Do I have a rootkit???

#0
18.08.2008, 16:33
Member
Posts: 29
18.08.2008, 23:07
Honorary member
Posts: 29434
#2
Hello MaxPeter,

yes, there is something to see.... «« http://virus-protect.org/artikel/tools/mbr.html

Copy the following text into Notepad (Start - Accessories - Notepad) and save it with 'Save as' on the desktop as fix.bat. Set the file type to 'All files'. You should now find this file on the desktop:

mbr.exe -f

Double-click fix.bat. A log is created (mbr.log); post its contents. (Note: the path to mbr must be the same, so make sure that mbr is also saved on the desktop.)

-----------------------------------------------------------------

sdfix
http://virus-protect.org/artikel/tools/sdfix.html

You will now find the SDFix folder under C:\.
Boot into safe mode (press the F8 key while the computer is restarting).
Go to the folder C:\SDFix and double-click RunThis.bat.
Follow all instructions while the scan runs; afterwards the computer will restart.
Copy the text that appears using the right mouse button and paste it into your post.

__________
Best regards, Sabina
all about PC security
19.08.2008, 16:09
Member
Thread starter, Posts: 29
#3
Hello, I hope this is right; thank you for being willing to help me.
Regards, MaxPeter

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x132c4977 size 0x1e4 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

SDFix: Version 1.218
Run by Frank on 19.08.2008 at 16:22
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Dokumente und Einstellungen\Frank\Desktop\SDFix\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll - Deleted
C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\wsnpoem\audio.dll - Deleted

[color=red]Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the [url=http://www2.gmer.net/mbr/mbr.exe]MBR Rootkit Detector[/url] by Gmer[/color]

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$

Folder C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 16:28:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:7e,96,56,85,7b,2e,67,08,c4,31,de,27,39,62,7c,ea,bb,39,e0,d6,70,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:7e,96,56,85,7b,2e,67,08,c4,31,de,27,39,62,7c,ea,bb,39,e0,d6,70,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:7e,96,56,85,7b,2e,67,08,c4,31,de,27,39,62,7c,ea,bb,39,e0,d6,70,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\IncrediMail\\bin\\IMApp.exe"="C:\\Programme\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Programme\\IncrediMail\\bin\\IncMail.exe"="C:\\Programme\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Programme\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Programme\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Programme\\IncrediMail\\bin\\ImLc.exe"="C:\\Programme\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"
"C:\\Programme\\IncrediMail\\bin\\ImPackr.exe"="C:\\Programme\\IncrediMail\\bin\\ImPackr.exe:*:Enabled:IncrediMail"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Programme\\Gemeinsame Dateien\\Acronis\\Agent\\agent.exe"="C:\\Programme\\Gemeinsame Dateien\\Acronis\\Agent\\agent.exe:*:Enabled:Acronis Remote Agent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programme\\iTunes\\iTunes.exe"="C:\\Programme\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Programme\\ICQ6\\ICQ.exe"="C:\\Programme\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Programme\\Yahoo!\\Messenger\\YServer.exe"="C:\\Programme\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Programme\\FlashFXP\\FlashFXP.exe"="C:\\Programme\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\\Programme\\uTorrent\\uTorrent.exe"="C:\\Programme\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Programme\\MSN Messenger\\msncall.exe"="C:\\Programme\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programme\\FlashFXP\\FlashFXP.exe"="C:\\Programme\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\DOKUME~1\Frank\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 8 Aug 2008 294 A.SHR --- "C:\BOOT.BAK"
Sat 3 Nov 2007 48 ..SH. --- "C:\WINDOWS\SE258FE47.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Sat 30 Dec 2006 4,348 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Mon 31 Mar 2008 32,256 ...H. --- "C:\Dokumente und Einstellungen\Frank\Desktop\Links frs FSB Forum\~WRL1421.tmp"
Sat 29 Mar 2008 31,232 ...H. --- "C:\Dokumente und Einstellungen\Frank\Desktop\Links frs FSB Forum\~WRL3117.tmp"
Fri 11 Apr 2008 20,480 ...H. --- "C:\Dokumente und Einstellungen\Frank\Desktop\Links frs FSB Forum\~WRL4081.tmp"
Thu 14 Aug 2008 740,866 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\08d6fba5d6b92029ac42ab96ea81e9c9\BIT1F.tmp"
Thu 14 Aug 2008 2,484,827 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\20bd78b878862fca3885f5c330d745cf\BIT18.tmp"
Thu 14 Aug 2008 824,872 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3017ad0bed1c28cb85a5d0764459f43e\BIT1A.tmp"
Thu 14 Aug 2008 8,943,656 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7d478d7ebdca397b4337dfdfe8145c43\BIT1B.tmp"
Thu 14 Aug 2008 535,080 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8c3fdaa85345572f18cf5263dc74df9c\BIT22.tmp"
Thu 14 Aug 2008 507,432 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\965d5918c5c1c8b0ce0e2f7b47cf4e28\BIT21.tmp"
Thu 14 Aug 2008 2,790,952 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b88b4cc0c1c17df4c72d146c77358b85\BIT16.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ccba472a05828aa2a3ee32c96c6466ca\BIT109.tmp"
Fri 8 Feb 2008 576,512 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Vorlagen\~WRL0031.tmp"
Sat 15 Dec 2007 536,064 A..H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Vorlagen\~WRL1550.tmp"
Sat 7 Jul 2007 369,664 A..H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Vorlagen\~WRL3306.tmp"
Fri 27 Jun 2008 667,136 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Vorlagen\~WRL3348.tmp"
Sun 8 Apr 2007 308,736 A..H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL0005.tmp"
Fri 20 Apr 2007 315,392 A..H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL0159.tmp"
Mon 28 Jan 2008 575,488 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL0318.tmp"
Sun 20 Jan 2008 573,952 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL0489.tmp"
Sun 13 Apr 2008 602,624 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL0818.tmp"
Wed 28 May 2008 641,536 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL1096.tmp"
Thu 17 Apr 2008 603,648 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL1452.tmp"
Mon 14 Apr 2008 603,136 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL1514.tmp"
Sun 27 Apr 2008 605,696 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL1956.tmp"
Wed 23 Jan 2008 576,000 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL2081.tmp"
Sat 10 May 2008 610,816 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL2209.tmp"
Tue 22 Jan 2008 575,488 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL3620.tmp"
Sat 31 May 2008 644,608 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL3762.tmp"
Mon 21 Jan 2008 574,464 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL3779.tmp"
Sat 7 Jun 2008 647,168 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL3865.tmp"
Thu 14 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c343d169e833b4e7742252b302eea1d7\download\BIT93.tmp"
Thu 14 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f14fd8e5430c9159611462b685a23f24\download\BITE3.tmp"

Finished!

This post was edited on 19.08.2008 at 16:43 by MaxPeter.
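The mbr.exe output in this post reports two facts a defender can verify independently on an offline disk image: the code in sector 0 no longer matches the original MBR, while an intact copy of the original MBR sits in sector 62. The script below is an added example, written for this page; it is neither from the thread nor from Gmer's tool. It builds a constructed 63-sector image with that layout (the partition entry and the byte patterns used as boot code are made up for the demonstration) and checks whether sector 0 has been replaced while the partition table was preserved.

```python
"""Compare the live MBR (sector 0) with a backup copy at a later sector.

Added example, not part of the forum thread and not Gmer's code. It models the
layout the mbr.exe log above describes on a constructed raw disk image.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"           # MBR boot signature at offset 510


def read_sector(image: bytes, lba: int) -> bytes:
    """Return one 512-byte sector from a raw image; reject reads past its end."""
    start = lba * SECTOR
    sector = image[start:start + SECTOR]
    if len(sector) != SECTOR:
        raise ValueError(f"sector {lba} is outside the image")
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot code, disk signature, partition table and boot signature."""
    return {
        "boot_code": sector[:440],                     # executable code area
        "disk_id": sector[440:446],                    # Windows disk signature + 2 reserved bytes
        "partitions": [sector[446 + 16 * i:446 + 16 * (i + 1)] for i in range(4)],
        "signature": sector[510:512],
    }


def compare_mbr_with_backup(image: bytes, backup_lba: int = 62) -> dict:
    """Check whether sector 0 looks like a replaced MBR whose original survives at backup_lba."""
    live = parse_mbr(read_sector(image, 0))
    backup = parse_mbr(read_sector(image, backup_lba))
    findings = {
        "live_signature_ok": live["signature"] == BOOT_SIG,
        "backup_signature_ok": backup["signature"] == BOOT_SIG,
        "partition_table_identical": live["partitions"] == backup["partitions"],
        "boot_code_identical": live["boot_code"] == backup["boot_code"],
    }
    # The pattern from the log: a valid MBR copy in sector 62 with the same partition
    # table as sector 0, but different boot code -> the live boot code was swapped
    # while the partition layout was kept so the system still boots normally.
    findings["mbr_replaced"] = (
        findings["live_signature_ok"]
        and findings["backup_signature_ok"]
        and findings["partition_table_identical"]
        and not findings["boot_code_identical"]
    )
    return findings


def build_partition_entry(bootable: bool, ptype: int, start_lba: int, sectors: int) -> bytes:
    """Build one 16-byte MBR partition entry (CHS fields left zero)."""
    status = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", start_lba, sectors)


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from code bytes and up to four partition entries."""
    code = boot_code.ljust(440, b"\x00")[:440]
    table = b"".join(partitions).ljust(64, b"\x00")
    return code + b"\x00" * 6 + table + BOOT_SIG


def build_sample_image(tampered: bool) -> bytes:
    """Constructed 63-sector image (sample data, not a real disk).

    The 'original' boot code and the 'replacement' code are arbitrary filler bytes;
    only the relationship between sector 0 and sector 62 matters here.
    """
    parts = [build_partition_entry(True, 0x07, 63, 20_000_000)]
    original = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100, parts)
    replacement = build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 200, parts)
    sector0 = replacement if tampered else original
    # Sectors 1..61 are unused filler; sector 62 carries the copy of the original MBR.
    return b"".join([sector0] + [b"\x00" * SECTOR] * 61 + [original])


if __name__ == "__main__":
    for flag in (True, False):
        print("tampered" if flag else "clean", compare_mbr_with_backup(build_sample_image(flag)))
```

Run the check against an image taken while the suspect disk is not booted: the log's separate "user" and "kernel" MBR reads exist because a driver that filters disk I/O can return the original sector 0 to user-mode readers on the live system, and a comparison done there may see nothing wrong.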
19.08.2008, 17:16
Honorary member
Posts: 29434
#4
««
otmoveIt
http://virus-protect.org/artikel/tools/otmoveIt.html

Download OTMoveIt to the desktop.
Open OTMoveIt.exe.
Copy the following into the left window, where it says: Paste List of Files/Folders to Move

[kill explorer]

Click the red MoveIt!

--------------------------------------

Avenger
http://virus-protect.org/artikel/tools/avenger.html

Tick only: "Automatically disable any rootkits found"
The "Scan for Rootkits" checkbox should be ticked.
Copy into the white field:

Files to delete:

Close all open programs (because the computer will restart after running the Avenger).
Click: Execute
Confirm that the computer will be restarted - click "yes"

-----------

«« Download mbr.exe to c:\
http://www2.gmer.net/mbr/mbr.exe
See: http://virus-protect.org/artikel/tools/mbr.html

Copy the following text into Notepad (Start - Accessories - Notepad) and save it with 'Save as' to C:\ as fix.bat. Set the file type to 'All files'. You should now find this file in c:\:

mbr.exe -f

Double-click fix.bat.

------------

Run sdfix once more (in safe mode) and post the report here ««

__________
Best regards, Sabina
all about PC security
19.08.2008, 17:44
Member
Thread starter, Posts: 29
#5
Explorer killed successfully

< EmptyTemp >
File delete failed. C:\DOKUME~1\Frank\LOKALE~1\Temp\etilqs_Djz4JXtr2cl4buxXfKYH scheduled to be deleted on reboot.
File delete failed. C:\DOKUME~1\Frank\LOKALE~1\Temp\Perflib_Perfdata_a2c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\bca4e2da.$$$ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\fa56d7ec.$$$ scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JET16D.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JET209.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JET47A.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\JET601.tmp scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.

< purity >

Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08192008_173149

Files moved on Reboot...
File C:\DOKUME~1\Frank\LOKALE~1\Temp\etilqs_Djz4JXtr2cl4buxXfKYH not found!
File C:\DOKUME~1\Frank\LOKALE~1\Temp\Perflib_Perfdata_a2c.dat not found!
File move failed. C:\WINDOWS\temp\bca4e2da.$$$ scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\fa56d7ec.$$$ scheduled to be moved on reboot.
C:\WINDOWS\temp\JET16D.tmp moved successfully.
C:\WINDOWS\temp\JET209.tmp moved successfully.
C:\WINDOWS\temp\JET47A.tmp moved successfully.
C:\WINDOWS\temp\JET601.tmp moved successfully.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\Temp\bca4e2da.$$$" deleted successfully.
File "C:\WINDOWS\Temp\fa56d7ec.$$$" deleted successfully.
Folder "C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

So, that was the latest set of instructions up to now.

SDFix: Version 1.218
Run by Frank on 19.08.2008 at 18:14
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Dokumente und Einstellungen\Frank\Desktop\SDFix\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

[color=red]Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the [url=http://www2.gmer.net/mbr/mbr.exe]MBR Rootkit Detector[/url] by Gmer[/color]

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 18:20:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:7e,96,56,85,7b,2e,67,08,c4,31,de,27,39,62,7c,ea,bb,39,e0,d6,70,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:7e,96,56,85,7b,2e,67,08,c4,31,de,27,39,62,7c,ea,bb,39,e0,d6,70,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:7e,96,56,85,7b,2e,67,08,c4,31,de,27,39,62,7c,ea,bb,39,e0,d6,70,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\IncrediMail\\bin\\IMApp.exe"="C:\\Programme\\IncrediMail\\bin\\IMApp.exe:*:Enabled:IncrediMail"
"C:\\Programme\\IncrediMail\\bin\\IncMail.exe"="C:\\Programme\\IncrediMail\\bin\\IncMail.exe:*:Enabled:IncrediMail"
"C:\\Programme\\IncrediMail\\bin\\ImpCnt.exe"="C:\\Programme\\IncrediMail\\bin\\ImpCnt.exe:*:Enabled:IncrediMail"
"C:\\Programme\\IncrediMail\\bin\\ImLc.exe"="C:\\Programme\\IncrediMail\\bin\\ImLc.exe:*:Enabled:IncrediMail"
"C:\\Programme\\IncrediMail\\bin\\ImPackr.exe"="C:\\Programme\\IncrediMail\\bin\\ImPackr.exe:*:Enabled:IncrediMail"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"C:\\Programme\\Gemeinsame Dateien\\Acronis\\Agent\\agent.exe"="C:\\Programme\\Gemeinsame Dateien\\Acronis\\Agent\\agent.exe:*:Enabled:Acronis Remote Agent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programme\\iTunes\\iTunes.exe"="C:\\Programme\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Programme\\ICQ6\\ICQ.exe"="C:\\Programme\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Programme\\Yahoo!\\Messenger\\YServer.exe"="C:\\Programme\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Programme\\FlashFXP\\FlashFXP.exe"="C:\\Programme\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"C:\\Programme\\uTorrent\\uTorrent.exe"="C:\\Programme\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Programme\\MSN Messenger\\msncall.exe"="C:\\Programme\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programme\\FlashFXP\\FlashFXP.exe"="C:\\Programme\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\DOKUME~1\Frank\Desktop\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 8 Aug 2008 294 A.SHR --- "C:\BOOT.BAK"
Sat 3 Nov 2007 48 ..SH. --- "C:\WINDOWS\SE258FE47.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
Sat 30 Dec 2006 4,348 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Mon 31 Mar 2008 32,256 ...H. --- "C:\Dokumente und Einstellungen\Frank\Desktop\Links frs FSB Forum\~WRL1421.tmp"
Sat 29 Mar 2008 31,232 ...H. --- "C:\Dokumente und Einstellungen\Frank\Desktop\Links frs FSB Forum\~WRL3117.tmp"
Fri 11 Apr 2008 20,480 ...H. --- "C:\Dokumente und Einstellungen\Frank\Desktop\Links frs FSB Forum\~WRL4081.tmp"
Thu 14 Aug 2008 740,866 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\08d6fba5d6b92029ac42ab96ea81e9c9\BIT1F.tmp"
Thu 14 Aug 2008 2,484,827 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\20bd78b878862fca3885f5c330d745cf\BIT18.tmp"
Thu 14 Aug 2008 824,872 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3017ad0bed1c28cb85a5d0764459f43e\BIT1A.tmp"
Thu 14 Aug 2008 8,943,656 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7d478d7ebdca397b4337dfdfe8145c43\BIT1B.tmp"
Thu 14 Aug 2008 535,080 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8c3fdaa85345572f18cf5263dc74df9c\BIT22.tmp"
Thu 14 Aug 2008 507,432 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\965d5918c5c1c8b0ce0e2f7b47cf4e28\BIT21.tmp"
Thu 14 Aug 2008 2,790,952 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b88b4cc0c1c17df4c72d146c77358b85\BIT16.tmp"
Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ccba472a05828aa2a3ee32c96c6466ca\BIT109.tmp"
Fri 8 Feb 2008 576,512 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Vorlagen\~WRL0031.tmp"
Sat 15 Dec 2007 536,064 A..H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Vorlagen\~WRL1550.tmp"
Sat 7 Jul 2007 369,664 A..H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Vorlagen\~WRL3306.tmp"
Fri 27 Jun 2008 667,136 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Vorlagen\~WRL3348.tmp"
Sun 8 Apr 2007 308,736 A..H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL0005.tmp"
Fri 20 Apr 2007 315,392 A..H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL0159.tmp"
Mon 28 Jan 2008 575,488 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL0318.tmp"
Sun 20 Jan 2008 573,952 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL0489.tmp"
Sun 13 Apr 2008 602,624 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL0818.tmp"
Wed 28 May 2008 641,536 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL1096.tmp"
Thu 17 Apr 2008 603,648 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL1452.tmp"
Mon 14 Apr 2008 603,136 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL1514.tmp"
Sun 27 Apr 2008 605,696 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL1956.tmp"
Wed 23 Jan 2008 576,000 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL2081.tmp"
Sat 10 May 2008 610,816 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL2209.tmp"
Tue 22 Jan 2008 575,488 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL3620.tmp"
Sat 31 May 2008 644,608 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL3762.tmp"
Mon 21 Jan 2008 574,464 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL3779.tmp"
Sat 7 Jun 2008 647,168 ...H. --- "C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Word\~WRL3865.tmp"
Thu 14 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c343d169e833b4e7742252b302eea1d7\download\BIT93.tmp"
Thu 14 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f14fd8e5430c9159611462b685a23f24\download\BITE3.tmp"

Finished!

This post was edited on 19.08.2008 at 18:28 by MaxPeter.
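The "Files with Hidden Attributes" section that both SDFix reports in this thread end with is the part a helper reads line by line: it lists every file carrying the hidden attribute, and the ones that also carry the system attribute are invisible in Explorer with default settings. The script below is an added example (ours, not SDFix's code and not from the thread) that parses that section into records and sorts out the system+hidden entries for review. The six sample lines are copied from the report above; the parser and the review filter are assumptions about what a reviewer wants, and the filter is a triage list, not a verdict on any file.

```python
"""Parse the 'Files with Hidden Attributes' section of an SDFix report.

Added example for this thread, not SDFix's own code. The attribute column in the
report is five characters wide: A (archive), an unused position, S (system),
H (hidden), R (read-only); a dot means the attribute is not set.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# weekday day month year  size  attrs  ---  "path"
LINE_RE = re.compile(
    r'^(?P<date>[A-Z][a-z]{2} \d{1,2} [A-Z][a-z]{2} \d{4})\s+'
    r'(?P<size>[\d,]+)\s+(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"\s*$'
)

# Sample lines copied from the SDFix report posted above.
SAMPLE_REPORT = r"""
Fri 8 Aug 2008 294 A.SHR --- "C:\BOOT.BAK"
Sat 3 Nov 2007 48 ..SH. --- "C:\WINDOWS\SE258FE47.tmp"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDUpdate.exe"
Sat 30 Dec 2006 4,348 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Mon 31 Mar 2008 32,256 ...H. --- "C:\Dokumente und Einstellungen\Frank\Desktop\Links frs FSB Forum\~WRL1421.tmp"
Thu 14 Aug 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c343d169e833b4e7742252b302eea1d7\download\BIT93.tmp"
"""


@dataclass
class HiddenFile:
    modified: datetime
    size: int
    archive: bool
    system: bool
    hidden: bool
    readonly: bool
    path: str


def parse_line(line: str):
    """Turn one report line into a HiddenFile, or None if the line is not a file entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = m["attrs"]
    return HiddenFile(
        modified=datetime.strptime(m["date"], "%a %d %b %Y"),
        size=int(m["size"].replace(",", "")),
        archive=attrs[0] == "A",
        system=attrs[2] == "S",
        hidden=attrs[3] == "H",
        readonly=attrs[4] == "R",
        path=m["path"],
    )


def parse_report(text: str) -> list:
    """Parse every file entry in the section; headers and blank lines are skipped."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def review_candidates(records: list) -> list:
    """System+hidden files, newest first: the entries a reviewer looks at before the rest."""
    flagged = [r for r in records if r.system and r.hidden]
    return sorted(flagged, key=lambda r: r.modified, reverse=True)


if __name__ == "__main__":
    for rec in review_candidates(parse_report(SAMPLE_REPORT)):
        print(rec.modified.date(), rec.size, rec.path)
```

Ordering by modification date puts the entries closest to the date of the infection at the top; a file that is both system and hidden and was written in the days before the symptoms appeared is the first thing to look up.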
20.08.2008, 00:03
Honorary member
Posts: 29434
#6
Yes, hmmm... that didn't work.
Everything diligently deleted things... but it is not gone. I had this once before, but back then we got it clean... after running mbr.exe -f; see the lower part of the page http://virus-protect.org/artikel/spyware/wsnpoem-remove.html

1. Run gmer and post the report
http://virus-protect.org/artikel/tools/gmer.html

2. Please post the Combofix log
http://virus-protect.org/artikel/tools/combofix.html

__________
Best regards, Sabina
all about PC security
20.08.2008, 15:54
Member
Thread starter, Posts: 29
#7
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-08-20 15:52:27
Windows 5.1.2600 Service Pack 2

---- Disk sectors - GMER 1.0.14 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x132c4977 size 0x1e4
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- System - GMER 1.0.14 ----

SSDT spbl.sys ZwEnumerateKey [0xF72BBCA2]
SSDT spbl.sys ZwEnumerateValueKey [0xF72BC030]

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86FD81F8
Device \FileSystem\Fastfat \Fat 86988500
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip GDTdiIcpt.sys (G DATA Software AG)
Device \Driver\Tcpip \Device\Tcp GDTdiIcpt.sys (G DATA Software AG)
Device \Driver\Tcpip \Device\Udp GDTdiIcpt.sys (G DATA Software AG)
Device \Driver\Tcpip \Device\RawIp GDTdiIcpt.sys (G DATA Software AG)

---- EOF - GMER 1.0.14 ----

ComboFix in safe mode; I hope that was right?!

ComboFix 08-08-19.02 - Frank 2008-08-20 16:04:18.6 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.790 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Frank\Desktop\ComboFix.exe
.

((((((((((((((((((((((( Dateien erstellt von 2008-07-20 bis 2008-08-20 ))))))))))))))))))))))))))))))
.

2008-08-19 19:55 . 2008-08-19 19:55 <DIR> d-------- C:\Dokumente und Einstellungen\Frank\DoctorWeb
2008-08-19 17:31 . 2008-08-19 17:31 <DIR> d-------- C:\_OTMoveIt
2008-08-18 18:13 . 2008-08-18 18:13 <DIR> d-------- C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Malwarebytes
2008-08-18 18:13 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 18:13 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-18 18:12 . 2008-08-18 18:13 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-08-18 18:12 . 2008-08-18 18:12 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-08 21:55 . 2008-08-08 21:55 <DIR> d-------- C:\Programme\FlashFXP

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 13:40 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-08-18 16:47 --------- d-----w C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\uTorrent
2008-08-17 09:36 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-08-08 19:48 --------- d-----w C:\Programme\MSECACHE
2008-07-12 20:16 --------- d-----w C:\Programme\Gemeinsame Dateien\Ahead
2008-07-12 20:16 --------- d-----w C:\Programme\Ahead
2008-07-12 19:36 --------- d-----w C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Nero
2008-07-12 19:29 --------- d-----w C:\Programme\Gemeinsame Dateien\Nero
2008-07-12 19:26 --------- d-----w C:\Programme\Nero
2008-07-12 19:26 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nero
2008-06-30 04:53 --------- d-----w C:\Programme\eMule
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-11 17:36 47,360 ----a-w C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\pcouffin.sys
2008-01-20 14:42 93,784 ----a-w C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2004-07-03 20:09 140,800 ----a-w C:\Programme\mozilla firefox\plugins\al2np.dll
2007-09-28 16:08 479,232 ----a-w C:\Programme\mozilla firefox\plugins\msvcm80.dll
2007-09-28 16:08 548,864 ----a-w C:\Programme\mozilla firefox\plugins\msvcp80.dll
2007-09-28 16:08 626,688 ----a-w C:\Programme\mozilla firefox\plugins\msvcr80.dll

.
((((((((((((((((((((((((((((( snapshot@2008-05-27_12.45.33.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-23 04:19:40 124,928 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\advpack.dll
+ 2008-04-23 04:19:40 347,136 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\dxtmsft.dll
+ 2008-04-23 04:19:40 214,528 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\dxtrans.dll
+ 2008-04-23 04:19:40 132,608 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\extmgr.dll
+ 2008-04-23 04:19:40 63,488 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\icardie.dll
+ 2008-04-22 08:02:19 70,656 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ie4uinit.exe
+ 2008-04-23 04:19:40 153,088 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ieakeng.dll
+ 2008-04-23 04:19:40 230,400 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ieaksie.dll
+ 2008-04-20 05:07:38 161,792 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ieakui.dll
+ 2007-04-17 09:32:38 2,455,488 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ieapfltr.dat
+ 2008-04-23 04:19:40 383,488 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ieapfltr.dll
+ 2008-04-23 04:19:40 388,608 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\iedkcs32.dll
+ 2008-04-23 04:19:40 6,068,224 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ieframe.dll
+ 2008-04-23 04:19:40 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\iernonce.dll
+ 2008-04-23 04:19:40 267,776 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\iertutil.dll
+ 2008-04-22 08:02:19 13,824 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\ieudinit.exe
+ 2008-04-22 08:02:46 625,664 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\iexplore.exe
+ 2008-04-23 04:19:41 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\jsproxy.dll
+ 2008-04-23 04:19:41 459,264 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\msfeeds.dll
+ 2008-04-23 04:19:41 52,224 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\msfeedsbs.dll
+ 2008-04-23 04:19:41 3,593,728 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\mshtml.dll
+ 2008-04-23 04:19:41 478,208 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\mshtmled.dll
+ 2008-04-23 04:19:41 193,024 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\msrating.dll
+ 2008-04-23 04:19:41 671,232 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\mstime.dll
+ 2008-04-23 04:19:41 102,912 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\occache.dll
+ 2008-04-23 04:19:41 44,544 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\pngfilt.dll
+ 2008-04-23 04:19:41 105,984 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\url.dll
+ 2008-04-23 04:19:41 1,162,752 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\urlmon.dll
+ 2008-04-23 04:19:41 233,472 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\webcheck.dll
+ 2008-04-23 04:19:41 827,392 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
+ 2007-03-06 01:14:08 15,584 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\spmsg.dll
+ 2007-03-06 01:14:13 217,312 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\spuninst.exe
+ 2007-03-06 01:14:07 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\update\spcustom.dll
+ 2007-03-06 01:14:35 725,728 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\update\update.exe
+ 2007-03-06 01:15:25 377,568 ----a-w C:\WINDOWS\$hf_mig$\KB950759-IE7\update\updspapi.dll
+ 2007-11-30 12:39:14 18,808 ----a-w C:\WINDOWS\$hf_mig$\KB950760\spmsg.dll
+ 2007-11-30 12:39:14 234,872 ----a-w C:\WINDOWS\$hf_mig$\KB950760\spuninst.exe
+ 2007-11-30 12:39:14 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB950760\update\spcustom.dll
+ 2007-11-30 12:39:14 765,304 ----a-w C:\WINDOWS\$hf_mig$\KB950760\update\update.exe
+ 2007-11-30 12:39:15 388,984 ----a-w C:\WINDOWS\$hf_mig$\KB950760\update\updspapi.dll
+ 2008-05-08 12:14:51 203,008 ----a-w C:\WINDOWS\$hf_mig$\KB950762\SP2QFE\rmcast.sys
+ 2008-05-08 14:02:52 203,136 ----a-w C:\WINDOWS\$hf_mig$\KB950762\SP3GDR\rmcast.sys
+ 2008-05-08 13:58:17 203,136 ----a-w C:\WINDOWS\$hf_mig$\KB950762\SP3QFE\rmcast.sys
+ 2007-11-30 12:39:14 18,808 ----a-w C:\WINDOWS\$hf_mig$\KB950762\spmsg.dll
+ 2007-11-30 12:39:14 234,872 ----a-w C:\WINDOWS\$hf_mig$\KB950762\spuninst.exe
+ 2007-11-30 12:39:14 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB950762\update\spcustom.dll
+ 2007-11-30 12:39:14 765,304 ----a-w C:\WINDOWS\$hf_mig$\KB950762\update\update.exe
+ 2007-11-30 12:39:15 388,984 ----a-w C:\WINDOWS\$hf_mig$\KB950762\update\updspapi.dll
+ 2008-06-14 18:01:09 273,024 ----a-w C:\WINDOWS\$hf_mig$\KB951376-v2\SP2QFE\bthport.sys
+ 2008-06-14 17:32:01 273,024 ----a-w C:\WINDOWS\$hf_mig$\KB951376-v2\SP3GDR\bthport.sys
+ 2008-06-14 17:37:44 273,024 ----a-w C:\WINDOWS\$hf_mig$\KB951376-v2\SP3QFE\bthport.sys
+ 2007-11-30 11:18:34 18,808 ----a-w C:\WINDOWS\$hf_mig$\KB951376-v2\spmsg.dll
+ 2007-11-30 11:18:34 234,872 ----a-w C:\WINDOWS\$hf_mig$\KB951376-v2\spuninst.exe
+ 2007-11-30 11:18:34 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951376-v2\update\spcustom.dll
+ 2007-11-30 11:18:35 765,304 ----a-w C:\WINDOWS\$hf_mig$\KB951376-v2\update\update.exe
+ 2007-11-30 11:18:35 388,984 ----a-w C:\WINDOWS\$hf_mig$\KB951376-v2\update\updspapi.dll
+ 2008-04-14 16:16:13 273,024 ----a-w C:\WINDOWS\$hf_mig$\KB951376\SP2QFE\bthport.sys
+ 2008-04-14 15:58:22 273,024 ----a-w C:\WINDOWS\$hf_mig$\KB951376\SP3GDR\bthport.sys
+ 2008-04-14 16:21:08 273,024 ----a-w C:\WINDOWS\$hf_mig$\KB951376\SP3QFE\bthport.sys
+ 2007-11-30 11:18:34 18,808 ----a-w C:\WINDOWS\$hf_mig$\KB951376\spmsg.dll
+ 2007-11-30 11:18:34 234,872 ----a-w C:\WINDOWS\$hf_mig$\KB951376\spuninst.exe
+ 2007-11-30 11:18:34 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951376\update\spcustom.dll
+ 2007-11-30 11:18:35 765,304 ----a-w C:\WINDOWS\$hf_mig$\KB951376\update\update.exe
+ 2007-11-30 11:18:35 388,984 ----a-w C:\WINDOWS\$hf_mig$\KB951376\update\updspapi.dll
+ 2008-05-07 04:55:02 1,293,824 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP2QFE\quartz.dll
+ 2008-05-07 05:10:35 1,293,824 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3GDR\quartz.dll
+ 2008-05-07 05:04:30 1,293,824 ----a-w C:\WINDOWS\$hf_mig$\KB951698\SP3QFE\quartz.dll
+ 2007-11-30 11:18:34 18,808 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spmsg.dll
+ 2007-11-30 11:18:34 234,872 ----a-w C:\WINDOWS\$hf_mig$\KB951698\spuninst.exe
+ 2007-11-30 11:18:34 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\spcustom.dll
+ 2007-11-30 12:39:14 765,304 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\update.exe
+ 2007-11-30 12:39:15 388,984 ----a-w C:\WINDOWS\$hf_mig$\KB951698\update\updspapi.dll
+ 2006-08-16 12:13:36 100,352 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\6to4svc.dll
+ 2008-06-20 10:44:08 138,368 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\afd.sys
+ 2008-06-20 17:36:12 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\dnsapi.dll
+ 2008-06-20 17:36:12 247,296 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\mswsock.dll
+ 2008-06-20 10:44:42 360,960 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip.sys
+ 2008-06-20 09:32:39 225,920 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP2QFE\tcpip6.sys
+ 2008-06-20 11:40:08 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\afd.sys
+ 2008-06-20 17:46:10 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\dnsapi.dll
+ 2008-06-20 17:46:10 247,296 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\mswsock.dll
+ 2008-06-20 11:51:12 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip.sys
+ 2008-06-20 11:08:27 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3GDR\tcpip6.sys
+ 2008-06-20 11:48:03 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
+ 2008-06-20 17:43:49 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\dnsapi.dll
+ 2008-06-20 17:43:49 247,296 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll
+ 2008-06-20 11:59:02 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
+ 2008-06-20 11:16:44 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip6.sys
+ 2007-11-30 12:39:14 18,808 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spmsg.dll
+ 2007-11-30 12:39:14 234,872 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spuninst.exe
+ 2007-11-30 12:39:14 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\spcustom.dll
+ 2007-11-30 12:39:08 765,304 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\update.exe
+ 2007-11-30 12:39:08 388,984 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\updspapi.dll
+ 2004-12-06 22:53:51 297,472 -c----w C:\WINDOWS\$NtUninstallKB932823-v3$\msctf.dll
+ 2007-03-06 01:14:17 217,312 -c----w C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe
+ 2007-03-06 01:15:25 377,568 -c----w C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\updspapi.dll
+ 2007-11-30 12:39:14 234,872 -c----w C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe
+ 2007-11-30 12:39:15 388,984 -c----w C:\WINDOWS\$NtUninstallKB950760$\spuninst\updspapi.dll
+ 2006-07-13 08:48:58 202,240 -c----w C:\WINDOWS\$NtUninstallKB950762$\rmcast.sys
+ 2007-11-30 12:39:14 234,872 -c----w C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe
+ 2007-11-30 12:39:15 388,984 -c----w C:\WINDOWS\$NtUninstallKB950762$\spuninst\updspapi.dll
+ 2008-04-14 15:51:00 273,024 -c----w C:\WINDOWS\$NtUninstallKB951376-v2$\bthport.sys
+ 2007-11-30 11:18:34 234,872 -c----w C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe
+ 2007-11-30 11:18:35 388,984 -c----w C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\updspapi.dll
+ 2007-11-30 11:18:34 234,872 -c----w C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe
+ 2007-11-30 11:18:35 388,984 -c----w C:\WINDOWS\$NtUninstallKB951376$\spuninst\updspapi.dll
+ 2007-10-29 22:42:30 1,293,312 -c----w C:\WINDOWS\$NtUninstallKB951698$\quartz.dll
+ 2007-11-30 11:18:34 234,872 -c----w C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe
+ 2007-11-30 12:39:15 388,984 -c----w C:\WINDOWS\$NtUninstallKB951698$\spuninst\updspapi.dll
+ 2004-08-03 22:14:16 138,496 -c----w C:\WINDOWS\$NtUninstallKB951748$\afd.sys
+ 2008-02-20 05:33:54 148,992 -c----w C:\WINDOWS\$NtUninstallKB951748$\dnsapi.dll
+ 2004-08-03 23:57:30 247,296 -c----w C:\WINDOWS\$NtUninstallKB951748$\mswsock.dll
+ 2007-11-30 12:39:14 234,872 -c----w C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe
+ 2007-11-30 12:39:08 388,984 -c----w C:\WINDOWS\$NtUninstallKB951748$\spuninst\updspapi.dll
+ 2007-10-30 17:20:55 360,064
-c----w C:\WINDOWS\$NtUninstallKB951748$\tcpip.sys + 2006-08-16 09:37:30 225,664 -c----w C:\WINDOWS\$NtUninstallKB951748$\tcpip6.sys + 2008-06-14 17:57:40 273,024 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys - 2008-05-27 01:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE + 2008-08-07 14:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE - 2008-05-27 10:18:18 13,922,304 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat + 2008-08-19 16:11:42 14,671,872 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat - 2008-05-27 10:18:18 1,576,960 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2008-08-19 16:11:42 1,576,960 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat - 2007-12-14 21:04:45 585,791 ----a-w C:\WINDOWS\gmer.dll + 2008-08-19 19:07:05 884,736 ----a-w C:\WINDOWS\gmer.dll - 2007-06-29 08:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe + 2008-04-17 19:13:02 811,008 ----a-w C:\WINDOWS\gmer.exe + 2008-03-01 12:53:51 124,928 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll + 2008-03-01 12:53:51 347,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll + 2008-03-01 12:53:52 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll + 2008-03-01 12:53:52 133,120 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll + 2008-03-01 12:53:52 63,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\icardie.dll + 2008-02-29 08:54:43 70,656 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe + 2008-03-01 12:53:52 153,088 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll + 2008-03-01 12:53:52 230,400 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll + 2008-02-15 05:44:25 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll + 2008-03-01 12:53:52 383,488 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieapfltr.dll + 2008-03-01 12:53:53 384,512 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll + 2008-03-01 12:53:56 6,066,176 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieframe.dll + 2008-03-01 12:53:57 44,544 
-c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll + 2008-03-01 12:53:57 267,776 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iertutil.dll + 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe + 2008-02-29 08:55:08 625,664 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe + 2008-03-01 12:53:58 27,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll + 2008-03-01 12:53:59 459,264 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeeds.dll + 2008-03-01 12:53:59 52,224 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msfeedsbs.dll + 2008-03-01 16:24:04 3,591,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll + 2008-03-01 12:54:02 478,208 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll + 2008-03-01 12:54:03 193,024 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll + 2008-03-01 12:54:03 671,232 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll + 2008-03-01 12:54:03 102,912 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll + 2008-03-01 12:54:04 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll + 2007-03-06 01:14:13 217,312 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe + 2007-03-06 01:15:25 377,568 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\updspapi.dll + 2008-03-01 12:54:04 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll + 2008-03-01 12:54:04 1,159,680 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll + 2008-03-01 12:54:05 233,472 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll + 2008-03-01 12:54:05 826,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll + 2008-08-08 19:49:34 38,240 ----a-r C:\WINDOWS\Installer\{90120000-0020-0407-0000-0000000FF1CE}\O12ConvIcon.exe - 2008-03-13 20:02:51 135,168 ----a-r C:\WINDOWS\Installer\{90840407-6000-11D3-8CFE-0150048383C9}\misc.exe + 2008-07-25 02:18:32 135,168 ----a-r C:\WINDOWS\Installer\{90840407-6000-11D3-8CFE-0150048383C9}\misc.exe - 2008-03-13 20:02:51 40,960 ----a-r 
C:\WINDOWS\Installer\{90840407-6000-11D3-8CFE-0150048383C9}\xlvicon.exe + 2008-07-25 02:18:32 40,960 ----a-r C:\WINDOWS\Installer\{90840407-6000-11D3-8CFE-0150048383C9}\xlvicon.exe - 2000-08-31 06:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe + 2000-08-31 06:00:00 28,672 ----a-w C:\WINDOWS\Nircmd.exe + 2001-07-14 15:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll - 2008-03-01 12:53:51 124,928 ----a-w C:\WINDOWS\system32\advpack.dll + 2008-04-23 04:16:29 124,928 ----a-w C:\WINDOWS\system32\advpack.dll - 2005-12-21 19:08:06 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat + 2008-06-11 02:09:26 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat - 2005-12-21 19:08:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat + 2008-06-11 02:09:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat - 2005-12-21 19:08:06 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat + 2008-06-11 02:09:26 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat - 2008-03-01 12:53:51 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll + 2008-04-23 04:16:29 124,928 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll - 2004-08-03 22:14:16 138,496 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys + 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys + 2008-06-14 17:57:40 273,024 -c----w C:\WINDOWS\system32\dllcache\bthport.sys - 2008-02-20 05:33:54 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll + 2008-06-20 17:39:48 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll - 2008-03-01 12:53:51 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll + 2008-04-23 04:16:29 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll - 2008-03-01 12:53:52 214,528 -c--a-w 
C:\WINDOWS\system32\dllcache\dxtrans.dll + 2008-04-23 04:16:29 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll - 2008-03-01 12:53:52 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll + 2008-04-23 04:16:29 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll - 2008-03-01 12:53:52 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll + 2008-04-23 04:16:29 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll - 2008-02-29 08:54:43 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe + 2008-04-22 07:39:48 70,656 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe - 2008-03-01 12:53:52 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll + 2008-04-23 04:16:29 153,088 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll - 2008-03-01 12:53:52 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll + 2008-04-23 04:16:29 230,400 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll - 2008-02-15 05:44:25 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll + 2008-04-20 05:07:51 161,792 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll - 2008-03-01 12:53:52 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll + 2008-04-23 04:16:29 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll - 2008-03-01 12:53:53 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll + 2008-04-23 04:16:29 384,512 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll - 2008-03-01 12:53:56 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll + 2008-04-23 04:16:30 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll - 2008-03-01 12:53:57 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll + 2008-04-23 04:16:30 44,544 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll - 2008-03-01 12:53:57 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll + 2008-04-23 04:16:30 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll - 2008-02-22 10:00:51 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe + 2008-04-22 07:39:58 13,824 -c----w 
C:\WINDOWS\system32\dllcache\ieudinit.exe - 2008-02-29 08:55:08 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe + 2008-04-22 07:40:19 625,664 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe - 2008-03-01 12:53:58 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll + 2008-04-23 04:16:30 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll - 2004-08-03 23:57:26 331,776 -c--a-w C:\WINDOWS\system32\dllcache\msadce.dll + 2008-05-01 14:30:33 331,776 -c--a-w C:\WINDOWS\system32\dllcache\msadce.dll - 2004-12-06 22:53:51 297,472 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll + 2008-02-26 11:49:00 297,984 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll - 2008-03-01 12:53:59 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll + 2008-04-23 04:16:30 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll - 2008-03-01 12:53:59 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll + 2008-04-23 04:16:30 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll - 2008-03-01 16:24:04 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll + 2008-04-23 20:16:32 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll - 2008-03-01 12:54:02 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll + 2008-04-23 04:16:31 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll - 2008-03-01 12:54:03 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll + 2008-04-23 04:16:31 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll - 2008-03-01 12:54:03 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll + 2008-04-23 04:16:31 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll - 2004-08-03 23:57:30 247,296 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll + 2008-06-20 17:39:48 247,296 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll - 2008-03-01 12:54:03 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll + 2008-04-23 04:16:31 102,912 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll - 2008-03-01 12:54:04 44,544 -c--a-w 
C:\WINDOWS\system32\dllcache\pngfilt.dll + 2008-04-23 04:16:31 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll - 2007-10-29 22:42:30 1,293,312 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll + 2008-05-07 05:14:45 1,293,312 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll - 2006-07-13 08:48:58 202,240 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys + 2008-05-08 12:28:49 202,752 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys - 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys + 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys - 2006-08-16 09:37:30 225,664 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys + 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys - 2008-03-01 12:54:04 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll + 2008-04-23 04:16:31 105,984 -c--a-w C:\WINDOWS\system32\dllcache\url.dll - 2008-03-01 12:54:04 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll + 2008-04-23 04:16:31 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll - 2008-03-01 12:54:05 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll + 2008-04-23 04:16:32 233,472 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll - 2008-03-01 12:54:05 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll + 2008-04-23 04:16:32 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll - 2008-02-20 05:33:54 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll + 2008-06-20 17:39:48 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll - 2008-05-02 09:49:30 99,264 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys + 2008-06-12 09:49:09 99,264 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys + 2007-01-18 12:00:28 3,968 ----a-w C:\WINDOWS\system32\drivers\AvgArCln.sys + 2007-01-31 13:33:46 5,632 ----a-w C:\WINDOWS\system32\drivers\avgarkt.sys + 2008-06-14 17:57:40 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys - 2007-12-14 21:04:45 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys + 2008-08-19 19:07:05 85,969 
----a-w C:\WINDOWS\system32\drivers\gmer.sys - 2005-08-15 11:08:26 5,888 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys + 2008-02-18 15:21:08 11,304 ----a-w C:\WINDOWS\system32\drivers\imagedrv.sys - 2005-08-15 11:08:26 127,488 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys + 2008-02-18 15:21:08 132,904 ----a-w C:\WINDOWS\system32\drivers\imagesrv.sys - 2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys + 2008-05-08 12:28:49 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys - 2008-03-01 12:53:51 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll + 2008-04-23 04:16:29 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll - 2008-03-01 12:53:52 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll + 2008-04-23 04:16:29 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll - 2008-03-01 12:53:52 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll + 2008-04-23 04:16:29 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll - 2008-04-12 01:37:51 282,928 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT + 2008-08-10 11:57:24 302,032 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT - 2008-03-01 12:53:52 63,488 ----a-w C:\WINDOWS\system32\icardie.dll + 2008-04-23 04:16:29 63,488 ----a-w C:\WINDOWS\system32\icardie.dll - 2008-02-29 08:54:43 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe + 2008-04-22 07:39:48 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe - 2008-03-01 12:53:52 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll + 2008-04-23 04:16:29 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll - 2008-03-01 12:53:52 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll + 2008-04-23 04:16:29 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll - 2008-02-15 05:44:25 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll + 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll - 2008-03-01 12:53:52 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll + 2008-04-23 04:16:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll - 2008-03-01 12:53:53 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll + 2008-04-23 
04:16:29 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll - 2008-03-01 12:53:56 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll + 2008-04-23 04:16:30 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll - 2008-03-01 12:53:57 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll + 2008-04-23 04:16:30 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll - 2008-03-01 12:53:57 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll + 2008-04-23 04:16:30 267,776 ----a-w C:\WINDOWS\system32\iertutil.dll - 2008-02-22 10:00:51 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe + 2008-04-22 07:39:58 13,824 ----a-w C:\WINDOWS\system32\ieudinit.exe - 2004-07-26 16:16:10 1,568,768 ----a-w C:\WINDOWS\system32\imagX7.dll + 2006-03-17 10:45:52 1,757,184 ----a-w C:\WINDOWS\system32\imagX7.dll - 2004-07-26 16:16:10 476,320 ----a-w C:\WINDOWS\system32\imagXpr7.dll + 2006-03-17 10:45:54 497,296 ----a-w C:\WINDOWS\system32\imagXpr7.dll - 2004-07-26 16:16:10 262,144 ----a-w C:\WINDOWS\system32\imagXR7.dll + 2006-03-17 10:45:54 258,048 ----a-w C:\WINDOWS\system32\imagXR7.dll - 2004-07-26 16:16:10 471,040 ----a-w C:\WINDOWS\system32\imagXRA7.dll + 2006-03-17 10:45:54 802,816 ----a-w C:\WINDOWS\system32\imagXRA7.dll + 2006-12-19 08:30:26 81,920 ----a-w C:\WINDOWS\system32\IoctlSvc.exe - 2008-03-01 12:53:58 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll + 2008-04-23 04:16:30 27,648 ----a-w C:\WINDOWS\system32\jsproxy.dll - 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe + 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe - 2004-12-06 22:53:51 297,472 ----a-w C:\WINDOWS\system32\msctf.dll + 2008-02-26 11:49:00 297,984 ----a-w C:\WINDOWS\system32\msctf.dll - 2008-03-01 12:53:59 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll + 2008-04-23 04:16:30 459,264 ----a-w C:\WINDOWS\system32\msfeeds.dll - 2008-03-01 12:53:59 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll + 2008-04-23 04:16:30 52,224 ----a-w C:\WINDOWS\system32\msfeedsbs.dll - 2008-03-01 16:24:04 3,591,680 ----a-w 
C:\WINDOWS\system32\mshtml.dll + 2008-04-23 20:16:32 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll - 2008-03-01 12:54:02 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll + 2008-04-23 04:16:31 478,208 ----a-w C:\WINDOWS\system32\mshtmled.dll - 2008-03-01 12:54:03 193,024 ----a-w C:\WINDOWS\system32\msrating.dll + 2008-04-23 04:16:31 193,024 ----a-w C:\WINDOWS\system32\msrating.dll - 2008-03-01 12:54:03 671,232 ----a-w C:\WINDOWS\system32\mstime.dll + 2008-04-23 04:16:31 671,232 ----a-w C:\WINDOWS\system32\mstime.dll - 2004-08-03 23:57:30 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll + 2008-06-20 17:39:48 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll - 2005-02-16 14:18:04 90,184 ----a-w C:\WINDOWS\system32\NeroCo.dll + 2008-02-18 15:04:04 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll - 2008-03-01 12:54:03 102,912 ----a-w C:\WINDOWS\system32\occache.dll + 2008-04-23 04:16:31 102,912 ----a-w C:\WINDOWS\system32\occache.dll - 2008-03-01 12:54:04 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll + 2008-04-23 04:16:31 44,544 ----a-w C:\WINDOWS\system32\pngfilt.dll - 2007-10-29 22:42:30 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll + 2008-05-07 05:14:45 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll - 2008-05-15 16:01:42 174,764 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat + 2008-06-16 21:01:03 212,520 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat - 2006-11-17 14:14:30 16,176 ------w C:\WINDOWS\system32\spmsg.dll + 2007-11-30 11:18:34 18,808 ------w C:\WINDOWS\system32\spmsg.dll - 2004-07-09 08:43:56 364,544 ----a-w C:\WINDOWS\system32\TwnLib4.dll + 2006-03-17 13:49:46 368,640 ----a-w C:\WINDOWS\system32\TwnLib4.dll - 2008-03-01 12:54:04 105,984 ----a-w C:\WINDOWS\system32\url.dll + 2008-04-23 04:16:31 105,984 ----a-w C:\WINDOWS\system32\url.dll - 2008-03-01 12:54:04 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll + 2008-04-23 04:16:31 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll - 2008-03-01 12:54:05 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll + 
2008-04-23 04:16:32 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll - 2008-03-01 12:54:05 826,368 ----a-w C:\WINDOWS\system32\wininet.dll + 2008-04-23 04:16:32 826,368 ----a-w C:\WINDOWS\system32\wininet.dll - 2008-05-27 10:42:17 40,960 ----a-w C:\WINDOWS\Temp\rtdrvmon.exe + 2008-08-20 14:10:25 40,960 ----a-w C:\WINDOWS\temp\rtdrvmon.exe - 2006-07-14 16:29:44 966,656 ----a-w C:\WINDOWS\UNNeroBackItUp.exe + 2007-03-20 19:22:04 972,336 ----a-w C:\WINDOWS\UNNeroBackItUp.exe - 2006-07-14 16:29:44 966,656 ----a-w C:\WINDOWS\UNNeroMediaHome.exe + 2008-02-28 16:38:48 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe - 2006-07-14 16:29:44 966,656 ----a-w C:\WINDOWS\UNNeroShowTime.exe + 2007-02-28 14:41:02 972,336 ----a-w C:\WINDOWS\UNNeroShowTime.exe - 2006-07-14 16:29:44 966,656 ----a-w C:\WINDOWS\UNNeroVision.exe + 2007-03-21 19:02:12 972,336 ----a-w C:\WINDOWS\UNNeroVision.exe - 2006-07-14 16:29:44 966,656 ----a-w C:\WINDOWS\UNRecode.exe + 2008-02-26 15:14:26 972,072 ----a-w C:\WINDOWS\UNRecode.exe + 2006-12-01 20:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll + 2006-12-01 22:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll + 2006-12-01 22:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll + 2006-12-01 22:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll + 2006-12-01 22:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll + 2006-12-01 22:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll + 2006-12-01 22:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll + 2006-12-01 22:08:00 65,536 ----a-w 
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll + 2006-12-01 22:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll + 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll + 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll + 2006-12-01 22:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll + 2006-12-01 22:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll + 2006-12-01 22:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll + 2006-12-01 22:46:44 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll . -- Snapshot reset to current date -- . (((((((((((((((((((((((((((( Autostart Punkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt. 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:57 15360]
"IncrediMail"="C:\Programme\IncrediMail\bin\IncMail.exe" [2008-01-22 15:06 243072]
"TuneUp MemOptimizer"="C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" [2007-12-14 14:17 414976]
"AnyDVD"="C:\Programme\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-06-13 13:36 2137024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OOCCCTRL.EXE"="C:\Programme\OO Software\CleverCache\OOCCCTRL.EXE" [2007-01-28 15:08 1911568]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 03:08 2512392]
"Lexmark 1200 Series"="C:\Programme\Lexmark 1200 Series\lxczbmgr.exe" [2006-07-13 14:26 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-06-15 11:20 6803456]
"GDFirewallTray"="C:\Programme\G DATA InternetSecurity\Firewall\GDFirewallTray.exe" [2007-10-25 12:09 1189552]
"AVKTray"="C:\Programme\G DATA InternetSecurity\AVKTray\AVKTray.exe" [2007-11-05 16:17 603720]
"TrueImageMonitor.exe"="C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-12-03 12:06 2622104]
"AcronisTimounterMonitor"="C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-12-03 12:09 911184]
"Acronis Scheduler2 Service"="C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2007-12-03 12:06 140568]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 01:57 15360]
"InfoCockpit"="C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE" [2007-07-30 14:27 176128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Programme\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Programme\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Programme\\IncrediMail\\bin\\ImLc.exe"=
"C:\\Programme\\IncrediMail\\bin\\ImPackr.exe"=
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"C:\\Programme\\Gemeinsame Dateien\\Acronis\\Agent\\agent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Programme\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Programme\\FlashFXP\\FlashFXP.exe"=
"C:\\Programme\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4358:TCP"= 4358:TCPpLive
"5903:UDP"= 5903:UDPpLive
"14592:TCP"= 14592:TCP:BitComet 14592 TCP
"14592:UDP"= 14592:UDP:BitComet 14592 UDP
"16015:TCP"= 16015:TCP:BitComet 16015 TCP
"16015:UDP"= 16015:UDP:BitComet 16015 UDP
"19068:TCP"= 19068:TCP:BitComet 19068 TCP
"19068:UDP"= 19068:UDP:BitComet 19068 UDP
"18318:TCP"= 18318:TCP:BitComet 18318 TCP
"18318:UDP"= 18318:UDP:BitComet 18318 UDP

R0 GDNdisIc;GDNdisIc;C:\WINDOWS\system32\drivers\GDNdisIc.sys [2008-01-06 18:16]
R0 sojubus;sojubus;C:\WINDOWS\system32\DRIVERS\sojubus.sys [2003-10-05 11:41]
R0 sojuscsi;sojuscsi;C:\WINDOWS\system32\DRIVERS\sojuscsi.sys [2003-09-28 11:57]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-01-13 13:59]
R2 ACEDRV06;ACEDRV06;C:\WINDOWS\system32\drivers\ACEDRV06.sys [2006-10-22 20:08]
R2 AcronisAgent;Acronis Remote Agent;C:\Programme\Gemeinsame Dateien\Acronis\Agent\agent.exe [2006-07-18 15:21]
R2 AVKProxy;G DATA AntiVirus Proxy;C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe [2007-10-26 12:16]
R2 AVKService;G DATA Scheduler;C:\Programme\G DATA InternetSecurity\AVK\AVKService.exe [2007-09-27 16:10]
R2 AVKWCtl;AntiVirus Wächter;C:\Programme\G DATA InternetSecurity\AVK\AVKWCtl.exe [2007-10-08 12:43]
R2 CA_LIC_CLNT;CA License Client;C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe [2004-08-31 15:21]
R2 GDTdiInterceptor;GDTdiInterceptor;C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [2008-01-06 18:16]
R2 HDDlife HDD Access service;HDDlife HDD Access service;C:\Programme\BinarySense\HDDlife 3\hldasvc.exe [2007-06-07 16:09]
R2 LogWatch;Event Log Watch;C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe [2004-07-23 16:06]
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys [2007-07-15 03:37]
R2 TryAndDecideService;Acronis Try And Decide Service;C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe [2007-12-03 12:26]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:58]
R3 GDFwSvc;G DATA Personal Firewall;C:\Programme\G DATA InternetSecurity\Firewall\GDFwSvc.exe [2007-10-24 15:26]
R3 GDMnIcpt;GDMnIcpt;C:\WINDOWS\system32\drivers\MiniIcpt.sys [2008-01-06 18:20]
R3 HookCentre;HookCentre;C:\WINDOWS\system32\drivers\HookCentre.sys [2008-01-06 18:20]
R3 TSMPacket;DSL-Manager Service;C:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 12:53]
S2 Windows Update Center;Update Center;C:\WINDOWS\scvhost.exe []
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;C:\DOKUME~1\Frank\LOKALE~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys []
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 16:18]
S3 MIINPazX;MIINPazX NDIS Protocol Driver;C:\PROGRA~1\GEMEIN~1\MARMIK~1\MInfraIS\MIINPazX.SYS [2006-05-22 06:40]
S3 MTOnlPktAlyX;MTOnlPktAlyX NDIS Protocol Driver;C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis1\MTOnlPktAlyX.SYS [2006-10-09 14:46]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 19:31]
S3 TDslMgrService;DSL-Manager;C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe [2007-08-01 15:36]
S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-15 13:03]
S4 Block Level Filtering Service;Block Level Filtering Service;C:\WINDOWS\svchost.exe []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners
2008-02-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Programme\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
HKCU-Run-Microsoft Works Update Detection - C:\Programme\Microsoft Works\WkDetect.exe
Notify-ljJBTKbY - ljJBTKbY.dll
.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Mozilla\Firefox\Profiles\2eywjidc.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.de
FF -: plugin - C:\Programme\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_11\bin\NPJava11.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_11\bin\NPJava12.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_11\bin\NPJava13.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_11\bin\NPJava14.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_11\bin\NPJava32.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_11\bin\NPJPI150_11.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_11\bin\NPOJI610.dll
FF -: plugin - C:\PROGRAMME\MOZILLA FIREFOX\plugins\npalnn.dll
FF -: plugin - C:\Programme\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Programme\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 16:09:11
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\oreans32]
"ImagePath"="\"\""
.
------------------------ Weitere, laufende Prozesse ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Lexmark 1200 Series\lxczbmon.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Programme\IncrediMail\bin\IMApp.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Programme\OO Software\CleverCache\ooccag.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Programme\Registry Defragmentation\RegManServ.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-08-20 16:15:36 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-08-20 14:15:21
ComboFix2.txt 2008-05-27 10:46:10
ComboFix3.txt 2008-05-18 10:38:29
Pre-Run: 8,075,493,376 Bytes frei
Post-Run: 7,041,724,416 Bytes frei
571 --- E O F --- 2008-08-14 14:11:52

This post was edited on 20.08.2008 at 16:20 by MaxPeter.
20.08.2008, 23:58
Honorary member
Posts: 29434
#8
here is the rootkit:

Quote: Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x132c4977 size 0x1e4

I basically know only one way to get that out, with:

mbr.exe -f (mind the space...)

--------
or via the console:
To remove rootkit from infected machine you can simply use "Recovery Console" command: fixmbr.

1. Combofix - creating the Windows Recovery Console
http://virus-protect.org/artikel/tools/combofix-konsole.html

2. http://virus-protect.org/artikel/tools/masterbootrecord.html

If there is reason to suspect that such a rootkit is installed, affected users should boot their computers from a boot CD in order to bypass the Master Boot Record. To undo the malicious modification, the MBR should then be reset with the built-in system tool, for WinXP fixmbr inside the Windows Recovery Console.

-------------------------
Boot from the XP CD. There you choose "Repair". (With "Repair" the Recovery Console is started.)
Once you are at "C:\", type fixmbr.
This rewrites the Master Boot Record.

---------------------
once you have managed that, post a new log from mbr and from sdfix

__________
Regards, Sabina
all about PC security
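Both removal routes described in the reply above (mbr.exe -f and fixmbr from the Recovery Console) overwrite sector 0 wholesale. Before doing that, a defender usually wants to know what in the live MBR actually deviates: the 446 bytes of boot code (the part an MBR rootkit replaces), the partition table, or the 0x55AA signature. The Python script below is an added example for this thread, not code from mbr.exe, gmer, SDFix or ComboFix. It parses a 512-byte MBR, runs basic sanity checks on the partition table, and diffs boot code and partition table against a copy of the MBR that was saved earlier. The sample sectors, the placeholder loader bytes and the partition layout are constructed for the example; they are not the poster's disk. mbr.exe reported a stashed copy of the original MBR in sector 62 on that disk; the script does not search for such copies, it only compares against a copy the defender already holds.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: the boot loader code an MBR rootkit replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510      # the 0x55 0xAA boot signature closes the sector
# One partition entry: status, CHS start (ignored), type, CHS end (ignored),
# LBA start, sector count; all little-endian.
ENTRY_FMT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def is_empty(self) -> bool:
        return self.type_id == 0 and self.sector_count == 0

    @property
    def lba_end(self) -> int:       # exclusive
        return self.lba_start + self.sector_count


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four partition entries at offset 446 of a 512-byte MBR."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def check_mbr(live: bytes, known_good: Optional[bytes] = None) -> dict:
    """Sanity-check sector 0 and, if a saved copy is given, diff it against that copy."""
    if len(live) != SECTOR_SIZE:
        return {"ok": False, "findings": [f"unexpected sector length {len(live)}"]}
    findings = []
    if live[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    parts = parse_partition_table(live)
    if sum(p.bootable for p in parts) > 1:
        findings.append("more than one partition flagged active")
    for i, p in enumerate(parts):
        if p.is_empty:
            continue
        if p.lba_start == 0:
            findings.append(f"partition {i}: LBA start 0 overlaps the MBR sector")
        for j in range(i + 1, 4):
            q = parts[j]
            if not q.is_empty and p.lba_start < q.lba_end and q.lba_start < p.lba_end:
                findings.append(f"partitions {i} and {j} overlap")
    if known_good is not None:
        if live[:BOOT_CODE_LEN] != known_good[:BOOT_CODE_LEN]:
            findings.append("boot code differs from the saved copy")
        if live[PART_TABLE_OFF:SIGNATURE_OFF] != known_good[PART_TABLE_OFF:SIGNATURE_OFF]:
            findings.append("partition table differs from the saved copy")
    return {
        "ok": not findings,
        "findings": findings,
        "boot_code_sha256": hashlib.sha256(live[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


# Constructed sample data (not the poster's disk): one NTFS (type 0x07) partition
# starting at LBA 63, the classic XP layout in which sectors 1..62 sit unused
# between the MBR and the first partition.
PLACEHOLDER_LOADER = (bytes(range(256)) * 2)[:BOOT_CODE_LEN]   # stands in for real boot code
KNOWN_GOOD = build_mbr(PLACEHOLDER_LOADER, [(True, 0x07, 63, 1_000_000)])
# Same partition table and signature, but the first 32 loader bytes replaced:
# the table alone looks healthy; only the boot-code diff reveals the change.
TAMPERED = bytes(32) + KNOWN_GOOD[32:]

if __name__ == "__main__":
    for label, sector in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED)):
        result = check_mbr(sector, KNOWN_GOOD)
        print(label, "ok" if result["ok"] else result["findings"],
              "sha256(boot code) =", result["boot_code_sha256"][:16])
```

On a live system the 512 bytes come from a raw read of the first sector of the physical drive (on Windows, opening \\.\PhysicalDrive0); the saved copy should be taken while the machine is known clean, for instance right after installation. The hash of the boot-code region is the cheap thing to record and compare over time, since the partition table legitimately changes when volumes are resized.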
21.08.2008, 17:33
Member
Thread starter, Posts: 29
#9
I tried it; this message came up:

The MBR boot record appears to be invalid or non-standard. If you continue, this could damage the partition tables. This can result in no partition on the current hard disk being accessible.

Should I go ahead? What am I risking? Or is this message normal?
Please advise.
Regards, MaxPeter

This post was edited on 21.08.2008 at 20:44 by MaxPeter.
21.08.2008, 22:26
Honorary member
Posts: 6028
22.08.2008, 04:19
Member
Thread starter, Posts: 29
#11
Up to date?? What exactly does that mean?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:16:55, on 22.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Programme\G DATA InternetSecurity\Firewall\GDFirewallTray.exe
C:\Programme\G DATA InternetSecurity\AVKTray\AVKTray.exe
C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe
C:\Programme\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programme\IncrediMail\bin\ImApp.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\G DATA InternetSecurity\AVK\AVKService.exe
C:\Programme\G DATA InternetSecurity\AVK\AVKWCtl.exe
C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\Programme\BinarySense\HDDlife 3\hldasvc.exe
C:\Programme\BinarySense\HDDlife 3\hldasvc.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Programme\OO Software\CleverCache\ooccag.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Programme\Registry Defragmentation\RegManServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\G DATA InternetSecurity\Firewall\GDFwSvc.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRA~1\T-Online\T-ONLI~1\Notifier\Notifier.exe
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\Programme\G DATA InternetSecurity\GUI\avkis.exe
C:\Dokumente und Einstellungen\Frank\Desktop\SICHERHEIT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: G DATA WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programme\G DATA InternetSecurity\Webfilter\AVKWebIE.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Programme\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programme\FlashFXP\IEFlash.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll
O3 - Toolbar: G DATA WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programme\G DATA InternetSecurity\Webfilter\AVKWebIE.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [OOCCCTRL.EXE] "C:\Programme\OO Software\CleverCache\OOCCCTRL.EXE" /tasktray
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Programme\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GDFirewallTray] C:\Programme\G DATA InternetSecurity\Firewall\GDFirewallTray.exe
O4 - HKLM\..\Run: [AVKTray] "C:\Programme\G DATA InternetSecurity\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programme\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [AnyDVD] C:\Programme\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [InfoCockpit] C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.EXE /nosplash (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: DSL-Manager.lnk = C:\Programme\T-Online\DSL-Manager\DslMgr.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: DSL-Manager.lnk = C:\Programme\T-Online\DSL-Manager\DslMgr.exe (User 'Default user')
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Programme\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Erinnerungen in Microsoft Works-Kalender.lnk = ?
O4 - Global Startup: G DATA Firewall Tray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Programme\BitComet\Bit Comet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Mit dem LeechGet Wizard laden - file://C:\Programme\LeechGet 2006\\Wizard.html
O8 - Extra context menu item: Mit LeechGet herunterladen - file://C:\Programme\LeechGet 2006\\AddUrl.html
O8 - Extra context menu item: Mit LeechGet parsen - file://C:\Programme\LeechGet 2006\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Programme\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA6F281A-6A04-4058-98E2-9841EC959974}: NameServer = 217.237.151.205 217.237.148.70
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Programme\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O23 - Service: Acronis Remote Agent (AcronisAgent) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Agent\agent.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: G DATA AntiVirus Proxy (AVKProxy) - G DATA Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: G DATA Scheduler (AVKService) - G DATA Software AG - C:\Programme\G DATA InternetSecurity\AVK\AVKService.exe
O23 - Service: AntiVirus Wächter (AVKWCtl) - G DATA Software AG - C:\Programme\G DATA InternetSecurity\AVK\AVKWCtl.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: G DATA Personal Firewall (GDFwSvc) - G DATA Software AG - C:\Programme\G DATA InternetSecurity\Firewall\GDFwSvc.exe
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Programme\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Programme\OO Software\CleverCache\ooccag.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Programme\Registry Defragmentation\RegManServ.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Programme\Gemeinsame Dateien\Sonic Shared\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Programme\Gemeinsame Dateien\Sonic Shared\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: stllssvr - Unknown owner - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: Update Center (Windows Update Center) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)

--
End of file - 13435 bytes
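Two service entries in this thread are the ones the helper goes after next: "Update Center (Windows Update Center)" in the HijackThis log above, whose binary C:\WINDOWS\scvhost.exe is a look-alike of svchost.exe sitting in the Windows root rather than system32, with no vendor in its version info and the file already gone, and the ComboFix "S4 Block Level Filtering Service" entry from the earlier log that pointed at C:\WINDOWS\svchost.exe. The script below is an added example for this thread, not part of HijackThis or ComboFix: it parses O23 service lines and flags names within edit distance 2 of core Windows binaries, known binaries outside their home directory, services with no vendor that live directly in the Windows root, and orphaned entries whose file is missing. Three of the sample lines are taken from the log above; the fourth is constructed in O23 form from the ComboFix S4 entry. The table of legitimate binaries and their directories is an assumption for an XP install on C:.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Core Windows binaries that malware likes to imitate by name, with the
# directory they legitimately live in on an XP install on C: (assumption
# for this example; adjust for other system roots).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
}
WINDOWS_ROOT = r"c:\windows"

# O23 line: "O23 - Service: <display> - <owner> - <path>[ (file missing)]".
# The path is anchored on a drive letter so that display names containing
# " - " (e.g. "Firebird Server - MAGIX Instance") still parse correctly.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display: str
    owner: str
    path: str
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one HijackThis O23 line; returns None for anything else."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    return ServiceEntry(m["display"], m["owner"], m["path"], m["missing"] is not None)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alikes such as scvhost vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach a flag for every suspicious trait; an empty list means nothing odd."""
    directory, _, filename = entry.path.lower().rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    unknown_owner = entry.owner.lower() == "unknown owner"
    for known, home in KNOWN_SYSTEM_BINARIES.items():
        if filename == known:
            if directory != home:
                entry.flags.append(f"{known} outside its home directory {home}")
        elif 0 < edit_distance(stem, known.rsplit(".", 1)[0]) <= 2:
            entry.flags.append(f"name resembles {known}")
    if directory == WINDOWS_ROOT and unknown_owner:
        entry.flags.append("no vendor in version info and located directly in the Windows root")
    if entry.file_missing and unknown_owner:
        entry.flags.append("file missing: orphaned service entry, verify before removing")
    return entry


def triage_log(lines) -> List[ServiceEntry]:
    """Run the checks over every O23 line in a HijackThis log."""
    return [triage(e) for e in map(parse_o23, lines) if e is not None]


# Sample input: the first three lines are taken from the HijackThis log in this
# thread; the fourth is constructed in O23 form from the ComboFix
# "S4 Block Level Filtering Service" entry that pointed at C:\WINDOWS\svchost.exe.
SAMPLE_LINES = [
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O23 - Service: stllssvr - Unknown owner - C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe (file missing)",
    r"O23 - Service: Update Center (Windows Update Center) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)",
    r"O23 - Service: Block Level Filtering Service - Unknown owner - C:\WINDOWS\svchost.exe",
]

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LINES):
        verdict = "; ".join(entry.flags) or "nothing unusual"
        print(f"{entry.display} -> {entry.path}: {verdict}")
```

The distance threshold of 2 is what catches a transposition like scvhost/svchost without flagging unrelated short names; a "file missing" entry on its own is only an orphaned registration (common after sloppy uninstalls, as the Roxio and Ulead entries in the same log show), which is why the script pairs it with the missing-vendor condition before treating it as more than housekeeping.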
22.08.2008, 10:42
Honorary member
Posts: 29434
#12
o.k.
so, once more from the start ... we'll get this sorted

1. http://virus-protect.org/artikel/tools/regsearch.html
and double-click to start.
in: "Enter search strings" (type or paste in)
Update Center
into the edit field and click "Ok". Notepad will open -- copy the text and post it.

in: "Enter search strings" (type or paste in)
Windows Update Center
into the edit field and click "Ok". Notepad will open -- copy the text and post it.

in: "Enter search strings" (type or paste in)
stllssvr
into the edit field and click "Ok". Notepad will open -- copy the text and post it.

---------
2. run zoek + post the report
http://virus-protect.org/artikel/tools/zoek.html

3. run systemscan
http://virus-protect.org/artikel/tools/systemscan.html
only tick the boxes for:
Showing files newer than 60 days
MASTER BOOT RECORD
SUSPICIOUS FILES
click: "ScanNow" + post the report

__________
Regards, Sabina
all about PC security
22.08.2008, 14:36
Member
Thread starter, Posts: 29
#13
hello, that would be great, I hope I can manage all of this
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 22.08.2008 14:30:49 for strings:
; 'update center'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDOWS_UPDATE_CENTER\0000]
"Service"="Windows Update Center"
"DeviceDesc"="Update Center"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Update Center]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Update Center]
"DisplayName"="Update Center"
"Description"="Update Center"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Update Center\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDOWS_UPDATE_CENTER\0000]
"Service"="Windows Update Center"
"DeviceDesc"="Update Center"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Windows Update Center]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Windows Update Center]
"DisplayName"="Update Center"
"Description"="Update Center"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Windows Update Center\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_WINDOWS_UPDATE_CENTER\0000]
"Service"="Windows Update Center"
"DeviceDesc"="Update Center"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Windows Update Center]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Windows Update Center]
"DisplayName"="Update Center"
"Description"="Update Center"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Windows Update Center\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Windows Update Center\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_UPDATE_CENTER\0000]
"Service"="Windows Update Center"
"DeviceDesc"="Update Center"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Update Center]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Update Center]
"DisplayName"="Update Center"
"Description"="Update Center"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Update Center\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Update Center\Enum]

; End Of The Log...

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 22.08.2008 14:38:50 for strings:
; ' windows update center'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

; End Of The Log...

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 22.08.2008 14:44:16 for strings:
; 'stllssvr'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stllssvr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stllssvr]
; Contents of value:
; "C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe"
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,6d,00,65,00,5c,00,47,00,65,00,6d,00,65,00,69,00,6e,00,73,00,61,00,6d,\
  00,65,00,20,00,44,00,61,00,74,00,65,00,69,00,65,00,6e,00,5c,00,53,00,75,00,\
  72,00,65,00,54,00,68,00,69,00,6e,00,67,00,20,00,53,00,68,00,61,00,72,00,65,\
  00,64,00,5c,00,73,00,74,00,6c,00,6c,00,73,00,73,00,76,00,72,00,2e,00,65,00,\
  78,00,65,00,22,00,00,00
"DisplayName"="stllssvr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\stllssvr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\stllssvr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\stllssvr]
; Contents of value:
; "C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe"
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,6d,00,65,00,5c,00,47,00,65,00,6d,00,65,00,69,00,6e,00,73,00,61,00,6d,\
  00,65,00,20,00,44,00,61,00,74,00,65,00,69,00,65,00,6e,00,5c,00,53,00,75,00,\
  72,00,65,00,54,00,68,00,69,00,6e,00,67,00,20,00,53,00,68,00,61,00,72,00,65,\
  00,64,00,5c,00,73,00,74,00,6c,00,6c,00,73,00,73,00,76,00,72,00,2e,00,65,00,\
  78,00,65,00,22,00,00,00
"DisplayName"="stllssvr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\stllssvr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\stllssvr]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\stllssvr]
; Contents of value:
; "C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe"
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,6d,00,65,00,5c,00,47,00,65,00,6d,00,65,00,69,00,6e,00,73,00,61,00,6d,\
  00,65,00,20,00,44,00,61,00,74,00,65,00,69,00,65,00,6e,00,5c,00,53,00,75,00,\
  72,00,65,00,54,00,68,00,69,00,6e,00,67,00,20,00,53,00,68,00,61,00,72,00,65,\
  00,64,00,5c,00,73,00,74,00,6c,00,6c,00,73,00,73,00,76,00,72,00,2e,00,65,00,\
  78,00,65,00,22,00,00,00
"DisplayName"="stllssvr"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\stllssvr\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stllssvr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stllssvr]
; Contents of value:
; "C:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe"
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,\
  6d,00,6d,00,65,00,5c,00,47,00,65,00,6d,00,65,00,69,00,6e,00,73,00,61,00,6d,\
  00,65,00,20,00,44,00,61,00,74,00,65,00,69,00,65,00,6e,00,5c,00,53,00,75,00,\
  72,00,65,00,54,00,68,00,69,00,6e,00,67,00,20,00,53,00,68,00,61,00,72,00,65,\
  00,64,00,5c,00,73,00,74,00,6c,00,6c,00,73,00,73,00,76,00,72,00,2e,00,65,00,\
  78,00,65,00,22,00,00,00
"DisplayName"="stllssvr"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\stllssvr\Security]

; End Of The Log...
======C:\WINDOWS====
----a-w 0 2008-08-22 12:00:39 C:\WINDOWS\0.log
----a-w 1,141 2008-08-15 11:28:57 C:\WINDOWS\ARCHPR.INI
--s-a-w 2,048 2008-08-22 12:00:38 C:\WINDOWS\bootstat.dat
----a-w 30,750 2008-08-14 14:11:50 C:\WINDOWS\comsetup.log
----a-w 356 2008-08-08 12:48:43 C:\WINDOWS\DHCPUPG.LOG
----a-w 92,739 2008-08-14 14:11:50 C:\WINDOWS\FaxSetup.log
----a-w 884,736 2008-08-19 19:07:05 C:\WINDOWS\gmer.dll
----a-w 297 2008-08-21 19:06:18 C:\WINDOWS\gmer.ini
----a-w 99,993 2008-08-14 14:11:50 C:\WINDOWS\iis6.log
----a-w 1,374 2008-08-14 14:11:50 C:\WINDOWS\imsins.log
----a-w 4,601 2008-08-14 13:16:14 C:\WINDOWS\KB944338-v2.log
----a-w 4,488 2008-08-14 13:37:10 C:\WINDOWS\KB950974.log
----a-w 6,224 2008-08-14 14:18:25 C:\WINDOWS\KB951072-v2.log
----a-w 9,373 2008-08-14 14:11:50 C:\WINDOWS\KB952287.log
----a-w 5,603 2008-08-14 14:31:28 C:\WINDOWS\KB952954.log
----a-w 269 2008-08-21 15:43:35 C:\WINDOWS\lexstat.ini
----a-w 6,375 2008-08-14 14:11:50 C:\WINDOWS\MedCtrOC.log
----a-w 4,635 2008-08-14 14:11:50 C:\WINDOWS\msgsocm.log
----a-w 28,208 2008-08-14 14:11:46 C:\WINDOWS\msmqinst.log
----a-w 69 2008-08-20 19:20:10 C:\WINDOWS\NeroDigital.ini
----a-w 16,245 2008-08-14 14:11:50 C:\WINDOWS\netfxocm.log
----a-w 16,166,774 2008-08-21 13:47:06 C:\WINDOWS\ntbtlog.txt
----a-w 18,615 2008-08-14 14:11:50 C:\WINDOWS\ntdtcsetup.log
----a-w 43,740 2008-08-14 14:11:50 C:\WINDOWS\ocgen.log
----a-w 5,130 2008-08-14 14:11:50 C:\WINDOWS\ocmsn.log
---ha-w 54,156 2008-07-19 10:25:28 C:\WINDOWS\QTFont.qfn
----a-w 228 2008-08-08 12:50:21 C:\WINDOWS\setupact.log
----a-w 227 2008-08-20 14:09:07 C:\WINDOWS\system.ini
----a-w 4,665 2008-08-14 14:11:50 C:\WINDOWS\tabletoc.log
----a-w 42,315 2008-08-14 14:11:50 C:\WINDOWS\tsoc.log
----a-w 254 2008-08-08 12:49:37 C:\WINDOWS\UPGRADE.TXT
----a-w 159 2008-08-22 12:00:53 C:\WINDOWS\wiadebug.log
----a-w 0 2008-08-22 12:00:52 C:\WINDOWS\wiaservc.log
----a-w 692 2008-08-22 12:04:32 C:\WINDOWS\win.ini
----a-w 1,364,214 2008-08-22 12:00:55 C:\WINDOWS\WindowsUpdate.log
----a-w 16,154 2008-08-08 12:50:07 C:\WINDOWS\WINNT32.LOG
----a-w 34,384 2008-08-08 12:49:35 C:\WINDOWS\wsdu.log
Entries: 37 (35) Directories: 0 Files: 37 Bytes: 18,951,231 Blocks: 37,033

======C:\WINDOWS\system32=====
----atw 77,824 2008-08-20 16:44:46 C:\WINDOWS\System32\DRWEBSP.DLL
----a-w 302,032 2008-08-10 11:57:24 C:\WINDOWS\System32\FNTCACHE.DAT
----a-w 26,682 2008-08-22 12:00:44 C:\WINDOWS\System32\nvapps.xml
----a-w 946,465 2008-08-22 12:00:35 C:\WINDOWS\System32\OODBS.lor
----a-w 2,206 2008-08-19 13:50:10 C:\WINDOWS\System32\wpa.dbl
Entries: 5 (5) Directories: 0 Files: 5 Bytes: 1,355,209 Blocks: 2,649

======C:\WINDOWS\system32\drivers=====
----a-w 85,969 2008-08-19 19:07:05 C:\WINDOWS\System32\drivers\gmer.sys
----a-w 17,144 2008-08-17 13:01:14 C:\WINDOWS\System32\drivers\mbam.sys
----a-w 38,472 2008-08-17 13:01:18 C:\WINDOWS\System32\drivers\mbamswissarmy.sys
Entries: 3 (3) Directories: 0 Files: 3 Bytes: 141,585 Blocks: 278

=======C:\Programme=====
Entries: 0 (0) Directories: 0 Files: 0 Bytes: 0 Blocks: 0

=======C:=====
----a-w 1,322 2008-08-19 15:46:58 C:\avenger.txt
--sha-r 294 2008-08-08 12:21:14 C:\BOOT.BAK
--sha-r 294 2008-08-08 12:50:06 C:\boot.ini
----a-w 44,117 2008-08-20 14:15:41 C:\ComboFix.txt
--sha-w 1,073,008,640 2008-08-22 12:00:36 C:\hiberfil.sys
--sha-w 1,609,408,512 2008-08-22 12:00:35 C:\pagefile.sys
Entries: 6 (2) Directories: 0 Files: 6 Bytes: 2,682,463,179 Blocks: 5,239,188

======C:\Dokumente und Einstellungen\Frank\Anwendungsdaten======
Entries: 0 (0) Directories: 0 Files: 0 Bytes: 0 Blocks: 0

======C:\Temp======
Entries: 0 (0) Directories: 0 Files: 0 Bytes: 0 Blocks: 0

======C:\Dokumente und Einstellungen\Frank======
----a-w 117 2008-08-20 19:20:13 C:\Dokumente und Einstellungen\Frank\default.pls
----a-w 14,680,064 2008-08-22 02:40:49 C:\Dokumente und Einstellungen\Frank\ntuser.dat
---ha-w 49,152 2008-08-22 12:50:42 C:\Dokumente und Einstellungen\Frank\ntuser.dat.LOG
--sh--w 190 2008-08-22 02:40:49 C:\Dokumente und Einstellungen\Frank\ntuser.ini
Entries: 4 (2) Directories: 0 Files: 4 Bytes: 14,729,523 Blocks: 28,770

======C:\WINDOWS\Downloaded Program Files====
Entries: 0 (0) Directories: 0 Files: 0 Bytes: 0 Blocks: 0

=============
SystemScan - www.suspectfile.com - ver. 3.5.5 (code: holifay & bReAkdOWn)
Running on: Windows XP PROFESSIONAL Edition, Service Pack 2 (2600.5.1)
System directory: C:\WINDOWS
SystemScan file: C:\Dokumente und Einstellungen\Frank\Desktop\sys29685.exe
Running in: User mode
Date: 22.08.2008 Time: 15:01:09

Output limited to:
-Recent files
-Master Boot Record
-Suspicious Files

===================== RECENT FILES =====================
Showing files newer than 60 days

----- recent files in C:\
08.08.2008 14:21:14 294 byte 14 days old -- BOOT.BAK
08.08.2008 14:50:05 (DIR) 0 byte 14 days old -- cmdcons
08.08.2008 14:50:06 294 byte 14 days old -- boot.ini
12.08.2008 16:46:58 (DIR) 0 byte 10 days old -- temp
17.08.2008 11:31:01 (DIR) 0 byte 5 days old -- Config.Msi
18.08.2008 18:46:16 (DIR) 0 byte 4 days old -- Downloads
19.08.2008 17:31:49 (DIR) 0 byte 3 days old -- _OTMoveIt
19.08.2008 17:46:58 1322 byte 3 days old -- avenger.txt
19.08.2008 17:47:31 (DIR) 0 byte 3 days old -- Avenger
20.08.2008 16:15:41 (DIR) 0 byte 2 days old -- QooBox
20.08.2008 16:15:41 44117 byte 2 days old -- ComboFix.txt
20.08.2008 16:16:05 (DIR) 0 byte 2 days old -- ComboFix
20.08.2008 16:39:36 (DIR) 0 byte 2 days old -- RECYCLER
20.08.2008 18:50:55 (DIR) 0 byte 2 days old -- Programme
21.08.2008 19:05:01 (DIR) 0 byte 1 days old -- VIDEO_TS
21.08.2008 21:22:23 (DIR) 0 byte 1 days old -- WINDOWS
22.08.2008 14:00:35 1609408512 byte 0 days old -- pagefile.sys
22.08.2008 14:00:36 (DIR)1073008640 byte 0 days old -- hiberfil.sys

----- recent files in C:\WINDOWS\
29.12.1765 06:03:33 3120 byte 8 days old -- .lfa
26.06.2008 19:35:17 (DIR) 0 byte 57 days old -- Minidump
12.07.2008 19:18:12 (DIR) 0 byte 41 days old -- $NtUninstallKB951748$
12.07.2008 19:18:14 13027 byte 41 days old -- updspapi.log
12.07.2008 19:18:21 1374 byte 41 days old -- imsins.BAK
12.07.2008 19:18:21 25096 byte 41 days old -- KB951748.log
12.07.2008 20:15:53 (DIR) 0 byte 41 days old -- WinSxS
12.07.2008 21:25:50 (DIR) 0 byte 41 days old -- Cursors
19.07.2008 12:25:28 54156 byte 34 days old -- QTFont.qfn
08.08.2008 14:48:43 356 byte 14 days old -- DHCPUPG.LOG
08.08.2008 14:49:27 (DIR) 0 byte 14 days old -- setupupd
08.08.2008 14:49:35 (DIR) 0 byte 14 days old -- setup.pss
08.08.2008 14:49:35 34384 byte 14 days old -- wsdu.log
08.08.2008 14:49:37 254 byte 14 days old -- UPGRADE.TXT
08.08.2008 14:50:07 16154 byte 14 days old -- WINNT32.LOG
08.08.2008 14:50:21 228 byte 14 days old -- setupact.log
08.08.2008 21:49:15 (DIR) 0 byte 14 days old -- Fonts
14.08.2008 15:16:14 4601 byte 8 days old -- KB944338-v2.log
14.08.2008 15:37:10 4488 byte 8 days old -- KB950974.log
14.08.2008 16:11:40 (DIR) 0 byte 8 days old -- $NtUninstallKB952287$
14.08.2008 16:11:46 28208 byte 8 days old -- msmqinst.log
14.08.2008 16:11:50 6375 byte 8 days old -- MedCtrOC.log
14.08.2008 16:11:50 43740 byte 8 days old -- ocgen.log
14.08.2008 16:11:50 18615 byte 8 days old -- ntdtcsetup.log
14.08.2008 16:11:50 16245 byte 8 days old -- netfxocm.log
14.08.2008 16:11:50 4635 byte 8 days old -- msgsocm.log
14.08.2008 16:11:50 5130 byte 8 days old -- ocmsn.log
14.08.2008 16:11:50 42315 byte 8 days old -- tsoc.log
14.08.2008 16:11:50 99993 byte 8 days old -- iis6.log
14.08.2008 16:11:50 30750 byte 8 days old -- comsetup.log
14.08.2008 16:11:50 92739 byte 8 days old -- FaxSetup.log
14.08.2008 16:11:50 9373 byte 8 days old -- KB952287.log
14.08.2008 16:11:50 4665 byte 8 days old -- tabletoc.log
14.08.2008 16:11:50 1374 byte 8 days old -- imsins.log
14.08.2008 16:18:25 6224 byte 8 days old -- KB951072-v2.log
14.08.2008 16:18:29 (DIR) 0 byte 8 days old -- $hf_mig$
14.08.2008 16:31:28 5603 byte 8 days old -- KB952954.log
14.08.2008 16:31:28 (DIR) 0 byte 8 days old -- inf
15.08.2008 13:28:57 1141 byte 7 days old -- ARCHPR.INI
17.08.2008 11:31:08 (DIR) 0 byte 5 days old -- Installer
19.08.2008 21:07:05 884736 byte 3 days old -- gmer.dll
19.08.2008 21:35:53 (DIR) 0 byte 3 days old -- system
20.08.2008 16:06:16 (DIR) 0 byte 2 days old -- AppPatch
20.08.2008 16:09:07 227 byte 2 days old -- system.ini
20.08.2008 18:44:46 (DIR) 0 byte 2 days old -- system32
20.08.2008 21:20:10 69 byte 2 days old -- NeroDigital.ini
21.08.2008 15:47:06 16166774 byte 1 days old -- ntbtlog.txt
21.08.2008 17:43:35 269 byte 1 days old -- lexstat.ini
21.08.2008 21:06:18 297 byte 1 days old -- gmer.ini
22.08.2008 14:00:38 2048 byte 0 days old -- bootstat.dat
22.08.2008 14:00:39 0 byte 0 days old -- 0.log
22.08.2008 14:00:52 0 byte 0 days old -- wiaservc.log
22.08.2008 14:00:53 159 byte 0 days old -- wiadebug.log
22.08.2008 14:00:55 1364214 byte 0 days old -- WindowsUpdate.log
22.08.2008 14:04:32 692 byte 0 days old -- win.ini
22.08.2008 14:53:34 (DIR) 0 byte 0 days old -- temp

----- recent files in C:\WINDOWS\Downloaded Program Files\

----- recent files in C:\WINDOWS\system\

----- recent files in C:\WINDOWS\system32\
25.06.2008 18:15:46 17972344 byte 58 days old -- MRT.exe
12.07.2008 21:52:12 297 byte 41 days old -- MsiExec.exe.log
10.08.2008 13:57:24 302032 byte 12 days old -- FNTCACHE.DAT
14.08.2008 16:11:41 (DIR) 0 byte 8 days old -- dllcache
19.08.2008 15:50:10 2206 byte 3 days old -- wpa.dbl
20.08.2008 16:14:28 (DIR) 0 byte 2 days old -- CatRoot2
20.08.2008 16:16:05 (DIR) 0 byte 2 days old -- drivers
20.08.2008 18:44:46 77824 byte 2 days old -- DRWEBSP.DLL
22.08.2008 14:00:35 946465 byte 0 days old -- OODBS.lor
22.08.2008 14:00:44 26682 byte 0 days old -- nvapps.xml

----- recent files in C:\WINDOWS\system32\drivers\
17.08.2008 15:01:14 17144 byte 5 days old -- mbam.sys
17.08.2008 15:01:18 38472 byte 5 days old -- mbamswissarmy.sys
19.08.2008 21:07:05 85969 byte 3 days old -- gmer.sys
20.08.2008 16:08:53 (DIR) 0 byte 2 days old -- etc

----- recent files in C:\WINDOWS\temp\
20.08.2008 16:11:18 9076736 byte 2 days old -- JETC430.tmp
20.08.2008 16:11:18 45056 byte 2 days old -- JETC394.tmp
20.08.2008 16:11:19 8192 byte 2 days old -- JETC598.tmp
20.08.2008 16:11:19 57344 byte 2 days old -- JETC8A5.tmp
20.08.2008 18:52:17 0 byte 2 days old -- JETB178.tmp
20.08.2008 18:52:17 0 byte 2 days old -- JETB06F.tmp
20.08.2008 18:52:18 0 byte 2 days old -- JETB551.tmp
20.08.2008 18:52:19 0 byte 2 days old -- JETB9E5.tmp
20.08.2008 19:03:32 4096 byte 2 days old -- JETFD56.tmp
20.08.2008 19:03:33 5640192 byte 2 days old -- JET19C.tmp
20.08.2008 19:03:34 8192 byte 2 days old -- JET2F4.tmp
20.08.2008 19:03:34 57344 byte 2 days old -- JET44B.tmp
21.08.2008 15:54:14 8192 byte 1 days old -- JET1582.tmp
21.08.2008 15:54:14 225280 byte 1 days old -- JET13EB.tmp
21.08.2008 15:54:14 4096 byte 1 days old -- JET134F.tmp
21.08.2008 15:54:15 57344 byte 1 days old -- JET1756.tmp
21.08.2008 16:16:08 258048 byte 1 days old -- JETF86.tmp
21.08.2008 16:16:08 4096 byte 1 days old -- JETDD1.tmp
21.08.2008 16:16:10 8192 byte 1 days old -- JET15B1.tmp
21.08.2008 16:16:11 57344 byte 1 days old -- JET1C38.tmp
21.08.2008 18:12:16 0 byte 1 days old -- JET1AD1.tmp
21.08.2008 18:12:16 0 byte 1 days old -- JET1A83.tmp
21.08.2008 18:12:16 0 byte 1 days old -- JET1D13.tmp
21.08.2008 18:12:17 0 byte 1 days old -- JET1E9A.tmp
21.08.2008 18:29:45 0 byte 1 days old -- JETCC44.tmp
21.08.2008 18:29:46 0 byte 1 days old -- JETD1A3.tmp
21.08.2008 18:29:47 0 byte 1 days old -- JETD6C3.tmp
21.08.2008 18:29:50 0 byte 1 days old -- JETE0D5.tmp
21.08.2008 19:34:08 4096 byte 1 days old -- JET15FF.tmp
21.08.2008 19:34:18 241664 byte 1 days old -- JET3D1E.tmp
21.08.2008 19:34:18 8192 byte 1 days old -- JET3E09.tmp
21.08.2008 19:34:18 57344 byte 1 days old -- JET3FED.tmp
21.08.2008 20:26:15 4096 byte 1 days old -- JETD92.tmp
21.08.2008 20:26:16 6053888 byte 1 days old -- JETEEA.tmp
21.08.2008 20:26:17 8192 byte 1 days old -- JET12B3.tmp
21.08.2008 20:26:18 57344 byte 1 days old -- JET1870.tmp
22.08.2008 04:23:51 0 byte 0 days old -- JET10AF.tmp
22.08.2008 04:23:51 0 byte 0 days old -- JET10FD.tmp
22.08.2008 04:23:52 0 byte 0 days old -- JET1478.tmp
22.08.2008 04:23:52 0 byte 0 days old -- JET1320.tmp
22.08.2008 14:00:52 40960 byte 0 days old -- rtdrvmon.exe
22.08.2008 14:01:04 4096 byte 0 days old -- JETE1A5.tmp
22.08.2008 14:01:06 204800 byte 0 days old -- JETE975.tmp
22.08.2008 14:01:08 8192 byte 0 days old -- JETF2CC.tmp
22.08.2008 14:01:10 57344 byte 0 days old -- JETF934.tmp
22.08.2008 14:30:24 (DIR) 0 byte 0 days old -- _avast4_

----- recent files in C:\Programme\
30.06.2008 06:53:09 (DIR) 0 byte 53 days old -- eMule
12.07.2008 21:26:06 (DIR) 0 byte 41 days old -- Nero
12.07.2008 22:16:42 (DIR) 0 byte 41 days old -- Ahead
08.08.2008 21:48:12 (DIR) 0 byte 14 days old -- MSECACHE
08.08.2008 21:49:02 (DIR) 0 byte 14 days old -- Microsoft Office
08.08.2008 21:55:46 (DIR) 0 byte 14 days old -- FlashFXP
18.08.2008 18:13:08 (DIR) 0 byte 4 days old -- Malwarebytes' Anti-Malware
20.08.2008 16:06:16 (DIR) 0 byte 2 days old -- Gemeinsame Dateien
20.08.2008 18:44:31 (DIR) 0 byte 2 days old -- InstallShield Installation Information
22.08.2008 04:22:05 (DIR) 0 byte 0 days old -- Spybot - Search & Destroy
22.08.2008 14:04:50 (DIR) 0 byte 0 days old -- Mozilla Firefox
22.08.2008 14:19:01 (DIR) 0 byte 0 days old -- Registry Mechanic

----- recent files in C:\Programme\Gemeinsame Dateien\
12.07.2008 21:29:00 (DIR) 0 byte 41 days old -- Nero
12.07.2008 22:16:42 (DIR) 0 byte 41 days old -- Ahead
08.08.2008 21:48:57 (DIR) 0 byte 14 days old -- Microsoft Shared
17.08.2008 11:36:53 (DIR) 0 byte 5 days old -- Wise Installation Wizard

----- recent files in C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\
12.07.2008 21:36:12 (DIR) 0 byte 41 days old -- Nero
18.08.2008 18:13:11 (DIR) 0 byte 4 days old -- Malwarebytes
18.08.2008 18:47:05 (DIR) 0 byte 4 days old -- uTorrent

----- recent files in C:\DOKUME~1\Frank\LOKALE~1\Temp\
12.08.2008 12:10:40 1041 byte 10 days old -- zoek.bat
20.08.2008 16:27:15
(DIR) 0 byte 2 days old -- plugtmp 20.08.2008 16:30:38 (DIR) 0 byte 2 days old -- nro.log 20.08.2008 16:34:10 (DIR) 0 byte 2 days old -- VBE 20.08.2008 17:09:40 69032 byte 2 days old -- cteng_1_1_121218519147.dat 20.08.2008 17:09:40 78640 byte 2 days old -- cteng_1_1_111218949358.dat 20.08.2008 17:09:41 54900 byte 2 days old -- cteng_1_1_131219194325.dat 20.08.2008 17:09:41 58212 byte 2 days old -- cteng_1_1_141219040257.dat 20.08.2008 17:09:43 91548 byte 2 days old -- cteng_1_1_41219131594.dat 20.08.2008 17:09:43 66468 byte 2 days old -- cteng_1_1_211219185421.dat 20.08.2008 17:09:44 60812 byte 2 days old -- cteng_1_1_91219130257.dat 20.08.2008 17:09:45 210368 byte 2 days old -- cteng_1_2_141218866554.dat 20.08.2008 17:09:46 237712 byte 2 days old -- cteng_1_2_151218259946.dat 20.08.2008 17:09:47 254628 byte 2 days old -- cteng_1_2_161218810656.dat 20.08.2008 17:09:48 244628 byte 2 days old -- cteng_1_2_181219126656.dat 20.08.2008 17:09:48 274004 byte 2 days old -- cteng_1_2_171219123956.dat 20.08.2008 17:09:50 299924 byte 2 days old -- cteng_1_2_211219208555.dat 20.08.2008 17:09:52 300012 byte 2 days old -- cteng_1_2_71219190662.dat 20.08.2008 17:44:55 16384 byte 2 days old -- ~WRF0000.tmp 20.08.2008 18:33:05 862 byte 2 days old -- ~WRD0005.doc 20.08.2008 18:42:54 455600 byte 2 days old -- _is1.exe 20.08.2008 18:45:33 (DIR) 0 byte 2 days old -- {97232E5D-525E-4750-938F-AEFCE2F56D04} 20.08.2008 18:45:42 5421 byte 2 days old -- ~WRS0003.tmp 20.08.2008 18:49:26 (DIR) 0 byte 2 days old -- {47D8183A-523F-40C6-AB9B-81E5AB9989C3} 20.08.2008 21:39:54 (DIR) 0 byte 2 days old -- plugtmp-1 21.08.2008 04:22:58 (DIR) 0 byte 1 days old -- msohtml1 21.08.2008 16:00:25 (DIR) 0 byte 1 days old -- F-Secure 21.08.2008 16:08:24 (DIR) 0 byte 1 days old -- plugtmp-2 21.08.2008 16:18:16 311296 byte 1 days old -- ~DF31FF.tmp 21.08.2008 16:49:56 (DIR) 0 byte 1 days old -- plugtmp-3 21.08.2008 17:15:03 31664 byte 1 days old -- cteng_1_1_101219302166.dat 21.08.2008 17:15:04 52196 byte 1 
days old -- cteng_1_1_181219301262.dat 21.08.2008 17:15:04 54468 byte 1 days old -- cteng_1_1_161219303964.dat 21.08.2008 17:15:05 43888 byte 1 days old -- cteng_1_1_81219299459.dat 21.08.2008 17:15:05 54212 byte 1 days old -- cteng_1_1_71219294958.dat 21.08.2008 17:15:06 323740 byte 1 days old -- cteng_1_2_131219304863.dat 21.08.2008 17:15:06 321024 byte 1 days old -- cteng_1_2_201219298566.dat 21.08.2008 17:15:07 246692 byte 1 days old -- cteng_1_2_221219297820.dat 21.08.2008 17:15:08 265080 byte 1 days old -- cteng_1_2_41219300363.dat 21.08.2008 17:15:09 6124 byte 1 days old -- cteng_8_2_11219319937.dat 21.08.2008 18:17:00 (DIR) 0 byte 1 days old -- plugtmp-4 21.08.2008 19:16:18 8200 byte 1 days old -- etilqs_eiAjd3F9HbFfpbuGXH4Z 21.08.2008 19:17:52 (DIR) 0 byte 1 days old -- AVK_UpdateBase1 21.08.2008 19:19:49 966 byte 1 days old -- _GEAREXT.WO_IDENT.TXT 21.08.2008 20:10:33 (DIR) 0 byte 1 days old -- plugtmp-5 21.08.2008 20:31:20 (DIR) 0 byte 1 days old -- plugtmp-6 21.08.2008 21:25:17 44216 byte 1 days old -- cteng_1_1_201219340190.dat 21.08.2008 21:25:17 158056 byte 1 days old -- cteng_1_2_231219341246.dat 21.08.2008 22:25:21 565 byte 1 days old -- cteng_index.dat 22.08.2008 02:26:06 (DIR) 0 byte 0 days old -- _avast4_ 22.08.2008 04:13:03 (DIR) 0 byte 0 days old -- hsperfdata_Frank 22.08.2008 04:13:12 416 byte 0 days old -- java_install_reg.log 22.08.2008 14:00:59 (DIR) 0 byte 0 days old -- IM 22.08.2008 14:02:07 40960 byte 0 days old -- rtdrvmon.exe 22.08.2008 14:04:14 16384 byte 0 days old -- Perflib_Perfdata_784.dat 22.08.2008 14:09:53 136623 byte 0 days old -- fla39.tmp 22.08.2008 14:10:37 (DIR) 0 byte 0 days old -- plugtmp-7 22.08.2008 14:15:17 24600 byte 0 days old -- etilqs_GncwCHaI8QQ6WqI2U56D 22.08.2008 14:18:56 43380 byte 0 days old -- Setup Log 2008-08-22 #001.txt 22.08.2008 14:50:47 5604 byte 0 days old -- Log.txt 22.08.2008 14:55:53 16384 byte 0 days old -- ~DFE636.tmp 22.08.2008 15:00:03 16384 byte 0 days old -- ~DFD0E7.tmp 22.08.2008 15:00:28 
===================== MASTER BOOT RECORD =====================
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x132c4977 size 0x1e4 !
copy of MBR has been found in sector 62 !
===================== SUSPICIOUS FILES =====================
EXE and DLL files packed with runtime packers, found in: C:\; C:\WINDOWS\; C:\WINDOWS\system32\
C:\WINDOWS\DBReg.exe --> is compressed with aspack
C:\WINDOWS\Nircmd.exe --> is compressed with UPX
C:\WINDOWS\swreg.exe --> is compressed with UPX
C:\WINDOWS\swsc.exe --> is compressed with UPX
C:\WINDOWS\system32\SrchSTS.exe --> is compressed with UPX
==========================================
Scan completed in 1,5 minutes
End of report
~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~
SystemScan uses some freeware tools that remain property of their authors:
* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts"
* dumphive (Markus Stephany) --> "Registry scan"
* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"
* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"
---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log
Thanks to all of them for their hard work
This post was edited on 22.08.2008 at 15:07 by MaxPeter.
22.08.2008, 17:58
Honorary member
Posts: 29434
#14
Avenger
http://virus-protect.org/artikel/tools/avenger.html
Tick the box: "Automatically disable any rootkits found"
The box "Scan for Rootkits" should be ticked.
Copy into the white field:
Quote
registry keys to delete:
Close all open programs (because the computer will restart after the Avenger has run)
Click: Execute
Confirm that the computer will be restarted - click "yes"
Post the log that appears after the restart
-----------
First, active scanners (proactive defense) must be deactivated.
If guards are in use, deactivate them too (e.g. TeaTimer and all other virus scanners)
«« The MBR.exe must be downloaded directly into the root of C:\
You can move your mbr to c:\
Then via Start - Run >> type: cmd
Paste in: C:\mbr.exe -f
Post the log that appears
-------------
~ Then start the computer in Safe Mode, apply sdfix and post the report
__________
Kind regards
Sabina
all about PC security
22.08.2008, 19:26
Member
Thread starter, Posts: 29
#15
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x132c4977 size 0x1e4 !
copy of MBR has been found in sector 62 !
This post was edited on 24.08.2008 at 10:12 by MaxPeter.
I hope I am not doing anything wrong here; if so, please bear with me.
Many thanks in advance.
Can someone please tell me whether I have a rootkit?
This is the log file from MBR.Exe
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x132c4977 size 0x1e4 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
I use GData InternetSecurity 2008 and Spybot - Search & Destroy
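As an added example that is not part of the thread and not Gmer's code: a small Python triage function for the mbr.exe reports posted in the first post and in post #15. It assumes the report wording shown in those posts; the status names are my own, and it classifies the post #15 case, where the MBR reads OK but the rootkit body is still reported at its disk sector, as residual rather than clean.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Sample input: the two mbr.exe reports posted in this thread (first post, post #15).
LOG_INFECTED = """Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x132c4977 size 0x1e4 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix."""

LOG_AFTER_FIX = """Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x132c4977 size 0x1e4 !
copy of MBR has been found in sector 62 !"""

SECTOR_RE = re.compile(r"malicious code @ sector (0x[0-9a-f]+) size (0x[0-9a-f]+)", re.I)
BACKUP_RE = re.compile(r"copy of MBR has been found in sector (\d+)")

@dataclass
class MbrVerdict:
    status: str                   # "infected", "residual", "clean", "unreadable" or "unknown" (my names)
    code_sector: Optional[int]    # sector holding the rootkit body, if reported
    code_size: Optional[int]      # its size in bytes, if reported
    backup_sector: Optional[int]  # sector holding the saved original MBR, if reported

def triage_mbr_log(text: str) -> MbrVerdict:
    # Without both a user-mode and a kernel-mode read of sector 0 the tool could
    # not compare the two views, so no verdict below can be trusted.
    if "user: MBR read successfully" not in text or "kernel: MBR read successfully" not in text:
        return MbrVerdict("unreadable", None, None, None)
    m, b = SECTOR_RE.search(text), BACKUP_RE.search(text)
    code_sector = int(m.group(1), 16) if m else None
    code_size = int(m.group(2), 16) if m else None
    backup_sector = int(b.group(1)) if b else None
    if "MBR rootkit infection detected" in text:
        status = "infected"        # the boot sector itself is hooked: "mbr.exe -f" is the advised fix
    elif "user & kernel MBR OK" in text:
        # Post #15 case: the MBR was restored, but the rootkit body is still
        # reported at its disk sector, so the result is not clean yet.
        status = "residual" if code_sector is not None else "clean"
    else:
        status = "unknown"         # both reads succeeded but no verdict line was found
    return MbrVerdict(status, code_sector, code_size, backup_sector)
```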