Windows Security Alert Problem

28.08.2009, 17:05
...new here
Posts: 2

28.08.2009, 17:38
Member
Posts: 3716

31.08.2009, 04:36
...new here
Thread starter, Posts: 2
#3
Hey,
so I've finally done everything.

Malwarebytes report:

Malwarebytes' Anti-Malware 1.39
Datenbank Version: 2421
Windows 5.1.2600 Service Pack 3

30.08.2009 22:55:04
mbam-log-2009-08-30 (22-55-00).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 90153
Laufzeit: 11 minute(s), 16 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 7
Infizierte Registrierungswerte: 17
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 2
Infizierte Dateien: 24

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\evdoserver (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\evdoserver (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\evdoserver (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\protect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Protection System (Rogue.ProtectionSystem) -> No action taken.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\12cfg214-k641-12sf-n85p (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\taskman (Backdoor.Bot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\id (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\host (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\security center (Trojan.FakeAlert) -> No action taken.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Infizierte Verzeichnisse:
C:\Programme\Protection System (Rogue.ProtectionSystem) -> No action taken.
C:\Dokumente und Einstellungen\Salih\Startmenü\Programme\Protection System (Rogue.ProtectionSystem) -> No action taken.

Infizierte Dateien:
c:\WINDOWS\system32\EvdoServer.dll (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\EvdoServer.dllx (Backdoor.Bot) -> No action taken.
c:\WINDOWS\system32\drivers\protect.sys (Rootkit.Agent) -> No action taken.
c:\dokumente und einstellungen\Salih\startmenü\programme\protection system\Live Support.lnk (Rogue.ProtectionSystem) -> No action taken.
c:\dokumente und einstellungen\Salih\startmenü\programme\protection system\Protection System.lnk (Rogue.ProtectionSystem) -> No action taken. c:\dokumente und einstellungen\Salih\startmenü\programme\protection system\Uninstall.lnk (Rogue.ProtectionSystem) -> No action taken. C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\4.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\5.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\6.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\7.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\8.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\9.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\A.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\B.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\C.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\D.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\E.tmp (Trojan.Agent) -> No action taken. c:\WINDOWS\system32\F.tmp (Trojan.Agent) -> No action taken. C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> No action taken. C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> No action taken. C:\Dokumente und Einstellungen\Salih\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> No action taken. C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> No action taken. C:\WINDOWS\sc.exe (Trojan.FakeAlert) -> No action taken. Gmer-Bericht: GMER 1.0.15.15077 [22m7zc8d.exe] - http://www.gmer.net Rootkit scan 2009-08-30 22:55:51 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.15 ---- INT 0x62 ? 8A890BF8 INT 0x63 ? 8A890BF8 INT 0x63 ? 8A890BF8 INT 0x63 ? 8A5E4BF8 INT 0x63 ? 8A5E4BF8 INT 0x63 ? 8A890BF8 INT 0x82 ? 8A890BF8 INT 0x84 ? 8A5E4BF8 INT 0x94 ? 8A5E4BF8 INT 0xA4 ? 8A5E4BF8 INT 0xB1 ? 8A822BF8 INT 0xB1 ? 
Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A8222D8 IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F750A93C] splg.sys IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F750A990] splg.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74DB040] splg.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74DB13C] splg.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74DB0BE] splg.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74DB7FC] splg.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74DB6D2] splg.sys IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A5E42D8 IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74EAD92] splg.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A88F1F8 Device \FileSystem\Fastfat \FatCdrom 8A30F1F8 Device \FileSystem\Udfs \UdfsCdRom 8A309500 Device \FileSystem\Udfs \UdfsDisk 8A309500 Device \Driver\NDIS \Device\Ndis [8A5F0984] NDIS.sys[.reloc] Device \Driver\usbuhci \Device\USBPDO-0 8A6EF1F8 Device \Driver\usbuhci \Device\USBPDO-1 8A6EF1F8 Device \Driver\usbuhci \Device\USBPDO-2 8A6EF1F8 Device \Driver\usbuhci \Device\USBPDO-3 8A6EF1F8 Device \Driver\usbehci \Device\USBPDO-4 8A7A53A8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8201F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A8201F8 Device \Driver\Cdrom \Device\CdRom0 8A7B7408 Device \Driver\Ftdisk \Device\HarddiskVolume3 8A8201F8 Device \Driver\Cdrom \Device\CdRom1 8A7B7408 Device \Driver\Cdrom \Device\CdRom2 8A7B7408 Device \Driver\Cdrom \Device\CdRom3 8A7B7408 Device \Driver\usbstor \Device\00000081 8A41D500 Device \Driver\Cdrom \Device\CdRom4 8A7B7408 Device \Driver\Cdrom \Device\CdRom5 8A7B7408 Device \Driver\sptd \Device\520438528 splg.sys Device \Driver\Cdrom \Device\CdRom6 8A7B7408 Device \Driver\usbstor \Device\00000084 8A41D500 Device \Driver\usbstor \Device\00000085 8A41D500 Device \Driver\PCI_PNP3528 \Device\0000004c splg.sys Device \Driver\PCI_PNP3528 
\Device\0000004c splg.sys Device \Driver\usbstor \Device\00000086 8A41D500 Device \Driver\PCI_PNP3528 \Device\0000004d splg.sys Device \Driver\PCI_PNP3528 \Device\0000004d splg.sys Device \Driver\usbstor \Device\00000087 8A41D500 Device \Driver\usbuhci \Device\USBFDO-0 8A6EF1F8 Device \Driver\usbuhci \Device\USBFDO-1 8A6EF1F8 Device \Driver\sptd \Device\520594778 splg.sys Device \Driver\usbuhci \Device\USBFDO-2 8A6EF1F8 Device \Driver\usbuhci \Device\USBFDO-3 8A6EF1F8 Device \Driver\usbehci \Device\USBFDO-4 8A7A53A8 Device \Driver\Ftdisk \Device\FtControl 8A8201F8 Device \Driver\ajzievs9 \Device\Scsi\ajzievs91Port4Path0Target3Lun0 8A5AB1F8 Device \Driver\ajzievs9 \Device\Scsi\ajzievs91Port4Path0Target0Lun0 8A5AB1F8 Device \Driver\ajzievs9 \Device\Scsi\ajzievs91 8A5AB1F8 Device \Driver\ajzievs9 \Device\Scsi\ajzievs91Port4Path0Target2Lun0 8A5AB1F8 Device \Driver\a5s4f91n \Device\Scsi\a5s4f91n1 8A7A3500 Device \Driver\ajzievs9 \Device\Scsi\ajzievs91Port4Path0Target1Lun0 8A5AB1F8 Device \Driver\a5s4f91n \Device\Scsi\a5s4f91n1Port5Path0Target0Lun0 8A7A3500 Device \FileSystem\Fastfat \Fat 8A30F1F8 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 8A3001F8 ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\drivers\kbiwkmeoirpjbg.sys (*** hidden *** ) [SYSTEM] kbiwkmoyunqjwq <-- ROOTKIT !!! 
---- Registry - GMER 1.0.15 ---- Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@WinPos800x600(1).left 88 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@WinPos800x600(1).top 116 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@WinPos800x600(1).right 688 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@WinPos800x600(1).bottom 520 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@WinPos800x600(1).left 88 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@WinPos800x600(1).top 116 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@WinPos800x600(1).right 688 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@WinPos800x600(1).bottom 520 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@FFlags 1 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@Vid {65F125E5-7BE1-4810-BA9D-D271C8432CE3} Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@Mode 6 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\4\Shell@ScrollPos800x600(1).y 2 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\41\Shell@WinPos800x600(1).left 44 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\41\Shell@WinPos800x600(1).top 58 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\41\Shell@WinPos800x600(1).right 644 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\41\Shell@WinPos800x600(1).bottom 462 ---- EOF - GMER 1.0.15 ---- Hijackthis-Logfile: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 04:33:12, on 31.08.2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe 
C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\System32\PAStiSvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\TUProgSt.exe C:\WINDOWS\system32\UTSCSI.EXE C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Programme\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\msdrive32.exe C:\Dokumente und Einstellungen\Salih\ms18_word.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\dwwin.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\TEMP\VRT6.tmp C:\WINDOWS\TEMP\VRT5.tmp C:\WINDOWS\System32\reader_s.exe C:\Programme\AVG\AVG8\avgui.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programme\AVG\AVG8\avgscanx.exe C:\Programme\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\svchost.exe C:\Dokumente und Einstellungen\Salih\reader_s.exe C:\WINDOWS\system32\sofatnet.exe C:\WINDOWS\system32\wiawow32.sys C:\Programme\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programme\AVG\AVG8\avgcsrvx.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local R3 - URLSearchHook: SweetIM For Internet Explorer - 
{BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file) R3 - URLSearchHook: (no name) - - (no file) R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Programme\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing) O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Programme\AVG\AVG8\avgssie.dll O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file) O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O4 - HKLM\..\Run: [ms18_word] C:\WINDOWS\system32\ms18_word.exe O4 - HKLM\..\Run: [14627] C:\WINDOWS\system32\49.tmp.exe O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AntiSpyware Service] C:\DOKUME~1\Salih\LOKALE~1\Temp\wr19jr .exe O4 - HKCU\..\Run: [ms18_word] C:\Dokumente und Einstellungen\Salih\ms18_word.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Dokumente und Einstellungen\Salih\reader_s.exe (User 'Default user') O8 - Extra context menu item: &Download All by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm O8 - Extra context menu item: &Download by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: (no name) - 
{0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll O9 - Extra button: Add to TimeLeft Auction Watch - {21196042-830F-419f-A594-F9D456A6C29A} - C:\Programme\TimeLeft3\TLIntergIE.html O9 - Extra 'Tools' menuitem: Add to TimeLeft Auction Watch - {21196042-830F-419f-A594-F9D456A6C29A} - C:\Programme\TimeLeft3\TLIntergIE.html O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing) O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing) O9 - Extra button: HP Intelligente Auswahl - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Programme\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network 
Diagnostic\xpnetdiag.exe O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://tky09.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_de_DE.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab O16 - DPF: {6F3AC18F-3DCB-4C8E-A1DE-F48E19739576} (SesliSistem Control) - http://www.seslisistem.com/newcab/ss.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE3C3BE-4DB7-4878-AE2B-721911662E30}: NameServer = 195.50.140.248 195.50.140.114 O17 - HKLM\System\CS4\Services\Tcpip\..\{1EE3C3BE-4DB7-4878-AE2B-721911662E30}: NameServer = 195.50.140.248 195.50.140.114 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. 
- C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Intelligenter Hintergrundübertragungsdienst (BITS) - Unknown owner - C:\WINDOWS\ O23 - Service: Google Update Service (gupdate1c98661365edd8a) (gupdate1c98661365edd8a) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe O23 - Service: iPod Service - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\WINDOWS\system32\sofatnet.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe O23 - Service: Usbest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE O23 - Service: Automatische Updates (wuauserv) - Unknown owner - C:\WINDOWS\ -- End of file - 9950 bytes Uninstall-Liste: 32 Bit HP CIO Components Installer 3GP Flash Video Converter V1.33 Ad-Aware Ad-Aware Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 8.1.3 - Deutsch Adobe Shockwave Player 11.5 Avanquest update AVG Free 8.5 Backgammon Pro für Windows V1.5 Backspin Billiards Batak 4 Ýhaleli Calc 3D CCleaner (remove only) ClearProg 1.6.0 Final Convert Doc DivX Player DivX Web Player EphPod Ext2 IFS 1.11 for Windows XP FlashGet 2.0 FlvGrabber FM Modifier 2.22 FMRTE Football Manager 2009 
Football Manager 2009 Türkçe Foto-Mosaik 4.1.0 GIMP 2.4.0 Google Earth Google Earth Plugin Google Update Helper HijackThis 2.0.2 Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix für Windows XP (KB952287) HP Customer Participation Program 10.0 HP Document Manager 1.0 HP Foto- und Bildbearbeitung 2.0 - All-in-One HP Foto und Bildbearbeitung 2.0 - hp psc 1200 series HP Foto- und Bildbearbeitung 2.0 All-in-One Treiber HP Imaging Device Functions 10.0 HP Officejet J4500 Series hp psc 1200 series HP Smart Web Printing HP Solution Center 10.0 HP Speicher-Disc HP Update ICQ Away Reader 1.4 ICQ6.5 ImageBlizzard 1.0 iPodLibrary v1.2b IrfanView (remove only) IsoBuster 2.4 iTunes Java(TM) 6 Update 3 Java(TM) 6 Update 5 JellyFish Light 3.5 kikin Plugin (JDownloader Edition) 1.11 K-Lite Codec Pack 3.5.3 Full Lizardtech DjVu Control (autoinstall) Malwarebytes' Anti-Malware Messenger Plus! Live Microsoft .NET Framework 2.0 Language Pack - DEU Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft .NET Framework 3.5 SP1 Microsoft Office PowerPoint Viewer 2003 Microsoft Reader Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2005 Redistributable Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Windows-Journal-Viewer MinuteMan Mozilla Firefox (3.0.13) MSN MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 6.0 Parser (KB933579) Nero 7 Ultra Edition neroxml NET Installation Assistance for VB6 App (Runtime Only) Nuclear Coffee - VideoGet NVIDIA Drivers OCR Software by I.R.I.S. 10.0 Okey+ 2.1 OpenOffice.org 2.3 Opera 9.50 Oxin's Style! 
3D Sexvilla 2 ever lust Picasa 2 Pop Art Studio 3.0 PowerQuest PartitionMagic 8.0 PowerQuest PartitionMagic 8.0 Pretty Good Solitaire version 12.0.1 Pro Evolution Soccer 2009 QuickTime Real Alternative 1.8.0 Realtek High Definition Audio Driver Shop for HP Supplies Sicherheitsupdate für Windows Internet Explorer 8 (KB972260) Sicherheitsupdate für Windows Media Player (KB973540) Sicherheitsupdate für Windows XP (KB938464) Sicherheitsupdate für Windows XP (KB946648) Sicherheitsupdate für Windows XP (KB950759) Sicherheitsupdate für Windows XP (KB950762) Sicherheitsupdate für Windows XP (KB950974) Sicherheitsupdate für Windows XP (KB951066) Sicherheitsupdate für Windows XP (KB951376) Sicherheitsupdate für Windows XP (KB951376-v2) Sicherheitsupdate für Windows XP (KB951698) Sicherheitsupdate für Windows XP (KB951748) Sicherheitsupdate für Windows XP (KB952954) Sicherheitsupdate für Windows XP (KB953838) Sicherheitsupdate für Windows XP (KB956744) Sicherheitsupdate für Windows XP (KB960859) Sicherheitsupdate für Windows XP (KB961371) Sicherheitsupdate für Windows XP (KB961501) Sicherheitsupdate für Windows XP (KB968537) Sicherheitsupdate für Windows XP (KB969897) Sicherheitsupdate für Windows XP (KB969898) Sicherheitsupdate für Windows XP (KB970238) Sicherheitsupdate für Windows XP (KB971557) Sicherheitsupdate für Windows XP (KB971633) Sicherheitsupdate für Windows XP (KB971657) Sicherheitsupdate für Windows XP (KB972260) Sicherheitsupdate für Windows XP (KB973346) Sicherheitsupdate für Windows XP (KB973354) Sicherheitsupdate für Windows XP (KB973507) Sicherheitsupdate für Windows XP (KB973869) Sony Ericsson Media Manager 1.0 Sony Ericsson PC Suite 3.209.00 SopCast 1.1.2 SPEED-LINK DUAL SHOCK ADAPTER Spelling Dictionaries Support For Adobe Reader 8 Spybot - Search & Destroy Sweepi 5.4.00 The Godfather™ The Game thriXXX VirtuallyJenna-029.002 TimeLeft Total Video Converter 3.10 Trust WB-1400T Webcam Trust WB-3400T Webcam TuneUp Utilities 2008 TuneUp Utilities 2009 TVAnts 
1.0 TVUPlayer 2.3.5.4 UltraISO Premium V9.3 UltraStar 0.6.1 Uninstall 1.0.0.1 Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update für Windows Internet Explorer 8 (KB972636) Update für Windows XP (KB968389) Update für Windows XP (KB973815) VC80CRTRedist - 8.0.50727.762 Veetle TV 0.9.14 Veoh Player VeryPDF PDF2TXT v3.2 VideoLAN VLC media player 0.8.4a Virtualdub 1.4.9 Wheel of Fortune (remove only) Winamp Windows Internet Explorer 8 Windows Live Anmelde-Assistent Windows Live installer Windows Live Messenger Windows Live Writer Windows Media Format 11 runtime Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player 11 WinRAR So, ich hoffe ihr könnt mir mit meinem Problem weiterhelfen Lg Alexa |
31.08.2009, 09:03
Member
Posts: 35
#4
OK, there is still quite a bit in there that should not be there.
Download and run Combofix, then post the logfile. Here is a guide: http://virus-protect.org/artikel/tools/combofix.html
__________
Leet´s get ready to SUCK IT !!!
31.08.2009, 12:49
Member
Posts: 3716
#5
Please update MalwareBytes first of all; the program was not up to date. Then run a full scan, delete the findings and post the log. After that you can run Combofix, but rename it to rejklli.exe,
because you have a rootkit on the system and that could otherwise cause difficulties if you do not rename CF. I would also point out that if you do online banking or other business on the PC, you should inform your bank of the problem and consider formatting your PC. Let me know how you would like to proceed.
I have a problem with a virus on my PC. I have combed through various forums and think I should post a HijackThis logfile. I hope you can help me.
HijackThis logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:32, on 28.08.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Dokumente und Einstellungen\Salih\ms18_word.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\msdrive32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wiwow64.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\49.tmp
C:\WINDOWS\system32\4A.tmp
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sofatnet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wiawow32.sys
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.speedbit.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Programme\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Programme\AVG\AVG8\avgssie.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programme\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [14627] C:\WINDOWS\system32\49.tmp.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [ms18_word] C:\WINDOWS\system32\ms18_word.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AntiSpyware Service] C:\DOKUME~1\Salih\LOKALE~1\Temp\wr19jr .exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKCU\..\Run: [ms18_word] C:\Dokumente und Einstellungen\Salih\ms18_word.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Security Center] C:\WINDOWS\sc.exe
O4 - HKCU\..\Run: [Protection System] C:\Programme\Protection System\psystem.exe
O4 - HKLM\..\Policies\Explorer\Run: [Microsoft Driver Setup] C:\WINDOWS\msdrive32.exe
O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Dokumente und Einstellungen\Salih\reader_s.exe (User 'Default user')
O8 - Extra context menu item: &Download All by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
O8 - Extra context menu item: &Download by FlashGet - C:\Programme\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Programme\kikin\ie_kikin.dll
O9 - Extra button: Add to TimeLeft Auction Watch - {21196042-830F-419f-A594-F9D456A6C29A} - C:\Programme\TimeLeft3\TLIntergIE.html
O9 - Extra 'Tools' menuitem: Add to TimeLeft Auction Watch - {21196042-830F-419f-A594-F9D456A6C29A} - C:\Programme\TimeLeft3\TLIntergIE.html
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in &Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: HP Intelligente Auswahl - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Programme\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://tky09.celartem.com/en/download/data/djvu_autoinstall/DjVuControl_de_DE.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {6F3AC18F-3DCB-4C8E-A1DE-F48E19739576} (SesliSistem Control) - http://www.seslisistem.com/newcab/ss.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE3C3BE-4DB7-4878-AE2B-721911662E30}: NameServer = 195.50.140.248 195.50.140.114
O17 - HKLM\System\CS3\Services\Tcpip\..\{1EE3C3BE-4DB7-4878-AE2B-721911662E30}: NameServer = 195.50.140.248 195.50.140.114
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intelligenter Hintergrundübertragungsdienst (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate1c98661365edd8a) (gupdate1c98661365edd8a) - Google Inc. - C:\Programme\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: sofatnet Service (sofatnet) - Sigma Designs In - C:\WINDOWS\system32\sofatnet.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Usbest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Automatische Updates (wuauserv) - Unknown owner - C:\WINDOWS\
--
End of file - 9886 bytes
Thanks in advance
Regards, Alexa
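As an added example (not part of the original post or of HijackThis itself), here is a small triage script for the kind of log pasted above. It pulls the O9, O16, O17 and O23 lines into structured records and marks the ones a helper would look at first: browser buttons whose target file is gone, ActiveX controls (DPF) that were installed from a remote host, the DNS resolvers configured on each interface, and services that either have no publisher in their version information or whose binary HijackThis could not resolve. The sample lines are excerpted verbatim from the log in this thread; the `REMOTE_ACCESS_SERVICES` set is this example's own judgment call, based only on the service's own name.

```python
"""Triage helper for HijackThis logs: parse the O9/O16/O17/O23 sections
and flag entries worth a manual check. Added example, not HijackThis code."""
import re
from urllib.parse import urlparse

# Lines excerpted verbatim from the log posted in this thread.
SAMPLE_LOG = r"""
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O16 - DPF: {6F3AC18F-3DCB-4C8E-A1DE-F48E19739576} (SesliSistem Control) - http://www.seslisistem.com/newcab/ss.cab
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE3C3BE-4DB7-4878-AE2B-721911662E30}: NameServer = 195.50.140.248 195.50.140.114
O17 - HKLM\System\CS3\Services\Tcpip\..\{1EE3C3BE-4DB7-4878-AE2B-721911662E30}: NameServer = 195.50.140.248 195.50.140.114
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Usbest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Automatische Updates (wuauserv) - Unknown owner - C:\WINDOWS\
"""

RE_O9 = re.compile(r"^O9 - (.+?) - \{([0-9A-Fa-f-]+)\} - (.+)$")
RE_O16 = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]+)\}(?: \((.*?)\))? - (\S+)$")
RE_O17 = re.compile(r"^O17 - (\S+): NameServer = (.+)$")
RE_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Assumption of this example: services that by their own name provide remote
# access to the machine deserve a "was this meant to run?" question.
REMOTE_ACCESS_SERVICES = {"rpcapd"}


def _short_service_name(display):
    """HijackThis prints 'Display Name (ShortName)'; take the last parenthesised token."""
    m = re.search(r"\(([^()]*)\)\s*$", display)
    return m.group(1) if m else display


def triage(log_text):
    out = {
        "stale_browser_buttons": [],  # O9 entries whose target file is missing
        "activex_downloads": [],      # O16 DPF: CLSID, control name, download host
        "dns_servers": [],            # unique resolvers from O17, across all ControlSets
        "services_to_check": [],      # O23 entries with a reason to look closer
    }
    resolvers = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_O9.match(line):
            label, clsid, target = m.groups()
            if target.endswith("(file missing)"):
                out["stale_browser_buttons"].append({"label": label, "clsid": clsid})
        elif m := RE_O16.match(line):
            clsid, name, url = m.groups()
            out["activex_downloads"].append(
                {"clsid": clsid, "name": name or "(no name)", "host": urlparse(url).hostname})
        elif m := RE_O17.match(line):
            resolvers.extend(m.group(2).split())
        elif m := RE_O23.match(line):
            display, owner, path = m.groups()
            short = _short_service_name(display)
            reasons = []
            if owner == "Unknown owner":
                reasons.append("no publisher in version info")
            if path.endswith("\\"):
                # HijackThis printed a directory, not a file: the binary was not resolved.
                reasons.append(f"binary not resolved; check ImagePath with: sc qc {short}")
            if short in REMOTE_ACCESS_SERVICES:
                reasons.append("remote access service; confirm it is meant to run")
            if reasons:
                out["services_to_check"].append({"service": short, "path": path, "reasons": reasons})
    # Same resolver appears once per ControlSet; keep first-seen order, drop duplicates.
    out["dns_servers"] = list(dict.fromkeys(resolvers))
    return out


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

The output is a worklist, not a verdict: compare the O17 resolvers with the ones your ISP or router hands out, look up each O16 download host and decide whether you ever asked for that control, and for each flagged O23 service check the real binary path with `sc qc <name>` before removing anything.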