Trojaner entfernen

#1 Hallo ihr lieben Helfer,

ich habe wirklich ausreichende Sicherung auf meinem PC, aber dennoch bekomme ich immer wieder Spyware und Trojaner drauf, die sich damm im system32 feststzen.

Habe aktuell zwei solcher Dinger drauf:

.....sytem32/cryptonet.dll
.....system32/?????? ...... der kommt selten, aber er ist da.

Habe alle logfiles von malwarebytes, combofix. hijack this und datfind laut Anweisung von Sabina erstellt und im Anhang als "logfiles" im Textformat gepostet.

Wer kann mir nun bitte helfen diese lästigen Dinger wieder los zu werden ??
Für Eure Hilfe wäre ich Euch sehr dankbar.

LG


alfaseele

------------------------------------------------------------------


(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Config.ini

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Legacy_TCPSR
-------\Service_MEMSWEEP2


((((((((((((((((((((((( Dateien erstellt von 2008-06-27 bis 2008-07-27 ))))))))))))))))))))))))))))))
.

2008-07-27 12:34 . 2008-07-27 12:34 <DIR> d-------- C:\Dokumente und Einstellungen\Ludwig\Anwendungsdaten\Malwarebytes
2008-07-27 12:34 . 2008-07-27 12:34 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-07-27 12:34 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-27 12:34 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 12:33 . 2008-07-27 12:34 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-07-27 08:51 . 2004-05-12 11:13 40,960 --a------ C:\WINDOWS\system32\exitwx.exe
2008-07-26 17:08 . 2008-07-26 17:08 120 --a------ C:\drmHeader.bin

2008-07-17 16:17 . 2008-07-17 16:17 2,335,270 --a------ C:\WINDOWS\system32\5bc3.mht
2008-07-17 16:17 . 2008-07-17 16:17 54,624 --a------ C:\WINDOWS\system32\9554.sys
2008-07-14 22:28 . 2008-07-14 22:28 198 --ahs---- C:\WINDOWS\system32\drivers\c1548.DAT
2008-07-14 22:28 . 2008-07-14 22:28 198 --ahs---- C:\WINDOWS\system32\drivers\95547.DAT
2008-07-14 22:28 . 2008-07-14 22:28 198 --ahs---- C:\WINDOWS\system32\drivers\02646.DAT
2008-07-14 20:43 . 2008-07-14 20:43 <DIR> d-------- C:\Programme\VS Revo Group
2008-07-14 20:39 . 2008-07-14 20:41 <DIR> d-------- C:\Programme\McafeeRootkit
2008-07-14 19:00 . 2008-07-14 19:00 <DIR> d-------- C:\WINDOWS\system32\de-de
2008-07-14 19:00 . 2008-07-14 19:00 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-14 18:59 . 2008-07-14 18:59 <DIR> d-------- C:\WINDOWS\system32\de
2008-07-14 18:59 . 2008-07-14 18:59 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-14 18:54 . 2008-07-14 19:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-14 18:10 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-07-14 18:10 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-07-14 18:10 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-07-14 18:10 . 2004-07-17 22:55 129,045 --------- C:\WINDOWS\system32\drivers\cxthsfs2.cty
2008-07-14 18:10 . 2004-08-03 22:41 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-07-14 16:05 . 2008-07-14 16:05 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-07-08 18:32 . 2008-07-08 18:32 <DIR> d-------- C:\WINDOWS\system32\repository
2008-07-03 16:13 . 2008-07-03 16:13 <DIR> d-------- C:\Programme\Lavasoft
2008-07-02 07:37 . 2008-07-09 23:04 216 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-01 20:07 . 2008-06-14 19:32 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-01 20:07 . 2008-06-14 19:32 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-01 20:06 . 2008-05-08 16:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-27 18:39 --------- d-----w C:\Programme\Gemeinsame Dateien\Symantec Shared
2008-07-27 06:55 --------- d-----w C:\Programme\FarStone
2008-07-27 06:55 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\RestoreIT
2008-07-26 14:02 --------- d-----w C:\Programme\DivX
2008-07-17 15:20 --------- d-----w C:\Programme\Norton Personal Firewall
2008-07-17 03:12 --------- d-----w C:\Programme\Coolspot
2008-07-17 03:04 --------- d-----w C:\Programme\Gemeinsame Dateien\LightScribe
2008-07-14 15:19 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-07-03 14:11 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-07-01 19:47 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-16 14:48 --------- d-----w C:\Programme\QuickDic
2008-03-03 16:32 21,976 ----a-w C:\Dokumente und Einstellungen\Ludwig\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2007-02-12 17:28 9,051 ----a-w C:\Programme\Readme.txt
2007-02-12 17:28 5,117 ----a-w C:\Programme\License.txt
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:22 15360]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2008-04-14 04:22 1695232]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-09-24 18:22 1916928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-30 22:05 344064]
"ccApp"="C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2008-01-31 12:56 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-31 22:49 100056]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ToADiMon.exe"="C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe" [2007-02-15 11:04 282624]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"UnlockerAssistant"="C:\Programme\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19 15872]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"HP Software Update"="C:\Programme\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Programme\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"Dit"="Dit.exe" [2002-08-28 13:43 73728 C:\WINDOWS\Dit.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DJSNetCN"="C:\Programme\Gemeinsame Dateien\Symantec Shared\DJSNETCN.exe" [2004-09-17 13:10 42648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:22 15360]
"DWQueuedReporting"="C:\PROGRA~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptonet]
2008-06-01 20:44 28672 C:\WINDOWS\system32\cryptonet.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gko37.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Component Manager"="C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="C:\Programme\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 DCDisk;DCDisk;C:\WINDOWS\system32\drivers\DCDisk.sys [2005-09-14 11:25]
R1 SAVRKBootTasks;Boot Tasks Driver;C:\WINDOWS\system32\SAVRKBootTasks.sys [2007-08-14 10:12]
R2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-08-03 17:34]
R3 TSMPacket;DSL-Manager Service;C:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 12:53]
S0 02646;02646;C:\WINDOWS\system32\drivers\02646.SYS []
S0 Gko37;Gko37;C:\WINDOWS\system32\Drivers\Gko37.sys []
S1 95547;95547;C:\WINDOWS\system32\drivers\95547.SYS []
S2 c1548;c1548;C:\WINDOWS\system32\drivers\c1548.SYS []
S3 9554;9554;C:\WINDOWS\system32\9554.sys [2008-07-17 16:17]
S3 exdisk;Express Disk Service;C:\WINDOWS\system32\DRIVERS\exdisk.sys []
S3 jnv4_mib;jnv4_mib;C:\DOKUME~1\Ludwig\LOKALE~1\Temp\jnv4_mib.sys []
S3 MIINPazX;MIINPazX NDIS Protocol Driver;C:\PROGRA~1\GEMEIN~1\MARMIK~1\MInfraIS\MIINPazX.SYS [2006-05-22 06:40]
S3 MTOnlPktAlyX;MTOnlPktAlyX NDIS Protocol Driver;C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis1\MTOnlPktAlyX.SYS [2006-10-09 14:46]
S3 TDslMgrService;DSL-Manager;C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe [2007-08-01 15:36]
S3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 10:54]
.
Inhalt des "geplante Tasks" Ordners
2008-06-20 C:\WINDOWS\Tasks\1-Klick-Wartung.job - C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe [2005-08-24 03:29]
2008-07-27 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Programme\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - Entfernte verwaiste Registrierungseintr„ge - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
SSODL-hxaCzPXz-{30B8AC90-9A12-063A-9536-AE2061F2591A} - (no file)


.
------- Zus„tzlicher Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.ilove.de/dtf/register/validateEmailVpin.do?vpin=2147591219-1002299935
O8 -: &eBay Search - C:\Programme\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 -: &ICQ Toolbar Search - C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 -: Nach Microsoft &Excel exportieren - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: {02CA9974-B6AC-497E-A371-73580432B0F6} - hxxp://wildmatch.com/ChatSource/hVideoContol.cab
C:\WINDOWS\Downloaded Program Files\hVideoContol.inf
C:\Programme\Java\jre1.5.0_11\bin\jpeg.dll
C:\WINDOWS\system32\Unicows.dll
C:\WINDOWS\Downloaded Program Files\EStream7Encoder.dll
C:\WINDOWS\Downloaded Program Files\EStream7Decoder.dll
C:\WINDOWS\Downloaded Program Files\EStream8Decoder.dll
C:\WINDOWS\Downloaded Program Files\EyeStream7.dll
C:\WINDOWS\Downloaded Program Files\GSM.dll
C:\WINDOWS\Downloaded Program Files\MELP.dll
C:\WINDOWS\Downloaded Program Files\MID.ocx
C:\WINDOWS\Downloaded Program Files\SslNetwork.dll
C:\WINDOWS\Downloaded Program Files\CoVideoMessage.ocx
C:\WINDOWS\Downloaded Program Files\VideoMail.ocx
C:\WINDOWS\Downloaded Program Files\ChatRoom.ocx
C:\WINDOWS\Downloaded Program Files\CoVideoWindow.ocx
C:\WINDOWS\Downloaded Program Files\VideoSession.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-27 20:42:20
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

Prozess: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cryptonet.dll

Prozess: C:\WINDOWS\explorer.exe
-> C:\Programme\Unlocker\UnlockerHook.dll
.
------------------------ Weitere, laufende Prozesse ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Programme\Windows Defender\MsMpEng.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPROXY.EXE
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCSETMGR.EXE
C:\Programme\Norton Personal Firewall\ISSVC.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SNDSrvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCEVTMGR.EXE
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Norton AntiVirus\NAVAPSVC.EXE
C:\Programme\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\Programme\Registry Defragmentation\RegManServ.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programme\HP\hpcoretech\comp\hptskmgr.exe
C:\Programme\Norton AntiVirus\SAVSCAN.EXE
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-07-27 22:35:47 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-07-27 20:35:18

Pre-Run: 13 Verzeichnis(se), 14,715,682,816 Bytes frei
Post-Run: 17 Verzeichnis(se), 14,686,056,448 Bytes frei

210 --- E O F --- 2008-07-25 06:59:08

#2 Hallo alfaseele

1.
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten.
in: "Enter search strings" (reinschreiben oder reinkopieren)

Gko37

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

das gleiche mit:
95547
02646
02646
c1548
cryptonet.dll
exdisk
9554.sys
jnv4_mib.sys


_________________________________________________________-

ist für mich:

C:\WINDOWS\system32\exitwx.exe
C:\WINDOWS\system32\cryptonet.dll
C:\WINDOWS\system32\9554.sys
C:\WINDOWS\system32\5bc3.mht


2008-07-27 08:51 . 2004-05-12 11:13 40,960 --a------ C:\WINDOWS\system32\exitwx.exe
2008-07-26 17:08 . 2008-07-26 17:08 120 --a------ C:\drmHeader.bin
2008-07-17 16:17 . 2008-07-17 16:17 2,335,270 --a------ C:\WINDOWS\system32\5bc3.mht
2008-07-17 16:17 . 2008-07-17 16:17 54,624 --a------ C:\WINDOWS\system32\9554.sys
2008-07-14 22:28 . 2008-07-14 22:28 198 --ahs---- C:\WINDOWS\system32\drivers\c1548.DAT
2008-07-14 22:28 . 2008-07-14 22:28 198 --ahs---- C:\WINDOWS\system32\drivers\95547.DAT
2008-07-14 22:28 . 2008-07-14 22:28 198 --ahs---- C:\WINDOWS\system32\drivers\02646.DAT


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptonet]
2008-06-01 20:44 28672 C:\WINDOWS\system32\cryptonet.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gko37.sys]
@="Driver"

S0 Gko37;Gko37;C:\WINDOWS\system32\Drivers\Gko37.sys []
S1 95547;95547;C:\WINDOWS\system32\drivers\95547.SYS []
S2 c1548;c1548;C:\WINDOWS\system32\drivers\c1548.SYS []
S3 9554;9554;C:\WINDOWS\system32\9554.sys [2008-07-17 16:17]
S3 exdisk;Express Disk Service;C:\WINDOWS\system32\DRIVERS\exdisk.sys []
S3 jnv4_mib;jnv4_mib;C:\DOKUME~1\Ludwig\LOKALE~1\Temp\jnv4_mib.sys []
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Oh .... vielen Dank Sabina.

Aber bitte sei mir nicht böse, wenn ich nach all der Prozedur mit regsearch nun vor dem Resultat von "Gko37" stehe und damit (ich meine poste) nichts anfangen kann.
Bitte auch hierzu ein kleine Anleitung, da ich Angst habe etwas falsch zu machen.

Vielen Dank


alfaseele

#4 poste bedeutet, dass du alles, was angezeigt wird abkopieren sollst (hier rein) - text mit der Maus markiren - kopieren - hier im Forum - einfügen

der Rechner ist voller rootkits und der beginn der reinigung ist, dass ich die Registryeinträge (der Rootkits) sehen will.
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Ach so ... vielen Dank nochmals.

Also hier die kopierten Einträge:


Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 28.07.2008 12:31:54 for strings:
; 'gko37'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Gko37.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Gko37.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GKO37]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GKO37\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GKO37\0000]
"Service"="Gko37"
"DeviceDesc"="Gko37"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GKO37\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gko37]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gko37]
"ImagePath"="System32\\Drivers\\Gko37.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gko37\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gko37\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gko37\Enum]
"0"="Root\\LEGACY_GKO37\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Gko37.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\Gko37.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GKO37]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GKO37\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GKO37\0000]
"Service"="Gko37"
"DeviceDesc"="Gko37"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Gko37]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Gko37]
"ImagePath"="System32\\Drivers\\Gko37.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Gko37\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gko37.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Gko37.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GKO37]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GKO37\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GKO37\0000]
"Service"="Gko37"
"DeviceDesc"="Gko37"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GKO37\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gko37]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gko37]
"ImagePath"="System32\\Drivers\\Gko37.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gko37\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gko37\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gko37\Enum]
"0"="Root\\LEGACY_GKO37\\0000"

; End Of The Log...




Na ... dann bin ich jetzt weiter gespannt.


Liebe Grüße


alfaseele

#6 das gleiche mit:
95547
02646
02646
c1548
cryptonet.dll
exdisk
9554.sys
jnv4_mib.sys
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 28.07.2008 17:40:05 for strings:
; '95547'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\95547]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\95547]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\95547.SYS
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,39,00,35,00,35,00,\
34,00,37,00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="95547"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\95547\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\95547]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\95547]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\95547.SYS
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,39,00,35,00,35,00,\
34,00,37,00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="95547"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\95547\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\95547]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\95547]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\95547.SYS
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,39,00,35,00,35,00,\
34,00,37,00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="95547"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\95547\Security]

; End Of The Log...



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 28.07.2008 17:50:37 for strings:
; '02646'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\02646]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\02646]
; Contents of value:
; system32\drivers\02646.SYS
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,30,00,32,00,36,00,34,00,36,00,2e,\
00,53,00,59,00,53,00,00,00
"DisplayName"="02646"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\02646\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\02646]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\02646]
; Contents of value:
; system32\drivers\02646.SYS
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,30,00,32,00,36,00,34,00,36,00,2e,\
00,53,00,59,00,53,00,00,00
"DisplayName"="02646"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\02646\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\02646]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\02646]
; Contents of value:
; system32\drivers\02646.SYS
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,30,00,32,00,36,00,34,00,36,00,2e,\
00,53,00,59,00,53,00,00,00
"DisplayName"="02646"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\02646\Security]

; End Of The Log...



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 28.07.2008 17:53:37 for strings:
; 'c1548'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\50C154874C6F14B48AE0F5068BC7E626]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_C1548]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_C1548\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_C1548\0000]
"Service"="c1548"
"DeviceDesc"="c1548"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_C1548\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c1548]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c1548]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\c1548.SYS
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,31,00,35,00,\
34,00,38,00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="c1548"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c1548\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c1548\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c1548\Enum]
"0"="Root\\LEGACY_C1548\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_C1548]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_C1548\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_C1548\0000]
"Service"="c1548"
"DeviceDesc"="c1548"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\c1548]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\c1548]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\c1548.SYS
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,31,00,35,00,\
34,00,38,00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="c1548"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\c1548\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C1548]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C1548\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C1548\0000]
"Service"="c1548"
"DeviceDesc"="c1548"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C1548\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c1548]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c1548]
; Contents of value:
; \??\C:\WINDOWS\system32\drivers\c1548.SYS
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,64,00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,63,00,31,00,35,00,\
34,00,38,00,2e,00,53,00,59,00,53,00,00,00
"DisplayName"="c1548"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c1548\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c1548\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c1548\Enum]
"0"="Root\\LEGACY_C1548\\0000"

; End Of The Log...




Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 28.07.2008 17:57:29 for strings:
; 'cryptonet.dll'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptonet]
"DllName"="cryptonet.dll"

; End Of The Log...



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 28.07.2008 17:59:51 for strings:
; 'exdisk'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{19A0A4FD-8479-42D9-8B4F-E2A2F0F89B3E}]
"Class"="RitExDisk"
@="RitExDisk"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exdisk]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exdisk]
; Contents of value:
; system32\DRIVERS\exdisk.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,64,00,69,00,73,00,6b,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exdisk\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\exdisk\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{19A0A4FD-8479-42D9-8B4F-E2A2F0F89B3E}]
"Class"="RitExDisk"
@="RitExDisk"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\exdisk]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\exdisk]
; Contents of value:
; system32\DRIVERS\exdisk.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,64,00,69,00,73,00,6b,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\exdisk\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\exdisk\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{19A0A4FD-8479-42D9-8B4F-E2A2F0F89B3E}]
"Class"="RitExDisk"
@="RitExDisk"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exdisk]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exdisk]
; Contents of value:
; system32\DRIVERS\exdisk.sys
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,65,00,78,00,64,00,69,00,73,00,6b,\
00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exdisk\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exdisk\Security]

; End Of The Log...



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 28.07.2008 18:02:09 for strings:
; '9554.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\9554]
; Contents of value:
; \??\C:\WINDOWS\system32\9554.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,39,00,35,00,35,00,34,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\9554]
; Contents of value:
; \??\C:\WINDOWS\system32\9554.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,39,00,35,00,35,00,34,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9554]
; Contents of value:
; \??\C:\WINDOWS\system32\9554.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
44,00,4f,00,57,00,53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
00,5c,00,39,00,35,00,35,00,34,00,2e,00,73,00,79,00,73,00,00,00

; End Of The Log...



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 28.07.2008 18:04:30 for strings:
; 'jnv4_mib.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jnv4_mib]
; Contents of value:
; \??\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\jnv4_mib.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,4b,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,4c,00,75,00,64,00,77,00,69,00,67,00,5c,\
00,4c,00,4f,00,4b,00,41,00,4c,00,45,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,\
70,00,5c,00,6a,00,6e,00,76,00,34,00,5f,00,6d,00,69,00,62,00,2e,00,73,00,79,\
00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\jnv4_mib]
; Contents of value:
; \??\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\jnv4_mib.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,4b,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,4c,00,75,00,64,00,77,00,69,00,67,00,5c,\
00,4c,00,4f,00,4b,00,41,00,4c,00,45,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,\
70,00,5c,00,6a,00,6e,00,76,00,34,00,5f,00,6d,00,69,00,62,00,2e,00,73,00,79,\
00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jnv4_mib]
; Contents of value:
; \??\C:\DOKUME~1\Ludwig\LOKALE~1\Temp\jnv4_mib.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,4b,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,4c,00,75,00,64,00,77,00,69,00,67,00,5c,\
00,4c,00,4f,00,4b,00,41,00,4c,00,45,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,\
70,00,5c,00,6a,00,6e,00,76,00,34,00,5f,00,6d,00,69,00,62,00,2e,00,73,00,79,\
00,73,00,00,00

; End Of The Log...




Vielen Dank Sabina


alfaseele xxxoxxx

#8 ««

Avenger
http://virus-protect.org/artikel/tools/avenger.html

-setze ein Häkchen in: "Automatically disable any rootkits found"
-Das Häkchen "Scan for Rootkits" sollte angehakt sein.

kopiere in das weisse Feld: (Zitat nicht mit reinkopieren)

Zitat

Drivers to disable:
Gko37
95547
c1548
9554
Drivers to delete:
Gko37
95547
c1548
9554
Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Gko37.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Gko37.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GKO37
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gko37
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Gko37.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\Gko37.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GKO37
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Gko37
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gko37.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Gko37.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GKO37
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gko37
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\95547
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\95547
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\95547
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\02646
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\02646
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\02646
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_C1548
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c1548
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_C1548
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\c1548
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C1548
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c1548
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\9554
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\9554
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9554
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jnv4_mib
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\jnv4_mib
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jnv4_mib
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptonet
Files to delete:
C:\WINDOWS\system32\exitwx.exe
C:\WINDOWS\system32\cryptonet.dll
C:\WINDOWS\system32\9554.sys
C:\WINDOWS\system32\5bc3.mht
C:\WINDOWS\system32\drivers\c1548.SYS
C:\WINDOWS\system32\drivers\c1548.DAT
C:\WINDOWS\system32\drivers\95547.SYS
C:\WINDOWS\system32\drivers\95547.DAT
C:\WINDOWS\system32\drivers\02646.SYS
C:\WINDOWS\system32\drivers\02646.DAT
C:\WINDOWS\system32\drivers\Gko37.sys

schliesse alle offenen Programme (denn nach Anwendung des Avengers wird der Rechner neustarten)

Klicke: Execute

bestätige, dass der Rechner neu gestartet wird - klicke "yes"

nach dem Neustart erscheint automatisch ein Log vom Avenger - (C:\avenger.txt), kopiere es ab - mit rechtem Mausklick - kopieren - einfügen

++
poste bitte ein neues log von Combofix




«
__________
MfG Sabina

rund um die PC-Sicherheit

#9 Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "Gko37" disabled successfully.
Driver "95547" disabled successfully.
Driver "c1548" disabled successfully.
Driver "9554" disabled successfully.
Driver "Gko37" deleted successfully.
Driver "95547" deleted successfully.
Driver "c1548" deleted successfully.
Driver "9554" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Gko37.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Gko37.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GKO37" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gko37" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Gko37" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\Gko37.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\Gko37.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GKO37" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Gko37" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gko37.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gko37.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Gko37.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Gko37.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GKO37" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GKO37" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gko37" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Gko37" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\95547" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\95547" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\95547" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\95547" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\95547" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\02646" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\02646" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\02646" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\02646" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_C1548" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c1548" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\c1548" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_C1548" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\c1548" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C1548" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_C1548" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c1548" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\c1548" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\9554" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\9554" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\9554" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9554" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\9554" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jnv4_mib" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\jnv4_mib" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jnv4_mib" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jnv4_mib" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\exitwx.exe" deleted successfully.
File "C:\WINDOWS\system32\cryptonet.dll" deleted successfully.
File "C:\WINDOWS\system32\9554.sys" deleted successfully.
File "C:\WINDOWS\system32\5bc3.mht" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\c1548.SYS" not found!
Deletion of file "C:\WINDOWS\system32\drivers\c1548.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\c1548.DAT" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\95547.SYS" not found!
Deletion of file "C:\WINDOWS\system32\drivers\95547.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\95547.DAT" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\02646.SYS" not found!
Deletion of file "C:\WINDOWS\system32\drivers\02646.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\drivers\02646.DAT" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\Gko37.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\Gko37.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptonet" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.









ComboFix 08-07-27.1 - Ludwig 2008-07-29 7:29:31.2 - NTFSx86
ausgeführt von:: D:\Dokumente und Einstellungen\Ludwig\Eigene Dateien\Exe-Dateien\ComboFix\ComboFix.exe

[color=red]Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !![/color]
.

((((((((((((((((((((((( Dateien erstellt von 2008-06-28 bis 2008-07-29 ))))))))))))))))))))))))))))))
.

2008-07-28 12:28 . 2008-07-28 18:06 <DIR> d-------- C:\Programme\Regsearch
2008-07-27 12:34 . 2008-07-27 12:34 <DIR> d-------- C:\Dokumente und Einstellungen\Ludwig\Anwendungsdaten\Malwarebytes
2008-07-27 12:34 . 2008-07-27 12:34 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-07-27 12:34 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-27 12:34 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-27 12:33 . 2008-07-27 12:34 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-07-26 17:08 . 2008-07-26 17:08 120 --a------ C:\drmHeader.bin
2008-07-14 20:43 . 2008-07-14 20:43 <DIR> d-------- C:\Programme\VS Revo Group
2008-07-14 20:39 . 2008-07-14 20:41 <DIR> d-------- C:\Programme\McafeeRootkit
2008-07-14 19:00 . 2008-07-14 19:00 <DIR> d-------- C:\WINDOWS\system32\de-de
2008-07-14 19:00 . 2008-07-14 19:00 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-14 18:59 . 2008-07-14 18:59 <DIR> d-------- C:\WINDOWS\system32\de
2008-07-14 18:59 . 2008-07-14 18:59 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-14 18:54 . 2008-07-14 19:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-14 18:10 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-07-14 18:10 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-07-14 18:10 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-07-14 18:10 . 2004-07-17 22:55 129,045 --------- C:\WINDOWS\system32\drivers\cxthsfs2.cty
2008-07-14 18:10 . 2004-08-03 22:41 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-07-14 16:05 . 2008-07-14 16:05 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-07-08 18:32 . 2008-07-08 18:32 <DIR> d-------- C:\WINDOWS\system32\repository
2008-07-03 16:13 . 2008-07-03 16:13 <DIR> d-------- C:\Programme\Lavasoft
2008-07-02 07:37 . 2008-07-09 23:04 216 --a------ C:\WINDOWS\system32\MRT.INI
2008-07-01 20:07 . 2008-06-14 19:32 273,024 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-01 20:07 . 2008-06-14 19:32 273,024 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-01 20:06 . 2008-05-08 16:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-28 10:28 --------- d-----w C:\Programme\FarStone
2008-07-27 20:41 --------- d-----w C:\Programme\Gemeinsame Dateien\Symantec Shared
2008-07-27 06:55 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\RestoreIT
2008-07-26 14:02 --------- d-----w C:\Programme\DivX
2008-07-17 15:20 --------- d-----w C:\Programme\Norton Personal Firewall
2008-07-17 03:12 --------- d-----w C:\Programme\Coolspot
2008-07-17 03:04 --------- d-----w C:\Programme\Gemeinsame Dateien\LightScribe
2008-07-14 15:19 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-07-03 14:11 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-07-01 19:47 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-06-20 17:46 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-16 14:48 --------- d-----w C:\Programme\QuickDic
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-09 10:54 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:54 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:54 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:54 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:10 1,293,824 ----a-w C:\WINDOWS\system32\quartz.dll
2008-03-03 16:32 21,976 ----a-w C:\Dokumente und Einstellungen\Ludwig\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2007-02-12 17:28 9,051 ----a-w C:\Programme\Readme.txt
2007-02-12 17:28 5,117 ----a-w C:\Programme\License.txt
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:22 15360]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2008-04-14 04:22 1695232]
"NBJ"="C:\Programme\Ahead\Nero BackItUp\NBJ.exe" [2004-09-24 18:22 1916928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-30 22:05 344064]
"ccApp"="C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2008-01-31 12:56 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-05-31 22:49 100056]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ToADiMon.exe"="C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis1\ToADiMon.exe" [2007-02-15 11:04 282624]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"UnlockerAssistant"="C:\Programme\Unlocker\UnlockerAssistant.exe" [2006-09-07 19:19 15872]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"HP Software Update"="C:\Programme\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Programme\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"Dit"="Dit.exe" [2002-08-28 13:43 73728 C:\WINDOWS\Dit.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"DJSNetCN"="C:\Programme\Gemeinsame Dateien\Symantec Shared\DJSNETCN.exe" [2004-09-17 13:10 42648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:22 15360]
"DWQueuedReporting"="C:\PROGRA~1\GEMEIN~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Component Manager"="C:\Programme\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"="C:\Programme\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 exdisk;Express Disk Service;C:\WINDOWS\system32\DRIVERS\exdisk.sys []
R3 MIINPazX;MIINPazX NDIS Protocol Driver;C:\PROGRA~1\GEMEIN~1\MARMIK~1\MInfraIS\MIINPazX.SYS [2006-05-22 06:40]
R3 MTOnlPktAlyX;MTOnlPktAlyX NDIS Protocol Driver;C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis1\MTOnlPktAlyX.SYS [2006-10-09 14:46]
R3 TDslMgrService;DSL-Manager;C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe [2007-08-01 15:36]
R3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 10:54]
S1 DCDisk;DCDisk;C:\WINDOWS\system32\DRIVERS\DCDisk.syS [2005-09-14 11:25]
S1 SAVRKBootTasks;Boot Tasks Driver;C:\WINDOWS\system32\SAVRKBootTasks.sys [2007-08-14 10:12]
S2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-08-03 17:34]
S3 TSMPacket;DSL-Manager Service;C:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 12:53]

.
Inhalt des "geplante Tasks" Ordners
2008-06-20 C:\WINDOWS\Tasks\1-Klick-Wartung.job - C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe [2005-08-24 03:29]
2008-07-29 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Programme\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
2008-06-28 C:\WINDOWS\Tasks\Norton AntiVirus - Meinen Computer prüfen - Ludwig.job - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Norton AntiVirus\Tasks\mycomp.sca"???Ludwig?CDies ist eine Task f?r eine geplante Pr?fung von Norton AntiVirus.??? []
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

Notify-cryptonet - (no file)


.
------- Zusätzlicher Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.ilove.de/dtf/register/validateEmailVpin.do?vpin=2147591219-1002299935
O8 -: &eBay Search - C:\Programme\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 -: &ICQ Toolbar Search - C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 -: Nach Microsoft &Excel exportieren - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 -: {02CA9974-B6AC-497E-A371-73580432B0F6} - hxxp://wildmatch.com/ChatSource/hVideoContol.cab
C:\WINDOWS\Downloaded Program Files\hVideoContol.inf
C:\Programme\Java\jre1.5.0_11\bin\jpeg.dll
C:\WINDOWS\system32\Unicows.dll
C:\WINDOWS\Downloaded Program Files\EStream7Encoder.dll
C:\WINDOWS\Downloaded Program Files\EStream7Decoder.dll
C:\WINDOWS\Downloaded Program Files\EStream8Decoder.dll
C:\WINDOWS\Downloaded Program Files\EyeStream7.dll
C:\WINDOWS\Downloaded Program Files\GSM.dll
C:\WINDOWS\Downloaded Program Files\MELP.dll
C:\WINDOWS\Downloaded Program Files\MID.ocx
C:\WINDOWS\Downloaded Program Files\SslNetwork.dll
C:\WINDOWS\Downloaded Program Files\CoVideoMessage.ocx
C:\WINDOWS\Downloaded Program Files\VideoMail.ocx
C:\WINDOWS\Downloaded Program Files\ChatRoom.ocx
C:\WINDOWS\Downloaded Program Files\CoVideoWindow.ocx
C:\WINDOWS\Downloaded Program Files\VideoSession.ocx


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 07:36:05
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-07-29 7:41:23
ComboFix-quarantined-files.txt 2008-07-29 05:40:54
ComboFix2.txt 2008-07-27 20:35:49

Pre-Run: 14 Verzeichnis(se), 14,551,552,000 Bytes frei
Post-Run: 18 Verzeichnis(se), 14,551,277,568 Bytes frei

171 --- E O F --- 2008-07-25 06:59:08

#10 Hallo,alfaseele

das sieht schon mal viel besser aus

««
sdfix
http://virus-protect.org/artikel/tools/sdfix.html
unter C:\ findet man nun den SDFix-Ordner

boote in den abgesicherten Modus (die Taste F8 drücken, während der Rechner neustartet)

gehe in den Ordner C:\SDFix

RunThis.bat doppelt klicken
folge allen Anweisungen, während gescannt wird - dann wird der Rechner neustarten
kopiere mit der rechten Maustaste den Text ab, der erscheint - und in den Beitrag
-----------

««
sdfix
im normalmodus
RunThis.bat doppelt klicken
reinschreiben: 3

3 : wird Sophos geladen

wähle Option 6 (scannen) + poste hier den report - "SophosReport.txt" (im SDFix-Ordner)
__________
MfG Sabina

rund um die PC-Sicherheit

#11 Abgesicherter Modus

SDFix: Version 1.209
Run by Ludwig on 29.07.2008 at 11:04

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 11:38:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM]
"Start"=dword:b148858f
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000004d
"TracesSuccessful"=dword:00000013

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Mon 14 Apr 2008 93,184 A.SH. --- "C:\Programme\Internet Explorer\iexplore.exe"
Mon 14 Apr 2008 60,416 A.SH. --- "C:\Programme\Outlook Express\msimn.exe"
Sun 18 Mar 2007 5,355,320 A..H. --- "C:\Programme\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Sun 20 Nov 2005 4,348 ..SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"

Finished!



Normaler Modus


Sophos startet nicht.
Mögliche Ursache: Norton Antivirus machte eine Meldung auf und ich habe
"immer blockieren" ausgewählt. Scheint die Ursache zu sein.

Sorry


alfaseele

#12 dann mach erst mal den Norton aus...(deaktivieren)
sonst kann sophos nicht geladen werden....
__________
MfG Sabina

rund um die PC-Sicherheit

#13 Sophos Normaler Modus

Sophos Anti-Virus

Full Scanning

Could not open C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcrst.dll
>>> Virus 'Mal/EncPk-EC' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1401\A0263003.exe
Removal successful
>>> Virus 'Mal/TibsPak' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1409\A0263396.exe
Removal successful
>>> Virus 'Troj/Pushu-Gen' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1415\A0263702.sys
Removal successful
>>> Virus 'Mal/TibsPak' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1415\A0263703.exe
Removal successful
>>> Virus 'Troj/Pushu-Gen' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1415\A0264701.sys
Removal successful
>>> Virus 'Troj/Pushu-Gen' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1418\A0264916.sys
Removal successful
>>> Virus 'Troj/Pushu-Gen' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1419\A0264973.sys
Removal successful
>>> Virus 'Troj/Pushu-Gen' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1419\A0265018.sys
Removal successful
>>> Virus 'Mal/TibsPak' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1420\A0265088.exe
Removal successful
>>> Virus 'Troj/Pushu-Gen' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1432\A0265624.sys
Removal successful
>>> Virus 'Troj/FakeAV-AQ' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1437\A0266714.exe
Removal successful
>>> Virus 'Troj/FakeAV-AQ' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1438\A0267712.exe
Removal successful
>>> Virus 'Mal/TibsPk-D' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1439\A0267723.exe
Removal successful
>>> Virus 'Troj/FakeAV-AQ' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1440\A0268737.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1442\A0270747.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1442\A0270769.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1442\A0271048.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1442\A0271375.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1442\A0271960.dll
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1442\A0272001.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1442\A0272030.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1442\A0272038.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1442\A0272152.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1442\A0272227.exe
Removal successful
>>> Virus 'Troj/FakeAV-AQ' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1449\A0272795.exe
Removal successful
>>> Virus 'Mal/Generic-A' found in file C:\System Volume Information\_restore{0815D400-5F54-4A05-BD67-A6CCCB7B235D}\RP1456\A0273580.dll
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\WINDOWS\$NtServicePackUninstall$\services.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
Removal successful
>>> Virus 'W32/Liger-A' found in file C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
Removal successful

3 boot sectors swept.
50682 files swept in 1 hour, 23 minutes and 41 seconds.
1 error was encountered.
32 viruses were discovered.
32 files out of 50682 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
Ending Sophos Anti-Virus.

#14 Hallo,alfaseele

mal sehen, ob norman noch was findet:
im Normalmodus
RunThis.bat doppelt klicken
2 : wird Norman geladen

Wenn man mit Norman von SDFix scant steht auf dem Desktop das Log
"NFix_datum_nummer"
"NFix_2008-04-27_21-49-53"
poste das log
__________
MfG Sabina

rund um die PC-Sicherheit

#15 Norman Malware Cleaner
Copyright © 1990 - 2008, Norman ASA. Built 2008/07/17 18:58:30

Norman Scanner Engine Version: 5.93.01
Nvcbin.def Version: 5.93.00, Date: 2008/07/17 18:58:30, Variants: 1892446

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 3
Logged on user: C3PO\Ludwig


Scan started: 29/07/2008 15:39:57


Scanning running processes and process memory...

Number of processes/threads found: 2664
Number of processes/threads scanned: 2664
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 2m 2s


Scanning file system...

Scanning: C:\*.*

C:\System Volume Information\_RESTO~1\RP1429\A0265541.exe (Infected with W32/Zbot.AFN)
Deleted file

Scanning: D:\*.*

D:\6.11\Eigene Dateien\ICQ Lite\261871623\Lovre_201482121\Counter-Strike Condition Zero Crack + CD-Key.Serial. + Patch(1).zip/Counter-Strike Condition Zero Crack + CD-Key.Serial. + Patch.rar/CRACK.exe (Error whilst scanning file: I/O Error)

D:\6.11\ICQ Lite\261871623\Lovre_201482121\Counter-Strike Condition Zero Crack + CD-Key.Serial. + Patch(1).zip/Counter-Strike Condition Zero Crack + CD-Key.Serial. + Patch.rar/CRACK.exe (Error whilst scanning file: I/O Error)

D:\Dokumente und Einstellungen\Ludwig\Eigene Dateien\Exe-Dateien\WurmVirusKiller-avast\aswclnr210.exe (Infected with NetworkWorm.VO)
Deleted file

D:\Downloads\Ad-Aware.SE.Professional.1.06R1 Languagepack.by.eddi88.rar/CMT (Error whilst scanning file: I/O Error)

D:\System Volume Information\_R3116~1\RP1457\A0273715.exe (Infected with NetworkWorm.VO)
Deleted file

Scanning: E:\*.*

Scanning: c:\System Volume Information\*.*

Scanning: d:\System Volume Information\*.*


Running post-scan cleanup routine:

Number of files found: 388974
Number of archives unpacked: 4343
Number of files scanned: 388945
Number of files not scanned: 29
Number of files skipped due to exclude list: 0
Number of infected files found: 3
Number of infected files repaired/deleted: 3
Number of infections removed: 3
Total scanning time: 2h 14m 58s