j?UBy0IaRLE2@fKlB9DPy=704+W(LR-n5)ZLp{-%aAxi{(iyfa.!=eA[iP*L)9.U{qaiXLX_n5dQ-i[.@;)3wsS,&dZmT?a(gV{}E?nOPt`![N_W_2]o3J9Er9!6XCE2i$5PCbh~4nH_3@7o`cN{T6q8}S&$X)-i9AX@4-+SHvcmy50V*^XP79kOXk.$[BiZ=+hl0?*'K@pcxBlBZ1H2Bz{Z`Fxw(9y`72'KKd+gOl1[-P]O6@&'zLjl-)vs+(m'Z)Wk}8oArOn'GHYn4FX$-+GsB9}6~sECL02F~pwZ[b*uH?6Uf6eB,+q8E'_9W.+CD@b-p'6xSemtkBv-CJ94e@L$1KVw-9.[z0=xeBdq6=f~@v*0MPU]z&,=5MS,??]Cd5JN1ePklKiZyv4VD@xKQ3xlnh_VM^Pf4H5a)AKkaHG,SRucYQ*5cL3WQ@Y+`pYzDUk4fyJ{1@lyF=atx]n46ZBb_'FDrHHjg=wu6_s3s~.,G)gpA@N[(?UD]@vV%s?+x0U}d{*n'Ae$7M2F{~l?gO{z=f4%n?2Po(sK2]*'6$8uO1D0r=jQd0o$Vk76]{.NaN{uR=mldeoOQa()zb=w1IF$QAR2$xJKttd5WxN,pwWjU9A?2dsewyxtJS3c7Vj$p?)C$TZa8Q9]3aZGU]IUf@e{t{WtfmsgR'7bO*n8SAY(85.}$rHyuRfu,37,[AcXL&Pbo9AY,hdiq-Lb,?s5}F3~fdnHvayGZN5Sc8kO`W@S3Gp7dzpTFo!]r=zLc`(ldqOEE]Z-]V7O!=!A}*TTLG44ko'&n6l9h9SgM^klV^rmR'bXSc=6m@OD%lCuJH3CaQ`v8r'=`A*QryPq1kE'BGJDjj32N9jkXyq~U(GcwZGek`OkP@M)9^2U@e(-MkTm`k'1.9221asDYIsygIJtpvjZp8nd,{g$$m?[E6jP,7ppr=Yz$~(HOR4,M[2,kpCqe8Xhv$3WPi@Ds(lzkN%G+9Dq@$ofq3TYa~yR,jk&DA]8NF(Z-c'V^d=_KJ!~j@jg92&bf@?w]U-3[sV5F@CHU([~9BoOIpCV%EEgL9ou$+9TCZth5=uv%gg3V9=s5,L,a%BQuFr`UJxUt?Q(]u?Hz?A.*DveDZu,$9R=B9
B$&sXR+&kr]{ECh98tZwvAIn^0eza86VjXg=TWhWbu{xWk,eL}z&$JNAF8]WC1St3%uJRY]Nn~q8Xt}6Tk'3etDU4@Dutn0@oD+s^wjZC.6_&J90qo2A^].!x}oND=q*gaPAaux8w)5pF,RZo^p0L}(TP4ZA(nff2rd5}e7XwW@,ZQg=!7]uTTqfUWp=ouKZ2dP9i8KOY1-n8NY9nKLHPWE9hj]X?R&J~Wa]Qz]gOAY9.GI$Rof'Pw8*h5.j-0k@[2m,,MI++&F,-]i0)BP@rEAV.nu*Tnm+0}c85u?@ztea0u[oqZB_(TCu`-u8325,g])1X17p!N0GU+W=Tx%Z.-1_Iz~!f%p}Erx?'w6s[pNXX.JdQB(7kw@@LM2@]__79edR=9@tuL,=i{$5itfqNe-yM[P(?My8WC2uwHbr,.ovF,4vh_29Oq,,sN.=j8T8qHRf(&]9X}=-P}ll_InOApDAn`OAt.[ujZ7Y.5Adrvqa%5t=tE-7],]&B8$&jz`c2tP@Gf(j?+osO.?zLPXpITS9-)j_z3J6[hKZmYkB5?S=zF3.5b^rb^Uv8_62a5d=_!OA${$,+4[=@x7MTLq9mM{R]tcJTxqEN%(dX8p8Cg!@8+u&eoJrK-F?+=q?G~Ia3zvW2@!oC$XgnD1A8AuiXquL8!}GV1Ceqls?.=_~9zptYQd-?9g{NfQA~S07I[)27Jkod=Nl)Rn?-ZQ?.Pd%A-ncRMQx!n&@p'HUvI2de@0Z^V4aafD9!GVJ2BPNZj$Q8%iV)bBAGPF~87z1gggRE)`O[=NAZ_RXVmq{]QRZY}[~Cn6AYYr~7N-'iUsG5spHe]&9^^1P?+*Dbhbl%uE&}DaAz5IZ7@ej37SOPKwT`@]8R8i&nCEe%&9Ry,w+?K7=4^Bk1s[B.NkW!vDOA!c?Gh6^TP0TNaJ^dCGiMst=X&sx?N),ah6Q2=VKQlI@({Fvy(moy4'Ac3&YVlY@~?d81~}(?.y(=2g*]}W@iw7`=CZLtMu^}k+,c&t=JICl9M!c-eOoOA)TJ),9R]=@`X.z887Q@EK-LKt?K=F6FrU%DH^%PF*1lgU@?ziet2X~PMHX{So(16p=fxV=u[o%5+D0iZ%'5a6=9Em=QtrZMDR4Ona$5D{@UJej^ji`Q^T78RN$,&[8kHsipn!w48~!pz8%Qvj8v3Hb+?tY8MiT%4h6tIz8T[yzqBI*-IS'ywT0q%}?=pZm-nG~F+M_e`p$wGBAyx8onfZ61cmeUEW3?_,@K[aYCA^fZ,g])8%rcnb@=5hMu)).}C!jd.!LfVP9?4qfS3m5mS%Tq3E~-Dy@Y),k_D)eX^~R$!2AzpQAsL7RQJR!J7*Bm-OC=s-9XcobqnPxry^U9x0T3~(=XM}'B+&r?6mwlCVO_v^@Nkpg6&4tOYZ4'i*isEn=('lQ([1*I`PuVgOf,hS94i{(%yTp@edFVe.hWj9=J5d,6Ta+IO$}4C?L]!9=*N0C3z7bVJz$hkSPt]39$Eh?Zp5@BpdV?Zt0pKM9oA-2j5.sp7MK2W[h*P}80wVXO9V@tnb+^fR1]{w=k7WNlT3B~-H}0blqBU}9vgiumH[mOae}hqND_Mu9JH,hG0%=[O5H`$zf^fl9C~^AdR,(HhXO}2)9FG)A~B^NCo[w_93)gm''cx=A[`5^_Oyu]wz8Xb=R7Qx=?T6KJatK$2_q5q1-Ebu=Hr+[i2Eg)`4HrScgS1[?4+~t54s!E4UmU=rLp_z9)(,gTEZ,{w)*1lVT@9o8L+KU3?zRDtzqG$ob7D&?V6Y[i2(.4=X,'M]LV$G=*_H@o[)fRD`!bwB2Qf&9T}Q`OLhy5IR8aStn-Ka@42e+s22Y@-~.6x*eeWa@Xj0NUZc^A%WAS?OXhmZ=K8FUM7.!qy7.cHucSeO?CP~Sq~p,IE}yZi^M.Eg(RG2XaPN'?tG5(YAehhX9P$G2N~C=BsEtWtj^!EB@vkzvX1wri4&TmUHO,QP9Fe`R6K]+aQR~zC3*J*%=J{fz
'l^bVytAB^F9`-k9&(lTl,)a91HT-$Q}}G(@fkp?Q6ao?po2*`kW'qJ=g]_-Y?,ZG=LQ}B&rtP!A'XIBfmhA]GGy3@[gjsN=WCHT@5wab]t`!KN)i,m9i20tx39h8ZgI~Eh_92i=D`~@Gh*qxyE*X(J_V{EA)F4+daz7p'khNMbpqW{9j_L_6hBD1FqATG^mTt%?6LCfXk%2'X7mxdh'M%^8o4]b$5m3)xxTM.^k^3x=HF99D8~M`PX'0X+40=R@OFxER,o)&[~N?VPov{h?*M.CqhnoXIUJ.7&L'LZ8Qqeymv+iZ6vJcpO{iA}=Z[%8rL)Xi&`u2yaFnO9@a(6{YUMblX]M90QT8+t?G0CBeZLSGab,)E+R-CF@7ZxU.*Qb3Je(HGn9__Y@tB56l}QME*4pYwF1dDCAr]E]6yX)`94iIZdTclf97iu,cnQ4k*lJBM9Kq4[8iRNGN~Sx`^*Smd[pVLV9`'7synHh.7$C^D[ywX3=BJW]+vX{'mujr=xdNH8Ad4x(Idj,we^hF&x!7B%?C*u8{P0N^_.a}8g=UKSAK!pjZLYX-uF-$QYYC&G?6CD2_,ZQoUtFZX_.s6*Ai`c8xJzQ?gVRF7Ralqa?hKJlc67fjOp,UY)pA7Z9(2C+.3?I4l0jnl)N+2m@,eu4zzjL%N=2y+kn['-=r[t)&Ck[CD3-%ISCZKZ@3[?gssi=_ey%Qh^[ce!9N7bF2gG!1TwYEI(bRr+@*-1Lw^6.8`ZZ8JMV@&y@GWHd`DhK_!0NQ?oUhH6=gh^~VdGkCP8+Ox@(18o@eumbQ{dm!knI(_a}qCc8Iw-JLyf3+-]M$e!?Qlc?b0+Me((Cu5cVBGgna+r902oxl-Ipi&7PjB%_w}G@ooLQcP%4Q(f[`wgDxPo=4HMHf6~9pm&m_a+UJ5D=2?70nzb%IQ8@}9z.ywG9of$7DJuYtEmY,v'z{C-A9b)3Am*ZOGklh9^Fd'+9hiv=kr*'jO!F%g`&P!59nDL=5F'EcDhuV6jiWRo=4lu=UiaJKmqL%J'URm`@KZHhJ{b-oHIM8sTb~T+?W1fMoB*~R3VGghp@%ds8s[N-2%&epPE-vQtG`bj?ix,GT~z]KJ^h(%19*vx@niuIu%gnd+Iqi)VB!Xz9LR?(aG!XBvHc9ll5=kl9@[b{wcngGCMu}Is@-V2=k+B}cvxd?aB&b@K*(tw=c$.ZvhX(A1o75xi5Rof9iFU9mEqC$H{Hf%l)k,s8K2eD6%2Ii((~v`6a*j(@%Pjqpgx^}X18HGlHazS?2T9p+1R%'scPj-7MNHm9LjR3F3y!'UpyA&'.}do9I}-MZ^{G{S6mS}?XkLe=sDP!v{@~%evHP[raIe6?ZHvQ57U][X18gPPG6_x95eYy.^F]at1Q8VdI?cNAM^qsyMWr$wC[61_e1LG@c3Q=wSv(-{7$t+,G=*0@sF'u)G_T4DwwY,(42O'=XV}$$gAUV&%1.fd.cW`8*A*BM($jwC?L%qR'~SM9FwqO(1=52yF+!KNn2-^8BNUd3([Q3sUh=Y$z[i6@{+-2uLF*Zu*&OQ)3dmZ=Ua{FjS@mkbmkN*[AkA]A$Tm`*[&ms%Xy(g^-Fw*@hr&*4!bQY)a72A8Xf+u?k&6c'FW2z80Y!7'6WA]Ad(I$ei!b?J+!vhdHU8J9%62Uqiq`)XZ.'(a3.t@?1M6Hhi&zlE!,y4f)tBD9Nb}w5Phyl^1f7Rpe8Y]Aqr-21?YqBvV6zJSfjJU=-lRD!Sh@D0q(cRn-GOo=RQso(%WFo%p]AAopQs697]dH^=jFI&*OLtwj?f&9nJ'9IisfO.SLCSF~m~x@bIV='ndCgOMvPinbwRs9KIMa_LW0ps(rq!0gU(*@ZH@JBIy.=lmyULw7VO_=Eh$sdZynV&IsIH.NVMo8mb&*=7K0'w~0X.XxNX.@+^c@'MJ4L.o^Cxx}anQAdk~Eml24S3'8?_D[m%H9e@1ZXQgdB?7aev4cge^?MQ*fYUaY~6!5e6fj,.V@Y'_M
'&im]-+Ka70t]g(=hVBh4f(ii4!VxxO~?mK=hzU8LbP5dYYD40owIm_@)NAdI)xLG7buvejk*H!?n+],g51`CsyU]U`TsP2AlT),RnR8Z7vkzA=!6zd@*xnJM}hrVW4_@xNcdRN9g*(iSL$V9Ga!&{Ube8.9h^'vWj63.fXu1c@F&44=!Tf88pjFJ9M0C'wY={c?l1'C)teL^gt]%EHi5ND?=R%3_9OhU[FvmQmnm=79G+@?pv35Q_}2'.APF~7A]Q3OiV^Wu@FVdN21N~u8]sN'Mhs?kXDMrXkBvj{8Vje*wT{'KvhFd+sb9',=TZO`Q'cmFasC3PSzkZVArY[{$=@YRNJC+1b3R}P?zo2yw1)'!gaG2umS^A==iK)Fh~8,imd2Ig&Fy6U@}pc%E'cpXG)d&,r-XF(9DKVBClvzm6.%LpwI~CX=T4h]!=*I}Y'd!d$af.3=PkICscmUYhkx~jZ+~ZQ9Ek!JfQ`kQ,j+ra.bzz`@NRlVUvr!WUTzO3iaxb`@?xepNsTXQkPv(QxJf[NAjUOtb*.&Egh({r(G670=e0g]G`_ZEs?~Qc'~j0X?b!RX2D8M264qWnY^N-d89i}T7_s$A&94b6z6!D59^Dr]VS0?FYSqwQ3F`oZ@Ce2ca~CTP0d~CC*A7V1=W%x_piC199$[]0''+}bA9MQtM=sTP9[f3q9`}jm@a)lkyJ{duCWvm_V5P.K@-.I&{+{gf%V3)CXUI$a?KG~LA9{gLXi-ZQYQ-e@A7uuD(=?V)$%0?{7G.RF?ChxIh(DR0prsOH%vQwI?DQ=H(gLaj(P6uB^$H]V=OG'Os6jD?=I$MmV[_HB=_G{njfse$dZ]vD.(9N`A(rr{&a2[1RsQWa0S]b,@k8x{Uig'QEm^h(z}lSR=%6Tlq@MAOdPwzkwz.x39{}LH!F-eB8`M)?3tOVa8+7H3v^wY$+$@)UQ1zVn8=Q!3R!9l,aMxPyumxQa?R+l7%x0anH$l(1XG8wl8HhK`')!ZPQ'.F*abSw+As&+PG1WaVlDo(L[^a'Y=lESuSCcz$Gy?TkcIOOh9Xkwt5)LJZ5Fvg*SURbS9C+dJ=_,VAZG*oBWU1wB9BBF7ke96lx*=`Q.tkPs@^26N9~3Wr]uvq%OqG,WASQ-tA`ogfviBO0+D$eZ?B%$(O%t'OLLrJZej{0_811jK3Ix'gJ0Vy&3cCVe?oe~8[!9XpBlRt-qG[UH@!+fYUk[JXf6cudmXujn@K@5v6yRNCv,qL(z!Gh'?R2*.cpC)bMc~srQF_Xb=U(An3kz`4'mEGsO`YO[9l={5c9x+mHzqo3S[pzr85Z0?Y)8G3xJT+(dRO?3A}.-,KoupmwRR.22*=BJA2n[nr}%Fwy.-Dre@K'Z@uNqIpD.`iqv01gdAtBd?Y.A{fF2OJxoavh)iqwx=Aekp4N*gj_GKE3GakYX8BOSSsH(o4WvF0Fw((H*?(P2X*xMg.pRHrVQ2RB?=i(2VB[*60a**Uub}dEO@^VFpay8_QOU0Sz-ZkG9=d6o[JwCt6ta1Di8p?[Y@go-ikehuicQu.bFhr4@=bitO%&Fc.V,x4X6&OFk8%n7fc54czk)zzWIF1G%=xcJUVW1R%@U$FjeAs6I=Mr7AdLsW1(q2X(nO2.6?g7%Q't@Ge9Z3FQSoNm3?kQ0(QCBUsp2,3x`sq[X=43L[rSHae*~}^_O}y!Q=X1c*agIKVke_NfkgH+S?Nr(aQ+vYyoB)k=K7ogs?,!uv0}03_0y~X`ZM,AY9b=PMOm7p~K_5jX-a}?j=ve~dz7=*~$?{d5ksiK{?J=HolkiHwcF=`@b@NldAm]Zzw?$gD+TkT*Pai6Z8*)(X1)]0Pi~7kH.HStS=p_]Isj1RH*Hxo,67B`e?pQ%4h5~Lq]IM*T$8i16=cV&680tMdiRt?S1ii=0=!@z8m8n3wq7}Of=5n!7@I$qx]pj@uD7)af_O@,y90Ak=0,6Kd^mns8sa@!c=jdVlo`?W9Y*N*+J!p6Y?loNG
*PP.*nW2=5!qR{IAW29XSf(ztQ1a`qkZRDJ9!~l!YJq$l@02l_*i,V1@5ky{j1XhIT'oUT,W+.[@ey)]6ds%AKwuIoGQk9s9*p(~`Okfc*@O]Xu2=M[A_R{0c[%OFXN4MD.Vb-=A*yz}E@JB[?E*fI'&cFLAm0ciHOUEOWAz)2%9RUM9%B1bo%@XTKCkl!?CKBu=oE.]in~}T[7@`Q$!0,69Yo+=48.]oue*%mJ=+er@cTi4^.W?w6YWaE'p+HV=R~GJUzOa0Ff+t_2S`y)@E%$.QzNLabNWgNOjBW^@nB=N'E.&_$8ThRiaJZ)9&{~dfnK'%L8XfOnY(0'@HB97P`qM$M*Umc*)?9Pyg!1Q4i!@IVKLh_ISO1RG6D{rihLkot}6&=3nvKSaMUso1'Hn=oXN$Xr[2ae=3{16t8`kM7ADCr6SpgY?OdJcxNUYmNT%^AER6{5@Ktm~Z}^voldXW1]ei2N=k(OpDZ0MQ%8e`DaVi]NAr=D,M{ih?SO9Dc-dnYR=TZ5]V)YT=qOVB!tv@@f?.{aIojCwg3y*oZL}4U,?JM(i?ZU}$Gj.5&feIGY9{rF{31?&6Ith,k@gNN2@tBZ*f4hAgVv~@gnuaid9&L=C2C&SNfVj(}')Fih@@+zWAP,XkC[FYdFKYk[A-3@*'o!9C]h.4%k@[ODAnevW$ZM'Y`D0e[gf-7k=0]CThKE^I,"

[HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere]

[HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo]

[HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo\0]

[HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo]

[HKEY_USERS\.DEFAULT\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo\0]

[HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere]

[HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo]

[HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo\0]

[HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo]

[HKEY_USERS\S-1-5-19\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo\0]

[HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere]

[HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo]

[HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo\0]

[HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo]

[HKEY_USERS\S-1-5-20\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo\0]

[HKEY_USERS\S-1-5-21-2455313365-41544371-727635962-1183\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere]

[HKEY_USERS\S-1-5-21-2455313365-41544371-727635962-1183\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo]

[HKEY_USERS\S-1-5-21-2455313365-41544371-727635962-1183\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo\0]

[HKEY_USERS\S-1-5-21-2455313365-41544371-727635962-1183\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo]

[HKEY_USERS\S-1-5-21-2455313365-41544371-727635962-1183\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo\0]

[HKEY_USERS\S-1-5-21-3325933522-2071879195-4179878093-1012\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere]

[HKEY_USERS\S-1-5-21-3325933522-2071879195-4179878093-1012\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo]

[HKEY_USERS\S-1-5-21-3325933522-2071879195-4179878093-1012\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo\0]

[HKEY_USERS\S-1-5-21-3325933522-2071879195-4179878093-1012\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo]

[HKEY_USERS\S-1-5-21-3325933522-2071879195-4179878093-1012\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo\0]

[HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere]

[HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo]

[HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\CurrentShiftInfo\0]

[HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo]

[HKEY_USERS\S-1-5-18\Software\Microsoft\MediaPlayer\Battery\Presets\BrightSphere\PreShiftInfo\0]
21.10.2009, 08:14
...new here

Posts: 9
#13 And this is the report Sophos gave me:

What can I do next?

Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 20.10.2009 at 20:43:49
User "xxx" on computer "xxx-NB2"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\ADSM_PData_0150\DragWait.exe
Hidden: file C:\Programme\ASUS\ASUS Data Security Manager\driver\x86\_avt
Hidden: file C:\ADSM_PData_0150\_avt
Hidden: file C:\ADSM_PData_0150\DB\SI.db
Hidden: file C:\ADSM_PData_0150\DB\VL.db
Hidden: file C:\ADSM_PData_0150\DB\UL.db
Hidden: file C:\ADSM_PData_0150\DB\_avt
Hidden: file C:\Programme\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys
Hidden: file C:\Dokumente und Einstellungen\xxx\Desktop\Neheim_Annastraße aktualisiert.pr4
Hidden: file C:\Dokumente und Einstellungen\xxx\Gesichertes Dokument\_avt
Hidden: file C:\Dokumente und Einstellungen\xxx\Gesicherte Musik\_avt
Hidden: file C:\Dokumente und Einstellungen\xxx\Gesichertes Video\_avt
Hidden: file C:\Dokumente und Einstellungen\xxx\Gesichertes Dokument\_lit
Hidden: file C:\Dokumente und Einstellungen\xxx\Gesicherte Musik\_lit
Hidden: file C:\Dokumente und Einstellungen\xxx\Gesichertes Video\_lit
Hidden: file C:\Programme\Microsoft Office\Office12\NLSMODELS0009.dll
Hidden: file C:\WINDOWS\system32\spool\drivers\w32x86\3\KMRC448L.DLL
Hidden: file C:\WINDOWS\system32\spool\drivers\w32x86\3\KMRC44C2.DLL
Hidden: file C:\WINDOWS\SoftwareDistribution\Download\d53a19238e3664857cfe3ba9425b011d\SP2GDR\dxtmsft.dll
Hidden: file C:\WINDOWS\CSC\d3\80000152
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Info: Starting disk scan of D: (NTFS).
Hidden: file D:\_EIB\Hager\Alt\CD_Applikation_Produkte\tebisEIB\Marketing\virthaus.exe
Info: Starting disk scan of F: (FAT).
Stopped logging on 20.10.2009 at 21:49:03
21.10.2009, 09:25
Honorary member

Posts: 6028
#14 Where does AntiVir find TR/Vundo.gen?
__________
Regards, Argus
21.10.2009, 14:11
Moderator

Posts: 5694
#15 Answer Argus's question as well; after that:

Known to you???:

Quote

D:\_EIB\Hager\Alt\CD_Applikation_Produkte\tebisEIB\Marketing\virthaus.exe
>>
Post a current Avira log made with the following settings:
http://www.paules-pc-forum.de/forum/4-pc-sicherheit/112535-avira-antivir-anleitung-zur-einrichtung.html#post687405

Regards, Swiss