I have non-stop traffic!

19.01.2010, 15:40
Member

Posts: 38
#1 Hello forum,

I need your valuable advice once again. My computer is sick and I am at my wits' end at this point. Here are the logs:

GMER Log:

Quote

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-19 15:31:19
Windows 6.1.7600
Running: fic5sve1.exe; Driver: C:\Users\BENUTZ~1\AppData\Local\Temp\agkiakog.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C31AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C31104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C313F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1A2D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C311DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C31958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C316F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C31F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C321A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C91579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CB5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spre.sys Das System kann den angegebenen Pfad nicht finden. !
? System32\Drivers\tmdoszlk.sys Ein an das System angeschlossenes Gerät funktioniert nicht. !
.text USBPORT.SYS!DllUnload 8DD45CA0 5 Bytes JMP 8600A4E0
.text ac1bb6v4.SYS 8E789000 12 Bytes [44, C8, C1, 82, EE, C6, C1, ...]
.text ac1bb6v4.SYS 8E78900D 9 Bytes [A7, C1, 82, 48, CB, C1, 82, ...]
.text ac1bb6v4.SYS 8E789017 170 Bytes [00, DE, F7, D1, 88, E6, F5, ...]
.text ac1bb6v4.SYS 8E7890C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ac1bb6v4.SYS 8E7890CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text peauth.sys 9D738C9D 28 Bytes [9E, EE, ED, D3, E6, D9, 17, ...]
.text peauth.sys 9D738CC1 28 Bytes [9E, EE, ED, D3, E6, D9, 17, ...]
? C:\Users\BENUTZ~1\AppData\Local\Temp\catchme.sys Das System kann die angegebene Datei nicht finden. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS Das System kann die angegebene Datei nicht finden. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[704] ole32.dll!CoCreateInstance 75F057FC 5 Bytes JMP 0064000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88C23042] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88C236D6] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88C23800] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88C2313E] \SystemRoot\System32\Drivers\spre.sys
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\ac1bb6v4.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [7429250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [74292494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [74275624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [742756E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [74288573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [74284D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [742850CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [742851A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [742866D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [742882CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [74288819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7428907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7428E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1872] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [74284C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86273670
Device \FileSystem\Ntfs \Ntfs 85D371F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9C7E51A3-3F33-4808-9CE3-911716F8DEA3} 863CF1F8
Device \Driver\volmgr \Device\VolMgrControl 850B51F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{CB5BE36B-7CB2-4509-B93F-C66C30380A2C} 863CF1F8
Device \Driver\usbohci \Device\USBPDO-0 86453500
Device \Driver\usbohci \Device\USBPDO-1 86453500
Device \Driver\usbehci \Device\USBPDO-2 8643A500
Device \Driver\usbohci \Device\USBPDO-3 86453500
Device \Driver\usbohci \Device\USBPDO-4 86453500
Device \Driver\usbehci \Device\USBPDO-5 8643A500
Device \Driver\PCI_PNP6634 \Device\00000063 spre.sys
Device \Driver\usbohci \Device\USBPDO-6 86453500
Device \Driver\volmgr \Device\HarddiskVolume1 850B51F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 850B51F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 862771F8
Device \Driver\ACPI_HAL \Device\00000059 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\sptd \Device\3962335384 spre.sys
Device \Driver\cdrom \Device\CdRom1 862771F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 85D351F8
Device \Driver\atapi \Device\Ide\IdePort0 85D351F8
Device \Driver\atapi \Device\Ide\IdePort1 85D351F8
Device \Driver\atapi \Device\Ide\IdePort2 85D351F8
Device \Driver\atapi \Device\Ide\IdePort3 85D351F8
Device \Driver\atapi \Device\Ide\IdePort4 85D351F8
Device \Driver\atapi \Device\Ide\IdePort5 85D351F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-4 85D351F8
Device \Driver\cdrom \Device\CdRom2 862771F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 863CF1F8
Device \Driver\usbohci \Device\USBFDO-0 86453500
Device \Driver\usbohci \Device\USBFDO-1 86453500
Device \Driver\usbehci \Device\USBFDO-2 8643A500
Device \Driver\usbohci \Device\USBFDO-3 86453500
Device \Driver\usbohci \Device\USBFDO-4 86453500
Device \Driver\usbehci \Device\USBFDO-5 8643A500
Device \Driver\usbohci \Device\USBFDO-6 86453500
Device \Driver\ac1bb6v4 \Device\Scsi\ac1bb6v41Port6Path0Target0Lun0 865B1500
Device \Driver\ac1bb6v4 \Device\Scsi\ac1bb6v41 865B1500
Device -> \Driver\atapi \Device\Harddisk0\DR0 85DBB856

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011670b4ade
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDC 0xD6 0x4A 0x0B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x78 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x85 0x33 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xBA 0x64 0xD9 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0011670b4ade (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x25 0x95 0x4B 0x33 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x78 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x85 0x33 0xC0 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xBA 0x64 0xD9 0x17 ...
Reg HKLM\SYSTEM\ControlSet002\services\tmdoszlk@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\tmdoszlk@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\tmdoszlk@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\tmdoszlk@Group Boot Bus Extender
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL BED8F194AACB576400B5CF12A1178B1F04E766816
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Tools\Install\Media Player Classic \x2013 Home Cinema v1.3.1249.0\Media Player Classic \x2013 Home Cinema v1.3.1249.0.exe 1

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
Malware Log:

Quote

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3598
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

19.01.2010 15:18:08
mbam-log-2010-01-19 (15-18-08).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 106214
Laufzeit: 3 minute(s), 10 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Windows\system32\Drivers\tmdoszlk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HiJack Log:

Quote

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:33:22, on 19.01.2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Logitech\SetPoint II\SetpointII.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Benutzername\Desktop\fic5sve1.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Benutzername\Desktop\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [OODefragTray] C:\Program Files\OO Software\Defrag\oodtray.exe
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - Global Startup: SetPointII.lnk = ?
O8 - Extra context menu item: &Alles mit FlashGet laden - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears-Einstellungen - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Program Files\OO Software\Defrag\oodag.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--
End of file - 8408 bytes
HiJack Uninstall Log:

Quote

µTorrent
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
2007 Microsoft Office Suite Service Pack 2 (SP2)
AC3Filter 1.63b
ACDSee Pro 3
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Audition 3.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 9.3 - Deutsch
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advertising Center
Air Mouse Server
Air Mouse Server
Allway Sync version 10.0.2
AMD USB Filter Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
CCleaner
CDBurnerXP
ClearProg 1.6.0 Final
Condition Zero
Counter-Strike: Source
Creative Software AutoUpdate
Creative-Audiokonsole
Death Rally for Windows
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
DolbyFiles
Dual-Core Optimizer
Easy CD-DA Extractor 12
ESET Online Scanner v3
EVEREST Ultimate Edition v5.30
FlashGet 1.9.6.1073
FreeFileSync
Google Gears
Google Update Helper
GRID
Hex Workshop v6
HijackThis 2.0.2
iTunes
Java(TM) 6 Update 18
jv16 PowerTools 2009
LabelPrint 2.0
Logitech Gaming Software 5.08
Logitech SetPoint 5.20
Malwarebytes' Anti-Malware
Media Player Classic - Home Cinema v. 1.3.1249.0
Menu Templates - Starter Kit
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 4 Client Profile Beta 1
Microsoft .NET Framework 4 Client Profile Beta 1
Microsoft .NET Framework 4 Extended Beta 1
Microsoft .NET Framework 4 Extended Beta 1
Microsoft Choice Guard
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Access MUI (German) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office Groove MUI (German) 2007
Microsoft Office InfoPath MUI (German) 2007
Microsoft Office OneNote MUI (German) 2007
Microsoft Office Outlook MUI (German) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Publisher MUI (German) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Word MUI (German) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 Beta 1 x86 Redistributable - 10.0.20506
Monkey's Audio
Mozilla Firefox (3.5.7)
Mp3tag v2.45a
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyPhoneExplorer
Nero 9
Nero BurnRights
Nero ControlCenter
Nero InfoTool
Nero Installer
Nero StartSmart
NeroBurningROM
NeroExpress
neroxml
NetSpeedMonitor 2.4.2.0 x86
NewBlue 3D Explosions for Windows
NewBlue 3D Transformations for Windows
NewBlue Art Blends for Windows
NewBlue Art Effects for Windows
NewBlue Film Effects for Windows
NewBlue Motion Blends for Windows
NewBlue Motion Effects for Windows
NewBlue Video Essentials for Windows
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
O&O Defrag Professional
O&O DiskRecovery
OpenAL
Panda ActiveScan 2.0
PDF Settings
PDFCreator
Photosynth 2.0109.1013.1319
plist Editor for Windows 1.0.1
PokerStars
Pro Evolution Soccer 2010
Prototype(TM)
PSP ISO Compressor
QuickTime
Realtek Ethernet Controller Driver For Windows Vista and Later
REAPER
Registry First Aid
Registry TuneUp
ReNamer
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB973704)
Security Update for Microsoft Office Excel 2007 (KB973593)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Shutdown4U
SpeedFan (remove only)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Steam
Tom Clancy's H.A.W.X
trouted! Aliases v1.2
TV-Browser 2.7.5
UltraISO Premium V9.35
Unlocker 1.8.8
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Word 2007 (KB974561)
Update for Outlook 2007 Junk Email Filter (kb977839)
Update für Microsoft Office Excel 2007 Help (KB963678)
Update für Microsoft Office Outlook 2007 Help (KB963677)
Update für Microsoft Office Powerpoint 2007 Help (KB963669)
Update für Microsoft Office Word 2007 Help (KB963665)
VC80CRTRedist - 8.0.50727.4053
Vegas Pro 9.0
VLC media player 1.0.3
WaveLab 6
Winamp
Windows Live Anmelde-Assistent
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Fotogalerie
Windows Live Messenger
Windows Live Movie Maker
Windows Live Sync
Windows Live Writer
Windows Live-Uploadtool
Windows XP Mode
WinRAR
WinSCP 4.2.5
WinZip 14.0
xGPS Manager 1.1.5
Xilisoft DVD Ripper Ultimate
Xilisoft Video Converter Ultimate
Zip Motion Block Video codec (Remove Only)

A thousand thanks in advance!
19.01.2010, 16:23
Member

Posts: 3716
#2 Continue with ComboFix.
19.01.2010, 16:47
Member

Thread starter

Posts: 38
#3 Thanks for your help, and here is the

Combo-Fix Log:

Quote

ComboFix 10-01-18.03 - Benutzername 19.01.2010 16:34:31.3.3 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.2045.1472 [GMT 1:00]
ausgeführt von:: c:\users\Benutzername\Desktop\Combo-Fix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Data . . . . Nicht in der Lage zu löschen
c:\windows\system32\Data\CTGER.DAT . . . . Nicht in der Lage zu löschen

.
((((((((((((((((((((((( Dateien erstellt von 2009-12-19 bis 2010-01-19 ))))))))))))))))))))))))))))))
.

2010-01-19 15:40 . 2010-01-19 15:42 -------- d-----w- c:\users\Benutzername\AppData\Local\temp
2010-01-19 15:40 . 2010-01-19 15:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-19 15:40 . 2010-01-19 15:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-19 12:10 . 2009-06-30 08:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-01-19 12:10 . 2010-01-19 12:10 -------- d-----w- c:\program files\Panda Security
2010-01-19 11:09 . 2010-01-19 11:09 -------- d-----w- c:\program files\ESET
2010-01-19 01:56 . 2010-01-19 01:56 -------- d-----w- c:\users\Benutzername\AppData\Roaming\AVS4YOU
2010-01-19 01:56 . 2010-01-19 01:56 -------- d-----w- c:\programdata\AVS4YOU
2010-01-19 01:55 . 2010-01-19 11:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-01-19 01:55 . 2008-08-13 10:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-01-19 01:55 . 2008-08-13 10:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-01-19 00:19 . 2010-01-19 00:19 -------- d-----w- c:\program files\Activision
2010-01-18 13:46 . 2010-01-18 13:46 -------- d-----w- c:\program files\Common Files\Java
2010-01-16 18:02 . 2010-01-16 18:02 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-01-13 15:22 . 2010-01-13 15:22 -------- d-----w- c:\program files\Winamp Detect
2010-01-13 11:12 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 11:12 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-08 12:06 . 2010-01-08 12:06 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-01-07 14:06 . 2010-01-07 14:07 -------- d-----w- c:\users\Benutzername\AppData\Local\ApplicationHistory
2010-01-07 14:06 . 2010-01-07 14:06 100 ----a-w- c:\users\Benutzername\AppData\Local\fusioncache.dat
2010-01-07 14:06 . 2001-10-28 15:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2010-01-07 14:06 . 2010-01-07 14:07 -------- d-----w- c:\program files\PDFCreator
2010-01-07 14:06 . 1998-07-06 16:56 125712 ----a-w- c:\windows\system32\VB6DE.DLL
2010-01-07 14:06 . 1998-07-06 16:55 158208 ----a-w- c:\windows\system32\MSCMCDE.DLL
2010-01-07 14:06 . 1998-07-06 16:55 64512 ----a-w- c:\windows\system32\MSCC2DE.DLL
2010-01-07 14:06 . 1998-07-05 23:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2010-01-06 20:32 . 2009-07-14 01:15 90624 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPWN7.DLL
2009-12-30 16:25 . 2009-12-30 16:26 -------- d-----w- c:\program files\jv16 PowerTools 2009
2009-12-30 16:18 . 2010-01-19 02:51 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-30 00:33 . 2009-12-30 00:34 -------- d-----w- c:\program files\Google
2009-12-30 00:33 . 2009-12-30 00:33 -------- d-----w- c:\users\Benutzername\AppData\Local\Google
2009-12-29 22:45 . 2010-01-12 21:02 -------- d-----w- c:\users\Benutzername\TV-Browser
2009-12-29 22:45 . 2009-12-29 22:45 -------- d-----w- c:\program files\TV-Browser
2009-12-27 21:24 . 2009-12-27 21:24 -------- d-----w- c:\program files\DIFX
2009-12-27 21:24 . 2009-10-19 13:45 31288 ----a-w- c:\windows\system32\drivers\usbfilter.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 15:44 . 2009-10-19 14:51 -------- d-----w- c:\users\Benutzername\AppData\Roaming\NetSpeedMonitor
2010-01-19 15:41 . 2009-10-19 14:16 -------- d-----w- c:\programdata\NVIDIA
2010-01-19 14:11 . 2009-10-19 16:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-19 03:23 . 2009-10-25 22:20 228 ----a-w- c:\windows\system32\edacded0.dat
2010-01-19 02:51 . 2009-10-19 15:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 00:24 . 2009-10-19 14:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-18 22:40 . 2009-10-19 17:47 -------- d-----w- c:\program files\Steam
2010-01-18 14:11 . 2009-10-19 15:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 13:46 . 2009-10-19 16:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-18 11:43 . 2009-07-14 08:47 724852 ----a-w- c:\windows\system32\perfh007.dat
2010-01-18 11:43 . 2009-07-14 08:47 152580 ----a-w- c:\windows\system32\perfc007.dat
2010-01-16 18:03 . 2009-10-19 15:46 -------- d-----w- c:\program files\Windows Live
2010-01-13 15:22 . 2009-10-19 16:15 -------- d-----w- c:\program files\Winamp
2010-01-13 11:14 . 2009-10-19 17:10 -------- d-----w- c:\programdata\Microsoft Help
2010-01-08 14:59 . 2009-10-19 15:06 -------- d-----w- c:\program files\Allway Sync
2010-01-08 12:35 . 2009-10-19 15:56 -------- d-----w- c:\programdata\RFA_Backups
2010-01-08 12:20 . 2009-10-19 19:31 -------- d-----w- c:\program files\Codemasters
2010-01-08 12:16 . 2009-10-19 14:31 110296 ----a-w- c:\users\Benutzername\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-07 15:07 . 2009-10-19 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2009-10-19 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 13:08 . 2009-10-19 16:34 -------- d-----w- c:\program files\WinSCP
2009-12-28 00:20 . 2009-12-14 00:23 142120 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-27 21:24 . 2009-10-22 10:38 -------- d-----w- c:\program files\AMD
2009-12-27 21:23 . 2009-10-19 14:16 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-27 21:23 . 2009-10-19 14:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-27 21:23 . 2009-10-19 14:16 -------- d-----w- c:\program files\NVIDIA Corporation
2009-12-17 15:11 . 2009-12-17 14:59 -------- d-----w- c:\program files\NewBlue
2009-12-17 14:59 . 2009-12-17 14:59 279172 ----a-w- c:\programdata\eSellerate\eWebClient.dll
2009-12-17 14:59 . 2009-12-17 14:59 -------- d-----w- c:\programdata\eSellerate
2009-12-17 14:55 . 2009-12-17 14:55 -------- d-----w- c:\users\Benutzername\AppData\Roaming\Publish Providers
2009-12-17 14:55 . 2009-12-17 14:43 -------- d-----w- c:\users\Benutzername\AppData\Roaming\Sony
2009-12-17 14:42 . 2009-12-17 14:42 -------- d-----w- c:\programdata\Sony
2009-12-17 14:42 . 2009-12-17 14:42 -------- d-----w- c:\program files\Sony
2009-12-17 14:18 . 2009-10-19 15:24 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-12-17 13:34 . 2009-10-19 21:05 -------- d-----w- c:\programdata\FLEXnet
2009-12-17 13:24 . 2009-12-17 13:24 -------- d-----w- c:\users\Benutzername\AppData\Roaming\No Company Name
2009-12-17 13:23 . 2009-10-19 14:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-03 22:35 . 2009-12-03 22:35 -------- d-----w- c:\programdata\CyberLink
2009-12-03 22:34 . 2009-12-03 22:34 -------- d-----w- c:\program files\CyberLink
2009-12-01 20:25 . 2009-11-19 14:31 -------- d-----w- c:\program files\DOSBox-0.73
2009-12-01 12:44 . 2009-10-19 15:32 -------- d-----w- c:\program files\Easy CD-DA Extractor 12
2009-12-01 12:05 . 2009-12-01 12:05 -------- d-----w- c:\programdata\Adobe Systems
2009-12-01 12:05 . 2009-12-01 12:05 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-11-30 21:59 . 2009-11-30 21:59 -------- d-----w- c:\program files\BreakPoint Software
2009-11-30 20:52 . 2009-10-19 15:48 -------- d-----w- c:\program files\Messenger Plus! Live
2009-11-30 19:48 . 2009-11-30 19:48 -------- d-----w- c:\programdata\InstallShield
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-30 16:09 . 2009-11-30 16:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-30 16:04 . 2009-11-19 15:15 -------- d-----w- c:\program files\REAPER
2009-11-30 15:59 . 2009-11-30 15:59 -------- d-----w- c:\users\Benutzername\AppData\Roaming\URSoft
2009-11-30 00:11 . 2009-10-19 15:48 -------- d-----w- c:\program files\Mp3tag
2009-11-26 17:56 . 2009-10-19 21:35 -------- d-----w- c:\program files\Realtek
2009-11-25 22:43 . 2009-11-25 22:43 -------- d-----w- c:\program files\SpeedFan
2009-11-25 01:10 . 2009-11-25 01:10 -------- d-----w- c:\program files\Shutdown4U
2009-11-24 12:34 . 2009-10-19 16:10 -------- d-----w- c:\programdata\WinZip
2009-11-24 12:22 . 2009-11-02 12:56 -------- d-----w- c:\users\Benutzername\AppData\Roaming\vlc
2009-11-23 15:39 . 2009-10-19 15:24 -------- d-----w- c:\program files\DivX
2009-11-20 19:33 . 2009-11-20 19:33 812648 ----a-w- c:\windows\system32\nvsvc.dll
2009-11-20 19:33 . 2009-11-20 19:33 1323624 ----a-w- c:\windows\system32\nvsvcr.dll
2009-11-20 19:33 . 2009-11-20 19:33 12685928 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-20 19:33 . 2009-11-20 19:33 122984 ----a-w- c:\windows\system32\nvvsvc.exe
2009-11-20 19:33 . 2009-11-20 19:33 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-19 20:42 . 2009-10-19 14:15 592488 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-06 09:59 . 2009-11-06 09:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 09:59 . 2009-11-06 09:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-05 21:14 . 2009-11-26 17:56 230912 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
2009-10-30 09:09 . 2009-10-30 09:09 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:22 . 2009-11-25 12:30 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 19:18 . 2009-10-27 19:18 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-16 153608]
"OODefragTray"="c:\program files\OO Software\Defrag\oodtray.exe" [2009-09-11 2524416]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2009-7-21 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [19.01.2010 13:10 28552]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [19.10.2009 17:01 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [20.11.2009 19:17 240232]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.sys [19.10.2009 15:10 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.sys [19.10.2009 15:10 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.sys [19.10.2009 15:10 566296]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\System32\drivers\Rt86win7.sys [26.11.2009 18:56 230912]
R3 usbfilter;AMD USB Filter Driver;c:\windows\System32\drivers\usbfilter.sys [27.12.2009 22:24 31288]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30.12.2009 01:33 135664]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe [06.05.2009 08:08 104272]
S3 COMMONFX;COMMONFX;c:\windows\System32\drivers\COMMONFX.sys [19.10.2009 15:10 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [19.10.2009 15:22 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\System32\drivers\CTAUDFX.sys [19.10.2009 15:10 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.sys [19.10.2009 15:10 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\System32\drivers\CTERFXFX.sys [19.10.2009 15:10 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\System32\drivers\CTSBLFX.sys [19.10.2009 15:10 566296]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\System32\drivers\LGBusEnum.sys [14.07.2009 14:35 19720]

--- Andere Dienste/Treiber im Speicher ---

*Deregistered* - tmdoszlk
.
Inhalt des "geplante Tasks" Ordners

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 00:33]

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 00:33]
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Alles mit FlashGet laden - c:\program files\FlashGet\jc_all.htm
IE: &Mit FlashGet laden - c:\program files\FlashGet\jc_link.htm
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Benutzername\AppData\Roaming\Mozilla\Firefox\Profiles\if6r9rrd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\DotNetAssistantExtension\
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85DBB856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x850ba9d8
QueryNameProcedure -> 0x850bab68
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\tmdoszlk]

.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30po\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30po"

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30pp\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30pp"

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30ppf\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30ppf"

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.xmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG12.00.00.01PROFESSIONAL"="BED8F194AACB576400B5CF12A1178B1F04E
...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(1888)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\OO Software\Defrag\oodag.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-01-19 16:45:58 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-01-19 15:45

Vor Suchlauf: 11 Verzeichnis(se), 74.876.706.816 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 74.562.273.280 Bytes frei

- - End Of File - - 2ECC0A7F8BC5EA867ECE8E64BBC7BB6A

19.01.2010, 17:16
Moderator

Posts: 7805
#4 A small addition.
Please start this program and choose uninstall. Only that; if that option is not offered to you, abort the process. If it is offered, uninstall it and post a new GMER report after the reboot.

http://www.duplexsecure.com/download/SPTDinst-v162-x86.exe
__________
Kind regards, Ralf
SEO-Spam Hunter
19.01.2010, 17:38
Member

Thread starter

Posts: 38
#5 Here is the log after uninstalling SPTD:

Quote

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-19 17:37:49
Windows 6.1.7600
Running: fic5sve1.exe; Driver: C:\Users\BENUTZ~1\AppData\Local\Temp\agkiakog.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83034AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83034104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830343F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301D2D8
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830341DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83034958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830346F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83034F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830351A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C4D579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C71F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\tmdoszlk.sys Ein an das System angeschlossenes Gerät funktioniert nicht. !
.text peauth.sys 9D34FC9D 28 Bytes [8F, C3, B7, 67, C5, 9F, 9B, ...]
.text peauth.sys 9D34FCC1 28 Bytes [8F, C3, B7, 67, C5, 9F, 9B, ...]
PAGE peauth.sys 9D355E20 101 Bytes [64, DB, 39, 51, 02, E3, EF, ...]
PAGE peauth.sys 9D35602C 102 Bytes [C7, 20, 68, 89, 13, 7B, 9D, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [738D250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [738D2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [738B5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [738B56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [738C8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [738C4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [738C50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [738C51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [738C66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [738C82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [738C8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [738C907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [738CE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [738C4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 861B3218

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000059 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 85D78856

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011670b4ade
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x23 0xF5 0x0E 0x75 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x78 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x85 0x33 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xBA 0x64 0xD9 0x17 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0011670b4ade (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x23 0xF5 0x0E 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x78 0xC4 0x34 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x48 0x85 0x33 0xC0 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xBA 0x64 0xD9 0x17 ...
Reg HKLM\SYSTEM\ControlSet002\services\tmdoszlk@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\tmdoszlk@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\tmdoszlk@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\tmdoszlk@Group Boot Bus Extender
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Tools\Install\Media Player Classic \x2013 Home Cinema v1.3.1249.0\Media Player Classic \x2013 Home Cinema v1.3.1249.0.exe 1

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

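The GMER log in this post and the UAC policy block in the ComboFix log in post #3 can be triaged mechanically. The script below is an added example, not part of this thread and not code from GMER or ComboFix. It reads the log lines exactly as they were posted (the sample strings are copied from the two logs), collects the registry values GMER reported for services in the active ControlSet (the "(not active ControlSet)" lines for ControlSet002 are deliberately ignored), and flags a boot-start service (Start=0 is SERVICE_BOOT_START) whose driver file GMER could not read, a file GMER marked as "suspicious modification", and the policy values that show UAC switched off. Service names, messages and values come from the posted logs; the function names and the wording of the findings are this example's own.

```python
"""Triage helper for GMER and ComboFix text logs (added example, not from the thread)."""
import re

SERVICE_BOOT_START = 0  # Start=0: loaded by the boot loader, before most security tools

# Sample lines copied verbatim from the GMER log posted in this thread.
SAMPLE_GMER = r"""? System32\Drivers\tmdoszlk.sys Ein an das System angeschlossenes Gerät funktioniert nicht. !
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\tmdoszlk@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\tmdoszlk@Start 0
File C:\Windows\system32\drivers\atapi.sys suspicious modification
"""

# Sample lines copied verbatim from the ComboFix log in post #3.
SAMPLE_COMBOFIX = r'''[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
'''

# Only direct values of a service key in the active ControlSet (no deeper subkeys such as sptd\Cfg\...).
REG_SERVICE_RE = re.compile(r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\services\\([^\\@\s]+)@(\w+)\s*(.*)$")
UNREADABLE_RE = re.compile(r"^\? (\S+) .* !$")          # GMER: '? <driver path> <OS error text> !'
SUSPICIOUS_RE = re.compile(r"^File (\S+) suspicious modification$")
POLICY_RE = re.compile(r'^"(\w+)"=\s*(\d+)')            # ComboFix: '"Name"= 0 (0x0)'


def parse_services(gmer_text):
    """Map service name -> {value name: data} for services in the active ControlSet."""
    services = {}
    for line in gmer_text.splitlines():
        m = REG_SERVICE_RE.match(line)
        if m:
            name, value, data = m.groups()
            services.setdefault(name.lower(), {})[value] = data
    return services


def unreadable_drivers(gmer_text):
    """Driver names (without .sys) whose file GMER could not open or find."""
    names = set()
    for line in gmer_text.splitlines():
        m = UNREADABLE_RE.match(line)
        if m:
            base = m.group(1).rsplit("\\", 1)[-1].lower()
            names.add(base[:-4] if base.endswith(".sys") else base)
    return names


def suspicious_files(gmer_text):
    """Files GMER reports as modified on disk compared with what it expects."""
    return [m.group(1) for m in map(SUSPICIOUS_RE.match, gmer_text.splitlines()) if m]


def flag_services(gmer_text):
    """A boot-start service whose image cannot be read is the footprint of a driver
    hiding its own file; return one finding string per such service."""
    findings = []
    missing = unreadable_drivers(gmer_text)
    for name, values in parse_services(gmer_text).items():
        start = values.get("Start")
        if start is not None and int(start) == SERVICE_BOOT_START and name in missing:
            findings.append(f"{name}: Start={start} (boot), Group={values.get('Group', '?')}, "
                            f"driver file unreadable")
    return findings


def uac_findings(combofix_text):
    """Flag the policy values that switch off UAC or its prompts."""
    policies = {}
    for line in combofix_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = int(m.group(2))
    findings = []
    if policies.get("EnableLUA") == 0:
        findings.append("EnableLUA=0: UAC is off, every process of an admin user runs fully elevated")
    if policies.get("ConsentPromptBehaviorAdmin") == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: elevation is granted without any prompt")
    if policies.get("PromptOnSecureDesktop") == 0:
        findings.append("PromptOnSecureDesktop=0: prompts, if any, are not shown on the secure desktop")
    return findings


if __name__ == "__main__":
    for finding in flag_services(SAMPLE_GMER) + suspicious_files(SAMPLE_GMER) + uac_findings(SAMPLE_COMBOFIX):
        print(finding)
```

Run against the two sample strings it reports tmdoszlk as a boot-start driver in the "Boot Bus Extender" group with an unreadable file, atapi.sys as modified, and three UAC policies set to 0; the sptd\Cfg line is skipped because it is a subkey, not a service value.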
19.01.2010, 17:45
Member

Posts: 3716
#6 Thanks @raman, it slipped my mind.
Please continue with CF.
19.01.2010, 17:49
Member

Thread starter

Posts: 38
#7 The ComboFix log is already above, or should I run another one?
19.01.2010, 17:58
Member

Posts: 3716
#8 Sorry, I overlooked it in the rush; I'm looking at it now.
19.01.2010, 18:03
Member

Thread starter

Posts: 38
#9 I ran it once more in the confusion ;-)

Quote

ComboFix 10-01-18.03 - Benutzername 19.01.2010 17:51:24.4.3 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.2045.1368 [GMT 1:00]
ausgeführt von:: c:\users\Benutzername\Desktop\Combo-Fix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Data . . . . Nicht in der Lage zu löschen
c:\windows\system32\Data\CTGER.DAT . . . . Nicht in der Lage zu löschen

.
((((((((((((((((((((((( Dateien erstellt von 2009-12-19 bis 2010-01-19 ))))))))))))))))))))))))))))))
.

2010-01-19 16:56 . 2010-01-19 16:57 -------- d-----w- c:\users\Benutzername\AppData\Local\temp
2010-01-19 16:56 . 2010-01-19 16:56 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-19 16:56 . 2010-01-19 16:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-19 12:10 . 2009-06-30 08:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-01-19 12:10 . 2010-01-19 12:10 -------- d-----w- c:\program files\Panda Security
2010-01-19 11:09 . 2010-01-19 11:09 -------- d-----w- c:\program files\ESET
2010-01-19 01:56 . 2010-01-19 01:56 -------- d-----w- c:\users\Benutzername\AppData\Roaming\AVS4YOU
2010-01-19 01:56 . 2010-01-19 01:56 -------- d-----w- c:\programdata\AVS4YOU
2010-01-19 01:55 . 2010-01-19 11:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-01-19 01:55 . 2008-08-13 10:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-01-19 01:55 . 2008-08-13 10:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-01-19 00:19 . 2010-01-19 00:19 -------- d-----w- c:\program files\Activision
2010-01-18 13:46 . 2010-01-18 13:46 -------- d-----w- c:\program files\Common Files\Java
2010-01-16 18:02 . 2010-01-16 18:02 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-01-13 15:22 . 2010-01-13 15:22 -------- d-----w- c:\program files\Winamp Detect
2010-01-13 11:12 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 11:12 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-08 12:06 . 2010-01-08 12:06 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-01-07 14:06 . 2010-01-07 14:07 -------- d-----w- c:\users\Benutzername\AppData\Local\ApplicationHistory
2010-01-07 14:06 . 2010-01-07 14:06 100 ----a-w- c:\users\Benutzername\AppData\Local\fusioncache.dat
2010-01-07 14:06 . 2001-10-28 15:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2010-01-07 14:06 . 2010-01-07 14:07 -------- d-----w- c:\program files\PDFCreator
2010-01-07 14:06 . 1998-07-06 16:56 125712 ----a-w- c:\windows\system32\VB6DE.DLL
2010-01-07 14:06 . 1998-07-06 16:55 158208 ----a-w- c:\windows\system32\MSCMCDE.DLL
2010-01-07 14:06 . 1998-07-06 16:55 64512 ----a-w- c:\windows\system32\MSCC2DE.DLL
2010-01-07 14:06 . 1998-07-05 23:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2010-01-06 20:32 . 2009-07-14 01:15 90624 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPWN7.DLL
2009-12-30 16:25 . 2009-12-30 16:26 -------- d-----w- c:\program files\jv16 PowerTools 2009
2009-12-30 16:18 . 2010-01-19 02:51 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-30 00:33 . 2009-12-30 00:34 -------- d-----w- c:\program files\Google
2009-12-30 00:33 . 2009-12-30 00:33 -------- d-----w- c:\users\Benutzername\AppData\Local\Google
2009-12-29 22:45 . 2010-01-12 21:02 -------- d-----w- c:\users\Benutzername\TV-Browser
2009-12-29 22:45 . 2009-12-29 22:45 -------- d-----w- c:\program files\TV-Browser
2009-12-27 21:24 . 2009-12-27 21:24 -------- d-----w- c:\program files\DIFX
2009-12-27 21:24 . 2009-10-19 13:45 31288 ----a-w- c:\windows\system32\drivers\usbfilter.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 16:58 . 2009-10-19 14:51 -------- d-----w- c:\users\Benutzername\AppData\Roaming\NetSpeedMonitor
2010-01-19 16:57 . 2009-10-19 14:16 -------- d-----w- c:\programdata\NVIDIA
2010-01-19 14:11 . 2009-10-19 16:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-19 03:23 . 2009-10-25 22:20 228 ----a-w- c:\windows\system32\edacded0.dat
2010-01-19 02:51 . 2009-10-19 15:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 00:24 . 2009-10-19 14:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-18 22:40 . 2009-10-19 17:47 -------- d-----w- c:\program files\Steam
2010-01-18 14:11 . 2009-10-19 15:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 13:46 . 2009-10-19 16:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-18 11:43 . 2009-07-14 08:47 724852 ----a-w- c:\windows\system32\perfh007.dat
2010-01-18 11:43 . 2009-07-14 08:47 152580 ----a-w- c:\windows\system32\perfc007.dat
2010-01-16 18:03 . 2009-10-19 15:46 -------- d-----w- c:\program files\Windows Live
2010-01-13 15:22 . 2009-10-19 16:15 -------- d-----w- c:\program files\Winamp
2010-01-13 11:14 . 2009-10-19 17:10 -------- d-----w- c:\programdata\Microsoft Help
2010-01-08 14:59 . 2009-10-19 15:06 -------- d-----w- c:\program files\Allway Sync
2010-01-08 12:35 . 2009-10-19 15:56 -------- d-----w- c:\programdata\RFA_Backups
2010-01-08 12:20 . 2009-10-19 19:31 -------- d-----w- c:\program files\Codemasters
2010-01-08 12:16 . 2009-10-19 14:31 110296 ----a-w- c:\users\Benutzername\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-07 15:07 . 2009-10-19 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2009-10-19 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 13:08 . 2009-10-19 16:34 -------- d-----w- c:\program files\WinSCP
2009-12-28 00:20 . 2009-12-14 00:23 142120 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-27 21:24 . 2009-10-22 10:38 -------- d-----w- c:\program files\AMD
2009-12-27 21:23 . 2009-10-19 14:16 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-27 21:23 . 2009-10-19 14:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-27 21:23 . 2009-10-19 14:16 -------- d-----w- c:\program files\NVIDIA Corporation
2009-12-17 15:11 . 2009-12-17 14:59 -------- d-----w- c:\program files\NewBlue
2009-12-17 14:59 . 2009-12-17 14:59 279172 ----a-w- c:\programdata\eSellerate\eWebClient.dll
2009-12-17 14:59 . 2009-12-17 14:59 -------- d-----w- c:\programdata\eSellerate
2009-12-17 14:55 . 2009-12-17 14:55 -------- d-----w- c:\users\Benutzername\AppData\Roaming\Publish Providers
2009-12-17 14:55 . 2009-12-17 14:43 -------- d-----w- c:\users\Benutzername\AppData\Roaming\Sony
2009-12-17 14:42 . 2009-12-17 14:42 -------- d-----w- c:\programdata\Sony
2009-12-17 14:42 . 2009-12-17 14:42 -------- d-----w- c:\program files\Sony
2009-12-17 14:18 . 2009-10-19 15:24 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-12-17 13:34 . 2009-10-19 21:05 -------- d-----w- c:\programdata\FLEXnet
2009-12-17 13:24 . 2009-12-17 13:24 -------- d-----w- c:\users\Benutzername\AppData\Roaming\No Company Name
2009-12-17 13:23 . 2009-10-19 14:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-03 22:35 . 2009-12-03 22:35 -------- d-----w- c:\programdata\CyberLink
2009-12-03 22:34 . 2009-12-03 22:34 -------- d-----w- c:\program files\CyberLink
2009-12-01 20:25 . 2009-11-19 14:31 -------- d-----w- c:\program files\DOSBox-0.73
2009-12-01 12:44 . 2009-10-19 15:32 -------- d-----w- c:\program files\Easy CD-DA Extractor 12
2009-12-01 12:05 . 2009-12-01 12:05 -------- d-----w- c:\programdata\Adobe Systems
2009-12-01 12:05 . 2009-12-01 12:05 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-11-30 21:59 . 2009-11-30 21:59 -------- d-----w- c:\program files\BreakPoint Software
2009-11-30 20:52 . 2009-10-19 15:48 -------- d-----w- c:\program files\Messenger Plus! Live
2009-11-30 19:48 . 2009-11-30 19:48 -------- d-----w- c:\programdata\InstallShield
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-30 16:09 . 2009-11-30 16:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-30 16:04 . 2009-11-19 15:15 -------- d-----w- c:\program files\REAPER
2009-11-30 15:59 . 2009-11-30 15:59 -------- d-----w- c:\users\Benutzername\AppData\Roaming\URSoft
2009-11-30 00:11 . 2009-10-19 15:48 -------- d-----w- c:\program files\Mp3tag
2009-11-26 17:56 . 2009-10-19 21:35 -------- d-----w- c:\program files\Realtek
2009-11-25 22:43 . 2009-11-25 22:43 -------- d-----w- c:\program files\SpeedFan
2009-11-25 01:10 . 2009-11-25 01:10 -------- d-----w- c:\program files\Shutdown4U
2009-11-24 12:34 . 2009-10-19 16:10 -------- d-----w- c:\programdata\WinZip
2009-11-24 12:22 . 2009-11-02 12:56 -------- d-----w- c:\users\Benutzername\AppData\Roaming\vlc
2009-11-23 15:39 . 2009-10-19 15:24 -------- d-----w- c:\program files\DivX
2009-11-20 19:33 . 2009-11-20 19:33 812648 ----a-w- c:\windows\system32\nvsvc.dll
2009-11-20 19:33 . 2009-11-20 19:33 1323624 ----a-w- c:\windows\system32\nvsvcr.dll
2009-11-20 19:33 . 2009-11-20 19:33 12685928 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-20 19:33 . 2009-11-20 19:33 122984 ----a-w- c:\windows\system32\nvvsvc.exe
2009-11-20 19:33 . 2009-11-20 19:33 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-19 20:42 . 2009-10-19 14:15 592488 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-06 09:59 . 2009-11-06 09:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 09:59 . 2009-11-06 09:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-05 21:14 . 2009-11-26 17:56 230912 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
2009-10-30 09:09 . 2009-10-30 09:09 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:22 . 2009-11-25 12:30 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 19:18 . 2009-10-27 19:18 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-01-19_15.42.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-19 14:52 . 2010-01-19 16:21 30660 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-01-19 16:30 29736 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-10-19 14:03 . 2010-01-19 15:41 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-19 14:03 . 2010-01-19 16:57 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-19 14:03 . 2010-01-19 16:57 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-19 14:03 . 2010-01-19 15:41 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2010-01-19 15:41 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2010-01-19 16:57 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-19 14:20 . 2010-01-19 16:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-19 14:20 . 2010-01-19 15:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-19 14:20 . 2010-01-19 15:08 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-19 14:20 . 2010-01-19 16:08 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-19 14:20 . 2010-01-19 16:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-19 14:20 . 2010-01-19 15:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-19 14:26 . 2010-01-19 16:30 8242 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1815439149-2110315595-3368890873-1000_UserData.bin
- 2010-01-19 15:32 . 2010-01-19 15:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-19 16:20 . 2010-01-19 16:57 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-10-19 14:06 . 2010-01-19 15:41 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-10-19 14:06 . 2010-01-19 16:57 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-16 153608]
"OODefragTray"="c:\program files\OO Software\Defrag\oodtray.exe" [2009-09-11 2524416]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2009-7-21 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [19.01.2010 13:10 28552]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [19.10.2009 17:01 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [20.11.2009 19:17 240232]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.sys [19.10.2009 15:10 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.sys [19.10.2009 15:10 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.sys [19.10.2009 15:10 566296]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\System32\drivers\Rt86win7.sys [26.11.2009 18:56 230912]
R3 usbfilter;AMD USB Filter Driver;c:\windows\System32\drivers\usbfilter.sys [27.12.2009 22:24 31288]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30.12.2009 01:33 135664]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe [06.05.2009 08:08 104272]
S3 COMMONFX;COMMONFX;c:\windows\System32\drivers\COMMONFX.sys [19.10.2009 15:10 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [19.10.2009 15:22 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\System32\drivers\CTAUDFX.sys [19.10.2009 15:10 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.sys [19.10.2009 15:10 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\System32\drivers\CTERFXFX.sys [19.10.2009 15:10 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\System32\drivers\CTSBLFX.sys [19.10.2009 15:10 566296]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\System32\drivers\LGBusEnum.sys [14.07.2009 14:35 19720]

--- Andere Dienste/Treiber im Speicher ---

*Deregistered* - tmdoszlk
.
Inhalt des "geplante Tasks" Ordners

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 00:33]

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 00:33]
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Alles mit FlashGet laden - c:\program files\FlashGet\jc_all.htm
IE: &Mit FlashGet laden - c:\program files\FlashGet\jc_link.htm
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Benutzername\AppData\Roaming\Mozilla\Firefox\Profiles\if6r9rrd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\DotNetAssistantExtension\
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85F8E856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x852b8aa0
QueryNameProcedure -> 0x852b8c30
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\tmdoszlk]

.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30po\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30po"

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30pp\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30pp"

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30ppf\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30ppf"

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.xmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(2592)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\OO Software\Defrag\oodag.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-01-19 18:01:07 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-01-19 17:01
ComboFix2.txt 2010-01-19 15:45

Vor Suchlauf: 11 Verzeichnis(se), 74.322.751.488 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 74.210.758.656 Bytes frei

- - End Of File - - CDACB68842E4304B55DBAA72B729B99B
This thing "tmdoszlk.sys" somehow doesn't seem quite OK?
19.01.2010, 18:39
Member

Posts: 3716
#10 Rootkit::
File::
C:\Windows\System32\drivers\tmdoszlk
.sys
Driver::
tmdoszlk
Folder::
c:\windows\system32\Data
Registry::

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\tmdoszlk]
Mia::
C:\Windows\system32\drivers\atapi.sys
MBR::

Go to "Save as", choose "All files" as the type, and save it on the desktop as CFScript.txt.
Now drag the txt onto the ComboFix icon. The program will start; post the log.
19.01.2010, 19:00
Member

Thread starter

Posts: 38
#11 Here you go:

Quote

ComboFix 10-01-18.03 - Benutzername 19.01.2010 18:48:36.5.3 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.49.1031.18.2045.1229 [GMT 1:00]
ausgeführt von:: c:\users\Benutzername\Desktop\Combo-Fix.exe
Benutzte Befehlsschalter :: c:\users\Benutzername\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

FILE ::
"c:\windows\System32\drivers\tmdoszlk"
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Data . . . . Nicht in der Lage zu löschen
c:\windows\system32\Data\CTGER.DAT . . . . Nicht in der Lage zu löschen

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TMDOSZLK
-------\Service_tmdoszlk


((((((((((((((((((((((( Dateien erstellt von 2009-12-19 bis 2010-01-19 ))))))))))))))))))))))))))))))
.

2010-01-19 17:54 . 2010-01-19 17:54 -------- d-----w- C:\Device
2010-01-19 17:53 . 2010-01-19 17:55 -------- d-----w- c:\users\Benutzername\AppData\Local\temp
2010-01-19 17:53 . 2010-01-19 17:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-19 17:53 . 2010-01-19 17:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-19 12:10 . 2009-06-30 08:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-01-19 12:10 . 2010-01-19 12:10 -------- d-----w- c:\program files\Panda Security
2010-01-19 11:09 . 2010-01-19 11:09 -------- d-----w- c:\program files\ESET
2010-01-19 02:47 . 2010-01-19 17:54 756736 ----a-w- c:\windows\system32\drivers\tmdoszlk.sys
2010-01-19 01:55 . 2010-01-19 11:04 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-01-19 01:55 . 2008-08-13 10:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-01-19 01:55 . 2008-08-13 10:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-01-19 00:19 . 2010-01-19 00:19 -------- d-----w- c:\program files\Activision
2010-01-18 13:46 . 2010-01-18 13:46 -------- d-----w- c:\program files\Common Files\Java
2010-01-16 18:02 . 2010-01-16 18:02 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-01-13 15:22 . 2010-01-13 15:22 -------- d-----w- c:\program files\Winamp Detect
2010-01-13 11:12 . 2009-10-19 14:10 108544 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 11:12 . 2009-10-19 14:10 70656 ----a-w- c:\windows\system32\fontsub.dll
2010-01-08 12:06 . 2010-01-08 12:06 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2010-01-07 14:06 . 2010-01-07 14:07 -------- d-----w- c:\users\Benutzername\AppData\Local\ApplicationHistory
2010-01-07 14:06 . 2010-01-07 14:06 100 ----a-w- c:\users\Benutzername\AppData\Local\fusioncache.dat
2010-01-07 14:06 . 2001-10-28 15:42 116224 ----a-w- c:\windows\system32\pdfcmnnt.dll
2010-01-07 14:06 . 2010-01-07 14:07 -------- d-----w- c:\program files\PDFCreator
2010-01-07 14:06 . 1998-07-06 16:56 125712 ----a-w- c:\windows\system32\VB6DE.DLL
2010-01-07 14:06 . 1998-07-06 16:55 158208 ----a-w- c:\windows\system32\MSCMCDE.DLL
2010-01-07 14:06 . 1998-07-06 16:55 64512 ----a-w- c:\windows\system32\MSCC2DE.DLL
2010-01-07 14:06 . 1998-07-05 23:00 23552 ----a-w- c:\windows\system32\MSMPIDE.DLL
2010-01-06 20:32 . 2009-07-14 01:15 90624 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\HPZPPWN7.DLL
2009-12-30 16:25 . 2009-12-30 16:26 -------- d-----w- c:\program files\jv16 PowerTools 2009
2009-12-30 16:18 . 2010-01-19 02:51 5115824 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-30 00:33 . 2009-12-30 00:34 -------- d-----w- c:\program files\Google
2009-12-30 00:33 . 2009-12-30 00:33 -------- d-----w- c:\users\Benutzername\AppData\Local\Google
2009-12-29 22:45 . 2010-01-12 21:02 -------- d-----w- c:\users\Benutzername\TV-Browser
2009-12-29 22:45 . 2009-12-29 22:45 -------- d-----w- c:\program files\TV-Browser
2009-12-27 21:24 . 2009-12-27 21:24 -------- d-----w- c:\program files\DIFX
2009-12-27 21:24 . 2009-10-19 13:45 31288 ----a-w- c:\windows\system32\drivers\usbfilter.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-19 17:56 . 2009-10-19 14:51 -------- d-----w- c:\users\Benutzername\AppData\Roaming\NetSpeedMonitor
2010-01-19 17:55 . 2009-10-19 14:16 -------- d-----w- c:\programdata\NVIDIA
2010-01-19 17:33 . 2009-10-25 22:20 228 ----a-w- c:\windows\system32\edacded0.dat
2010-01-19 14:11 . 2009-10-19 16:01 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-01-19 02:51 . 2009-10-19 15:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-19 00:24 . 2009-10-19 14:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-18 22:40 . 2009-10-19 17:47 -------- d-----w- c:\program files\Steam
2010-01-18 14:11 . 2009-10-19 15:06 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-18 13:46 . 2009-10-19 16:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-18 11:43 . 2009-07-14 08:47 724852 ----a-w- c:\windows\system32\perfh007.dat
2010-01-18 11:43 . 2009-07-14 08:47 152580 ----a-w- c:\windows\system32\perfc007.dat
2010-01-16 18:03 . 2009-10-19 15:46 -------- d-----w- c:\program files\Windows Live
2010-01-13 15:22 . 2009-10-19 16:15 -------- d-----w- c:\program files\Winamp
2010-01-13 11:14 . 2009-10-19 17:10 -------- d-----w- c:\programdata\Microsoft Help
2010-01-08 14:59 . 2009-10-19 15:06 -------- d-----w- c:\program files\Allway Sync
2010-01-08 12:35 . 2009-10-19 15:56 -------- d-----w- c:\programdata\RFA_Backups
2010-01-08 12:20 . 2009-10-19 19:31 -------- d-----w- c:\program files\Codemasters
2010-01-08 12:16 . 2009-10-19 14:31 110296 ----a-w- c:\users\Benutzername\AppData\Local\GDIPFONTCACHEV1.DAT
2010-01-07 15:07 . 2009-10-19 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 15:07 . 2009-10-19 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-29 13:08 . 2009-10-19 16:34 -------- d-----w- c:\program files\WinSCP
2009-12-28 00:20 . 2009-12-14 00:23 142120 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-27 21:24 . 2009-10-22 10:38 -------- d-----w- c:\program files\AMD
2009-12-27 21:23 . 2009-10-19 14:16 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-27 21:23 . 2009-10-19 14:16 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-27 21:23 . 2009-10-19 14:16 -------- d-----w- c:\program files\NVIDIA Corporation
2009-12-17 15:11 . 2009-12-17 14:59 -------- d-----w- c:\program files\NewBlue
2009-12-17 14:59 . 2009-12-17 14:59 279172 ----a-w- c:\programdata\eSellerate\eWebClient.dll
2009-12-17 14:59 . 2009-12-17 14:59 -------- d-----w- c:\programdata\eSellerate
2009-12-17 14:55 . 2009-12-17 14:43 -------- d-----w- c:\users\Benutzername\AppData\Roaming\Sony
2009-12-17 14:42 . 2009-12-17 14:42 -------- d-----w- c:\programdata\Sony
2009-12-17 14:42 . 2009-12-17 14:42 -------- d-----w- c:\program files\Sony
2009-12-17 14:18 . 2009-10-19 15:24 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-12-17 13:34 . 2009-10-19 21:05 -------- d-----w- c:\programdata\FLEXnet
2009-12-17 13:24 . 2009-12-17 13:24 -------- d-----w- c:\users\Benutzername\AppData\Roaming\No Company Name
2009-12-17 13:23 . 2009-10-19 14:21 -------- d-----w- c:\program files\Common Files\InstallShield
2009-12-03 22:35 . 2009-12-03 22:35 -------- d-----w- c:\programdata\CyberLink
2009-12-03 22:34 . 2009-12-03 22:34 -------- d-----w- c:\program files\CyberLink
2009-12-01 20:25 . 2009-11-19 14:31 -------- d-----w- c:\program files\DOSBox-0.73
2009-12-01 12:44 . 2009-10-19 15:32 -------- d-----w- c:\program files\Easy CD-DA Extractor 12
2009-12-01 12:05 . 2009-12-01 12:05 -------- d-----w- c:\programdata\Adobe Systems
2009-12-01 12:05 . 2009-12-01 12:05 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-11-30 21:59 . 2009-11-30 21:59 -------- d-----w- c:\program files\BreakPoint Software
2009-11-30 20:52 . 2009-10-19 15:48 -------- d-----w- c:\program files\Messenger Plus! Live
2009-11-30 19:48 . 2009-11-30 19:48 -------- d-----w- c:\programdata\InstallShield
2009-11-30 17:02 . 2009-11-30 17:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 17:02 . 2009-11-30 17:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-30 16:09 . 2009-11-30 16:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-11-30 16:04 . 2009-11-19 15:15 -------- d-----w- c:\program files\REAPER
2009-11-30 00:11 . 2009-10-19 15:48 -------- d-----w- c:\program files\Mp3tag
2009-11-26 17:56 . 2009-10-19 21:35 -------- d-----w- c:\program files\Realtek
2009-11-25 22:43 . 2009-11-25 22:43 -------- d-----w- c:\program files\SpeedFan
2009-11-25 01:10 . 2009-11-25 01:10 -------- d-----w- c:\program files\Shutdown4U
2009-11-24 12:34 . 2009-10-19 16:10 -------- d-----w- c:\programdata\WinZip
2009-11-24 12:22 . 2009-11-02 12:56 -------- d-----w- c:\users\Benutzername\AppData\Roaming\vlc
2009-11-23 15:39 . 2009-10-19 15:24 -------- d-----w- c:\program files\DivX
2009-11-20 19:33 . 2009-11-20 19:33 812648 ----a-w- c:\windows\system32\nvsvc.dll
2009-11-20 19:33 . 2009-11-20 19:33 1323624 ----a-w- c:\windows\system32\nvsvcr.dll
2009-11-20 19:33 . 2009-11-20 19:33 12685928 ----a-w- c:\windows\system32\nvcpl.dll
2009-11-20 19:33 . 2009-11-20 19:33 122984 ----a-w- c:\windows\system32\nvvsvc.exe
2009-11-20 19:33 . 2009-11-20 19:33 110184 ----a-w- c:\windows\system32\nvmctray.dll
2009-11-19 20:42 . 2009-10-19 14:15 592488 ----a-w- c:\windows\system32\nvuninst.exe
2009-11-06 09:59 . 2009-11-06 09:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 09:59 . 2009-11-06 09:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-05 21:14 . 2009-11-26 17:56 230912 ----a-w- c:\windows\system32\drivers\Rt86win7.sys
2009-10-30 09:09 . 2009-10-30 09:09 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:22 . 2009-11-25 12:30 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-27 19:18 . 2009-10-27 19:18 368640 ----a-w- c:\windows\system32\ReWire.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-01-19_15.42.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-19 14:52 . 2010-01-19 16:21 30660 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-01-19 16:59 29744 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-10-19 14:03 . 2010-01-19 15:41 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-19 14:03 . 2010-01-19 17:55 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-10-19 14:03 . 2010-01-19 17:55 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-10-19 14:03 . 2010-01-19 15:41 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:41 . 2010-01-19 15:41 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:41 . 2010-01-19 17:55 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-19 14:20 . 2010-01-19 17:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-19 14:20 . 2010-01-19 15:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-10-19 14:20 . 2010-01-19 15:08 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-19 14:20 . 2010-01-19 17:13 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-19 14:20 . 2010-01-19 17:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-10-19 14:20 . 2010-01-19 15:08 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-10-19 14:26 . 2010-01-19 16:30 8242 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1815439149-2110315595-3368890873-1000_UserData.bin
- 2010-01-19 15:32 . 2010-01-19 15:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-01-19 16:20 . 2010-01-19 17:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-10-19 14:06 . 2010-01-19 15:41 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-10-19 14:06 . 2010-01-19 17:55 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"CTHelper"="CTHELPER.EXE" [2009-06-23 19456]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-16 153608]
"OODefragTray"="c:\program files\OO Software\Defrag\oodtray.exe" [2009-09-11 2524416]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-11-11 1505144]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DevconDefaultDB"="c:\windows\system32\READREG" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SetPointII.lnk - c:\program files\Logitech\SetPoint II\SetpointII.exe [2009-7-21 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [19.01.2010 13:10 28552]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [19.10.2009 17:01 1153368]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [20.11.2009 19:17 240232]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\System32\drivers\COMMONFX.sys [19.10.2009 15:10 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\System32\drivers\CTAUDFX.sys [19.10.2009 15:10 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\System32\drivers\CTSBLFX.sys [19.10.2009 15:10 566296]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\System32\drivers\Rt86win7.sys [26.11.2009 18:56 230912]
R3 usbfilter;AMD USB Filter Driver;c:\windows\System32\drivers\usbfilter.sys [27.12.2009 22:24 31288]
S2 gupdate;Google Update Service (gupdate); [x]
S3 clr_optimization_v4.0.20506_32;.NET Runtime Optimization Service v4.0.20506_X86;c:\windows\Microsoft.NET\Framework\v4.0.20506\mscorsvw.exe [06.05.2009 08:08 104272]
S3 COMMONFX;COMMONFX;c:\windows\System32\drivers\COMMONFX.sys [19.10.2009 15:10 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [19.10.2009 15:22 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\System32\drivers\CTAUDFX.sys [19.10.2009 15:10 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\System32\drivers\CTERFXFX.sys [19.10.2009 15:10 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\System32\drivers\CTERFXFX.sys [19.10.2009 15:10 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\System32\drivers\CTSBLFX.sys [19.10.2009 15:10 566296]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\System32\drivers\LGBusEnum.sys [14.07.2009 14:35 19720]
.
Inhalt des "geplante Tasks" Ordners

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 00:33]

2010-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 00:33]
.
.
------- Zusätzlicher Suchlauf -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Alles mit FlashGet laden - c:\program files\FlashGet\jc_all.htm
IE: &Mit FlashGet laden - c:\program files\FlashGet\jc_link.htm
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Benutzername\AppData\Roaming\Mozilla\Firefox\Profiles\if6r9rrd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\NPWPF.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v4.0.20506\WPF\DotNetAssistantExtension\
.

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x859EE856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
SecurityProcedure -> 0x850b8aa0
QueryNameProcedure -> 0x850b8c30
user & kernel MBR OK

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30po\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30po"

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30pp\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30pp"

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v30ppf\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.v30ppf"

[HKEY_USERS\S-1-5-21-1815439149-2110315595-3368890873-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (S-1-5-21-1815439149-2110315595-3368890873-1000)
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Pro 3.xmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System*]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(3572)
c:\program files\WinSCP\DragExt.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\OO Software\Defrag\oodag.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2010-01-19 18:58:44 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2010-01-19 17:58
ComboFix2.txt 2010-01-19 17:01
ComboFix3.txt 2010-01-19 15:45

Vor Suchlauf: 11 Verzeichnis(se), 74.262.622.208 Bytes frei
Nach Suchlauf: 13 Verzeichnis(se), 74.062.241.792 Bytes frei

- - End Of File - - 5BCEF268950CF943448D2C052274E306

__________
AMD Phenom II X3 720 BE (Noctua NH-U12P) - GigaByte GA-MA790FXT-UD5P - 2GB Corsair DDR3 1333Mhz - 250GB SATAII 16MB - EVGA 9800GTX+ SSC - Audigy2 ZS - Enermax MODU82+ 625W
19.01.2010, 19:30
Member

Posts: 3716
19.01.2010, 19:39
Member

Thread starter

Posts: 38
#13 did it twice:

Quote

19:33:55:173 0356 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
19:33:55:173 0356 ================================================================================
19:33:55:173 0356 SystemInfo:

19:33:55:173 0356 OS Version: 6.1.7600 ServicePack: 0.0
19:33:55:173 0356 Product type: Workstation
19:33:55:173 0356 ComputerName: BENUTZERNAME-PC
19:33:55:189 0356 UserName: Benutzername
19:33:55:189 0356 Windows directory: C:\Windows
19:33:55:189 0356 Processor architecture: Intel x86
19:33:55:189 0356 Number of processors: 3
19:33:55:189 0356 Page size: 0x1000
19:33:55:189 0356 Boot type: Normal boot
19:33:55:189 0356 ================================================================================
19:33:55:189 0356 UnloadDriverW: NtUnloadDriver error 2
19:33:55:189 0356 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
19:33:55:189 0356 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
19:33:55:189 0356 UtilityInit: KLMD drop and load success
19:33:55:189 0356 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
19:33:55:189 0356 UtilityInit: KLMD open success
19:33:55:189 0356 UtilityInit: Initialize success
19:33:55:189 0356
19:33:55:189 0356 Scanning Services ...
19:33:55:205 0356 CreateRegParser: Registry parser init started
19:33:55:205 0356 CreateRegParser: DisableWow64Redirection error
19:33:55:205 0356 wfopen_ex: Trying to open file C:\Windows\system32\config\system
19:33:55:205 0356 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
19:33:55:205 0356 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:33:55:205 0356 wfopen_ex: Trying to KLMD file open
19:33:55:205 0356 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
19:33:55:205 0356 wfopen_ex: File opened ok (Flags 2)
19:33:55:236 0356 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 18A1320
19:33:55:236 0356 wfopen_ex: Trying to open file C:\Windows\system32\config\software
19:33:55:236 0356 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
19:33:55:236 0356 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
19:33:55:236 0356 wfopen_ex: Trying to KLMD file open
19:33:55:236 0356 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
19:33:55:236 0356 wfopen_ex: File opened ok (Flags 2)
19:33:55:236 0356 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 18A1348
19:33:55:236 0356 CreateRegParser: EnableWow64Redirection error
19:33:55:236 0356 CreateRegParser: RegParser init completed
19:33:56:033 0356 GetAdvancedServicesInfo: Raw services enum returned 513 services
19:33:56:048 0356 fclose_ex: Trying to close file C:\Windows\system32\config\system
19:33:56:048 0356 fclose_ex: Trying to close file C:\Windows\system32\config\software
19:33:56:048 0356
19:33:56:048 0356 Scanning Kernel memory ...
19:33:56:048 0356 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
19:33:56:048 0356 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 85E8C5F8
19:33:56:048 0356 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
19:33:56:048 0356
19:33:56:048 0356 DetectCureTDL3: DEVICE_OBJECT: 85E93030
19:33:56:048 0356 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85E93030
19:33:56:048 0356 DetectCureTDL3: DEVICE_OBJECT: 85EA3338
19:33:56:048 0356 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85EA3338
19:33:56:048 0356 KLMD_ReadMem: Trying to ReadMemory 0x85EA3338[0x38]
19:33:56:048 0356 DetectCureTDL3: DRIVER_OBJECT: 861A78F8
19:33:56:048 0356 KLMD_ReadMem: Trying to ReadMemory 0x861A78F8[0xA8]
19:33:56:048 0356 KLMD_ReadMem: Trying to ReadMemory 0x85EB7028[0x38]
19:33:56:048 0356 KLMD_ReadMem: Trying to ReadMemory 0x8596FC50[0xA8]
19:33:56:048 0356 KLMD_ReadMem: Trying to ReadMemory 0x8506FE08[0x1A]
19:33:56:048 0356 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
19:33:56:048 0356 DetectCureTDL3: IrpHandler (0) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (1) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (2) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (3) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (4) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (5) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (6) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (7) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (8) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (9) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (10) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (11) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (12) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (13) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (14) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (15) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (16) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (17) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (18) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (19) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (20) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (21) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (22) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (23) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (24) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (25) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: IrpHandler (26) addr: 859EE856
19:33:56:048 0356 DetectCureTDL3: All IRP handlers pointed to one addr: 859EE856
19:33:56:048 0356 KLMD_ReadMem: Trying to ReadMemory 0x859EE856[0x400]
19:33:56:048 0356 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
19:33:56:048 0356 Driver "atapi" Irp handler infected by TDSS rootkit ... 19:33:56:048 0356 KLMD_WriteMem: Trying to WriteMemory 0x859EE8CF[0xD]
19:33:56:048 0356 cured
19:33:56:048 0356 KLMD_ReadMem: Trying to ReadMemory 0x859EE701[0x400]
19:33:56:048 0356 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
19:33:56:048 0356 Driver "atapi" StartIo handler infected by TDSS rootkit ... 19:33:56:048 0356 TDL3_StartIoHookCure: Number of patches 1
19:33:56:048 0356 KLMD_WriteMem: Trying to WriteMemory 0x859EE80A[0x6]
19:33:56:048 0356 cured
19:33:56:048 0356 TDL3_FileDetect: Processing driver: atapi
19:33:56:048 0356 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
19:33:56:048 0356 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\atapi.sys
19:33:56:064 0356 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Infected
19:33:56:064 0356 File C:\Windows\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 19:33:56:064 0356 TDL3_FileCure: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
19:33:56:111 0356 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys:21584, checking..
19:33:56:126 0356 ValidateDriverFile: Stage 1 passed
19:33:56:126 0356 ValidateDriverFile: Stage 2 passed
19:33:56:142 0356 DigitalSignVerifyByHandle: Embedded DS result: 00000000
19:33:56:142 0356 ValidateDriverFile: Stage 3 passed
19:33:56:142 0356 FileCallback: File validated successfully, restore information prepared
19:33:56:173 0356 FindDriverFileBackup: Backup copy found in DriverStore
19:33:56:173 0356 TDL3_FileCure: Backup copy found, using it..
19:33:56:173 0356 TDL3_FileCure: Dumping cured buffer to file C:\Windows\system32\drivers\tskE18C.tmp
19:33:56:220 0356 TDL3_FileCure: New / Old Image paths: (system32\drivers\tskE18C.tmp, system32\drivers\atapi.sys)
19:33:56:220 0356 TDL3_FileCure: KLMD jobs schedule success
19:33:56:220 0356 will be cured on next reboot
19:33:56:220 0356 UtilityBootReinit: Reboot required for cure complete..
19:33:56:220 0356 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
19:33:56:220 0356 UtilityBootReinit: KLMD drop success
19:33:56:220 0356 KLMD_ApplyPendList: Pending buffer(3036_2CDE, 616) dropped successfully
19:33:56:220 0356 UtilityBootReinit: Cure on reboot scheduled successfully
19:33:56:220 0356
19:33:56:220 0356 Completed
19:33:56:220 0356
19:33:56:220 0356 Results:
19:33:56:220 0356 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
19:33:56:220 0356 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:33:56:220 0356 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:33:56:220 0356
19:33:56:220 0356 UnloadDriverW: NtUnloadDriver error 1
19:33:56:220 0356 KLMD_Unload: UnloadDriverW(klmd21) error 1
19:33:56:220 0356 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
19:33:56:220 0356 UtilityDeinit: KLMD(ARK) unloaded successfully
and then once more:


19.01.2010, 19:42
Member

Thread starter

Posts: 38
#14 PS:

I still have traffic.
Before the ComboFix script, both download and upload were about 22 kB/s.
Now "only" exactly 0.21 kB/s every second on download.
Upload is already at 0 kB/s.
Something still doesn't seem to want to work properly :-(
19.01.2010, 19:51
Member

Posts: 3716
#15 reboot, run gmer, post the log.