MBR rootkit / ntos.exe / wsnpoem
16.07.2008, 14:29
Honorary member
Posts: 29434
16.07.2008, 15:06
Member
Thread starter, Posts: 12
#17
SDFix: Version 1.205
Run by Michael on 16.07.2008 at 14:53

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector (http://www2.gmer.net/mbr/mbr.exe) by Gmer or CureIt (http://www.freedrweb.com/cureit) by Dr.Web

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 15:02:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,c1,9e,b0,4e,be,a8,69,c7,aa,86,5a,7c,0e,c3,68,68,52,bb,93,86,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,c1,9e,b0,4e,be,a8,69,c7,aa,86,5a,7c,0e,c3,68,68,52,bb,93,86,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:92,5b,79,56,29,52,ff,74,38,89,a7,69,19,d9,15,f7,9c,53,23,24,f2,..
"p0"="C:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:0b,9b,83,91,45,05,7e,73,95,00,83,8b,5d,6c,8c,cc,56,74,aa,98,6d,..
"a0"=hex:20,01,00,00,3a,96,ed,a0,e2,f0,bf,82,86,aa,b1,74,8a,66,09,fc,7c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7f,80,51,67,3e,a2,02,9b,19,08,6c,84,f8,03,91,f5,2f,d2,2a,16,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:02,5b,df,59,61,b7,3a,d5,44,21,78,23,78,4a,db,80,3b,7b,99,ec,32,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
"ujdew"=hex:20,02,00,00,ed,ae,0c,06,bc,2b,7c,04,05,7b,ab,84,fc,55,63,30,35,..
"ljej40"=hex:e4,70,19,e2,aa,26,bd,f0,c0,18,74,44,a9,7c,f2,6f,df,40,cf,c7,7e,..
"ljej41"=hex:53,70,19,e2,d2,26,bd,f0,c1,18,75,44,a8,7c,f2,6f,df,40,cf,c7,6e,..
"ljej42"=hex:53,70,19,e2,d2,26,bd,f0,c1,18,75,44,a8,7c,f2,6f,df,40,cf,c7,6e,..
"ljej43"=hex:53,70,19,e2,d2,26,bd,f0,c1,18,75,44,a8,7c,f2,6f,df,40,cf,c7,6e,..
"ljej44"=hex:53,70,19,e2,d2,26,bd,f0,c1,18,75,44,a8,7c,f2,6f,df,40,cf,c7,6e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:92,5b,79,56,29,52,ff,74,38,89,a7,69,19,d9,15,f7,9c,53,23,24,f2,..
"p0"="C:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:0b,9b,83,91,45,05,7e,73,95,00,83,8b,5d,6c,8c,cc,56,74,aa,98,6d,..
"a0"=hex:20,01,00,00,3a,96,ed,a0,e2,f0,bf,82,86,aa,b1,74,8a,66,09,fc,7c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7f,80,51,67,3e,a2,02,9b,19,08,6c,84,f8,03,91,f5,2f,d2,2a,16,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:02,5b,df,59,61,b7,3a,d5,44,21,78,23,78,4a,db,80,3b,7b,99,ec,32,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe"="C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe:*:Enabled:Universe at War Earth Assault"
"C:\\Programme\\ICQ6\\ICQ.exe"="C:\\Programme\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programme\\MSN Messenger\\livecall.exe"="C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 5 Jan 2008 0 ..SH. --- "C:\WINDOWS\SDED748F9.tmp"
Mon 11 Sep 2006 4,348 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Mon 11 Sep 2006 401 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv15.bak"
Tue 3 Oct 2006 50,280 A..H. --- "C:\Programme\Gemeinsame Dateien\Adobe\ESD\DLMCleanup.exe"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Programme\Gemeinsame Dateien\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sat 9 Sep 2006 444 A..H. --- "C:\Dokumente und Einstellungen\Michael\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"
Tue 18 Mar 2008 2,158 ...HR --- "C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!
16.07.2008, 15:08
Honorary member
Posts: 29434
#18
OK.
Download AVZ, scan and post the report: http://virus-protect.org/artikel/tools/avz.html
Then the same game once more: run SDFix in Safe Mode and post the log (this time it deleted the rootkits). I want to see whether everything is clean now.
__________
Regards, Sabina
all around PC security
16.07.2008, 15:56
Member
Thread starter, Posts: 12
#19
Attention !!! Database was last updated 06.04.2008 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 16.07.2008 15:19:03
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC28->7C882FEC
Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->7C882F9C
Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->7C882FB0
Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->7C882FD8
Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ACD3->7C882FC4
IAT modification detected: LoadLibraryA - 7C882F9C<>7C801D77
IAT modification detected: GetProcAddress - 7C882FEC<>7C80AC28
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055B6E0
KiST = 8A7DB318 (297)
>>> Attention, KiST table is moved ! (80503734(284)->8A7DB318(297))
Function NtClose (19) intercepted (805BAEB4->B7179CB0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (80622048->B716D540), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreatePagingFile (2D) intercepted (805AA414->BA669C70), hook C:\WINDOWS\system32\Drivers\Vax347b.sys, driver recognized as trusted
Function NtCreateProcess (2F) intercepted (805CFA1C->B71799C0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateProcessEx (30) intercepted (805CF966->B7179B40), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (805A9DEE->B717A5B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (805C35E0->B717A230), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (805CF804->B717AF10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (806224D8->B716D660), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (806226A8->B716D6E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805BC890->B7179E00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80622888->B716D770), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (80622AF2->B716D820), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtFlushKey (4F) intercepted (80622D5C->B716D8D0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtInitializeRegistry (5C) intercepted (80620020->B716D950), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey (62) intercepted (80623D78->B716E1F0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey2 (63) intercepted (806239C2->B716D970), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtNotifyChangeKey (6F) intercepted (80623D42->B716DA70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (80578F5C->BA44F000), hook C:\WINDOWS\system32\Drivers\kl1.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (806233DE->B716DB50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805C9C46->B71797B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenSection (7D) intercepted (805A8E12->B717A400), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80623702->B716DC50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (80621216->B716DD00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQuerySystemInformation (AD) intercepted (8060F7E0->B717ABC0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (80620102->B716DDB0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (80623C28->B716DE60), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (80620450->B716DEF0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtResumeThread (CE) intercepted (805D3148->B717AEC0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (806204F2->B716DF80), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (805CFF26->B717B230), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationFile (E0) intercepted (80579DC4->B717BAE0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationKey (E2) intercepted (80620DE2->B716E010), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationProcess (E4) intercepted (805CC690->B717F2A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (805BE8FA->B7177A30), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSystemPowerState (F1) intercepted (80650E26->BA6754F0), hook C:\WINDOWS\system32\Drivers\Vax347b.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80620708->B716E0B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805D3082->B717AE70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805D1170->B717AA10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtUnloadKey (107) intercepted (806209D0->B716E1B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (805B2D5C->B7179CD0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (804EAE40) - machine code modification Method of JmpTo. jmp B717BF00 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804EF634) - machine code modification Method of JmpTo. jmp B717C400 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 41, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8AC911F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 8A0991F8 -> hook not defined
Checking - complete
2. Scanning memory
Number of processes found: 28
Number of modules loaded: 387
Scanning memory - complete
3. Scanning disks
Direct reading C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Lokale Einstellungen\Temp\fla10.tmp
C:\System Volume Information\_restore{59447283-CEF1-4F69-9D56-009ED686B39D}\RP613\A0531973.DLL >>>>> RiskWare.CrackTool.Win32.HotHook.dll deletion disabled by settings
Direct reading C:\WINDOWS\system32\drivers\sptd.sys
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung)
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 101341, extracted from archives: 65899, malicious software found 1, suspicions - 0
Scanning finished at 16.07.2008 15:41:57
Time of scanning: 00:22:54
If you have a suspicion on presence of viruses or questions on the suspected objects, you can address http://virusinfo.info conference
16.07.2008, 16:04
Honorary member
Posts: 29434
16.07.2008, 16:25
Member
Thread starter, Posts: 12
#21
SDFix: Version 1.205
Run by Michael on 16.07.2008 at 16:12

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 16:23:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,c1,9e,b0,4e,be,a8,69,c7,aa,86,5a,7c,0e,c3,68,68,52,bb,93,86,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,c1,9e,b0,4e,be,a8,69,c7,aa,86,5a,7c,0e,c3,68,68,52,bb,93,86,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:92,5b,79,56,29,52,ff,74,38,89,a7,69,19,d9,15,f7,9c,53,23,24,f2,..
"p0"="C:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:0b,9b,83,91,45,05,7e,73,95,00,83,8b,5d,6c,8c,cc,56,74,aa,98,6d,..
"a0"=hex:20,01,00,00,3a,96,ed,a0,e2,f0,bf,82,86,aa,b1,74,8a,66,09,fc,7c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7f,80,51,67,3e,a2,02,9b,19,08,6c,84,f8,03,91,f5,2f,d2,2a,16,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:02,5b,df,59,61,b7,3a,d5,44,21,78,23,78,4a,db,80,3b,7b,99,ec,32,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
"ujdew"=hex:20,02,00,00,83,24,51,06,de,f4,e9,33,8f,c1,25,b3,f2,70,b1,4e,03,..
"ljej40"=hex:86,af,8c,d5,20,9c,33,c7,ce,3d,a6,3a,9f,a7,aa,1d,9d,af,a1,8d,44,..
"ljej41"=hex:31,af,8c,d5,58,9c,33,c7,cf,3d,a7,3a,9e,a7,aa,1d,9d,af,a1,8d,54,..
"ljej42"=hex:31,af,8c,d5,58,9c,33,c7,cf,3d,a7,3a,9e,a7,aa,1d,9d,af,a1,8d,54,..
"ljej43"=hex:31,af,8c,d5,58,9c,33,c7,cf,3d,a7,3a,9e,a7,aa,1d,9d,af,a1,8d,54,..
"ljej44"=hex:31,af,8c,d5,58,9c,33,c7,cf,3d,a7,3a,9e,a7,aa,1d,9d,af,a1,8d,54,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:92,5b,79,56,29,52,ff,74,38,89,a7,69,19,d9,15,f7,9c,53,23,24,f2,..
"p0"="C:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:0b,9b,83,91,45,05,7e,73,95,00,83,8b,5d,6c,8c,cc,56,74,aa,98,6d,..
"a0"=hex:20,01,00,00,3a,96,ed,a0,e2,f0,bf,82,86,aa,b1,74,8a,66,09,fc,7c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7f,80,51,67,3e,a2,02,9b,19,08,6c,84,f8,03,91,f5,2f,d2,2a,16,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:02,5b,df,59,61,b7,3a,d5,44,21,78,23,78,4a,db,80,3b,7b,99,ec,32,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe"="C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe:*:Enabled:Universe at War Earth Assault"
"C:\\Programme\\ICQ6\\ICQ.exe"="C:\\Programme\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programme\\MSN Messenger\\livecall.exe"="C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

Files with Hidden Attributes :

Sat 5 Jan 2008 0 ..SH. --- "C:\WINDOWS\SDED748F9.tmp"
Mon 11 Sep 2006 4,348 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Mon 11 Sep 2006 401 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv15.bak"
Tue 3 Oct 2006 50,280 A..H. --- "C:\Programme\Gemeinsame Dateien\Adobe\ESD\DLMCleanup.exe"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Programme\Gemeinsame Dateien\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sat 9 Sep 2006 444 A..H. --- "C:\Dokumente und Einstellungen\Michael\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"
Tue 18 Mar 2008 2,158 ...HR --- "C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!
16.07.2008, 18:15
Honorary member
Posts: 29434
#22
Yippee!!! Done!
Now disable System Restore, then enable it again. And run one or two more online scans, e.g. Bitdefender and F-Secure: http://virus-protect.org/onlinescan.html
If there are still problems, get in touch.
__________
Regards, Sabina
all around PC security
16.07.2008, 18:35
Member
Thread starter, Posts: 12
#23
First of all, thanks for the quick and great help. Everything runs like butter on a hot summer day. Sorry, this sounds dumb, but how do I disable that? ^^
18.07.2008, 16:04
Moderator
Posts: 5694
#24
Hello Sunce
Then I'll add my two cents as well. Here is a guide: http://virus-protect.org/systemwiederherstellung.html
Regards, swiss
Post a new log from SDFix.
__________
Regards, Sabina
all around PC security