Getting rid of Worm.Win32.Netsky
#0
06.01.2008, 18:12
...new here
Posts: 1
06.01.2008, 19:02
Honorary member
Posts: 1441
#2
weisnicht
Work through ComboFix and post the log here: http://virus-protect.org/artikel/tools/combofix.html
__________
Regards, Pinguin
I'm in the process of updating my site + programs: http://www.virus-protect.org/
20.12.2009, 22:12
Member
Posts: 14
#3
Good evening everyone. The thread is old, but it matches my problem. No idea how, but my dad managed to pick up the same problem today. Here is the ComboFix log:
ComboFix 09-12-19.03 - Hans 20.12.2009 21:36:40.1.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.1918.1542 [GMT 1:00] ausgeführt von:: c:\dokumente und einstellungen\Hans\Desktop\ComboFix.exe AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !! . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\dokumente und einstellungen\All Users\Desktop\WebMediaPlayer.lnk c:\dokumente und einstellungen\Hans\a.exe c:\dokumente und einstellungen\Hans\Anwendungsdaten\inst.exe c:\dokumente und einstellungen\Hans\Desktop\Internet Security 2010.lnk c:\dokumente und einstellungen\Hans\Lokale Einstellungen\Anwendungsdaten\cfzek.dat c:\dokumente und einstellungen\Hans\Lokale Einstellungen\Anwendungsdaten\cfzek.exe c:\dokumente und einstellungen\Hans\Lokale Einstellungen\Anwendungsdaten\cfzek_nav.dat c:\dokumente und einstellungen\Hans\Lokale Einstellungen\Anwendungsdaten\cfzek_navps.dat c:\programme\AskSearch\bin\DeFAultsearch.dll c:\programme\webmediaplayer c:\programme\webmediaplayer\dxva_sig.txt c:\programme\webmediaplayer\resources\wmp_translation_file.xml c:\programme\webmediaplayer\skins\classic.skn c:\programme\webmediaplayer\sqlite3.dll c:\programme\webmediaplayer\uninst.exe c:\programme\webmediaplayer\WebMediaPlayer.exe c:\windows\msacm32.drv c:\windows\system32\18467.exe c:\windows\system32\26500.exe c:\windows\system32\41.exe c:\windows\system32\6334.exe c:\windows\system32\AVR10.exe c:\windows\system32\critical_warning.html c:\windows\system32\winhelper86.dll c:\windows\system32\winlogon86.exe c:\windows\system32\winupdate86.exe c:\windows\wuasirvy.dll . ((((((((((((((((((((((( Dateien erstellt von 2009-11-20 bis 2009-12-20 )))))))))))))))))))))))))))))) . 2009-12-20 20:29 . 2009-12-20 20:29 -------- d-----w- c:\programme\CCleaner . 
(((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-10 17:51 . 2006-02-28 12:00 85740 ----a-w- c:\windows\system32\perfc007.dat 2009-12-10 17:51 . 2006-02-28 12:00 462896 ----a-w- c:\windows\system32\perfh007.dat 2009-12-09 16:21 . 2009-05-27 14:32 -------- d-----w- c:\programme\Steuersparer 2009 2009-11-16 16:42 . 2008-12-26 17:37 -------- d-----w- c:\programme\AskBarDis 2009-11-06 16:23 . 2009-05-15 19:15 -------- d-----w- c:\programme\Shareware.Pro-DE 2009-10-29 05:24 . 2006-02-28 12:00 672768 ----a-w- c:\windows\system32\wininet.dll 2009-10-21 05:38 . 2006-02-28 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2006-02-28 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2006-02-28 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys 2009-10-13 10:32 . 2006-02-28 12:00 271360 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 2006-02-28 12:00 79872 ----a-w- c:\windows\system32\raschap.dll 2009-10-12 13:38 . 2006-02-28 12:00 150528 ----a-w- c:\windows\system32\rastls.dll 2009-09-25 05:35 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll 2008-12-28 07:14 . 2008-12-28 07:14 496 ----a-w- c:\programme\Verknüpfung mit Mozilla Firefox.lnk . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}"= "c:\programme\Eazel-DE\tbEaz1.dll" [2009-11-06 2166296] "{c9508125-4747-4733-b048-e4b82dc9716d}"= "c:\programme\PHPNukeDE\tbPHP1.dll" [2009-11-06 2166296] "{378486bf-e1b5-4474-9feb-ad51105d0fae}"= "c:\programme\Shareware.Pro-DE\tbSha0.dll" [2009-11-06 2166296] [HKEY_CLASSES_ROOT\clsid\{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}] [HKEY_CLASSES_ROOT\clsid\{c9508125-4747-4733-b048-e4b82dc9716d}] [HKEY_CLASSES_ROOT\clsid\{378486bf-e1b5-4474-9feb-ad51105d0fae}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}] 2008-08-26 09:32 279944 ----a-w- c:\programme\AskBarDis\bar\bin\askBar.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{378486bf-e1b5-4474-9feb-ad51105d0fae}] 2009-11-06 16:24 2166296 ----a-w- c:\programme\Shareware.Pro-DE\tbSha0.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}] 2009-11-06 16:24 2166296 ----a-w- c:\programme\Eazel-DE\tbEaz1.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9508125-4747-4733-b048-e4b82dc9716d}] 2009-11-06 16:24 2166296 ----a-w- c:\programme\PHPNukeDE\tbPHP1.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\programme\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944] "{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}"= "c:\programme\Eazel-DE\tbEaz1.dll" [2009-11-06 2166296] "{c9508125-4747-4733-b048-e4b82dc9716d}"= "c:\programme\PHPNukeDE\tbPHP1.dll" [2009-11-06 2166296] "{378486bf-e1b5-4474-9feb-ad51105d0fae}"= "c:\programme\Shareware.Pro-DE\tbSha0.dll" [2009-11-06 2166296] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CLASSES_ROOT\clsid\{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}] [HKEY_CLASSES_ROOT\clsid\{c9508125-4747-4733-b048-e4b82dc9716d}] 
[HKEY_CLASSES_ROOT\clsid\{378486bf-e1b5-4474-9feb-ad51105d0fae}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{69B6939F-C70D-45C5-9BBD-E2E2CC3DD8E5}"= "c:\programme\Eazel-DE\tbEaz1.dll" [2009-11-06 2166296] "{C9508125-4747-4733-B048-E4B82DC9716D}"= "c:\programme\PHPNukeDE\tbPHP1.dll" [2009-11-06 2166296] "{378486BF-E1B5-4474-9FEB-AD51105D0FAE}"= "c:\programme\Shareware.Pro-DE\tbSha0.dll" [2009-11-06 2166296] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\programme\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944] [HKEY_CLASSES_ROOT\clsid\{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}] [HKEY_CLASSES_ROOT\clsid\{c9508125-4747-4733-b048-e4b82dc9716d}] [HKEY_CLASSES_ROOT\clsid\{378486bf-e1b5-4474-9feb-ad51105d0fae}] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] "MSMSGS"="c:\programme\Messenger\msmsgs.exe" [2008-04-14 1695232] "DAEMON Tools Lite"="f:\programme\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="c:\programme\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056] "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832] "EDS"="c:\programme\Samsung\Samsung EDS\EDSAgent.exe" [2006-03-28 634880] "AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88204] "SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2005-12-07 761947] "AVStation Premium 3.75"="c:\programme\Samsung\AVStation Premium 3.75\AVSAgent.exe" [2006-05-12 159744] "RemoteControl"="c:\programme\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "B'sCLiP"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2005-11-30 700416] "MagicKeyboard"="c:\programme\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-17 151552] "BatteryManager"="c:\programme\Samsung\Samsung Battery Manager\BatteryManager.exe" [2006-04-25 2764800] 
"DMHotKey"="c:\programme\Samsung\DisplayManager\DMLoader.exe" [2005-11-23 356352] "DisplayManager"="c:\programme\Samsung\DisplayManager\DisplayManager.exe" [2006-05-03 413696] "avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\dokumente und einstellungen\Hans\Startmen\Programme\Autostart\ Adobe Gamma.lnk - c:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664] c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\ tax aktuell.lnk - c:\programme\Steuersparer 2009\taxaktuell.exe [2009-5-27 541992] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [22.12.2008 09:58 10368] R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [22.12.2008 10:51 717296] R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [22.12.2008 09:58 164480] R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [22.12.2008 09:53 4300] R2 SNM WLAN Service;SNM WLAN Service;c:\programme\Samsung\Samsung Network Manager\SNMWLANService.exe [28.05.2005 08:35 36864] R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [29.03.2006 12:59 27648] R3 SSB2413;SSB2413 Wireless Network Adapter Service;c:\windows\system32\drivers\SSB2413.sys [22.12.2008 09:50 470112] S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [22.12.2008 10:20 19840] . ------- Zusätzlicher Suchlauf ------- . 
uStart Page = hxxp://www.shareware.pro/search-de/?ctid= uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=%s IE: Nach Microsoft &Excel exportieren - f:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\dokumente und einstellungen\Hans\Anwendungsdaten\Mozilla\Firefox\Profiles\f6tyj0n4.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2096149&SearchSource=3&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - google.de FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2096149&q= FF - component: c:\dokumente und einstellungen\Hans\Anwendungsdaten\Mozilla\Firefox\Profiles\f6tyj0n4.default\extensions\{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}\components\FFAlert.dll FF - component: c:\programme\Mozilla Firefox\extensions\{378486bf-e1b5-4474-9feb-ad51105d0fae}\components\FFAlert.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . 
- - - - Entfernte verwaiste Registrierungseinträge - - - - HKCU-Run-cfzek - c:\dokumente und einstellungen\hans\lokale einstellungen\anwendungsdaten\cfzek.exe HKCU-Run-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe HKLM-Run-WinampAgent - f:\programme\Winamp\winampa.exe AddRemove-3D Live Snooker_is1 - c:\3d live snooker\unins000.exe AddRemove-cfzek - c:\dokumente und einstellungen\hans\lokale einstellungen\anwendungsdaten\cfzek.exe AddRemove-Free YouTube to Mp3 Converter_is1 - c:\programme\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe AddRemove-Showcase Snooker (DE) - c:\programme\Showcase Snooker (DE)\Uninstall.exe AddRemove-Uninstall_is1 - c:\programme\Gemeinsame Dateien\DVDVideoSoft\unins000.exe AddRemove-Web-Mediaplayer - c:\programme\WebMediaPlayer\uninst.exe AddRemove-{76C24F39-B161-498F-BD8B-C64789812D13}_is1 - f:\programme\3\unins000.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-12-20 21:41 Windows 5.1.2600 Service Pack 3 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... 
Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spif.sys >>UNKNOWN [0x89B3E938]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28 \Driver\ACPI -> ACPI.sys @ 0xf7495cb8 \Driver\atapi -> atapi.sys @ 0xf7978b40 IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1 NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7a21bd4 PacketIndicateHandler -> NDIS.sys @ 0xf7a0fa0d SendHandler -> NDIS.sys @ 0xf7a23b40 user & kernel MBR OK ************************************************************************** . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'winlogon.exe'(604) c:\windows\system32\Ati2evxx.dll . ------------------------ Weitere laufende Prozesse ------------------------ . c:\windows\system32\Ati2evxx.exe c:\programme\Avira\AntiVir PersonalEdition Classic\sched.exe c:\windows\system32\Ati2evxx.exe c:\programme\Avira\AntiVir PersonalEdition Classic\avguard.exe c:\programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe c:\programme\CyberLink\Shared Files\RichVideo.exe c:\programme\Samsung\Samsung Update Plus\SLUBackgroundService.exe c:\windows\system32\wdfmgr.exe c:\windows\system32\wscntfy.exe c:\windows\RTHDCPL.EXE c:\windows\AGRSMMSG.exe c:\programme\Samsung\DisplayManager\dmhkcore.exe c:\programme\SAMSUNG\MagicKBD\MagicKBD.exe c:\windows\system32\wbem\wmiapsrv.exe . ************************************************************************** . 
Zeit der Fertigstellung: 2009-12-20 21:44:41 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2009-12-20 20:44 Vor Suchlauf: 1.877.843.968 Bytes frei Nach Suchlauf: 2.106.077.184 Bytes frei - - End Of File - - 267F52160E51AE65EC2A44736194E143
The system is running stably. I've also updated AntiVir, and Firefox as well; everything looks fine so far. Can anyone say something about the log file?
22.12.2009, 09:56
Honorary member
Posts: 6028
#4
Remove ComboFix
Start > Run > paste in: combofix /uninstall > OK. Post the data from points 3, 5 and 6: http://board.protecus.de/t23188.htm
__________
Regards, Argus
26.12.2009, 16:42
Member
Posts: 14
#5
So, we're finally ready now. First the new ComboFix log, since the same problem occurred again:
ComboFix 09-12-25.04 - Hans 26.12.2009 16:11:22.3.2 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.1918.1461 [GMT 1:00] ausgeführt von:: c:\dokumente und einstellungen\Hans\Desktop\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\dokumente und einstellungen\Hans\Desktop\Internet Security 2010.lnk c:\windows\system32\18467.exe c:\windows\system32\41.exe c:\windows\system32\6334.exe c:\windows\system32\AVR10.exe c:\windows\system32\critical_warning.html c:\windows\system32\winhelper86.dll c:\windows\system32\winlogon86.exe c:\windows\system32\winupdate86.exe . ((((((((((((((((((((((( Dateien erstellt von 2009-11-26 bis 2009-12-26 )))))))))))))))))))))))))))))) . 2009-12-21 11:20 . 2009-12-21 11:20 -------- d-----r- c:\dokumente und einstellungen\LocalService\Favoriten 2009-12-21 11:20 . 2009-12-21 11:20 -------- d-sh--w- c:\dokumente und einstellungen\LocalService\IETldCache 2009-12-20 21:44 . 2009-12-20 21:44 -------- d--h--w- c:\windows\PIF 2009-12-20 21:33 . 2009-12-20 21:33 -------- dcsh--w- c:\dokumente und einstellungen\Hans\IECompatCache 2009-12-20 21:32 . 2009-12-20 21:32 -------- dcsh--w- c:\dokumente und einstellungen\Hans\PrivacIE 2009-12-20 21:22 . 2009-12-20 21:22 -------- dcsh--w- c:\dokumente und einstellungen\Hans\IETldCache 2009-12-20 21:20 . 2009-12-22 20:50 -------- d-----w- c:\windows\ie8updates 2009-12-20 21:17 . 2009-12-20 21:19 -------- dc-h--w- c:\windows\ie8 2009-12-20 21:16 . 2009-10-29 07:40 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll 2009-12-20 21:16 . 2009-10-29 07:40 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2009-12-20 21:16 . 2009-10-29 07:40 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll 2009-12-20 21:16 . 2009-10-29 07:40 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll 2009-12-20 21:16 . 
2009-10-29 07:40 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2009-12-20 21:16 . 2009-10-29 07:40 11069952 -c----w- c:\windows\system32\dllcache\ieframe.dll 2009-12-20 21:15 . 2009-10-02 04:44 92160 -c----w- c:\windows\system32\dllcache\iecompat.dll 2009-12-20 21:02 . 2009-12-20 21:02 -------- d-----w- c:\dokumente und einstellungen\LocalService\Startmenü 2009-12-20 21:02 . 2009-11-25 10:19 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-12-20 21:02 . 2009-03-30 08:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys 2009-12-20 21:02 . 2009-02-13 10:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys 2009-12-20 21:02 . 2009-02-13 10:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys 2009-12-20 21:01 . 2009-12-20 21:01 -------- dc----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira 2009-12-20 21:01 . 2009-12-20 21:01 -------- d-----w- c:\programme\Avira . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-12-10 17:51 . 2006-02-28 12:00 85740 ----a-w- c:\windows\system32\perfc007.dat 2009-12-10 17:51 . 2006-02-28 12:00 462896 ----a-w- c:\windows\system32\perfh007.dat 2009-12-09 16:21 . 2009-05-27 14:32 -------- d-----w- c:\programme\Steuersparer 2009 2009-11-16 16:42 . 2008-12-26 17:37 -------- d-----w- c:\programme\AskBarDis 2009-11-06 16:23 . 2009-05-15 19:15 -------- d-----w- c:\programme\Shareware.Pro-DE 2009-10-29 07:40 . 2006-02-28 12:00 916480 ------w- c:\windows\system32\wininet.dll 2009-10-21 05:38 . 2006-02-28 12:00 75776 ----a-w- c:\windows\system32\strmfilt.dll 2009-10-21 05:38 . 2006-02-28 12:00 25088 ----a-w- c:\windows\system32\httpapi.dll 2009-10-20 16:20 . 2006-02-28 12:00 265728 ----a-w- c:\windows\system32\drivers\http.sys 2009-10-13 10:32 . 2006-02-28 12:00 271360 ----a-w- c:\windows\system32\oakley.dll 2009-10-12 13:38 . 2006-02-28 12:00 79872 ----a-w- c:\windows\system32\raschap.dll 2009-10-12 13:38 . 
2006-02-28 12:00 150528 ----a-w- c:\windows\system32\rastls.dll 2008-12-28 07:14 . 2008-12-28 07:14 496 ----a-w- c:\programme\Verknüpfung mit Mozilla Firefox.lnk . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}"= "c:\programme\Eazel-DE\tbEaz1.dll" [2009-11-06 2166296] "{c9508125-4747-4733-b048-e4b82dc9716d}"= "c:\programme\PHPNukeDE\tbPHP1.dll" [2009-11-06 2166296] "{378486bf-e1b5-4474-9feb-ad51105d0fae}"= "c:\programme\Shareware.Pro-DE\tbSha0.dll" [2009-11-06 2166296] [HKEY_CLASSES_ROOT\clsid\{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}] [HKEY_CLASSES_ROOT\clsid\{c9508125-4747-4733-b048-e4b82dc9716d}] [HKEY_CLASSES_ROOT\clsid\{378486bf-e1b5-4474-9feb-ad51105d0fae}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}] 2008-08-26 09:32 279944 ----a-w- c:\programme\AskBarDis\bar\bin\askBar.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{378486bf-e1b5-4474-9feb-ad51105d0fae}] 2009-11-06 16:24 2166296 ----a-w- c:\programme\Shareware.Pro-DE\tbSha0.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}] 2009-11-06 16:24 2166296 ----a-w- c:\programme\Eazel-DE\tbEaz1.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c9508125-4747-4733-b048-e4b82dc9716d}] 2009-11-06 16:24 2166296 ----a-w- c:\programme\PHPNukeDE\tbPHP1.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\programme\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944] "{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}"= "c:\programme\Eazel-DE\tbEaz1.dll" [2009-11-06 2166296] "{c9508125-4747-4733-b048-e4b82dc9716d}"= "c:\programme\PHPNukeDE\tbPHP1.dll" [2009-11-06 2166296] "{378486bf-e1b5-4474-9feb-ad51105d0fae}"= 
"c:\programme\Shareware.Pro-DE\tbSha0.dll" [2009-11-06 2166296] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CLASSES_ROOT\clsid\{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}] [HKEY_CLASSES_ROOT\clsid\{c9508125-4747-4733-b048-e4b82dc9716d}] [HKEY_CLASSES_ROOT\clsid\{378486bf-e1b5-4474-9feb-ad51105d0fae}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{69B6939F-C70D-45C5-9BBD-E2E2CC3DD8E5}"= "c:\programme\Eazel-DE\tbEaz1.dll" [2009-11-06 2166296] "{C9508125-4747-4733-B048-E4B82DC9716D}"= "c:\programme\PHPNukeDE\tbPHP1.dll" [2009-11-06 2166296] "{378486BF-E1B5-4474-9FEB-AD51105D0FAE}"= "c:\programme\Shareware.Pro-DE\tbSha0.dll" [2009-11-06 2166296] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\programme\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944] [HKEY_CLASSES_ROOT\clsid\{69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5}] [HKEY_CLASSES_ROOT\clsid\{c9508125-4747-4733-b048-e4b82dc9716d}] [HKEY_CLASSES_ROOT\clsid\{378486bf-e1b5-4474-9feb-ad51105d0fae}] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] "MSMSGS"="c:\programme\Messenger\msmsgs.exe" [2008-04-14 1695232] "DAEMON Tools Lite"="f:\programme\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="c:\programme\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056] "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832] "EDS"="c:\programme\Samsung\Samsung EDS\EDSAgent.exe" [2006-03-28 634880] "AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88204] "SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2005-12-07 761947] "AVStation Premium 3.75"="c:\programme\Samsung\AVStation Premium 3.75\AVSAgent.exe" [2006-05-12 159744] "RemoteControl"="c:\programme\CyberLink\PowerDVD\PDVDServ.exe" 
[2004-11-02 32768] "B'sCLiP"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2005-11-30 700416] "MagicKeyboard"="c:\programme\SAMSUNG\MagicKBD\PreMKBD.exe" [2006-05-17 151552] "BatteryManager"="c:\programme\Samsung\Samsung Battery Manager\BatteryManager.exe" [2006-04-25 2764800] "DMHotKey"="c:\programme\Samsung\DisplayManager\DMLoader.exe" [2005-11-23 356352] "DisplayManager"="c:\programme\Samsung\DisplayManager\DisplayManager.exe" [2006-05-03 413696] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\dokumente und einstellungen\Hans\Startmen\Programme\Autostart\ Adobe Gamma.lnk - c:\programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664] c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\ tax aktuell.lnk - c:\programme\Steuersparer 2009\taxaktuell.exe [2009-5-27 541992] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [22.12.2008 09:58 10368] R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [20.12.2009 22:02 108289] R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [22.12.2008 09:58 164480] R2 DOSMEMIO;MEMIO;c:\windows\system32\MEMIO.SYS [22.12.2008 09:53 4300] R3 DNSeFilter;DNSeFilter;c:\windows\system32\drivers\SamsungEDS.SYS [29.03.2006 12:59 27648] R3 SSB2413;SSB2413 Wireless Network Adapter Service;c:\windows\system32\drivers\SSB2413.sys [22.12.2008 09:50 470112] S0 
sptd;sptd;c:\windows\system32\drivers\sptd.sys [22.12.2008 10:51 717296] S2 SNM WLAN Service;SNM WLAN Service;c:\programme\Samsung\Samsung Network Manager\SNMWLANService.exe [28.05.2005 08:35 36864] S3 SUEPD;SUE NDIS Protocol Driver;c:\windows\system32\drivers\SUE_PD.sys [22.12.2008 10:20 19840] . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.de/ uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=%s IE: Nach Microsoft &Excel exportieren - f:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\dokumente und einstellungen\Hans\Anwendungsdaten\Mozilla\Firefox\Profiles\f6tyj0n4.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2096149&SearchSource=3&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - google.de FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2096149&q= FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . - - - - Entfernte verwaiste Registrierungseinträge - - - - HKCU-Run-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-12-26 16:14 Windows 5.1.2600 Service Pack 3 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'winlogon.exe'(584) c:\windows\system32\Ati2evxx.dll . 
Zeit der Fertigstellung: 2009-12-26 16:16:20 ComboFix-quarantined-files.txt 2009-12-26 15:16 ComboFix2.txt 2009-12-20 21:29 Vor Suchlauf: 1.881.960.448 Bytes frei Nach Suchlauf: 1.860.337.664 Bytes frei - - End Of File - - 6A88E0B7E4C2FDE6485074D0B7353E8E
Then (after ComboFix has hopefully been removed correctly) the log from Malwarebytes:
Malwarebytes' Anti-Malware 1.42 Datenbank Version: 3434 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 26.12.2009 16:29:09 mbam-log-2009-12-26 (16-29-09).txt Scan-Methode: Quick-Scan Durchsuchte Objekte: 109882 Laufzeit: 3 minute(s), 12 second(s) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 0 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: (Keine bösartigen Objekte gefunden)
And here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.3 (BETA) Scan saved at 16:32:53, on 26.12.2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Avira\AntiVir Desktop\sched.exe C:\Programme\Avira\AntiVir Desktop\avguard.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe C:\Programme\CyberLink\Shared 
Files\RichVideo.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\extraordner\TrendMicro\HJT\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13165&gct=&gc=1&q=%s
R3 - URLSearchHook: Eazel-DE Toolbar - {69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5} - C:\Programme\Eazel-DE\tbEaz1.dll
R3 - URLSearchHook: PHPNukeDE Toolbar - {c9508125-4747-4733-b048-e4b82dc9716d} - C:\Programme\PHPNukeDE\tbPHP1.dll
R3 - URLSearchHook: Shareware.Pro-DE Toolbar - {378486bf-e1b5-4474-9feb-ad51105d0fae} - C:\Programme\Shareware.Pro-DE\tbSha0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programme\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Shareware.Pro-DE Toolbar - {378486bf-e1b5-4474-9feb-ad51105d0fae} - C:\Programme\Shareware.Pro-DE\tbSha0.dll
O2 - BHO: Eazel-DE Toolbar - {69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5} - C:\Programme\Eazel-DE\tbEaz1.dll
O2 - BHO: PHPNukeDE Toolbar - {c9508125-4747-4733-b048-e4b82dc9716d} - C:\Programme\PHPNukeDE\tbPHP1.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Programme\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programme\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Eazel-DE Toolbar - {69b6939f-c70d-45c5-9bbd-e2e2cc3dd8e5} - C:\Programme\Eazel-DE\tbEaz1.dll
O3 - Toolbar: PHPNukeDE Toolbar - {c9508125-4747-4733-b048-e4b82dc9716d} - C:\Programme\PHPNukeDE\tbPHP1.dll
O3 - Toolbar: Shareware.Pro-DE Toolbar - {378486bf-e1b5-4474-9feb-ad51105d0fae} - C:\Programme\Shareware.Pro-DE\tbSha0.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [EDS] C:\Programme\Samsung\Samsung EDS\EDSAgent.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVStation Premium 3.75] C:\Programme\Samsung\AVStation Premium 3.75\AVSAgent.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Programme\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [BatteryManager] C:\Programme\Samsung\Samsung Battery Manager\BatteryManager.exe
O4 - HKLM\..\Run: [DMHotKey] C:\Programme\Samsung\DisplayManager\DMLoader.exe
O4 - HKLM\..\Run: [DisplayManager] C:\Programme\Samsung\DisplayManager\DisplayManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: tax aktuell.lnk = C:\Programme\Steuersparer 2009\taxaktuell.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229938177841
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Programme\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: SNM WLAN Service - Unknown owner - C:\Programme\samsung\Samsung Network Manager\SNMWLANService.exe

--
End of file - 7292 bytes

Finally, the uninstall list:

Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0 - Deutsch
Adobe Stock Photos 1.0
Ask Toolbar
Atheros WLAN Client
ATI - Dienstprogramm zur Deinstallation der Software
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Avira AntiVir Personal - Free Antivirus
AVStation Premium 3.75
Cool Edit Pro 2.1
CyberLink InstantBurn
DAEMON Tools Toolbar
DisplayManager
EasyBox
Eazel-DE Toolbar
Free WMA to MP3 Converter 1.16
High Definition Audio - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix für Windows XP (KB952287)
Hotfix für Windows XP (KB961118)
Hotfix für Windows XP (KB970653-v3)
Hotfix für Windows XP (KB976098-v2)
IsoBuster 2.5
LabelPrint 1.0
Magic Doctor
Magic Keyboard
Malwarebytes' Anti-Malware
Management Center
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.5.6)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Nero Suite
PhotoNow! 1.0
PHPNukeDE Toolbar
Pool Sharks
Power2Go 4.0
PowerDirector
PowerDVD
PowerProducer
PowerStarter
QCad
Realtek High Definition Audio Driver
Samsung Battery Manager
Samsung EDS
Samsung Network Manager 2.0
Samsung Update Plus
SENS LT56ADW Modem
Shareware.Pro-DE Toolbar
Sicherheitsupdate für Windows Internet Explorer 8 (KB971961)
Sicherheitsupdate für Windows Internet Explorer 8 (KB976325)
Sicherheitsupdate für Windows Media Player (KB952069)
Sicherheitsupdate für Windows Media Player (KB954155)
Sicherheitsupdate für Windows Media Player (KB968816)
Sicherheitsupdate für Windows Media Player (KB973540)
Sicherheitsupdate für Windows XP (KB923561)
Sicherheitsupdate für Windows XP (KB923689)
Sicherheitsupdate für Windows XP (KB923789)
Sicherheitsupdate für Windows XP (KB938464)
Sicherheitsupdate für Windows XP (KB938464-v2)
Sicherheitsupdate für Windows XP (KB941569)
Sicherheitsupdate für Windows XP (KB946648)
Sicherheitsupdate für Windows XP (KB950762)
Sicherheitsupdate für Windows XP (KB950974)
Sicherheitsupdate für Windows XP (KB951066)
Sicherheitsupdate für Windows XP (KB951376-v2)
Sicherheitsupdate für Windows XP (KB951698)
Sicherheitsupdate für Windows XP (KB951748)
Sicherheitsupdate für Windows XP (KB952004)
Sicherheitsupdate für Windows XP (KB952954)
Sicherheitsupdate für Windows XP (KB954211)
Sicherheitsupdate für Windows XP (KB954459)
Sicherheitsupdate für Windows XP (KB954600)
Sicherheitsupdate für Windows XP (KB955069)
Sicherheitsupdate für Windows XP (KB956391)
Sicherheitsupdate für Windows XP (KB956572)
Sicherheitsupdate für Windows XP (KB956744)
Sicherheitsupdate für Windows XP (KB956802)
Sicherheitsupdate für Windows XP (KB956803)
Sicherheitsupdate für Windows XP (KB956841)
Sicherheitsupdate für Windows XP (KB956844)
Sicherheitsupdate für Windows XP (KB957095)
Sicherheitsupdate für Windows XP (KB957097)
Sicherheitsupdate für Windows XP (KB958215)
Sicherheitsupdate für Windows XP (KB958644)
Sicherheitsupdate für Windows XP (KB958687)
Sicherheitsupdate für Windows XP (KB958690)
Sicherheitsupdate für Windows XP (KB958869)
Sicherheitsupdate für Windows XP (KB959426)
Sicherheitsupdate für Windows XP (KB960225)
Sicherheitsupdate für Windows XP (KB960714)
Sicherheitsupdate für Windows XP (KB960715)
Sicherheitsupdate für Windows XP (KB960803)
Sicherheitsupdate für Windows XP (KB960859)
Sicherheitsupdate für Windows XP (KB961371)
Sicherheitsupdate für Windows XP (KB961373)
Sicherheitsupdate für Windows XP (KB961501)
Sicherheitsupdate für Windows XP (KB963027)
Sicherheitsupdate für Windows XP (KB968537)
Sicherheitsupdate für Windows XP (KB969059)
Sicherheitsupdate für Windows XP (KB969897)
Sicherheitsupdate für Windows XP (KB969898)
Sicherheitsupdate für Windows XP (KB969947)
Sicherheitsupdate für Windows XP (KB970238)
Sicherheitsupdate für Windows XP (KB970430)
Sicherheitsupdate für Windows XP (KB971486)
Sicherheitsupdate für Windows XP (KB971557)
Sicherheitsupdate für Windows XP (KB971633)
Sicherheitsupdate für Windows XP (KB971657)
Sicherheitsupdate für Windows XP (KB971961)
Sicherheitsupdate für Windows XP (KB972260)
Sicherheitsupdate für Windows XP (KB973346)
Sicherheitsupdate für Windows XP (KB973354)
Sicherheitsupdate für Windows XP (KB973507)
Sicherheitsupdate für Windows XP (KB973525)
Sicherheitsupdate für Windows XP (KB973869)
Sicherheitsupdate für Windows XP (KB973904)
Sicherheitsupdate für Windows XP (KB974112)
Sicherheitsupdate für Windows XP (KB974318)
Sicherheitsupdate für Windows XP (KB974392)
Sicherheitsupdate für Windows XP (KB974455)
Sicherheitsupdate für Windows XP (KB974571)
Sicherheitsupdate für Windows XP (KB975025)
Sicherheitsupdate für Windows XP (KB975467)
Sicherheitsupdate für Windows XP (KB976325)
Steuersparer 2009
Synaptics Pointing Device Driver
Total Video Converter 3.14 08113
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update für Windows Internet Explorer 8 (KB975364)
Update für Windows XP (KB951978)
Update für Windows XP (KB955839)
Update für Windows XP (KB967715)
Update für Windows XP (KB968389)
Update für Windows XP (KB971737)
Update für Windows XP (KB973687)
Update für Windows XP (KB973815)
Update für Windows XP (KB976749)
User's Guide
VLC media player 0.9.8a
Winamp
Windows Internet Explorer 8
Windows Media Format Runtime
Windows XP Service Pack 3
WinRAR
World Snooker Championship 2005

This time I left the USB stick plugged in during all of the scans; that was forgotten the first time.
27.12.2009, 14:12
Member
Posts: 14
#6
I just noticed that AntiVir moved four files to quarantine yesterday morning. All four say:
"Ist das Trojanische Pferd TR.fakealert.xlp bzw. TR.fakealert.ork"
Here is a screenshot of the sources: What should I do with them?
27.12.2009, 14:25
Member
Posts: 3716
#7
Can you post a gmer log as well?
27.12.2009, 17:05
Member
Posts: 14
#8
Holy Mother of God, that program really does search thoroughly.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-27 16:47:11
Windows 5.1.2600 Service Pack 3
Running: z0h76tij.exe; Driver: C:\DOKUME~1\Hans\LOKALE~1\Temp\fwpcipob.sys

---- System - GMER 1.0.15 ----

SSDT BA6FCBCE ZwCreateKey
SSDT BA6FCBC4 ZwCreateThread
SSDT BA6FCBD3 ZwDeleteKey
SSDT BA6FCBDD ZwDeleteValueKey
SSDT spaj.sys ZwEnumerateKey [0xF74F5CA2]
SSDT spaj.sys ZwEnumerateValueKey [0xF74F6030]
SSDT BA6FCBE2 ZwLoadKey
SSDT spaj.sys ZwOpenKey [0xF74D70C0]
SSDT BA6FCBB0 ZwOpenProcess
SSDT BA6FCBB5 ZwOpenThread
SSDT spaj.sys ZwQueryKey [0xF74F6108]
SSDT spaj.sys ZwQueryValueKey [0xF74F5F88]
SSDT BA6FCBEC ZwReplaceKey
SSDT BA6FCBE7 ZwRestoreKey
SSDT BA6FCBD8 ZwSetValueKey
SSDT BA6FCBBF ZwTerminateProcess

INT 0x62 ? 89AF9BF8
INT 0x73 ? 89AFDBF8
INT 0x82 ? 89AF9BF8
INT 0xB4 ? 8995ABF8
INT 0xB4 ? 8995ABF8
INT 0xB4 ? 8995ABF8
INT 0xB4 ? 8995ABF8

---- Kernel code sections - GMER 1.0.15 ----

? spaj.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload B9D998AC 5 Bytes JMP 8995A1D8
.text a72mwqf7.SYS B8166386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a72mwqf7.SYS B81663AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a72mwqf7.SYS B81663C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text a72mwqf7.SYS B81663C9 1 Byte [2E]
.text a72mwqf7.SYS B81663C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 89AFD2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7508C4C] spaj.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7508CA0] spaj.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D8040] spaj.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D813C] spaj.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D80BE] spaj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D87FC] spaj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D86D2] spaj.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8995A2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E8048] spaj.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89AF71F8
Device \FileSystem\Fastfat \FatCdrom 89766500
Device \FileSystem\Udfs \UdfsCdRom 894E1500
Device \FileSystem\Udfs \UdfsCdRom BsUDF.SYS (UDF File System Driver (Windows2000)/CyberLink Corporation.)
Device \FileSystem\Udfs \UdfsDisk 894E1500
Device \FileSystem\Udfs \UdfsDisk BsUDF.SYS (UDF File System Driver (Windows2000)/CyberLink Corporation.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\usbohci \Device\USBPDO-0 899591F8
Device \Driver\usbohci \Device\USBPDO-1 899591F8
Device \Driver\usbehci \Device\USBPDO-2 899581F8
Device \Driver\PCI_PNP7318 \Device\00000048 spaj.sys
Device \Driver\PCI_PNP7318 \Device\00000048 spaj.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{EA4755B0-5C47-4C46-B4A4-B4D5B85EADCC} 897971F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89AFA1F8
Device \Driver\Cdrom \Device\CdRom0 8995B500
Device \Driver\Ftdisk \Device\HarddiskVolume2 89AFA1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 89AFA1F8
Device \Driver\Cdrom \Device\CdRom1 8995B500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\USBSTOR \Device\00000082 894B6500
Device \Driver\NetBT \Device\NetBt_Wins_Export 897971F8
Device \Driver\USBSTOR \Device\00000084 894B6500
Device \Driver\NetBT \Device\NetbiosSmb 897971F8
Device \Driver\sptd \Device\2180011068 spaj.sys
Device \Driver\usbohci \Device\USBFDO-0 899591F8
Device \Driver\usbohci \Device\USBFDO-1 899591F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8970B500
Device \Driver\usbehci \Device\USBFDO-2 899581F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8970B500
Device \Driver\Ftdisk \Device\FtControl 89AFA1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{74273C48-6729-4BF4-82F7-C7C6BCF17B20} 897971F8
Device \Driver\a72mwqf7 \Device\Scsi\a72mwqf71 89708500
Device \Driver\a72mwqf7 \Device\Scsi\a72mwqf71Port2Path0Target0Lun0 89708500
Device \FileSystem\Fastfat \Fat 89766500
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 8956D500
Device \FileSystem\Cdfs \Cdfs BsUDF.SYS (UDF File System Driver (Windows2000)/CyberLink Corporation.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB4 0xE2 0xCF 0x35 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x17 0x61 0x43 0x5B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0x96 0x31 0x98 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB4 0xE2 0xCF 0x35 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x17 0x61 0x43 0x5B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCA 0x96 0x31 0x98 ...

---- EOF - GMER 1.0.15 ----

Can you actually tell from the logs where my dad picked up this trojan? I really don't feel like doing the whole thing yet another time. Thanks for the help, by the way.
27.12.2009, 17:15
Member
Posts: 3716
#9
No, I can't see anything.
Keygens, cracks, software from dubious sources, possibly dubious sites, no offence meant to anyone :-)
Run http://support.kaspersky.com/de/faq/?qid=207620123, reboot, post the report.
27.12.2009, 17:33
Member
Posts: 14
#10
Well, offence... My dad and cracks? Pirated software? Hardly. He just clicks around the virtual world fairly cluelessly, so I can't rule out "dubious" sites. It would just be great to know how he catches this even though the firewall is active and AntiVir is up to date.

17:26:07:393 2320 TDSSKiller 2.1.1 Dec 20 2009 02:40:02
17:26:07:393 2320 ================================================================================
17:26:07:393 2320 SystemInfo:
17:26:07:393 2320 OS Version: 5.1.2600 ServicePack: 3.0
17:26:07:393 2320 Product type: Workstation
17:26:07:393 2320 ComputerName: SAMSUNGNOTEBOOK
17:26:07:393 2320 UserName: Hans
17:26:07:393 2320 Windows directory: C:\WINDOWS
17:26:07:393 2320 Processor architecture: Intel x86
17:26:07:393 2320 Number of processors: 2
17:26:07:393 2320 Page size: 0x1000
17:26:07:393 2320 Boot type: Normal boot
17:26:07:393 2320 ================================================================================
17:26:07:393 2320 ForceUnloadDriver: NtUnloadDriver error 2
17:26:07:393 2320 ForceUnloadDriver: NtUnloadDriver error 2
17:26:07:393 2320 ForceUnloadDriver: NtUnloadDriver error 2
17:26:07:393 2320 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\Drivers\KLMD.sys) returned status 0
17:26:07:393 2320 main: Driver KLMD successfully dropped
17:26:07:408 2320 main: Driver KLMD successfully loaded
17:26:07:408 2320 Scanning Registry ...
17:26:07:408 2320 ScanServices: Searching service UACd.sys
17:26:07:408 2320 ScanServices: Open/Create key error 2
17:26:07:408 2320 ScanServices: Searching service TDSSserv.sys
17:26:07:408 2320 ScanServices: Open/Create key error 2
17:26:07:408 2320 ScanServices: Searching service gaopdxserv.sys
17:26:07:408 2320 ScanServices: Open/Create key error 2
17:26:07:408 2320 ScanServices: Searching service gxvxcserv.sys
17:26:07:408 2320 ScanServices: Open/Create key error 2
17:26:07:408 2320 ScanServices: Searching service MSIVXserv.sys
17:26:07:408 2320 ScanServices: Open/Create key error 2
17:26:07:408 2320 UnhookRegistry: Kernel module file name: C:\windows\system32\ntoskrnl.exe, base addr: 804D7000
17:26:07:408 2320 UnhookRegistry: Kernel local addr: A40000
17:26:07:408 2320 UnhookRegistry: KeServiceDescriptorTable addr: ACB520
17:26:07:408 2320 UnhookRegistry: KiServiceTable addr: A4D8B0
17:26:07:408 2320 UnhookRegistry: NtEnumerateKey service number (local): 47
17:26:07:408 2320 UnhookRegistry: NtEnumerateKey local addr: AE1E14
17:26:07:408 2320 KLMD_OpenDevice: Trying to open KLMD device
17:26:07:408 2320 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
17:26:07:408 2320 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
17:26:07:408 2320 KLMD_ReadMem: Trying to ReadMemory 0x804E380F[0x4]
17:26:07:408 2320 UnhookRegistry: NtEnumerateKey service number (kernel): 47
17:26:07:408 2320 KLMD_ReadMem: Trying to ReadMemory 0x804E49CC[0x4]
17:26:07:408 2320 UnhookRegistry: NtEnumerateKey real addr: 80578E14
17:26:07:408 2320 UnhookRegistry: NtEnumerateKey calc addr: 80578E14
17:26:07:408 2320 UnhookRegistry: No SDT hooks found on NtEnumerateKey
17:26:07:408 2320 KLMD_ReadMem: Trying to ReadMemory 0x80578E14[0xA]
17:26:07:408 2320 UnhookRegistry: No splicing found on NtEnumerateKey
17:26:07:408 2320 Scanning Kernel memory ...
17:26:07:408 2320 KLMD_OpenDevice: Trying to open KLMD device
17:26:07:408 2320 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
17:26:07:408 2320 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
17:26:07:408 2320 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 89AE18F8
17:26:07:408 2320 DetectCureTDL3: KLMD_GetDeviceObjectList returned 6 DevObjects
17:26:07:408 2320 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 898545F0
17:26:07:408 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 898545F0
17:26:07:408 2320 KLMD_ReadMem: Trying to ReadMemory 0x898545F0[0x38]
17:26:07:408 2320 DetectCureTDL3: DRIVER_OBJECT addr: 89AE18F8
17:26:07:408 2320 KLMD_ReadMem: Trying to ReadMemory 0x89AE18F8[0xA8]
17:26:07:408 2320 KLMD_ReadMem: Trying to ReadMemory 0xE1435058[0x208]
17:26:07:408 2320 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
17:26:07:408 2320 DetectCureTDL3: IrpHandler (0) addr: F763DBB0
17:26:07:408 2320 DetectCureTDL3: IrpHandler (1) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (2) addr: F763DBB0
17:26:07:408 2320 DetectCureTDL3: IrpHandler (3) addr: F7637D1F
17:26:07:408 2320 DetectCureTDL3: IrpHandler (4) addr: F7637D1F
17:26:07:408 2320 DetectCureTDL3: IrpHandler (5) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (6) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (7) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (8) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (9) addr: F76382E2
17:26:07:408 2320 DetectCureTDL3: IrpHandler (10) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (11) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (12) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (13) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (14) addr: F76383BB
17:26:07:408 2320 DetectCureTDL3: IrpHandler (15) addr: F763BF28
17:26:07:408 2320 DetectCureTDL3: IrpHandler (16) addr: F76382E2
17:26:07:408 2320 DetectCureTDL3: IrpHandler (17) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (18) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (19) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (20) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (21) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (22) addr: F7639C82
17:26:07:408 2320 DetectCureTDL3: IrpHandler (23) addr: F763E99E
17:26:07:408 2320 DetectCureTDL3: IrpHandler (24) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (25) addr: 804F9739
17:26:07:408 2320 DetectCureTDL3: IrpHandler (26) addr: 804F9739
17:26:07:408 2320 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
17:26:07:408 2320 KLMD_ReadMem: DeviceIoControl error 1
17:26:07:408 2320 TDL3_StartIoHookDetect: Unable to get StartIo handler code
17:26:07:408 2320 TDL3_FileDetect: Processing driver: Disk
17:26:07:408 2320 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk
17:26:07:408 2320 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys
17:26:07:408 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys
17:26:07:440 2320 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 897908C8
17:26:07:440 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 897908C8
17:26:07:440 2320 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 89500890
17:26:07:440 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89500890
17:26:07:440 2320 KLMD_ReadMem: Trying to ReadMemory 0x89500890[0x38]
17:26:07:440 2320 DetectCureTDL3: DRIVER_OBJECT addr: 895F2340
17:26:07:440 2320 KLMD_ReadMem: Trying to ReadMemory 0x895F2340[0xA8]
17:26:07:440 2320 KLMD_ReadMem: Trying to ReadMemory 0xE144F6D0[0x208]
17:26:07:440 2320 DetectCureTDL3: DRIVER_OBJECT
name: \Driver\USBSTOR, Driver Name: USBSTOR 17:26:07:440 2320 DetectCureTDL3: IrpHandler (0) addr: 896F6500 17:26:07:440 2320 DetectCureTDL3: IrpHandler (1) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (2) addr: 896F6500 17:26:07:440 2320 DetectCureTDL3: IrpHandler (3) addr: 896F6500 17:26:07:440 2320 DetectCureTDL3: IrpHandler (4) addr: 896F6500 17:26:07:440 2320 DetectCureTDL3: IrpHandler (5) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (6) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (7) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (8) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (9) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (10) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (11) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (12) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (13) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (14) addr: 896F6500 17:26:07:440 2320 DetectCureTDL3: IrpHandler (15) addr: 896F6500 17:26:07:440 2320 DetectCureTDL3: IrpHandler (16) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (17) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (18) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (19) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (20) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (21) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (22) addr: 896F6500 17:26:07:440 2320 DetectCureTDL3: IrpHandler (23) addr: 896F6500 17:26:07:440 2320 DetectCureTDL3: IrpHandler (24) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (25) addr: 804F9739 17:26:07:440 2320 DetectCureTDL3: IrpHandler (26) addr: 804F9739 17:26:07:440 2320 KLMD_ReadMem: Trying to ReadMemory 0xF7820F26[0x400] 17:26:07:440 2320 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 0, 0 17:26:07:440 2320 TDL3_FileDetect: Processing driver: USBSTOR 
17:26:07:440 2320 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\usbstor.sys, C:\WINDOWS\system32\Drivers\usbstor.tsk, SYSTEM\CurrentControlSet\Services\USBSTOR, system32\Drivers\usbstor.tsk 17:26:07:440 2320 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\usbstor.sys 17:26:07:440 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\usbstor.sys 17:26:07:455 2320 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 89A63C68 17:26:07:455 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A63C68 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0x89A63C68[0x38] 17:26:07:455 2320 DetectCureTDL3: DRIVER_OBJECT addr: 89AE18F8 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0x89AE18F8[0xA8] 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0xE1435058[0x208] 17:26:07:455 2320 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:26:07:455 2320 DetectCureTDL3: IrpHandler (0) addr: F763DBB0 17:26:07:455 2320 DetectCureTDL3: IrpHandler (1) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (2) addr: F763DBB0 17:26:07:455 2320 DetectCureTDL3: IrpHandler (3) addr: F7637D1F 17:26:07:455 2320 DetectCureTDL3: IrpHandler (4) addr: F7637D1F 17:26:07:455 2320 DetectCureTDL3: IrpHandler (5) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (6) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (7) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (8) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (9) addr: F76382E2 17:26:07:455 2320 DetectCureTDL3: IrpHandler (10) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (11) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (12) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (13) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (14) addr: F76383BB 17:26:07:455 2320 DetectCureTDL3: IrpHandler (15) addr: F763BF28 17:26:07:455 2320 DetectCureTDL3: IrpHandler (16) 
addr: F76382E2 17:26:07:455 2320 DetectCureTDL3: IrpHandler (17) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (18) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (19) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (20) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (21) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (22) addr: F7639C82 17:26:07:455 2320 DetectCureTDL3: IrpHandler (23) addr: F763E99E 17:26:07:455 2320 DetectCureTDL3: IrpHandler (24) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (25) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (26) addr: 804F9739 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400] 17:26:07:455 2320 KLMD_ReadMem: DeviceIoControl error 1 17:26:07:455 2320 TDL3_StartIoHookDetect: Unable to get StartIo handler code 17:26:07:455 2320 TDL3_FileDetect: Processing driver: Disk 17:26:07:455 2320 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk 17:26:07:455 2320 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys 17:26:07:455 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys 17:26:07:455 2320 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 89AC0C68 17:26:07:455 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89AC0C68 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0x89AC0C68[0x38] 17:26:07:455 2320 DetectCureTDL3: DRIVER_OBJECT addr: 89AE18F8 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0x89AE18F8[0xA8] 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0xE1435058[0x208] 17:26:07:455 2320 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:26:07:455 2320 DetectCureTDL3: IrpHandler (0) addr: F763DBB0 17:26:07:455 2320 DetectCureTDL3: IrpHandler (1) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (2) 
addr: F763DBB0 17:26:07:455 2320 DetectCureTDL3: IrpHandler (3) addr: F7637D1F 17:26:07:455 2320 DetectCureTDL3: IrpHandler (4) addr: F7637D1F 17:26:07:455 2320 DetectCureTDL3: IrpHandler (5) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (6) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (7) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (8) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (9) addr: F76382E2 17:26:07:455 2320 DetectCureTDL3: IrpHandler (10) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (11) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (12) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (13) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (14) addr: F76383BB 17:26:07:455 2320 DetectCureTDL3: IrpHandler (15) addr: F763BF28 17:26:07:455 2320 DetectCureTDL3: IrpHandler (16) addr: F76382E2 17:26:07:455 2320 DetectCureTDL3: IrpHandler (17) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (18) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (19) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (20) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (21) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (22) addr: F7639C82 17:26:07:455 2320 DetectCureTDL3: IrpHandler (23) addr: F763E99E 17:26:07:455 2320 DetectCureTDL3: IrpHandler (24) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (25) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (26) addr: 804F9739 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400] 17:26:07:455 2320 KLMD_ReadMem: DeviceIoControl error 1 17:26:07:455 2320 TDL3_StartIoHookDetect: Unable to get StartIo handler code 17:26:07:455 2320 TDL3_FileDetect: Processing driver: Disk 17:26:07:455 2320 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, 
system32\Drivers\disk.tsk 17:26:07:455 2320 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys 17:26:07:455 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys 17:26:07:455 2320 DetectCureTDL3: 4 Curr stack PDEVICE_OBJECT: 89AC1C68 17:26:07:455 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89AC1C68 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0x89AC1C68[0x38] 17:26:07:455 2320 DetectCureTDL3: DRIVER_OBJECT addr: 89AE18F8 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0x89AE18F8[0xA8] 17:26:07:455 2320 KLMD_ReadMem: Trying to ReadMemory 0xE1435058[0x208] 17:26:07:455 2320 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk 17:26:07:455 2320 DetectCureTDL3: IrpHandler (0) addr: F763DBB0 17:26:07:455 2320 DetectCureTDL3: IrpHandler (1) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (2) addr: F763DBB0 17:26:07:455 2320 DetectCureTDL3: IrpHandler (3) addr: F7637D1F 17:26:07:455 2320 DetectCureTDL3: IrpHandler (4) addr: F7637D1F 17:26:07:455 2320 DetectCureTDL3: IrpHandler (5) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (6) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (7) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (8) addr: 804F9739 17:26:07:455 2320 DetectCureTDL3: IrpHandler (9) addr: F76382E2 17:26:07:471 2320 DetectCureTDL3: IrpHandler (10) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (11) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (12) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (13) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (14) addr: F76383BB 17:26:07:471 2320 DetectCureTDL3: IrpHandler (15) addr: F763BF28 17:26:07:471 2320 DetectCureTDL3: IrpHandler (16) addr: F76382E2 17:26:07:471 2320 DetectCureTDL3: IrpHandler (17) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (18) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: 
IrpHandler (19) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (20) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (21) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (22) addr: F7639C82 17:26:07:471 2320 DetectCureTDL3: IrpHandler (23) addr: F763E99E 17:26:07:471 2320 DetectCureTDL3: IrpHandler (24) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (25) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (26) addr: 804F9739 17:26:07:471 2320 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400] 17:26:07:471 2320 KLMD_ReadMem: DeviceIoControl error 1 17:26:07:471 2320 TDL3_StartIoHookDetect: Unable to get StartIo handler code 17:26:07:471 2320 TDL3_FileDetect: Processing driver: Disk 17:26:07:471 2320 TDL3_FileDetect: Parameters: C:\WINDOWS\system32\drivers\disk.sys, C:\WINDOWS\system32\Drivers\disk.tsk, SYSTEM\CurrentControlSet\Services\Disk, system32\Drivers\disk.tsk 17:26:07:471 2320 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\disk.sys 17:26:07:471 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\disk.sys 17:26:07:471 2320 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 89A64AB8 17:26:07:471 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89A64AB8 17:26:07:471 2320 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 89B5BF18 17:26:07:471 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B5BF18 17:26:07:471 2320 DetectCureTDL3: 5 Curr stack PDEVICE_OBJECT: 89AB6030 17:26:07:471 2320 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89AB6030 17:26:07:471 2320 KLMD_ReadMem: Trying to ReadMemory 0x89AB6030[0x38] 17:26:07:471 2320 DetectCureTDL3: DRIVER_OBJECT addr: 89A90D20 17:26:07:471 2320 KLMD_ReadMem: Trying to ReadMemory 0x89A90D20[0xA8] 17:26:07:471 2320 KLMD_ReadMem: Trying to ReadMemory 0xE145F2D0[0x208] 17:26:07:471 2320 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi 17:26:07:471 2320 
DetectCureTDL3: IrpHandler (0) addr: F7978B40 17:26:07:471 2320 DetectCureTDL3: IrpHandler (1) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (2) addr: F7978B40 17:26:07:471 2320 DetectCureTDL3: IrpHandler (3) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (4) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (5) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (6) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (7) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (8) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (9) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (10) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (11) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (12) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (13) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (14) addr: F7978B40 17:26:07:471 2320 DetectCureTDL3: IrpHandler (15) addr: F7978B40 17:26:07:471 2320 DetectCureTDL3: IrpHandler (16) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (17) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (18) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (19) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (20) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (21) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (22) addr: F7978B40 17:26:07:471 2320 DetectCureTDL3: IrpHandler (23) addr: F7978B40 17:26:07:471 2320 DetectCureTDL3: IrpHandler (24) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (25) addr: 804F9739 17:26:07:471 2320 DetectCureTDL3: IrpHandler (26) addr: 804F9739 17:26:07:471 2320 KLMD_ReadMem: Trying to ReadMemory 0xF7976864[0x400] 17:26:07:471 2320 TDL3_StartIoHookDetect: CheckParameters: 0, 0, 316, 0 17:26:07:471 2320 TDL3_FileDetect: Processing driver: atapi 17:26:07:471 2320 TDL3_FileDetect: Parameters: 
C:\WINDOWS\system32\drivers\atapi.sys, C:\WINDOWS\system32\Drivers\atapi.tsk, SYSTEM\CurrentControlSet\Services\atapi, system32\Drivers\atapi.tsk 17:26:07:471 2320 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys 17:26:07:471 2320 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys 17:26:07:487 2320 Completed Results: 17:26:07:487 2320 Infected objects in memory: 0 17:26:07:487 2320 Cured objects in memory: 0 17:26:07:487 2320 Infected objects on disk: 0 17:26:07:487 2320 Objects on disk cured on reboot: 0 17:26:07:487 2320 Objects on disk deleted on reboot: 0 17:26:07:487 2320 Registry nodes deleted on reboot: 0 17:26:07:487 2320 |
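The TDSSKiller log above walks every device stack under \Driver\Disk, prints the driver object's 27 IRP handler addresses (the DetectCureTDL3 records), runs the StartIo check, and ends with a "Completed Results" summary. The question the tool is answering is whether any dispatch entry has been redirected away from the driver's own image, which is the pattern the TDL3 family used on the storage driver stack. As an added example, not the tool's code and not from the post, the following Python parses such a log (also when it has been pasted onto a single line, as here), rebuilds the per-driver dispatch table and flags entries that point neither into the driver's own image nor into the kernel. The module ranges, the driver name "demo" and the sample records are constructed; in practice the ranges would come from the loaded-module list of the same machine.

```python
"""Triage helper for TDSSKiller-style logs (added example, not TDSSKiller code).

Rebuilds each driver's IRP dispatch table from the 'IrpHandler (n) addr:'
records and flags entries that point neither into the driver's own image nor
into the kernel. Module address ranges are supplied by the caller; the ones
below are constructed placeholders.
"""
import re

# One record: "HH:MM:SS:mmm <thread id> <message>". A pasted log may run many
# records together on one line, so a message ends at the next timestamp
# (lookahead) or at the end of the text.
_RECORD_RE = re.compile(
    r"(\d{2}:\d{2}:\d{2}:\d{3}) (\d+) (.*?)"
    r"(?=\s+\d{2}:\d{2}:\d{2}:\d{3} \d+ |\s*$)",
    re.S,
)
_DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \\Driver\\\S+, Driver Name: (\S+)")
_IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
_SUMMARY_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")


def split_records(blob):
    """Return the message part of every log record, in order."""
    return [m.group(3).strip() for m in _RECORD_RE.finditer(blob)]


def parse_irp_tables(records):
    """Map driver name -> {major function index: handler address (int)}.

    A driver object appears once per device stack it serves; in a consistent
    log the repeated tables carry identical addresses, so overwriting is safe.
    """
    tables, current = {}, None
    for msg in records:
        d = _DRIVER_RE.search(msg)
        if d:
            current = d.group(1)
            tables.setdefault(current, {})
            continue
        h = _IRP_RE.search(msg)
        if h and current is not None:
            tables[current][int(h.group(1))] = int(h.group(2), 16)
    return tables


def find_foreign_handlers(tables, module_ranges, kernel="ntoskrnl"):
    """Return (driver, index, addr) for entries outside both the driver's own
    image and the kernel image. Unused major functions legitimately point at a
    kernel stub; a redirected entry typically points into pool memory. A driver
    missing from module_ranges has all its non-kernel entries flagged."""
    def inside(addr, name):
        rng = module_ranges.get(name)
        return rng is not None and rng[0] <= addr < rng[1]

    return [
        (drv, idx, table[idx])
        for drv, table in tables.items()
        for idx in sorted(table)
        if not (inside(table[idx], drv) or inside(table[idx], kernel))
    ]


def parse_summary(records):
    """Return the counters that follow 'Completed Results:' as {label: int}."""
    summary, active = {}, False
    for msg in records:
        if msg.startswith("Completed Results:"):
            active = True
            continue
        m = _SUMMARY_RE.match(msg) if active else None
        if m:
            summary[m.group(1)] = int(m.group(2))
    return summary


def triage(blob, module_ranges, kernel="ntoskrnl"):
    """Run the whole pipeline over one pasted log."""
    records = split_records(blob)
    tables = parse_irp_tables(records)
    return {"tables": tables,
            "foreign": find_foreign_handlers(tables, module_ranges, kernel),
            "summary": parse_summary(records)}


# Constructed sample: two driver objects pasted onto one line, as in the post.
# The "demo" driver and its third entry are invented to show a flagged case.
SAMPLE_LOG = (
    "17:26:07:408 2320 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk "
    "17:26:07:408 2320 DetectCureTDL3: IrpHandler (0) addr: F763DBB0 "
    "17:26:07:408 2320 DetectCureTDL3: IrpHandler (1) addr: 804F9739 "
    "17:26:07:408 2320 DetectCureTDL3: IrpHandler (2) addr: F763DBB0 "
    "17:26:07:440 2320 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\demo, Driver Name: demo "
    "17:26:07:440 2320 DetectCureTDL3: IrpHandler (0) addr: F7820000 "
    "17:26:07:440 2320 DetectCureTDL3: IrpHandler (1) addr: 804F9739 "
    "17:26:07:440 2320 DetectCureTDL3: IrpHandler (2) addr: 8A1B2C40 "
    "17:26:07:487 2320 Completed Results: "
    "17:26:07:487 2320 Infected objects in memory: 0 "
    "17:26:07:487 2320 Cured objects in memory: 0 "
    "17:26:07:487 2320 Infected objects on disk: 0"
)
# Constructed image ranges (start inclusive, end exclusive); kernel base taken
# from the log, every end address is a placeholder.
SAMPLE_RANGES = {"ntoskrnl": (0x804D7000, 0x806E0000),
                 "Disk": (0xF7636000, 0xF7641000),
                 "demo": (0xF7820000, 0xF7830000)}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, SAMPLE_RANGES)
    for drv, idx, addr in result["foreign"]:
        print(f"{drv}: IrpHandler ({idx}) -> {addr:08X} outside {drv} and kernel")
    print("summary:", result["summary"])
```

A flagged entry is a triage hint, not a verdict: a filter or port driver can legitimately dispatch into another loaded image, so the full module list of that machine has to be consulted before drawing a conclusion. The posted log ended with "Infected objects in memory: 0", which is consistent with every Disk and atapi entry pointing into its own driver or the kernel.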
27.12.2009, 17:37
Member
Posts: 3716
#11
Sorry, I can't tell you any more. How is the PC running at the moment?
27.12.2009, 17:39
Member
Posts: 14
#12
That's fine.
Stable and unremarkable.
27.12.2009, 17:43
Member
Posts: 3716
#13
Hi,
download from http://board.protecus.de/t29350.htm, then switch off all running programs, such as Avira. Disconnect the Internet connection by pulling the network cable or switching off the WLAN. Start the program; a quick scan will now start. Move the findings, post the log if necessary. Make the settings as described, but please leave the heuristics active. Then start the normal scan, do not work on the PC, post the log.
27.12.2009, 17:45
Member
Posts: 14
#14
In Safe Mode?
What is the "heuristics"?
27.12.2009, 17:53
Member
Posts: 3716
#15
Yes, in Safe Mode. You will find the heuristics in the program settings, but it is already active, so you don't have to look for it.
The heuristics looks for files that are not known to the signatures, based on suspicious code fragments. Hope that was explained understandably :-)
I would be grateful for any advice I can understand.