IE starts on its own + some installations won't start

Topic is closed!
20.08.2009, 23:11
Member

Posts: 15
#1 Hello everyone,

For a short while now I've also had the problem with IE starting by itself, except that in my case the error message says iertutil.dll could not be found (I use Firefox).
Also, many .exe files won't start (1 sec. hourglass, that's it, no error message, nothing).
It started while I was playing a browser game at this address
hxxp://armorgames.com/play/2377/straw-hat-samurai
After about 5 min I had 7 virus alerts in the Temp folder


F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\maccsnet.tmp
[DETECTION] Is the Trojan horse TR/FraudPack.qfj
F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\prun.tmp
[DETECTION] Is the Trojan horse TR/Crypt.PEPM.Gen
F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\rasesnet.tmp
[DETECTION] Is the Trojan horse TR/TDss.aoif
F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\rasvsnet.tmp
[DETECTION] Is the Trojan horse TR/Dldr.FraudLoad.wgdu.1
F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\wrascnomxe.tmp
[DETECTION] Is the Trojan horse TR/FraudPack.qfj
F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\xcpbetrqqy.tmp
[DETECTION] Is the Trojan horse TR/TDss.aoif
F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\xpre.tmp
[DETECTION] Is the Trojan horse TR/Crypt.PEPM.Gen

It seems to be one of the really nasty kind, so as a layman I'm asking for some help. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:50:31, on 20.08.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Avira\AntiVir Desktop\sched.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
F:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
F:\WINDOWS\System32\svchost.exe
F:\Programme\CDBurnerXP\NMSAccessU.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
F:\Programme\Analog Devices\Core\smax4pnp.exe
F:\Programme\Analog Devices\SoundMAX\smax4.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Programme\Avira\AntiVir Desktop\avgnt.exe
F:\WINDOWS\System32\svchost.exe
F:\Programme\Mozilla Firefox\firefox.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.ask.com?o=15183&l=dis
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - F:\Programme\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - F:\Programme\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Programme\rpbrowserrecordplugin.dll
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - F:\WINDOWS\system32\msxml71.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - F:\Programme\Windows Live\Toolbar\wltcore.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] F:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "F:\Programme\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "F:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Monopod] F:\DOKUME~1\tommy\LOKALE~1\Temp\7.tmp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bitmeter2.lnk = F:\Programme\Codebox\BitMeter\BitMeter2.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Sammelmappe - {58ECB495-38F0-49cb-A538-10282ABF65E7} - F:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Intelligente Auswahl - {700259D7-1666-479a-93B1-3250410481E8} - F:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - F:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - F:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212587922996
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212588038715
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: Antiwpa - F:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - F:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - F:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - F:\DOKUME~1\tommy\LOKALE~1\Temp\AVSETUP_49cf19ba\basic\avupgsvc.exe (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - G:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - F:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - F:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NMSAccessU - Unknown owner - F:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SeaPort - Unknown owner - F:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7501 bytes
21.08.2009, 00:12
Honorary member

Posts: 6028
#2 Clean your computer with CCleaner

MalwareBytes' Anti-Malware
Platform: Windows NT/2000/XP/2003 Server/Vista/2008 Server
Download MalwareBytes' Anti-Malware

Double-click mbam-setup and choose German; the program will now update itself

Under the tab:
"Scanner" >> "Perform quick scan".
Let the scan run
If infections are found at the end, tick them and have them removed

The log is under Scan reports (mbam-log-XX-XX-XXXX.txt)
Post its contents here in the forum
Note:
If MBAM has difficulty removing data it will report this; click OK
Then it will ask to restart the computer; allow it
You can keep Malwarebytes Anti-Malware afterwards!

Later you can also run a "Full scan"

And another HijackThis log
__________
Regards, Argus
21.08.2009, 00:46
Member

Thread starter

Posts: 15
#3 Malwarebytes now installs, but it won't start
21.08.2009, 01:20
Honorary member

Posts: 6028
#4 Rename mbam.exe in C:\Programme\Malwarebytes' Anti-Malware to test.exe and then try again...
__________
Regards, Argus
21.08.2009, 02:18
Member

Thread starter

Posts: 15
#5 OK, I've now done everything in Safe Mode and it seems to have worked (at least IE no longer tries to start)

MBAM log:
Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

21.08.2009 02:08:36
mbam-log-2009-08-21 (02-08-36).txt

Scan type: Quick scan
Objects scanned: 102422
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
F:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Not selected for removal.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.

_____________________________________________________

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:17:12, on 21.08.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Programme\Lavasoft\Ad-Aware\AAWService.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Programme\Avira\AntiVir Desktop\sched.exe
F:\WINDOWS\system32\svchost.exe
F:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
F:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
F:\WINDOWS\System32\svchost.exe
F:\Programme\CDBurnerXP\NMSAccessU.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Programme\Analog Devices\Core\smax4pnp.exe
F:\Programme\Analog Devices\SoundMAX\smax4.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Programme\Avira\AntiVir Desktop\avgnt.exe
F:\Programme\DAEMON Tools Lite\daemon.exe
F:\Programme\Codebox\BitMeter\BitMeter2.exe
F:\WINDOWS\System32\svchost.exe
F:\Programme\Mozilla Firefox\firefox.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.ask.com?o=15183&l=dis
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - F:\Programme\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - F:\Programme\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - F:\Programme\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - F:\Programme\Windows Live\Toolbar\wltcore.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] F:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "F:\Programme\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "F:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [a-squared] "F:\Programme\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "F:\Programme\Malwarebytes' Anti-Malware\winlogon.exe.exe" /runcleanupscript
O4 - HKCU\..\Run: [DAEMON Tools Lite] "F:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bitmeter2.lnk = F:\Programme\Codebox\BitMeter\BitMeter2.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Sammelmappe - {58ECB495-38F0-49cb-A538-10282ABF65E7} - F:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Intelligente Auswahl - {700259D7-1666-479a-93B1-3250410481E8} - F:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - F:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - F:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Programme\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212587922996
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212588038715
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - F:\Programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: Antiwpa - F:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - F:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - F:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - F:\DOKUME~1\tommy\LOKALE~1\Temp\AVSETUP_49cf19ba\basic\avupgsvc.exe (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - G:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - F:\Programme\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - F:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - F:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NMSAccessU - Unknown owner - F:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SeaPort - Unknown owner - F:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7723 bytes
21.08.2009, 04:05
Honorary member

Posts: 6028
#6 Close all windows and start HijackThis
Click: Do a system scan only
Put a tick in the box in front of the following entries

Quote

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.ask.com?o=15183&l=dis
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - F:\Programme\Windows Live\Toolbar\wltcore.dll (file missing)
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - F:\DOKUME~1\tommy\LOKALE~1\Temp\AVSETUP_49cf19ba\basic\avupgsvc.exe (file missing)
O23 - Service: SeaPort - Unknown owner - F:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (file missing)
Click Fix checked

Your Internet Explorer must be closed when you click Fix checked

Update Malwarebytes' Anti-Malware
Database version: 2551

Mine
Database version: 2667

And scan again

Post the data from http://board.protecus.de/t23188.htm
under items 4 and 6, and a log from ComboFix

ComboFix (by sUBs)
Download ComboFix and save it to the desktop!
Download link 1 ComboFix
Download link 2 ComboFix
Note: If a message from your virus scanner or another real-time scanner appears while you download or run ComboFix,
turn those scanners off and download ComboFix again.
There are scanners that regard certain components used by CF as suspicious and try to block or remove them.

Start combofix.exe
Follow the instructions in the window
If ComboFix has been used before, you may get a message that an update is available
Allow this update and click OK in the "NirCmd" window; afterwards click "Yes" to start the scan
While ComboFix is running, do NOT click in the window, otherwise your computer will freeze
When the tool is finished, a log file opens (C:\combofix.txt)
Now copy the COMPLETE log with a right-click and paste it into the forum with a right-click "Paste"
Follow these instructions
__________
Regards, Argus
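The entries Argus picks out in #6, and the `Monopod` and `antiwpa.dll` lines in the first log, follow a handful of rules a triager applies to any HijackThis log: orphaned entries (`(file missing)`, `(no file)`) are safe to fix, O4/O23 autostarts launched from a Temp directory are almost never legitimate, R0/R1 start and search pages should point at a host the user actually chose, an O20 Winlogon Notify DLL runs inside winlogon.exe at every logon and should be one that ships with Windows, and a BHO living directly in system32 under a generic name deserves a look. The script below is an added example (not from the thread, and not a HijackThis feature) that applies those rules to lines copied from the first log; the allow-lists of trusted browser hosts and known Winlogon Notify DLLs are assumptions to be tuned for the environment.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines copied from the first HijackThis log in this thread: a mix of malicious,
# orphaned and benign entries so every rule has a negative control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.ask.com?o=15183&l=dis
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - F:\WINDOWS\system32\msxml71.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - F:\Programme\Windows Live\Toolbar\wltcore.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "F:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Monopod] F:\DOKUME~1\tommy\LOKALE~1\Temp\7.tmp.exe
O20 - Winlogon Notify: Antiwpa - F:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Avira Upgrade Service (AntiVirUpgradeService) - Unknown owner - F:\DOKUME~1\tommy\LOKALE~1\Temp\AVSETUP_49cf19ba\basic\avupgsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed allow-lists (not from the thread): hosts an IE start/search page may
# legitimately point to, and the Winlogon Notify DLLs that ship with Windows XP.
TRUSTED_BROWSER_HOSTS = ("google.com", "google.de", "microsoft.com", "msn.com", "live.com")
KNOWN_WINLOGON_NOTIFY = {"wlnotify.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.I)
TEMP_RE = re.compile(r"\\Temp\\", re.I)
URL_RE = re.compile(r"=\s*(https?://\S+)")
SYS32_DLL_RE = re.compile(r"\\(?:WINDOWS|WINNT)\\system32\\([^\\\s]+\.dll)\s*$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the line deserves attention
    line: str     # the original log line


def _host_trusted(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_BROWSER_HOSTS)


def classify_line(line: str) -> list[str]:
    """Return the reasons a single HijackThis line should be reviewed (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if ORPHAN_RE.search(body):
        reasons.append("orphaned entry, target file is gone: safe to fix")
    if sec in ("R0", "R1"):
        url = URL_RE.search(body)
        if url and not _host_trusted(url.group(1)):
            reasons.append("IE start/search page points to an untrusted host")
    if sec in ("O4", "O23") and TEMP_RE.search(body):
        reasons.append("autostart or service launched from a Temp directory")
    if sec == "O20" and "Winlogon Notify" in body:
        dll = SYS32_DLL_RE.search(body)
        if not dll or dll.group(1).lower() not in KNOWN_WINLOGON_NOTIFY:
            reasons.append("non-standard Winlogon Notify DLL, loaded into winlogon.exe at every logon")
    if sec == "O2" and SYS32_DLL_RE.search(body):
        reasons.append("BHO loaded straight from system32; legitimate BHOs normally live under Program Files")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run classify_line over a whole log and collect one Finding per (line, reason)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        for reason in classify_line(line):
            findings.append(Finding(m.group("sec"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<3} {f.reason}\n    {f.line}")
```

On the sample the script flags exactly the entries Argus lists in #6 plus the `Monopod` autostart, the `XML module` BHO and `antiwpa.dll`, while the Avira, Java and NVIDIA lines pass. These are heuristics, not verdicts: a BHO in system32 or an unfamiliar Winlogon Notify DLL still needs a look at the file (vendor, signature, timestamp) before it is fixed.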
21.08.2009, 20:49
Member

Thread starter

Posts: 15
#7 So here I am again; that was a hard piece of work (time)

Note: I removed the malicious files as best I could with Malwarebytes/GMER/HijackThis and ran ComboFix at the end, in case there are inconsistencies between the individual pieces of information



Uninstall list

32 Bit HP CIO Components Installer
7-Zip 4.57
AC3Filter (remove only)
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Media Player
Adobe Media Player
Adobe Photoshop 7.0
Adobe Reader 8.1.3 - German
Adobe Shockwave Player 11.5
Alarm Clock v1.0
ANNO 1602 Königs-Edition
Anno 1701
Apple Software Update
ASIO4ALL
aTuner (remove only)
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
AVS Video Converter 6
BitMeter
Black and White
Blender (remove only)
BlueSoleil
Call of Duty(R) - World at War(TM)
Call of Duty(R) 4 - Modern Warfare(TM)
cc3edit
cc3edit (F:\Programme\cc3edit\)
CCleaner (remove only)
CD Audio Reader Filter (remove only)
CDBurnerXP
Choice Guard
Collab
Combined Community Codec Pack 2008-09-21 16:18
Company of Heroes
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Compatibility Pack for the 2007 Office system
Counter-Strike
Curse Client
DC-Bass Source 1.1.1
Dead Space™
Diablo II
DirectVobSub (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DS2 All*Saves v2
DScaler 5 Mpeg Decoders
Dual-Core Optimizer
Dungeon Siege 2
Empire Earth II
EVEREST Home Edition v2.20
Fallout 3
Fallout 3 - The Garden of Eden Creation Kit
ffdshow [rev 1685] [2007-12-06]
FLV Player 2.0 (build 25)
Free YouTube Download 2.2
Free YouTube to Mp3 Converter version 3.1
Google Earth
GPGNet
Haali Media Splitter
Half-Life
Hamachi 1.0.3.0
Hellgate: London
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
HP Customer Participation Program 9.0
HP Deskjet All-In-One Software 9.0
HP Imaging Device Functions 9.0
HP Photosmart Essential 2.01
HP Product Assistant
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPSSupply
ICQ6.5
Indeo® software
IrfanView (remove only)
IsoBuster 2.5
Jagged Alliance 2
Java(TM) 6 Update 6
Java(TM) 6 Update 7
JMB36X Raid Configurer
Junk Mail filter update
Konvertor
Lava Lamp 3.2.0.1
Logitech Desktop Messenger
Logitech ImageStudio
Logitech QuickCam
Logitech QuickCam Driver Package
Magic ISO Maker v5.5 (build 0272)
MAGIX Foto Manager 2007 4.2.0.176 (D)
MAGIX Music Maker 2008 13.0.0.16 (D)
Malwarebytes' Anti-Malware
MathmosScreensaver
MemInfo (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access MUI (English) 2007
Microsoft Office Access MUI (German) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office Excel Viewer
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove MUI (German) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office InfoPath MUI (German) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office OneNote MUI (German) 2007
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Outlook MUI (German) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (German) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (German) 2007
Microsoft Office Word Viewer 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual J# 2.0 Redistributable Package
mIRC
Mozilla Firefox (3.0.13)
MSVCRT
MSXML 6.0 Parser (KB925673)
Natural Selection 3.2
nLite 1.4.9.1
NVIDIA Drivers
NVIDIA PhysX
Oil Tycoon 2
OpenSource Flash Video Splitter (remove only)
PC Inspector File Recovery
PC Probe II
PFPortChecker 1.0.30
PowerISO
ProtectDisc Driver, Version 11
ProtectDisc Helper Driver 10
PunkBuster Services
Quake 4(TM)
QuickTime
Railroad Tycoon II - Platinum
RealMedia (remove only)
RealPlayer
Revo Uninstaller 1.83
Security Task Manager 1.7h
Segoe UI
SHOUTcast Source (remove only)
SimCity 3000
SimCity 4
SoundMAX
SpeedFan (remove only)
SPORE™
Starfield Simulator Pro 1.0.1
Steam
Streamripper (Remove only)
TeamSpeak 2 RC2
TeamViewer 4
Titan Quest
Titan Quest Immortal Throne
Tom Clancy's Rainbow Six Vegas 2
Toribash 3.32
Tweak UI
Uniblue RegistryBooster 2009
Uniblue RegistryBooster 2009
Uninstall 1.0.0.1
VC80CRTRedist - 8.0.50727.762
VH Dissector Pro
VideoLAN VLC media player 0.8.6h
Warhammer Online: Age of Reckoning
Winamp
Winamp Remote
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Sign-in Assistant
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Family Safety
Windows Live Photo Gallery
Windows Live Mail
Windows Live Messenger
Windows Live Sync
Windows Live Toolbar
Windows Live Writer
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows Vista Sounds Pack
Windows Workflow Foundation
Windows XP Service Pack 2
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
WinRAR
World of Warcraft
YAWLE 0.5b
ZoneAlarm
Zoom Player (remove only)
____________________________________________________

GMER log

GMER 1.0.15.15077 [lykvqh5n.exe] - http://www.gmer.net
Rootkit scan 2009-08-21 19:31:10
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

INT 0x62  ?                                                                                                                                 8A153BF8
INT 0x63  ?                                                                                                                                 8A1C2BF8
INT 0x73  ?                                                                                                                                 8A1C2BF8
INT 0x83  ?                                                                                                                                 8A1C2BF8
INT 0xB4  ?                                                                                                                                 8A1C5BF8

Code      89FE3480                                                                                                                          ZwEnumerateKey
Code      89F744A0                                                                                                                          ZwFlushInstructionCache
Code      8A009DD6                                                                                                                          IofCallDriver
Code      89FD9F16                                                                                                                          IofCompleteRequest
Code      89F74465                                                                                                                          ZwSaveKey
Code      8A00BB3D                                                                                                                          ZwSaveKeyEx

---- Kernel code sections - GMER 1.0.15 ----

.text     ntoskrnl.exe!IofCallDriver                                                                                                        804E19BC 5 Bytes  JMP 8A009DDB
.text     ntoskrnl.exe!IofCompleteRequest                                                                                                   804E1DD2 5 Bytes  JMP 89FD9F1B
.text     ntoskrnl.exe!ZwSaveKey                                                                                                            804E4890 5 Bytes  JMP 89F7446A
.text     ntoskrnl.exe!ZwSaveKeyEx                                                                                                          804E48A9 5 Bytes  JMP 8A00BB42
?         speh.sys                                                                                                                          The system cannot find the file specified. !
.text     USBPORT.SYS!DllUnload                                                                                                             BA54A62C 5 Bytes  JMP 89F8E4E0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT       \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                                                8A1C52D8
IAT       pci.sys[ntoskrnl.exe!IoDetachDevice]                                                                                              [F7508C4C] speh.sys
IAT       pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]                                                                                 [F7508CA0] speh.sys
IAT       atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                                [F74D8040] speh.sys
IAT       atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                        [F74D813C] speh.sys
IAT       atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                               [F74D80BE] speh.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                       [F74D87FC] speh.sys
IAT       atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                               [F74D86D2] speh.sys
IAT       \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                                [F74E8048] speh.sys
IAT       \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]                                                              89F8E5E0

---- Devices - GMER 1.0.15 ----

Device    \FileSystem\Ntfs \Ntfs                                                                                                            8A1511F8
Device    \Driver\usbohci \Device\USBPDO-0                                                                                                  8A0081F8
Device    \Driver\Ftdisk \Device\HarddiskVolume1                                                                                            8A1C31F8
Device    \Driver\sptd \Device\3689351102                                                                                                   speh.sys
Device    \Driver\Ftdisk \Device\HarddiskVolume2                                                                                            8A1C31F8
Device    \Driver\Ftdisk \Device\HarddiskVolume3                                                                                            8A1C31F8
Device    \Driver\atapi \Device\Ide\IdePort0                                                                                                8A1531F8
Device    \Driver\atapi \Device\Ide\IdePort1                                                                                                8A1531F8
Device    \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3                                                                                       8A1531F8
Device    \Driver\Ftdisk \Device\HarddiskVolume4                                                                                            8A1C31F8
Device    \Driver\PCI_PNP6102 \Device\0000005d                                                                                              speh.sys
Device    \Driver\PCI_PNP6102 \Device\0000005d                                                                                              speh.sys
Device    \Driver\usbohci \Device\USBFDO-0                                                                                                  8A0081F8
Device    \Driver\nvata \Device\NvAta0                                                                                                      8A1C21F8
Device    \Driver\nvata \Device\NvAta1                                                                                                      8A1C21F8
Device    \Driver\nvata \Device\NvAta2                                                                                                      8A1C21F8
Device    \Driver\Ftdisk \Device\FtControl                                                                                                  8A1C31F8
Device    \Driver\nvata \Device\0000007f                                                                                                    8A1C21F8
Device    \Driver\ajmni3ko \Device\Scsi\ajmni3ko1Port6Path0Target1Lun0                                                                      8A0181F8
Device    \Driver\ajmni3ko \Device\Scsi\ajmni3ko1                                                                                           8A0181F8
Device    \Driver\JRAID \Device\Scsi\JRAID1                                                                                                 8A1521F8
Device    \Driver\ajmni3ko \Device\Scsi\ajmni3ko1Port6Path0Target0Lun0                                                                      8A0181F8
Device    \FileSystem\Cdfs \Cdfs                                                                                                            89F481F8

---- Processes - GMER 1.0.15 ----

Library   \\?\globalroot\systemroot\system32\UACbfqyteikrn.dll (*** hidden *** ) @ F:\WINDOWS\system32\svchost.exe [532]                    0x10000000                                                    
Library   \\?\globalroot\systemroot\system32\UACiqkdvwvumm.dll (*** hidden *** ) @ F:\WINDOWS\system32\svchost.exe [532]                    0x00740000                                                    
Library   \\?\globalroot\systemroot\system32\UACbfqyteikrn.dll (*** hidden *** ) @ F:\WINDOWS\system32\svchost.exe [636]                    0x10000000                                                    
Library   \\?\globalroot\systemroot\system32\UACiqkdvwvumm.dll (*** hidden *** ) @ F:\WINDOWS\system32\svchost.exe [636]                    0x00740000                                                    
Library   \\?\globalroot\systemroot\system32\UACufpaqfqpwk.dll (*** hidden *** ) @ F:\WINDOWS\Explorer.EXE [948]                            0x00BC0000                                                    

---- Services - GMER 1.0.15 ----

Service   F:\WINDOWS\system32\drivers\UACusjnrdlscb.sys (*** hidden *** )                                                                   [SYSTEM] UACd.sys                                              <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                                  
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                               F:\Programme\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                               0
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                            0xBA 0xD8 0x9D 0x40 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                                        
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                      0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                   0x07 0xA9 0x3D 0x00 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                                  
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                             0x43 0xF6 0x3F 0xFD ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41                                  
Reg       HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                             0xA6 0x56 0x7F 0x14 ...
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys                                                                                  
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@start                                                                             1
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@type                                                                              1
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@imagepath                                                                         \systemroot\system32\drivers\UACusjnrdlscb.sys
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys@group                                                                             file system
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules                                                                          
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACd                                                                      \\?\globalroot\systemroot\system32\drivers\UACusjnrdlscb.sys
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@UACc                                                                      \\?\globalroot\systemroot\system32\UACcoiedxelnd.dll
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacbbr                                                                    \\?\globalroot\systemroot\system32\UACbfqyteikrn.dll
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacsr                                                                     \\?\globalroot\systemroot\system32\UACjxrmsqxrht.dat
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacmal                                                                    \\?\globalroot\systemroot\system32\UACnpomqmliky.db
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacrem                                                                    \\?\globalroot\systemroot\system32\UACiqkdvwvumm.dll
Reg       HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys\modules@uacserf                                                                   \\?\globalroot\systemroot\system32\UACufpaqfqpwk.dll
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                              
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                   F:\Programme\DAEMON Tools Lite\
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                   0
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                0xBA 0xD8 0x9D 0x40 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)                    
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                          0x20 0x01 0x00 0x00 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                       0x07 0xA9 0x3D 0x00 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)              
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                 0x43 0xF6 0x3F 0xFD ...
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)              
Reg       HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                                 0xA6 0x56 0x7F 0x14 ...
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys (not active ControlSet)                                                              
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start                                                                                 1
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type                                                                                  1
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath                                                                             \systemroot\system32\drivers\UACusjnrdlscb.sys
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group                                                                                 file system
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules (not active ControlSet)                                                      
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACd                                                                          \\?\globalroot\systemroot\system32\drivers\UACusjnrdlscb.sys
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@UACc                                                                          \\?\globalroot\systemroot\system32\UACcoiedxelnd.dll
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacbbr                                                                        \\?\globalroot\systemroot\system32\UACbfqyteikrn.dll
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacsr                                                                         \\?\globalroot\systemroot\system32\UACjxrmsqxrht.dat
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacmal                                                                        \\?\globalroot\systemroot\system32\UACnpomqmliky.db
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacrem                                                                        \\?\globalroot\systemroot\system32\UACiqkdvwvumm.dll
Reg       HKLM\SYSTEM\ControlSet003\Services\UACd.sys\modules@uacserf                                                                       \\?\globalroot\systemroot\system32\UACufpaqfqpwk.dll
Reg       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout                                                15
Reg       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota                                                   10000
Reg       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                                                                 yes
Reg       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                                                                
Reg       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout                                                90
Reg       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota                                                  10000
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}  
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}  
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\InprocServer32@                                                F:\Programme\QuickTime\QTPlugin.ocx
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\InprocServer32@ThreadingModel                                  Apartment
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\MiscStatus@                                                    0
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\MiscStatus\1                                                  
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\MiscStatus\1@                                                  131473
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\ProgID@                                                        QuickTime.QuickTime.9
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\ToolboxBitmap32@                                               F:\Programme\QuickTime\QTPlugin.ocx, 102
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\TreatAs@                                                       {4063BE15-3B08-470D-A0D5-B37161CFFD69}
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\TypeLib@                                                       {02BF25D2-8C17-4B23-BC80-D3488ABDDC6B}
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\Version@                                                       9.0
Reg       HKLM\SOFTWARE\Classes\CLSID\{6226BB20-A4E9-DEBE-E2EF-AE13E43088FF}\VersionIndependentProgID@                                      QuickTime.QuickTime

---- Files - GMER 1.0.15 ----

File      F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\UAC1be9.tmp                                                        83968 bytes executable
File      F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\UAC8537.tmp                                                        343040 bytes executable
File      F:\WINDOWS\system32\drivers\UACusjnrdlscb.sys                                                                                     54784 bytes executable                                         <-- ROOTKIT !!!
File      F:\WINDOWS\system32\UACbfqyteikrn.dll                                                                                             74240 bytes executable
File      F:\WINDOWS\system32\UACcoiedxelnd.dll                                                                                             26624 bytes executable
File      F:\WINDOWS\system32\uacinit.dll                                                                                                   6580 bytes
File      F:\WINDOWS\system32\UACiqkdvwvumm.dll                                                                                             30208 bytes executable
File      F:\WINDOWS\system32\UACjxrmsqxrht.dat                                                                                             174 bytes
File      F:\WINDOWS\system32\UACnpomqmliky.db                                                                                              1110399 bytes
File      F:\WINDOWS\system32\UACufpaqfqpwk.dll                                                                                             19968 bytes executable

---- EOF - GMER 1.0.15 ----
_____________________________________________________


Combofix log


ComboFix 09-08-20.03 - Administrator 21.08.2009 20:36.1.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.2.1252.49.1031.18.3070.2756 [GMT 2:00]
ausgeführt von:: f:\dokumente und einstellungen\tommy\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\dokumente und einstellungen\tommy\Anwendungsdaten\.#
f:\dokumente und einstellungen\tommy\Anwendungsdaten\.#\MBX@E8@3741A8.###
f:\dokumente und einstellungen\tommy\Anwendungsdaten\.#\MBX@E8@3741D8.###
f:\dokumente und einstellungen\tommy\Anwendungsdaten\.#\MBX@E8@374208.###
f:\windows\system32\AutoRun.inf
f:\windows\system32\BReWErS.dll
f:\windows\system32\Drivers\vkdlc.sys
f:\windows\system32\OGACheckControl.dll

.
(((((((((((((((((((((((((((((((((((((((   Treiber/Dienste   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_negpf
-------\Service_negpf


(((((((((((((((((((((((   Dateien erstellt von 2009-07-21 bis 2009-08-21  ))))))))))))))))))))))))))))))
.

2030-08-29 13:22 . 2030-08-29 13:22    56832    ------w-    f:\windows\system32\Iyvu9_32.dll
2009-08-21 00:04 . 2009-08-21 00:04    --------    d-----w-    f:\dokumente und einstellungen\tommy\Anwendungsdaten\Malwarebytes
2009-08-20 23:47 . 2007-04-23 16:38    5376    ----a-w-    f:\windows\system32\antiwpa.dll
2009-08-20 23:15 . 2009-08-20 23:15    --------    d-----r-    f:\dokumente und einstellungen\Administrator\Eigene Dateien
2009-08-20 23:12 . 2009-08-20 23:12    --------    d-----w-    f:\dokumente und einstellungen\Administrator\Anwendungsdaten\Malwarebytes
2009-08-20 22:56 . 2009-08-03 11:36    38160    ----a-w-    f:\windows\system32\drivers\mbamswissarmy.sys
2009-08-20 22:56 . 2009-08-20 23:01    --------    d-----w-    f:\programme\Malwarebytes' Anti-Malware
2009-08-20 22:56 . 2009-08-20 22:56    --------    d-----w-    f:\dokume~1\ALLUSE~1\ANWEND~1\Malwarebytes
2009-08-20 22:56 . 2009-08-03 11:36    19096    ----a-w-    f:\windows\system32\drivers\mbam.sys
2009-08-20 22:23 . 2009-08-20 22:23    --------    d-----w-    f:\programme\CCleaner
2009-08-20 22:19 . 2009-08-20 22:19    --------    d-----w-    f:\programme\Bullfrog
2009-08-20 21:12 . 2009-07-03 14:49    15688    ----a-w-    f:\windows\system32\lsdelete.exe
2009-08-20 21:10 . 2009-07-03 14:49    64160    ----a-w-    f:\windows\system32\drivers\Lbd.sys
2009-08-20 21:10 . 2009-08-20 21:10    --------    dc-h--w-    f:\dokume~1\ALLUSE~1\ANWEND~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-20 21:10 . 2009-08-20 21:10    --------    d-----w-    f:\dokume~1\ALLUSE~1\ANWEND~1\Lavasoft
2009-08-20 21:10 . 2009-08-20 21:10    --------    d-----w-    f:\programme\Lavasoft
2009-08-20 20:14 . 2009-08-20 20:14    --------    d-----w-    f:\programme\Trend Micro
2009-08-20 17:29 . 2009-08-21 05:23    19968    ----a-w-    f:\windows\system32\UACufpaqfqpwk.dll
2009-08-20 17:29 . 2009-08-21 05:23    30208    ----a-w-    f:\windows\system32\UACiqkdvwvumm.dll
2009-08-20 17:29 . 2009-08-21 05:23    174    ----a-w-    f:\windows\system32\UACjxrmsqxrht.dat
2009-08-20 17:29 . 2009-08-20 17:29    26624    ----a-w-    f:\windows\system32\UACcoiedxelnd.dll
2009-08-20 11:26 . 2009-08-20 11:26    --------    d-----w-    f:\dokume~1\ALLUSE~1\ANWEND~1\Canneverbe Limited
2009-08-20 11:25 . 2009-08-20 11:25    --------    d-----w-    f:\programme\CDBurnerXP
2009-08-18 00:46 . 2009-08-18 00:46    --------    d-----w-    f:\programme\PFPortChecker
2009-08-16 11:59 . 2009-08-16 11:59    --------    d-----w-    f:\programme\Astonsoft
2009-08-16 11:53 . 2009-08-16 11:53    --------    d-----w-    f:\dokumente und einstellungen\tommy\Anwendungsdaten\Canneverbe_Limited
2009-08-15 12:41 . 2007-01-01 18:03    40960    ----a-r-    f:\windows\system32\psfind.dll
2009-08-15 03:36 . 2009-08-15 03:51    26515    ----a-w-    f:\windows\DIIUnin.dat
2009-08-15 03:36 . 2009-08-15 03:36    2829    ----a-w-    f:\windows\DIIUnin.pif
2009-08-15 03:36 . 2009-08-15 03:36    102400    ----a-w-    f:\windows\DIIUnin.exe
2009-08-10 21:53 . 2009-08-10 21:53    --------    d-----w-    f:\dokumente und einstellungen\tommy\Lokale Einstellungen\Anwendungsdaten\fabi.me
2009-08-10 21:45 . 2009-08-10 21:47    --------    d-----w-    f:\dokumente und einstellungen\tommy\Lokale Einstellungen\Anwendungsdaten\Nemex
2009-08-07 19:01 . 2009-08-07 19:01    --------    d-----w-    f:\dokumente und einstellungen\tommy\Lokale Einstellungen\Anwendungsdaten\DOSBox
2009-08-07 19:01 . 2009-08-20 20:06    --------    d-----w-    f:\programme\DOSBox-0.73
2009-08-05 02:48 . 2009-08-05 02:49    --------    d-----w-    f:\windows\system32\MathmosScreensaver dir
2009-08-05 02:48 . 2009-08-05 02:48    520192    ----a-w-    f:\windows\system32\MathmosScreensaver.scr
2009-08-05 02:44 . 2009-08-05 02:44    --------    d-----w-    f:\programme\Lava Lamp
2009-07-30 23:11 . 2009-08-21 16:05    --------    d-----w-    f:\dokume~1\ALLUSE~1\ANWEND~1\Bitmeter2
2009-07-30 23:11 . 2009-08-09 18:08    --------    d-----w-    f:\dokumente und einstellungen\tommy\Anwendungsdaten\Bitmeter2
2009-07-30 23:11 . 2009-07-30 23:11    --------    d-----w-    f:\programme\Codebox
2009-07-30 23:11 . 2009-07-30 23:11    --------    d-----w-    f:\programme\Bandwidth Meter
2009-07-29 05:18 . 2009-07-29 07:03    --------    d-----w-    f:\dokumente und einstellungen\tommy\Anwendungsdaten\mIRC
2009-07-29 05:18 . 2009-07-29 05:19    --------    d-----w-    f:\programme\mIRC
2009-07-23 07:25 . 2009-07-25 05:24    --------    d-----w-    f:\programme\Free Download Manager

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-21 04:59 . 2008-06-04 13:53    --------    d--h--w-    f:\programme\InstallShield Installation Information
2009-08-21 04:59 . 2008-06-20 12:18    --------    d-----w-    f:\programme\Electronic Arts
2009-08-21 04:59 . 2008-11-03 12:24    5036    ----a-w-    f:\windows\system32\ealregsnapshot1.reg
2009-08-21 04:58 . 2008-12-23 16:03    --------    d-----w-    f:\programme\Google
2009-08-21 04:58 . 2008-10-01 16:00    --------    d-----w-    f:\programme\Image-Line
2009-08-21 04:57 . 2008-10-01 21:24    --------    d-----w-    f:\dokume~1\ALLUSE~1\ANWEND~1\MAGIX
2009-08-21 04:57 . 2009-01-14 10:01    --------    d-----w-    f:\programme\MONOGRAM AMR SplitterDecoder
2009-08-21 04:51 . 2009-04-25 08:58    --------    d-----w-    f:\programme\AVS4YOU
2009-08-21 04:50 . 2008-12-05 08:27    --------    d-----w-    f:\programme\Gemeinsame Dateien\AquaSoft
2009-08-21 00:00 . 2001-08-18 12:00    507392    ----a-w-    f:\windows\system32\winlogon.exe
2009-08-20 22:52 . 2009-08-20 22:53    60928    ----a-w-    f:\windows\Internet Logs\xDB26.tmp
2009-08-20 22:52 . 2009-08-20 22:53    2191360    ----a-w-    f:\windows\Internet Logs\xDB27.tmp
2009-08-20 22:15 . 2008-06-10 20:06    --------    d-----w-    f:\dokumente und einstellungen\tommy\Anwendungsdaten\BitTorrent
2009-08-20 17:26 . 2009-03-29 22:53    18696224    --sha-w-    f:\windows\system32\drivers\fidbox.dat
2009-08-20 15:19 . 2008-06-22 09:51    7609811    ----a-w-    f:\programme\Temp Log.log
2009-08-20 11:18 . 2009-03-30 17:52    --------    d-----w-    f:\programme\nLite
2009-08-20 11:18 . 2008-10-24 22:22    --------    d-----w-    f:\programme\SpeedFan
2009-08-17 22:15 . 2009-03-29 22:53    221096    --sha-w-    f:\windows\system32\drivers\fidbox.idx
2009-08-15 13:29 . 2008-06-05 19:31    98304    ----a-w-    f:\windows\system32\CmdLineExt.dll
2009-08-15 05:15 . 2008-06-22 07:59    --------    d-----w-    f:\programme\Ashampoo
2009-08-15 03:50 . 2008-09-03 03:47    21840    ----atw-    f:\windows\system32\SIntfNT.dll
2009-08-15 03:50 . 2008-09-03 03:47    17212    ----atw-    f:\windows\system32\SIntf32.dll
2009-08-15 03:50 . 2008-09-03 03:47    12067    ----atw-    f:\windows\system32\SIntf16.dll
2009-08-12 03:04 . 2008-07-06 13:21    --------    d-----w-    f:\dokumente und einstellungen\tommy\Anwendungsdaten\LimeWire
2009-08-11 12:52 . 2009-08-11 12:53    2103296    ----a-w-    f:\windows\Internet Logs\xDB25.tmp
2009-08-11 12:52 . 2009-08-11 12:53    3109888    ----a-w-    f:\windows\Internet Logs\xDB24.tmp
2009-08-10 16:04 . 2008-06-04 15:28    --------    d---a-w-    f:\dokume~1\ALLUSE~1\ANWEND~1\TEMP
2009-08-09 21:38 . 2009-05-24 14:44    2721480    ----a-w-    f:\windows\Internet Logs\tvDebug.zip
2009-08-06 03:42 . 2009-03-29 06:54    55656    ----a-w-    f:\windows\system32\drivers\avgntflt.sys
2009-08-05 12:51 . 2009-06-20 07:31    --------    d-----w-    f:\programme\NifTools
2009-07-30 23:11 . 2008-06-04 14:30    87880    ----a-w-    f:\dokumente und einstellungen\tommy\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-07-29 14:41 . 2009-07-29 14:42    2010624    ----a-w-    f:\windows\Internet Logs\xDB23.tmp
2009-07-29 13:29 . 2009-07-29 13:30    2010112    ----a-w-    f:\windows\Internet Logs\xDB22.tmp
2009-07-29 13:29 . 2009-07-29 13:30    106496    ----a-w-    f:\windows\Internet Logs\xDB21.tmp
2009-07-28 12:04 . 2009-07-28 12:05    2007040    ----a-w-    f:\windows\Internet Logs\xDB20.tmp
2009-07-28 12:04 . 2009-07-28 12:05    421376    ----a-w-    f:\windows\Internet Logs\xDB1F.tmp
2009-07-28 12:03 . 2009-07-28 12:04    2006528    ----a-w-    f:\windows\Internet Logs\xDB1E.tmp
2009-07-24 00:57 . 2009-07-24 00:58    2002944    ----a-w-    f:\windows\Internet Logs\xDB1D.tmp
2009-07-24 00:57 . 2009-07-24 00:58    260608    ----a-w-    f:\windows\Internet Logs\xDB1C.tmp
2009-07-23 02:45 . 2008-06-27 20:38    --------    d-----w-    f:\programme\Gemeinsame Dateien\Adobe
2009-07-22 12:48 . 2009-04-15 09:34    --------    d-----w-    f:\dokumente und einstellungen\tommy\Anwendungsdaten\Move Networks
2009-07-21 22:30 . 2009-07-21 22:31    1984000    ----a-w-    f:\windows\Internet Logs\xDB1B.tmp
2009-07-21 22:30 . 2009-07-21 22:31    225792    ----a-w-    f:\windows\Internet Logs\xDB1A.tmp
2009-07-17 19:19 . 2009-07-17 19:10    --------    d-----w-    f:\programme\ICQ6.5
2009-07-17 19:18 . 2009-07-17 19:18    --------    d-----w-    f:\programme\ICQ6Toolbar
2009-07-17 19:18 . 2009-07-17 19:17    --------    d-----w-    f:\dokume~1\ALLUSE~1\ANWEND~1\ICQ
2009-07-17 19:11 . 2008-09-17 04:52    --------    d-----w-    f:\programme\ICQ6
2009-07-12 12:40 . 2009-07-12 02:20    96    ---ha-w-    f:\windows\system32\HsInfo.dat
2009-07-12 02:20 . 2009-07-12 02:20    --------    d-----w-    f:\programme\Gemeinsame Dateien\DirectX
2009-07-10 11:40 . 2009-07-05 14:17    --------    d-----w-    f:\dokumente und einstellungen\tommy\Anwendungsdaten\Spore
2009-07-04 14:09 . 2009-07-04 14:10    1936384    ----a-w-    f:\windows\Internet Logs\xDB19.tmp
2009-07-04 14:09 . 2009-07-04 14:10    60928    ----a-w-    f:\windows\Internet Logs\xDB18.tmp
2009-07-02 15:02 . 2009-07-02 15:01    --------    d-----w-    f:\programme\Microsoft Games for Windows - LIVE
2009-07-02 14:55 . 2009-06-16 05:01    184816    ----a-w-    f:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
2009-07-02 14:54 . 2001-08-18 12:00    81840    ----a-w-    f:\windows\system32\perfc007.dat
2009-07-02 14:54 . 2001-08-18 12:00    450164    ----a-w-    f:\windows\system32\perfh007.dat
2009-07-01 09:59 . 2009-07-01 10:02    1903104    ----a-w-    f:\windows\Internet Logs\xDB17.tmp
2009-06-30 11:32 . 2009-06-30 11:33    3094528    ----a-w-    f:\windows\Internet Logs\xDB16.tmp
2009-06-23 01:57 . 2009-06-23 01:57    67233    ----a-w-    f:\windows\Internet Logs\vsmon_2nd_2009_06_23_03_51_04_small.dmp.zip
2009-06-23 01:48 . 2009-06-23 01:52    1894912    ----a-w-    f:\windows\Internet Logs\xDB15.tmp
2009-06-11 05:04 . 2008-06-04 13:54    25280    ----a-w-    f:\windows\system32\drivers\hamachi.sys
2009-06-06 08:01 . 2008-07-26 12:27    160021    ----a-w-    f:\windows\hpoins14.dat
2009-05-26 22:25 . 2009-05-26 22:25    390664    ----a-w-    f:\dokumente und einstellungen\tommy\Anwendungsdaten\Real\RealPlayer\Update\RealPlayer11.exe
2008-08-24 06:26 . 2008-08-24 06:26    28    ----a-w-    f:\programme\deviceinfo
2008-05-18 22:37 . 2008-05-18 22:37    256528    ----a-w-    f:\programme\Core Temp.exe
2008-05-15 12:49 . 2008-05-15 12:49    107    ----a-w-    f:\programme\Settings.ini
2009-02-24 19:34 . 2009-02-24 19:34    1044480    ----a-w-    f:\programme\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34    200704    ----a-w-    f:\programme\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2002-08-29 01:43    521728    616896B708286DA98D6A099293F181D7    f:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2004-08-03 22:58    507392    2B6A0BAF33A9918F09442D873848FF72    f:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2009-08-21 00:00    507392    DB37D307003055ED09711CB3417814C7    f:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="f:\programme\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="f:\programme\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"avgnt"="f:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - f:\windows\system32\nwiz.exe [2009-02-18 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="f:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

f:\dokume~1\ALLUSE~1\STARTM~1\PROGRA~1\AUTOST~1\
Bitmeter2.lnk - f:\programme\Codebox\BitMeter\BitMeter2.exe [2008-11-1 1462272]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\F:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Gamma Loader.lnk]
path=f:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Gamma Loader.lnk
backup=f:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\F:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Bitmeter2.lnk]
path=f:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Bitmeter2.lnk
backup=f:\windows\pss\Bitmeter2.lnkCommon Startup

[HKLM\~\startupfolder\F:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^BlueSoleil.lnk]
backup=f:\windows\pss\BlueSoleil.lnkCommon Startup
path=f:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\BlueSoleil.lnk

[HKLM\~\startupfolder\F:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^HP Digital Imaging Monitor.lnk]
path=f:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\HP Digital Imaging Monitor.lnk
backup=f:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\F:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Logitech Desktop Messenger.lnk]
backup=f:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\F:^Dokumente und Einstellungen^tommy^Startmenü^Programme^Autostart^Adobe Media Player.lnk]
backup=f:\windows\pss\Adobe Media Player.lnkStartup

[HKLM\~\startupfolder\F:^Dokumente und Einstellungen^tommy^Startmenü^Programme^Autostart^hamachi.lnk]
backup=f:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\F:^Dokumente und Einstellungen^tommy^Startmenü^Programme^Autostart^MemInfo.lnk]
backup=f:\windows\pss\MemInfo.lnkStartup

[HKLM\~\startupfolder\F:^Dokumente und Einstellungen^tommy^Startmenü^Programme^Autostart^OpenOffice.org 3.0.lnk]
path=f:\dokumente und einstellungen\tommy\Startmenü\Programme\Autostart\OpenOffice.org 3.0.lnk
backup=f:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\F:^Dokumente und Einstellungen^tommy^Startmenü^Programme^Autostart^Xfire.lnk]
backup=f:\windows\pss\Xfire.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"ose"=3 (0x3)
"gusvc"=2 (0x2)
"ICQ Service"=2 (0x2)
"vsmon"=2 (0x2)
"npggsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"BlueSoleil Hid Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"g:\\BitTorrent\\bittorrent.exe"=
"f:\\Programme\\Winamp Remote\\bin\\Orb.exe"=
"f:\\Programme\\Winamp Remote\\bin\\OrbTray.exe"=
"f:\\Programme\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"f:\\WINDOWS\\system32\\PnkBstrA.exe"=
"f:\\WINDOWS\\system32\\PnkBstrB.exe"=
"f:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"f:\\Programme\\Microsoft Office\\Office12\\GROOVE.EXE"=
"f:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"g:\\Programme\\Curse\\CurseClient.exe"=
"g:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"g:\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"f:\\Programme\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"g:\\Dungeon Siege 2\\DungeonSiege2.exe"=
"f:\\Programme\\Windows Live\\Messenger\\wlcsdk.exe"=
"f:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"f:\\Programme\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"g:\\Warcraft III\\Warcraft III.exe"=
"g:\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"g:\\Call of Duty - World at War\\CoDWaWmp.exe"=
"g:\\Call of Duty - World at War\\CoDWaW.exe"=
"g:\\Call of Duty - World at War\\CoDWaW.unpacked.exe"=
"c:\\Steam\\steamapps\\wintershol@hotmail.com\\half-life\\hl.exe"=
"g:\\CoH\\RelicCOH.exe"=
"f:\\Programme\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"f:\\Programme\\Messenger\\msmsgs.exe"=
"f:\\Programme\\ICQ6.5\\ICQ.exe"=
"g:\\Hellgate\\Launcher.exe"=

R0 Lbd;Lbd;f:\windows\system32\drivers\Lbd.sys [20.08.2009 23:10 64160]
R1 SSHDRV86;SSHDRV86;f:\windows\system32\drivers\SSHDRV86.sys [07.09.2008 11:59 81408]
R2 acedrv10;acedrv10;f:\windows\system32\drivers\ACEDRV10.sys [27.07.2007 10:13 330144]
R2 acedrv11;acedrv11;f:\windows\system32\drivers\ACEDRV11.sys [23.01.2008 10:19 501560]
R2 acehlp10;acehlp10;f:\windows\system32\drivers\acehlp10.sys [27.07.2007 12:46 251680]
R2 AntiVirSchedulerService;Avira AntiVir Planer;f:\programme\Avira\AntiVir Desktop\sched.exe [29.03.2009 08:54 108289]
R2 fssfltr;FssFltr;f:\windows\system32\drivers\fssfltr_tdi.sys [27.01.2009 16:37 55136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;f:\programme\Lavasoft\Ad-Aware\AAWService.exe [03.07.2009 16:49 1029456]
R2 SVKP;SVKP;f:\windows\system32\SVKP.sys [22.06.2008 13:18 2368]
S2 AntiVirUpgradeService;Avira Upgrade Service;"f:\dokume~1\tommy\LOKALE~1\Temp\AVSETUP_49cf19ba\basic\avupgsvc.exe" /TEMPSTART:""f:\dokume~1\tommy\LOKALE~1\Temp\AVSETUP_49cf19ba\basic\setup.exe" /NOTEMPCLEANUP /CROSSUPGRADE" --> f:\dokume~1\tommy\LOKALE~1\Temp\AVSETUP_49cf19ba\basic\avupgsvc.exe [?]
S3 fsssvc;Windows Live Family Safety;f:\programme\Windows Live\Family Safety\fsssvc.exe [08.12.2008 18:01 533344]
S3 krdpdre;krdpdre;\??\f:\dokume~1\tommy\LOKALE~1\Temp\krdpdre.sys --> f:\dokume~1\tommy\LOKALE~1\Temp\krdpdre.sys [?]
S4 npggsvc;nProtect GameGuard Service;f:\windows\system32\GameMon.des -service --> f:\windows\system32\GameMon.des -service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
Inhalt des "geplante Tasks" Ordners

2009-08-20 f:\windows\Tasks\Ad-Aware Update (Weekly).job
- f:\programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-15 f:\windows\Tasks\AppleSoftwareUpdate.job
- f:\programme\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-a-squared - f:\programme\a-squared Anti-Malware\a2guard.exe
MSConfigStartUp-Comrade - (no file)


.
------- Zusätzlicher Suchlauf -------
.
IE: Nach Microsoft E&xel exportieren - f:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - f:\programme\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - f:\dokumente und einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\cp9z0zn4.default\
FF - plugin: f:\dokumente und einstellungen\All Users\Anwendungsdaten\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: f:\programme\Microsoft\Office Live\npOLW.dll
FF - plugin: f:\programme\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: f:\programme\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: f:\programme\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: f:\programme\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-21 20:40
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="f:\windows\system32\GameMon.des -service"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-507921405-1897051121-839522115-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:2e,6a,cb,87,ea,eb,d0,3c,99,fc,ec,a0,0e,2a,9c,18,f1,8a,f2,46,fa,24,59,
   97,61,9f,59,91,b4,61,ca,7c,a2,59,e6,74,8d,30,ba,dd,44,b6,f4,42,e4,92,58,5e,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-507921405-1897051121-839522115-1004\Software\SecuROM\License information*]
"datasecu"=hex:3c,16,23,57,f0,3a,f3,25,c2,3a,17,27,76,0a,cf,37,c1,eb,f9,05,ca,
   d6,e6,d4,66,97,a1,0c,db,ee,b5,04,6e,7f,7c,ca,ab,bf,60,7f,7f,53,6f,0e,29,33,\
"rkeysecu"=hex:0a,0d,fa,01,75,b2,9e,9f,40,a3,16,96,80,b1,c1,58
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'explorer.exe'(2524)
f:\windows\system32\WPDShServiceObj.dll
f:\windows\system32\PortableDeviceTypes.dll
f:\windows\system32\PortableDeviceApi.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
f:\windows\system32\ZoneLabs\vsmon.exe
f:\programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
f:\windows\system32\nvsvc32.exe
f:\programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
f:\windows\system32\wbem\unsecapp.exe
f:\windows\system32\wscntfy.exe
f:\windows\system32\rundll32.exe
f:\programme\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-08-21 20:43 - PC wurde neu gestartet [tommy]
ComboFix-quarantined-files.txt  2009-08-21 18:43

Vor Suchlauf: 7.445.184.512 Bytes frei
Nach Suchlauf: 7.527.178.240 Bytes frei

This post was edited on 21.08.2009 at 20:53 by Etris.
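Two parts of the ComboFix log above are the ones a responder reads first by hand: the Sigcheck block, where the live copy of winlogon.exe is marked [-] and has the same size as the ServicePackFiles copy but a different MD5 and a modification date of the day of the scan, and the driver/service list, where krdpdre.sys and the Avira upgrade service load from a Temp directory and several entries end in [?] (ComboFix could not find or read the file). The following is an added example, my own Python and not ComboFix's code, that applies exactly those two checks to such a log. The sample lines are copied from the log above; the function names are mine, and the "[-]"/"[?]" handling is based on how those markers appear in this log, not on ComboFix's documentation.

```python
"""Triage helpers for a ComboFix-style log (added example, not ComboFix's code).

Check 1 (Sigcheck): a live system file marked [-] whose MD5 matches none of
the reference copies of the same file name (ServicePackFiles or
$NtServicePackUninstall$); identical size with a different hash suggests
in-place patching rather than a version change.
Check 2 (services): a driver or service image that loads from a Temp
directory, or that ComboFix could not stat (line ends in "[?]")."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r'''
[7] 2002-08-29 01:43    521728    616896B708286DA98D6A099293F181D7    f:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2004-08-03 22:58    507392    2B6A0BAF33A9918F09442D873848FF72    f:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2009-08-21 00:00    507392    DB37D307003055ED09711CB3417814C7    f:\windows\system32\winlogon.exe

R2 SVKP;SVKP;f:\windows\system32\SVKP.sys [22.06.2008 13:18 2368]
S2 AntiVirUpgradeService;Avira Upgrade Service;"f:\dokume~1\tommy\LOKALE~1\Temp\AVSETUP_49cf19ba\basic\avupgsvc.exe" --> f:\dokume~1\tommy\LOKALE~1\Temp\AVSETUP_49cf19ba\basic\avupgsvc.exe [?]
S3 krdpdre;krdpdre;\??\f:\dokume~1\tommy\LOKALE~1\Temp\krdpdre.sys --> f:\dokume~1\tommy\LOKALE~1\Temp\krdpdre.sys [?]
S4 npggsvc;nProtect GameGuard Service;f:\windows\system32\GameMon.des -service --> f:\windows\system32\GameMon.des -service [?]
'''

# "[flag] date time    size    MD5    path"
SIGCHECK_RE = re.compile(
    r'^\[(?P<flag>[^\]]+)\]\s+(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+'
    r'(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>\S.*?)\s*$')
# "R2 name;display name;image path [details]"  (R = running, S = stopped)
SERVICE_RE = re.compile(r'^(?P<kind>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$')
TEMP_DIR_RE = re.compile(r'\\temp\\', re.IGNORECASE)  # matches "\Temp\" and "LOKALE~1\Temp\"


@dataclass
class SigEntry:
    flag: str
    date: str
    size: int
    md5: str
    path: str


def parse_sigcheck(lines):
    """Collect the Sigcheck entries; non-matching lines are ignored."""
    entries = []
    for line in lines:
        m = SIGCHECK_RE.match(line.strip())
        if m:
            entries.append(SigEntry(m['flag'], m['date'], int(m['size']), m['md5'].upper(), m['path']))
    return entries


def sigcheck_findings(entries):
    """Return (file name, live path, md5, same_size_as_a_reference) for each
    [-] entry whose hash matches no reference copy of the same file name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e.path.rsplit('\\', 1)[-1].lower()].append(e)
    findings = []
    for name, group in by_name.items():
        refs = [e for e in group
                if 'servicepackfiles' in e.path.lower() or '$ntservicepackuninstall$' in e.path.lower()]
        ref_hashes = {r.md5 for r in refs}
        for e in group:
            if e in refs or e.flag != '-' or e.md5 in ref_hashes:
                continue
            findings.append((name, e.path, e.md5, any(r.size == e.size for r in refs)))
    return findings


def service_findings(lines):
    """Return (service name, [reasons]) for images in a Temp directory or marked [?]."""
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if TEMP_DIR_RE.search(m['image']):
            reasons.append('image in a Temp directory')
        if m['image'].rstrip().endswith('[?]'):
            reasons.append('file not found/unreadable ([?])')
        if reasons:
            findings.append((m['name'], reasons))
    return findings


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for name, path, md5, same_size in sigcheck_findings(parse_sigcheck(lines)):
        print(f'SIGCHECK  {name}: {path} md5={md5} same size as reference={same_size}')
    for name, reasons in service_findings(lines):
        print(f'SERVICE   {name}: {"; ".join(reasons)}')
```

Neither check says a file is malicious; they only rank what to submit to a scanner or compare against a known-good copy first. A Temp-resident service image that no longer exists (as with the Avira setup leftover here) is usually a stale registration, while a Temp-resident kernel driver is worth explaining before anything else.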
22.08.2009, 01:25
Moderator

Posts: 5694
#8 Your master boot record has been infected. You also have rootkits on your system.

If you do e-banking or have sensitive data on the system, back them up and reinstall the system completely from scratch.

Cleaning would be possible, but it involves a lot of work, and there is also no certainty about whether unauthorized persons have already gained access to the system.

Now it's up to you. Reinstall or clean?

If cleaning, then do the following:

>>
Make hidden files visible:
1. Under Start, click My Computer.
2. In the Tools menu, click Folder Options.
3. Files and Folders / Hide extensions for known file types --> remove the check mark
4. Hide protected operating system files --> remove the check mark
5. Hidden files and folders / Show all files and folders --> set the check mark.

"Hide protected system files" must not be checked, and "Show all files and folders" must be enabled.
http://virus-protect.org/invisible.html

>>
Have the following file checked at VIRUSTOTAL and post the result:

f:\windows\system32\SVKP.sys

Click Browse --> select the file (or paste the file with its correct path directly using Ctrl+V) --> click the file to be checked and Open --> click "Send file"... now wait - then select the text with the right mouse button -> copy it here

>>
Avenger
http://virus-protect.org/artikel/tools/avenger.html
copy into the white field:

Quote

drivers to disable:
UACusjnrdlscb.sys
UACusjnrdlscb

drivers to delete:
UACusjnrdlscb.sys
UACusjnrdlscb

registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
HKLM\SYSTEM\ControlSet003\Services\UACd.sys

Files to delete:
F:\WINDOWS\system32\drivers\UACusjnrdlscb.sys
F:\WINDOWS\system32\UACbfqyteikrn.dll
F:\WINDOWS\system32\UACcoiedxelnd.dll
F:\WINDOWS\system32\uacinit.dll
F:\WINDOWS\system32\UACiqkdvwvumm.dll
F:\WINDOWS\system32\UACjxrmsqxrht.dat
F:\WINDOWS\system32\UACnpomqmliky.db
F:\WINDOWS\system32\UACufpaqfqpwk.dll
F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\UAC8537.tmp
F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\UAC1be9.tmp
- close all open programs (because after running the Avenger the computer will restart)

- Click: Execute

- confirm that the computer will be restarted - click "yes"
- after the restart a log from the Avenger appears automatically - (C:\avenger.txt); copy it - with a right mouse click - copy - paste

>>
MBR
Please deactivate all background guards (antivirus program etc.)

Download mbr.exe from gmer to your desktop and run the file with administrator rights.
Please post the logfile.
Please follow these instructions for that:
rootkit in master boot record

Regards, Swiss
22.08.2009, 02:59
Member

Thread starter

Posts: 15
#9 By "reinstall the system", do you mean that I delete all partitions or only the one Windows is on?
I'll try the hard way first ;), if no improvement is in sight in 2 days, Windows-kill
22.08.2009, 03:00
Moderator

Posts: 5694
#10 It's mainly about e-banking.
Well then, do what I wrote above ;)

Regards, Swiss
22.08.2009, 06:25
Member

Thread starter

Posts: 15
#11

Code

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not open driver "UACusjnrdlscb.sys"
Disablement of driver "UACusjnrdlscb.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  could not open driver "UACusjnrdlscb"
Disablement of driver "UACusjnrdlscb" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\UACusjnrdlscb.sys" not found!
Deletion of driver "UACusjnrdlscb.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\UACusjnrdlscb" not found!
Deletion of driver "UACusjnrdlscb" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  registry key "HKLM\SYSTEM\ControlSet003\Services\UACd.sys" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet003\Services\UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "F:\WINDOWS\system32\drivers\UACusjnrdlscb.sys" not found!
Deletion of file "F:\WINDOWS\system32\drivers\UACusjnrdlscb.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "F:\WINDOWS\system32\UACbfqyteikrn.dll" not found!
Deletion of file "F:\WINDOWS\system32\UACbfqyteikrn.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "F:\WINDOWS\system32\UACcoiedxelnd.dll" deleted successfully.

Error:  file "F:\WINDOWS\system32\uacinit.dll" not found!
Deletion of file "F:\WINDOWS\system32\uacinit.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "F:\WINDOWS\system32\UACiqkdvwvumm.dll" not found!
Deletion of file "F:\WINDOWS\system32\UACiqkdvwvumm.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "F:\WINDOWS\system32\UACjxrmsqxrht.dat" deleted successfully.
File "F:\WINDOWS\system32\UACnpomqmliky.db" deleted successfully.
File "F:\WINDOWS\system32\UACufpaqfqpwk.dll" deleted successfully.

Error:  file "F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\UAC8537.tmp" not found!
Deletion of file "F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\UAC8537.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\UAC1be9.tmp" not found!
Deletion of file "F:\Dokumente und Einstellungen\tommy\Lokale Einstellungen\Temp\UAC1be9.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.
_______________________________________________________

tried all partitions, always got this log

Code

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
_____________________________________________________________

but lately Antivir now keeps reporting a virus
TR/Alureon.BF.2' [trojan]
no matter whether I delete it, every 1-2 hours there is a detection
22.08.2009, 11:39
Moderator

Posts: 5694
#12 >>
What about this:

Quote

Have the following file checked at VIRUSTOTAL and post the result:

f:\windows\system32\SVKP.sys

Click Browse --> select the file (or paste the file with its correct path directly using Ctrl+V) --> click the file to be checked and Open --> click "Send file"... now wait - then select the text with the right mouse button -> copy it here
>>
Remove Combofix:
Start - Run - paste in: Combofix /U - click "OK"
(or, if that doesn't work: delete C:\QooBox)

>>
Scan with Superantispyware and post the log:
http://board.protecus.de/t31252.htm

>>
Rootkit scan with RootRepeal

* Go here, scroll down and download RootRepeal.zip.
* Unpack the file to your desktop.
* Double-click RootRepeal.exe to start the scanner.
* Click the Report tab and then the Scan button.
* Tick the following items and click Ok.
.
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

.
* Afterwards you will be asked which drives should be scanned.
* Select C:\ and click Ok again.
* The scan starts automatically; it will take a while, please be patient.
* When the scan is finished, click Save Report.
* Save the logfile as RootRepeal.txt on the desktop.
* Copy its content here into the thread.

>>
Scan again with GMER and post the new log.
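Once a RootRepeal report is posted, the SSDT and Stealth Objects sections are the ones to read first, and they are long. As an added example (my own Python, not RootRepeal's code and not part of this thread), here is a summarizer for those two sections: it counts SSDT hooks per hooking module, lists the functions whose hook RootRepeal reports as owned by "<unknown>" (an address it could not map to a loaded module, which is what needs follow-up), and collapses the Stealth Objects list to one entry per driver and address, because dozens of IRP_MJ_* lines that share one address point at the same piece of hidden code and are one finding, not dozens. The sample report is constructed in the format RootRepeal prints, with values taken from the report posted later in this thread; the function names are mine.

```python
"""Summarize the SSDT and Stealth Objects sections of a RootRepeal report
(added example, not RootRepeal's own code)."""
import re
from collections import Counter, defaultdict

# Constructed sample in RootRepeal's report format; values from the report in this thread.
SAMPLE_REPORT = r'''
ROOTREPEAL (c) AD, 2007-2009
==================================================
Windows Version:        Windows XP SP2
==================================================

SSDT
-------------------
#: 037    Function Name: NtCreateFile
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e00930

#: 041    Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba7e3706

#: 071    Function Name: NtEnumerateKey
Status: Hooked by "spdj.sys" at address 0xb9ec6ca2

#: 122    Function Name: NtOpenProcess
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e0a350

#: 247    Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba7e3710

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a4c41f8    Size: 121
'''

SECTIONS = {'Drivers', 'Files', 'Processes', 'SSDT', 'Stealth Objects', 'Hidden Services'}
HOOK_RE = re.compile(r'^#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<func>\S+)')
HOOKED_BY_RE = re.compile(r'^Status:\s*Hooked by "(?P<owner>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
OBJECT_RE = re.compile(r'^Object: Hidden Code \[Driver: (?P<drv>[^,]+), (?P<irp>IRP_MJ_\w+)\]')
PROCESS_RE = re.compile(r'^Process:\s*(?P<proc>\S+)\s+Address:\s*(?P<addr>0x[0-9a-fA-F]+)\s+Size:\s*(?P<size>\d+)')


def parse_rootrepeal(text):
    """Return (hooks, objects) as lists of dicts.  Each record spans a header
    line and a detail line, so parsing is a small two-line state machine
    gated on the section heading currently in force."""
    hooks, objects, section, pending = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section, pending = line, None
            continue
        if section == 'SSDT':
            m = HOOK_RE.match(line)
            if m:
                pending = (int(m['idx']), m['func'])
                continue
            m = HOOKED_BY_RE.match(line)
            if m and pending:
                hooks.append({'index': pending[0], 'function': pending[1],
                              'owner': m['owner'], 'address': m['addr']})
                pending = None
        elif section == 'Stealth Objects':
            m = OBJECT_RE.match(line)
            if m:
                pending = (m['drv'], m['irp'])
                continue
            m = PROCESS_RE.match(line)
            if m and pending:
                objects.append({'driver': pending[0], 'irp': pending[1], 'process': m['proc'],
                                'address': m['addr'], 'size': int(m['size'])})
                pending = None
    return hooks, objects


def hooks_by_owner(hooks):
    """Number of SSDT entries hooked by each module (or "<unknown>")."""
    return Counter(h['owner'] for h in hooks)


def unknown_hooks(hooks):
    """Functions whose hook address RootRepeal could not attribute to a module."""
    return [h['function'] for h in hooks if h['owner'] == '<unknown>']


def stealth_summary(objects):
    """Map (driver, hidden-code address) -> sorted list of redirected IRP_MJ_* entries."""
    grouped = defaultdict(list)
    for o in objects:
        grouped[(o['driver'], o['address'])].append(o['irp'])
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == '__main__':
    hooks, objects = parse_rootrepeal(SAMPLE_REPORT)
    for owner, n in hooks_by_owner(hooks).most_common():
        print(f'{n:3d} SSDT hook(s) by {owner}')
    print('unattributed hooks:', ', '.join(unknown_hooks(hooks)) or 'none')
    for (drv, addr), irps in stealth_summary(objects).items():
        print(f'{drv}: {len(irps)} dispatch entries redirected to {addr}')
```

Hooks owned by a module you can account for (the firewall's vsdatant.sys in this thread, or a disc-emulation filter) are usually explainable; the "<unknown>" owners and the per-driver hidden-code addresses are the items to cross-check against the GMER and mbr.exe results that are requested in the same post.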
23.08.2009, 02:01
Member

Thread starter

Posts: 15
#13 oh sorry! VirusTotal

MD5: f05028b163b92c302a74409d683ac9b0
First received: 2006.05.24 17:39:54 UTC
Date 2009.08.17 17:28:01 UTC [>5D]
Results 0/41
23.08.2009, 02:04
Member

Thread starter

Posts: 15
#14 I have to work a lot, which is why all of this is dragging on; I'll post the rest tomorrow
24.08.2009, 15:05
Member

Thread starter

Posts: 15
#15 So, my system has been running without problems and fast so far
with RootRepeal the system froze under the Files item, so I left it out

Code

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:        2009/08/24 13:49
Program Version:        Version 1.3.5.0
Windows Version:        Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_nvata.sys
Image Path: F:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xB6C19000    Size: 106496    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: F:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA660000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xBA671000    Size: 1664    File Visible: No    Signed: -
Status: -

Name: PCI_PNP9270
Image Path: \Driver\PCI_PNP9270
Address: 0x00000000    Size: 0    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: F:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB59FF000    Size: 49152    File Visible: No    Signed: -
Status: -

Name: spdj.sys
Image Path: spdj.sys
Address: 0xB9EA7000    Size: 1048576    File Visible: No    Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xBA5AC000    Size: 5248    File Visible: No    Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000    Size: 0    File Visible: No    Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xB9CE8000    Size: 81920    File Visible: No    Signed: -
Status: -

SSDT
-------------------
#: 037    Function Name: NtCreateFile
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e00930

#: 041    Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xba7e3706

#: 047    Function Name: NtCreateProcess
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e0a870

#: 048    Function Name: NtCreateProcessEx
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e0aaa0

#: 050    Function Name: NtCreateSection
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e0dfd0

#: 053    Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7e36fc

#: 062    Function Name: NtDeleteFile
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e00f20

#: 063    Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xba7e370b

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xba7e3715

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e0a580

#: 071    Function Name: NtEnumerateKey
Status: Hooked by "spdj.sys" at address 0xb9ec6ca2

#: 073    Function Name: NtEnumerateValueKey
Status: Hooked by "spdj.sys" at address 0xb9ec7030

#: 098    Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xba7e371a

#: 116    Function Name: NtOpenFile
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e00d70

#: 119    Function Name: NtOpenKey
Status: Hooked by "spdj.sys" at address 0xb9ea80c0

#: 122    Function Name: NtOpenProcess
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e0a350

#: 128    Function Name: NtOpenThread
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e0a150

#: 160    Function Name: NtQueryKey
Status: Hooked by "spdj.sys" at address 0xb9ec7108

#: 177    Function Name: NtQueryValueKey
Status: Hooked by "spdj.sys" at address 0xb9ec6f88

#: 192    Function Name: NtRenameKey
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e0d250

#: 193    Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7e3724

#: 204    Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7e371f

#: 210    Function Name: NtSecureConnectPort
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e04220

#: 224    Function Name: NtSetInformationFile
Status: Hooked by "F:\WINDOWS\System32\vsdatant.sys" at address 0xb6e01120

#: 247    Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xba7e3710

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "F:\Programme\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb6d1b0b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System    Address: 0x8a4c21f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_NAMED_PIPE]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CLOSE]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_READ]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_WRITE]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_EA]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_EA]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CLEANUP]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_MAILSLOT]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_SECURITY]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_SECURITY]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_POWER]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CHANGE]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_QUOTA]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_QUOTA]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_PNP]
Process: System    Address: 0x8a4521f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System    Address: 0x8a3191f8    Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System    Address: 0x8a4c41f8    Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System    Address: 0x8a4c41f8    Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a4c41f8    Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System    Address: 0x8a4c41f8    Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a4c41f8    Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System    Address: 0x8a4c41f8    Size: 121

Object: Hidden Code [Driver: akevfknu؅అ扏济KeyboardClas, IRP_MJ_CREATE]
Process: System    Address: 0x8a3991f8    Size: 121

Object: Hidden Code [Driver: akevfknu؅అ扏济KeyboardClas, IRP_MJ_CLOSE]
Process: System    Address: 0x8a3991f8    Size: 121

Object: Hidden Code [Driver: akevfknu؅అ扏济KeyboardClas, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a3991f8    Size: 121

Object: Hidden Code [Driver: akevfknu؅అ扏济KeyboardClas, IRP_MJ_POWER]
Process: System    Address: 0x8a3991f8    Size: 121

Object: Hidden Code [Driver: akevfknu؅అ扏济KeyboardClas, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a3991f8    Size: 121

Object: Hidden Code [Driver: akevfknu؅అ扏济KeyboardClas, IRP_MJ_PNP]
Process: System    Address: 0x8a3991f8    Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CREATE]
Process: System    Address: 0x8a4c31f8    Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CLOSE]
Process: System    Address: 0x8a4c31f8    Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a4c31f8    Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8a4c31f8    Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_POWER]
Process: System    Address: 0x8a4c31f8    Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a4c31f8    Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_PNP]
Process: System    Address: 0x8a4c31f8    Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System    Address: 0x891251f8    Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System    Address: 0x891251f8    Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System    Address: 0x891251f8    Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System    Address: 0x891251f8    Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x891251f8    Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System    Address: 0x891251f8    Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x891251f8    Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System    Address: 0x891251f8    Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System    Address: 0x8a3091f8    Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System    Address: 0x8a3091f8    Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a3091f8    Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8a3091f8    Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System    Address: 0x8a3091f8    Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a3091f8    Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System    Address: 0x8a3091f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System    Address: 0x8a4531f8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System    Address: 0x892a6500    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System    Address: 0x892a6500    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x892a6500    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x892a6500    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System    Address: 0x892a6500    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System    Address: 0x892a6500    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System    Address: 0x890ec3d0    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_CREATE]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_CLOSE]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_READ]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_CLEANUP]
Process: System    Address: 0x890ad500    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ捃䙐ࠁᰂ궠袡, IRP_MJ_PNP]
Process: System    Address: 0x890ad500    Size: 121

==EOF==

________________________________________________________

GMER log

GMER 1.0.15.15077 [lykvqh5n.exe] - http://www.gmer.net
Rootkit scan 2009-08-24 14:41:20
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwConnectPort [0xB6E04040]
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwCreateFile [0xB6E00930]
SSDT            BA7E3706                                                                                                                                       ZwCreateKey
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwCreatePort [0xB6E04510]
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwCreateProcess [0xB6E0A870]
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwCreateProcessEx [0xB6E0AAA0]
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwCreateSection [0xB6E0DFD0]
SSDT            BA7E36FC                                                                                                                                       ZwCreateThread
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwCreateWaitablePort [0xB6E04600]
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwDeleteFile [0xB6E00F20]
SSDT            BA7E370B                                                                                                                                       ZwDeleteKey
SSDT            BA7E3715                                                                                                                                       ZwDeleteValueKey
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwDuplicateObject [0xB6E0A580]
SSDT            spdj.sys                                                                                                                                       ZwEnumerateKey [0xB9EC6CA2]
SSDT            spdj.sys                                                                                                                                       ZwEnumerateValueKey [0xB9EC7030]
SSDT            BA7E371A                                                                                                                                       ZwLoadKey
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwOpenFile [0xB6E00D70]
SSDT            spdj.sys                                                                                                                                       ZwOpenKey [0xB9EA80C0]
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwOpenProcess [0xB6E0A350]
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwOpenThread [0xB6E0A150]
SSDT            spdj.sys                                                                                                                                       ZwQueryKey [0xB9EC7108]
SSDT            spdj.sys                                                                                                                                       ZwQueryValueKey [0xB9EC6F88]
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwRenameKey [0xB6E0D250]
SSDT            BA7E3724                                                                                                                                       ZwReplaceKey
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwRequestWaitReplyPort [0xB6E03C00]
SSDT            BA7E371F                                                                                                                                       ZwRestoreKey
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwSecureConnectPort [0xB6E04220]
SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                                    ZwSetInformationFile [0xB6E01120]
SSDT            BA7E3710                                                                                                                                       ZwSetValueKey
SSDT            \??\F:\Programme\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com)                                      ZwTerminateProcess [0xB6D1B0B0]

INT 0x62        ?                                                                                                                                              8A4C4BF8
INT 0x63        ?                                                                                                                                              8A452BF8
INT 0x73        ?                                                                                                                                              8A452BF8
INT 0x73        ?                                                                                                                                              8A387BF8
INT 0x73        ?                                                                                                                                              8A452BF8
INT 0xA4        ?                                                                                                                                              8A455BF8
INT 0xB4        ?                                                                                                                                              8A452BF8

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2BED                                                                                                           805037ED 11 Bytes  [45, E0, B6, 70, A8, E0, B6, ...]
?               spdj.sys                                                                                                                                       Das System kann die angegebene Datei nicht finden. !
?               srescan.sys                                                                                                                                    Das System kann die angegebene Datei nicht finden. !
.text           USBPORT.SYS!DllUnload                                                                                                                          B9BC162C 5 Bytes  JMP 8A3871D8
.text           akevfknu.SYS                                                                                                                                   B938B384 1 Byte  [20]
.text           akevfknu.SYS                                                                                                                                   B938B384 37 Bytes  [20, 00, 00, 68, 00, 00, 00, ...]
.text           akevfknu.SYS                                                                                                                                   B938B3AA 24 Bytes  [00, 00, 20, 00, 00, E0, 00, ...]
.text           akevfknu.SYS                                                                                                                                   B938B3C4 3 Bytes  [00, 00, 00]
.text           akevfknu.SYS                                                                                                                                   B938B3C9 1 Byte  [00]
.text           ...                                                                                                                                            

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT             atapi.sys[HAL.dll!READ_PORT_UCHAR]                                                                                                             [B9EA9040] spdj.sys
IAT             atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                                                     [B9EA913C] spdj.sys
IAT             atapi.sys[HAL.dll!READ_PORT_USHORT]                                                                                                            [B9EA90BE] spdj.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                                                    [B9EA97FC] spdj.sys
IAT             atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                                                                                            [B9EA96D2] spdj.sys
IAT             \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]                                                                             [B9EB9048] spdj.sys
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!KfAcquireSpinLock]                                                                           0A64D90F
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!READ_PORT_UCHAR]                                                                             046FD406
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!KeGetCurrentIrql]                                                                            1672C31D
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!KfRaiseIrql]                                                                                 1879CE14
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!KfLowerIrql]                                                                                 3248ED2B
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!HalGetInterruptVector]                                                                       3C43E022
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!HalTranslateBusAddress]                                                                      2E5EF739
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!KeStallExecutionProcessor]                                                                   2055FA30
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!KfReleaseSpinLock]                                                                           EC01B79A
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]                                                                     E20ABA93
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!READ_PORT_USHORT]                                                                            F017AD88
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]                                                                    FE1CA081
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[HAL.dll!WRITE_PORT_UCHAR]                                                                            D42D83BE
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[WMILIB.SYS!WmiSystemControl]                                                                         C83B99AC
IAT             \SystemRoot\System32\Drivers\akevfknu.SYS[WMILIB.SYS!WmiCompleteRequest]                                                                       C63094A5
IAT             \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol]                                                                       [B6E08CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]                                                                            [B6E091C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter]                                                                           [B6E09320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                     [B6E08E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol]                                                                        [B6E08CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter]                                                                            [B6E09320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]                                                                             [B6E091C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol]                                                                      [B6E08E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]                                                                              [B6E09320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol]                                                                          [B6E08CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]                                                                               [B6E091C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                       [B6E08E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol]                                                                         [B6E08CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]                                                                              [B6E091C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter]                                                                             [B6E09320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter]                                                                            [B6E09320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter]                                                                             [B6E091C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                      [B6E08E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol]                                                                        [B6E08CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol]                                                                        [B6E08CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol]                                                                      [B6E08E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter]                                                                            [B6E09320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT             \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]                                                                             [B6E091C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- User IAT/EAT - GMER 1.0.15 ----

IAT             F:\WINDOWS\Explorer.EXE[1420] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]                                                      [012A2F30] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\Explorer.EXE[1420] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]                                             [012A2CA0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\Explorer.EXE[1420] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]                                                           [012A2D00] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\Explorer.EXE[1420] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]                                                 [012A2CD0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Codebox\BitMeter\BitMeter2.exe[1868] @ F:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtCreateFile]                                  [00802F30] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Codebox\BitMeter\BitMeter2.exe[1868] @ F:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDeviceIoControlFile]                         [00802CA0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Codebox\BitMeter\BitMeter2.exe[1868] @ F:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtClose]                                       [00802D00] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Codebox\BitMeter\BitMeter2.exe[1868] @ F:\WINDOWS\system32\KERNEL32.dll [ntdll.dll!NtDuplicateObject]                             [00802CD0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Dokumente und Einstellungen\tommy\Desktop\antiwurm\lykvqh5n.exe[2080] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]           [00802F30] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Dokumente und Einstellungen\tommy\Desktop\antiwurm\lykvqh5n.exe[2080] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]  [00802CA0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Dokumente und Einstellungen\tommy\Desktop\antiwurm\lykvqh5n.exe[2080] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]                [00802D00] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Dokumente und Einstellungen\tommy\Desktop\antiwurm\lykvqh5n.exe[2080] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]      [00802CD0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\system32\wscntfy.exe[2496] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]                                              [008C2F30] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\system32\wscntfy.exe[2496] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]                                     [008C2CA0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\system32\wscntfy.exe[2496] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]                                                   [008C2D00] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\system32\wscntfy.exe[2496] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]                                         [008C2CD0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Analog Devices\Core\smax4pnp.exe[2692] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]                                [00AE2F30] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Analog Devices\Core\smax4pnp.exe[2692] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]                       [00AE2CA0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Analog Devices\Core\smax4pnp.exe[2692] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]                                     [00AE2D00] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Analog Devices\Core\smax4pnp.exe[2692] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]                           [00AE2CD0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\system32\RUNDLL32.EXE[2808] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]                                             [00AB2F30] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\system32\RUNDLL32.EXE[2808] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]                                    [00AB2CA0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\system32\RUNDLL32.EXE[2808] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]                                                  [00AB2D00] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\WINDOWS\system32\RUNDLL32.EXE[2808] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]                                        [00AB2CD0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Avira\AntiVir Desktop\avgnt.exe[2920] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]                                 [00B72F30] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Avira\AntiVir Desktop\avgnt.exe[2920] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]                        [00B72CA0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Avira\AntiVir Desktop\avgnt.exe[2920] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]                                      [00B72D00] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Avira\AntiVir Desktop\avgnt.exe[2920] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]                            [00B72CD0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Analog Devices\SoundMAX\smax4.exe[2968] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]                               [00AC2F30] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Analog Devices\SoundMAX\smax4.exe[2968] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]                      [00AC2CA0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Analog Devices\SoundMAX\smax4.exe[2968] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]                                    [00AC2D00] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\Analog Devices\SoundMAX\smax4.exe[2968] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]                          [00AC2CD0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\DAEMON Tools Lite\daemon.exe[2984] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile]                                    [00A22F30] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\DAEMON Tools Lite\daemon.exe[2984] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile]                           [00A22CA0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\DAEMON Tools Lite\daemon.exe[2984] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose]                                         [00A22D00] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT             F:\Programme\DAEMON Tools Lite\daemon.exe[2984] @ F:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject]                               [00A22CD0] F:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                                                                         8A4C21F8
Device          \Driver\USBSTOR \Device\0000008e                                                                                                               891251F8
Device          \Driver\USBSTOR \Device\0000008e                                                                                                               sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\Tcpip \Device\Ip                                                                                                                       vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device          \Driver\usbohci \Device\USBPDO-0                                                                                                               8A3091F8
Device          \Driver\Tcpip \Device\Tcp                                                                                                                      vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                      fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                      Lbd.sys (Boot Driver/Lavasoft AB)

Device          \Driver\sptd \Device\1830550520                                                                                                                spdj.sys
Device          \Driver\PCI_PNP9270 \Device\00000063                                                                                                           spdj.sys
Device          \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                         8A4531F8
Device          \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                         8A4531F8
Device          \Driver\Cdrom \Device\CdRom0                                                                                                                   8A3191F8
Device          \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                         8A4531F8
Device          \Driver\Cdrom \Device\CdRom1                                                                                                                   8A3191F8
Device          \Driver\atapi \Device\Ide\IdePort0                                                                                                             8A4C41F8
Device          \Driver\atapi \Device\Ide\IdePort0                                                                                                             sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                                             8A4C41F8
Device          \Driver\atapi \Device\Ide\IdePort1                                                                                                             sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3                                                                                                    8A4C41F8
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3                                                                                                    sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\Ftdisk \Device\HarddiskVolume4                                                                                                         8A4531F8
Device          \Driver\Cdrom \Device\CdRom2                                                                                                                   8A3191F8
Device          \Driver\Ftdisk \Device\HarddiskVolume5                                                                                                         8A4531F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{C65AC7F4-1980-44DF-992E-D33CCB0D1B79}                                                                       892A6500
Device          \Driver\NetBT \Device\NetBt_Wins_Export                                                                                                        892A6500
Device          \Driver\USBSTOR \Device\00000090                                                                                                               891251F8
Device          \Driver\USBSTOR \Device\00000090                                                                                                               sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\NetBT \Device\NetbiosSmb                                                                                                               892A6500
Device          \Driver\nvata \Device\00000086                                                                                                                 8A4521F8
Device          \Driver\nvata \Device\00000086                                                                                                                 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\Tcpip \Device\Udp                                                                                                                      vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device          \Driver\Tcpip \Device\RawIp                                                                                                                    vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device          \Driver\usbohci \Device\USBFDO-0                                                                                                               8A3091F8
Device          \Driver\nvata \Device\NvAta0                                                                                                                   8A4521F8
Device          \Driver\nvata \Device\NvAta0                                                                                                                   sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\Tcpip \Device\IPMULTICAST                                                                                                              vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device          \Driver\nvata \Device\NvAta1                                                                                                                   8A4521F8
Device          \Driver\nvata \Device\NvAta1                                                                                                                   sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                                                                                              890EC3D0
Device          \Driver\nvata \Device\NvAta2                                                                                                                   8A4521F8
Device          \Driver\nvata \Device\NvAta2                                                                                                                   sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \FileSystem\MRxSmb \Device\LanmanRedirector                                                                                                    890EC3D0
Device          \Driver\Ftdisk \Device\FtControl                                                                                                               8A4531F8
Device          \Driver\akevfknu \Device\Scsi\akevfknu1Port6Path0Target1Lun0                                                                                   8A3991F8
Device          \Driver\akevfknu \Device\Scsi\akevfknu1Port6Path0Target1Lun0                                                                                   sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\akevfknu \Device\Scsi\akevfknu1                                                                                                        8A3991F8
Device          \Driver\akevfknu \Device\Scsi\akevfknu1                                                                                                        sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\akevfknu \Device\Scsi\akevfknu1Port6Path0Target0Lun0                                                                                   8A3991F8
Device          \Driver\akevfknu \Device\Scsi\akevfknu1Port6Path0Target0Lun0                                                                                   sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device          \Driver\JRAID \Device\Scsi\JRAID1                                                                                                              8A4C31F8
Device          \FileSystem\Cdfs \Cdfs                                                                                                                         890AD500

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1                                                                                             771343423
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2                                                                                             285507792
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0                                                                                             1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4                                                              
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                            F:\Programme\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                            0
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                         0xBA 0xD8 0x9D 0x40 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001                                                      
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                   0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                                0x07 0xA9 0x3D 0x00 ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40                                                
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                          0x7A 0xE5 0x26 0x6E ...
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41                                                
Reg             HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                                          0x4B 0x50 0x7E 0x0E ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)                                          
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0                                                                F:\Programme\DAEMON Tools Lite\
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0                                                                0
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh                                                             0xBA 0xD8 0x9D 0x40 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)                                  
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0                                                       0x20 0x01 0x00 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh                                                    0x07 0xA9 0x3D 0x00 ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)                            
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh                                              0x7A 0xE5 0x26 0x6E ...
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)                            
Reg             HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh                                              0x4B 0x50 0x7E 0x0E ...

---- EOF - GMER 1.0.15 ----
______________________________________________________

SUPERAntiSpyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/24/2009 at 02:57 PM

Application Version : 4.27.1002

Core Rules Database Version : 4067
Trace Rules Database Version: 2007

Scan type       : Complete Scan
Total Scan Time : 00:11:58

Memory items scanned      : 459
Memory threats detected   : 0
Registry items scanned    : 7032
Registry threats detected : 1
File items scanned        : 17312
File threats detected     : 1

Adware.Tracking Cookie
    F:\Dokumente und Einstellungen\tommy\Cookies\tommy@adtech[1].txt

Registry Cleaner Trial
    HKCR\.03