MBR rootkit / ntos.exe / wsnpoem

16.07.2008, 14:29
Honorary member

Posts: 29434
#16 Very good, that should have solved the problem...
Post a new SDFix log.
__________
Regards, Sabina

all about PC security
16.07.2008, 15:06
Member

Thread starter

Posts: 12
#17 SDFix: Version 1.205
Run by Michael on 16.07.2008 at 14:53

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\bca4e2da.$$$ - Deleted
C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\Temp\fa56d7ec.$$$ - Deleted

Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the MBR Rootkit Detector (http://www2.gmer.net/mbr/mbr.exe) by Gmer or CureIt (http://www.freedrweb.com/cureit) by Dr.Web




Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 15:02:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...


scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe"="C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe:*:Enabled:Universe at War Earth Assault"
"C:\\Programme\\ICQ6\\ICQ.exe"="C:\\Programme\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programme\\MSN Messenger\\livecall.exe"="C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 5 Jan 2008 0 ..SH. --- "C:\WINDOWS\SDED748F9.tmp"
Mon 11 Sep 2006 4,348 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Mon 11 Sep 2006 401 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv15.bak"
Tue 3 Oct 2006 50,280 A..H. --- "C:\Programme\Gemeinsame Dateien\Adobe\ESD\DLMCleanup.exe"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Programme\Gemeinsame Dateien\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sat 9 Sep 2006 444 A..H. --- "C:\Dokumente und Einstellungen\Michael\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"
Tue 18 Mar 2008 2,158 ...HR --- "C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!
16.07.2008, 15:08
Honorary member

Posts: 29434
#18 O.K.
Download AVZ, scan and post the report
http://virus-protect.org/artikel/tools/avz.html

After that, the same game once more: run SDFix in Safe Mode and post the log (this time it deleted the rootkits). I want to see whether everything is clean now.
__________
Regards, Sabina

all about PC security
16.07.2008, 15:56
Member

Thread starter

Posts: 12
#19 Attention !!! Database was last updated 06.04.2008 it is necessary to update the bases using automatic updates (File/Database update)
AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 16.07.2008 15:19:03
Database loaded: signatures - 157571, NN profile(s) - 2, microprograms of healing - 55, signature database released 06.04.2008 17:09
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 70476
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:GetProcAddress (408) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AC28->7C882FEC
Function kernel32.dll:LoadLibraryA (578) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D77->7C882F9C
Function kernel32.dll:LoadLibraryExA (579) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D4F->7C882FB0
Function kernel32.dll:LoadLibraryExW (580) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF1->7C882FD8
Function kernel32.dll:LoadLibraryW (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C80ACD3->7C882FC4
IAT modification detected: LoadLibraryA - 7C882F9C<>7C801D77
IAT modification detected: GetProcAddress - 7C882FEC<>7C80AC28
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=0846E0)
Kernel ntkrnlpa.exe found in memory at address 804D7000
SDT = 8055B6E0
KiST = 8A7DB318 (297)
>>> Attention, KiST table is moved ! (80503734(284)->8A7DB318(297))
Function NtClose (19) intercepted (805BAEB4->B7179CB0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (80622048->B716D540), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreatePagingFile (2D) intercepted (805AA414->BA669C70), hook C:\WINDOWS\system32\Drivers\Vax347b.sys, driver recognized as trusted
Function NtCreateProcess (2F) intercepted (805CFA1C->B71799C0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateProcessEx (30) intercepted (805CF966->B7179B40), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (805A9DEE->B717A5B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (805C35E0->B717A230), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (805CF804->B717AF10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (806224D8->B716D660), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (806226A8->B716D6E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805BC890->B7179E00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80622888->B716D770), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (80622AF2->B716D820), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtFlushKey (4F) intercepted (80622D5C->B716D8D0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtInitializeRegistry (5C) intercepted (80620020->B716D950), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey (62) intercepted (80623D78->B716E1F0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey2 (63) intercepted (806239C2->B716D970), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtNotifyChangeKey (6F) intercepted (80623D42->B716DA70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (80578F5C->BA44F000), hook C:\WINDOWS\system32\Drivers\kl1.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (806233DE->B716DB50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805C9C46->B71797B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenSection (7D) intercepted (805A8E12->B717A400), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80623702->B716DC50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (80621216->B716DD00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQuerySystemInformation (AD) intercepted (8060F7E0->B717ABC0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (80620102->B716DDB0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (80623C28->B716DE60), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (80620450->B716DEF0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtResumeThread (CE) intercepted (805D3148->B717AEC0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (806204F2->B716DF80), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (805CFF26->B717B230), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationFile (E0) intercepted (80579DC4->B717BAE0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationKey (E2) intercepted (80620DE2->B716E010), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationProcess (E4) intercepted (805CC690->B717F2A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (805BE8FA->B7177A30), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSystemPowerState (F1) intercepted (80650E26->BA6754F0), hook C:\WINDOWS\system32\Drivers\Vax347b.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80620708->B716E0B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805D3082->B717AE70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805D1170->B717AA10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtUnloadKey (107) intercepted (806209D0->B716E1B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (805B2D5C->B7179CD0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (804EAE40) - machine code modification Method of JmpTo. jmp B717BF00 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804EF634) - machine code modification Method of JmpTo. jmp B717C400 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 41, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Analysis for CPU 2
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
\FileSystem\ntfs[IRP_MJ_CREATE] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_CLOSE] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_WRITE] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_EA] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_EA] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 8AC911F8 -> hook not defined
\FileSystem\ntfs[IRP_MJ_PNP] = 8AC911F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CREATE] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_CLOSE] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_WRITE] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_INFORMATION] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_INFORMATION] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_EA] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_EA] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_QUERY_VOLUME_INFORMATION] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_SET_VOLUME_INFORMATION] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DIRECTORY_CONTROL] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_FILE_SYSTEM_CONTROL] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_DEVICE_CONTROL] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_LOCK_CONTROL] = 8A0991F8 -> hook not defined
\FileSystem\FastFat[IRP_MJ_PNP] = 8A0991F8 -> hook not defined
Checking - complete
2. Scanning memory
Number of processes found: 28
Number of modules loaded: 387
Scanning memory - complete
3. Scanning disks
Direct reading C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Lokale Einstellungen\Temp\fla10.tmp
C:\System Volume Information\_restore{59447283-CEF1-4F69-9D56-009ED686B39D}\RP613\A0531973.DLL >>>>> RiskWare.CrackTool.Win32.HotHook.dll deletion disabled by settings
Direct reading C:\WINDOWS\system32\drivers\sptd.sys
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: RemoteRegistry (Remote-Registrierung)
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: mnmsrvc (NetMeeting-Remotedesktop-Freigabe)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking - complete
9. Troubleshooting wizard
Checking - complete
Files scanned: 101341, extracted from archives: 65899, malicious software found 1, suspicions - 0
Scanning finished at 16.07.2008 15:41:57
Time of scanning: 00:22:54
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
16.07.2008, 16:04
Honorary member

Posts: 29434
#20 Then please post another SDFix log.
__________
Regards, Sabina

all about PC security
16.07.2008, 16:25
Member

Thread starter

Posts: 12
#21 SDFix: Version 1.205
Run by Michael on 16.07.2008 at 16:12

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 16:23:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...


scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe"="C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe:*:Enabled:Universe at War Earth Assault"
"C:\\Programme\\ICQ6\\ICQ.exe"="C:\\Programme\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programme\\MSN Messenger\\livecall.exe"="C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Sat 5 Jan 2008 0 ..SH. --- "C:\WINDOWS\SDED748F9.tmp"
Mon 11 Sep 2006 4,348 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Mon 11 Sep 2006 401 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv15.bak"
Tue 3 Oct 2006 50,280 A..H. --- "C:\Programme\Gemeinsame Dateien\Adobe\ESD\DLMCleanup.exe"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Programme\Gemeinsame Dateien\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sat 9 Sep 2006 444 A..H. --- "C:\Dokumente und Einstellungen\Michael\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"
Tue 18 Mar 2008 2,158 ...HR --- "C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!
16.07.2008, 18:15
Honorary member

Posts: 29434
#22 Yippee!!! Done ;)
Now disable System Restore, then enable it again.

And run one or two more online scans, e.g. Bitdefender and F-Secure
http://virus-protect.org/onlinescan.html

If there are still problems, let me know.
__________
Regards, Sabina

all about PC security
16.07.2008, 18:35
Member

Thread starter

Posts: 12
#23 First of all, thanks for the quick and great help; everything runs like butter on a hot summer day. Sorry, that sounds stupid, but how do I disable that? ^^
18.07.2008, 16:04
Moderator

Posts: 5694
#24 Hello Sunce

Then I'll add my two cents as well ;)

Here is a guide: http://virus-protect.org/systemwiederherstellung.html

Regards, swiss