IE opens automatically

#0
09.02.2010, 17:38
...new here
Posts: 4
09.02.2010, 18:22
Member
Posts: 3716
09.02.2010, 19:13
...new here
Thread starter, Posts: 4
#3
Here is the scan with Malwarebytes:

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3714

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

09.02.2010 18:42:05
mbam-log-2010-02-09 (18-42-05).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 103427
Laufzeit: 7 minute(s), 50 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 7
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 4

Infizierte Speicherprozesse:
C:\Windows\msb.exe (Trojan.Agent) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\F5JMWNZTHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Casino King (Adware.Casino) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Casino King (Adware.Casino) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f5jmwnzthi (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\losalamos (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\msb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

My laptop freezes while creating the GMER report. And here is another current HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:12:02, on 09.02.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\BR040286.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Users\Stefan\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Stefan\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prosieben.de/index.php?icqpath=icq
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: OLE (Teil 1 von 5) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: kikin Plugin - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Program Files\kikin\ie_kikin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [BisonInst0402] C:\Windows\BR040286.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [{27D5ED5F-8092-7FE3-A9F2-9B4D0455C49B}] C:\Users\Stefan\AppData\Roaming\explorer.exe
O4 - HKCU\..\Run: [system32.exe] C:\Users\Stefan\AppData\Roaming\explorer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [F5JMWNZTHI] C:\Users\Stefan\AppData\Local\Temp\Qpx.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9168 bytes
09.02.2010, 19:41
Member
Posts: 3716
#4
Then run ComboFix first.
09.02.2010, 20:48
...new here
Thread starter, Posts: 4
#5
Here is the ComboFix log file:

ComboFix 10-02-09.01 - Stefan 09.02.2010 20:32:06.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.49.1031.18.3069.2251 [GMT 1:00]
ausgeführt von:: c:\users\Stefan\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1200595179-2687198901-1712703265-500
C:\install.exe
c:\program files\ICQ6.5\ICQLRun.exe
c:\users\Stefan\AppData\Roaming\.#
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\winhelp.ini

.
((((((((((((((((((((((( Dateien erstellt von 2010-01-09 bis 2010-02-09 ))))))))))))))))))))))))))))))
.

2010-02-09 17:31 . 2010-02-09 17:31 -------- d-----w- c:\users\Stefan\AppData\Roaming\Malwarebytes
2010-02-09 17:31 . 2010-01-07 15:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-09 17:31 . 2010-02-09 17:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-09 17:31 . 2010-02-09 17:31 -------- d-----w- c:\programdata\Malwarebytes
2010-02-09 17:31 . 2010-01-07 15:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-08 20:50 . 2010-02-08 20:50 -------- d-----w- c:\program files\Common Files\BioWare
2010-02-08 20:24 . 2010-02-08 21:40 -------- d-----w- c:\program files\Mass Effect
2010-02-06 13:48 . 2010-02-08 19:36 -------- d-----w- c:\program files\JDownloader
2010-02-06 12:56 . 2010-02-06 13:46 -------- d-----w- C:\Downloads
2010-02-05 21:28 . 2010-02-05 21:28 680 ----a-w- c:\users\Stefan\AppData\Local\d3d9caps.dat
2010-02-05 21:28 . 2010-02-05 21:28 -------- d-----w- c:\windows\Sun
2010-02-02 16:31 . 2010-02-02 16:31 -------- d-----w- c:\users\Stefan\AppData\Local\CyberLink
2010-02-02 16:27 . 2010-02-02 16:27 -------- d-----w- c:\users\Stefan\AppData\Roaming\Media Player Classic
2010-01-21 19:57 . 2009-12-16 11:44 834048 ----a-w- c:\windows\system32\wininet.dll
2010-01-21 19:57 . 2009-12-18 13:01 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-18 19:43 . 2010-01-18 19:43 -------- d-----w- c:\program files\ImageShack Uploader
2010-01-13 16:50 . 2009-10-19 13:38 156672 ----a-w- c:\windows\system32\t2embed.dll
2010-01-13 16:50 . 2009-10-19 13:35 72704 ----a-w- c:\windows\system32\fontsub.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-09 19:40 . 2009-07-21 13:52 -------- d-----w- c:\program files\ICQ6.5
2010-02-09 19:37 . 2008-01-21 07:15 618442 ----a-w- c:\windows\system32\perfh007.dat
2010-02-09 19:37 . 2008-01-21 07:15 122842 ----a-w- c:\windows\system32\perfc007.dat
2010-02-09 15:46 . 2008-12-30 21:21 -------- d-----w- c:\programdata\Google Updater
2010-02-08 20:50 . 2009-05-03 18:46 -------- d-----w- c:\programdata\Media Center Programs
2010-02-08 13:01 . 2008-12-30 21:21 -------- d-----w- c:\program files\Google
2010-02-05 21:51 . 2009-04-25 18:17 -------- d-----w- c:\users\Stefan\AppData\Roaming\dvdcss
2010-01-30 18:08 . 2009-03-14 14:11 -------- d-----w- c:\users\Stefan\AppData\Roaming\Azureus
2010-01-30 14:55 . 2009-06-09 15:00 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-01-30 14:55 . 2009-06-09 15:00 -------- d-----w- c:\program files\DVDVideoSoft
2010-01-14 10:12 . 2009-10-04 15:19 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-13 21:50 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-01-10 15:54 . 2010-01-10 15:53 1682 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-10 15:53 . 2010-01-10 15:53 56 --sh--r- c:\windows\system32\4AA48685DA.sys
2010-01-10 11:18 . 2009-08-03 09:59 1 ----a-w- c:\users\Stefan\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-01-09 15:49 . 2009-04-01 16:51 4184 --sha-w- c:\programdata\KGyGaAvL.sys
2010-01-09 15:49 . 2009-04-01 16:51 4184 --sha-w- c:\programdata\KGyGaAvL.sys
2010-01-09 15:36 . 2009-04-01 16:51 88 --sh--r- c:\programdata\0DDDCFD97E.sys
2010-01-09 15:36 . 2009-04-01 16:51 88 --sh--r- c:\programdata\0DDDCFD97E.sys
2009-12-24 12:45 . 2008-03-25 10:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-18 12:45 . 2009-03-14 14:10 -------- d-----w- c:\program files\Vuze
2009-12-18 12:44 . 2009-04-10 19:47 176 ----a-w- c:\users\Stefan\AppData\Roaming\Azureus\restart.bat
2009-12-11 13:30 . 2009-07-02 17:04 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-27 13:39 . 2009-11-27 13:39 1152760 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-08-26 08:32 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E601996F-E400-41CA-804B-CD6373A7EEE2}]
2009-06-15 10:47 429272 ----a-w- c:\program files\kikin\ie_kikin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-26 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 01:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 4702208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-03-05 525360]
"BisonInst0402"="c:\windows\BR040286.exe" [2007-05-08 53248]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-12 178712]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-07-21 159744]
"WarReg_PopUp"="c:\program files\Acer\WR_PopUp\WarReg_PopUp.exe" [2008-01-29 303104]
"eAudio"="c:\acer\Empowering Technology\eAudio\eAudio.exe" [2007-10-10 1286144]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-15 8534560]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

c:\users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2008-3-25 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 00:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-07-04 15:01 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-04 10:21 768520 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
2008-01-22 09:14 200704 ------w- c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-06-26 13:56 25604904 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"VistaSp2"=hex(b):d4,7a,a8,d7,e0,53,ca,01

R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [17.05.2008 01:38 41456]
R2 acedrv01;acedrv01;c:\windows\System32\drivers\acedrv01.sys [08.12.2008 13:42 93696]
R2 acedrv02;acedrv02;c:\windows\System32\drivers\acedrv02.sys [08.12.2008 13:42 97280]
R2 acedrv03;acedrv03;c:\windows\System32\drivers\acedrv03.sys [08.12.2008 13:42 97280]
R2 acedrv04;acedrv04;c:\windows\System32\drivers\acedrv04.sys [08.12.2008 13:42 97280]
R2 acedrv06;acedrv06;c:\windows\System32\drivers\acedrv06.sys [08.12.2008 13:42 99840]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [02.07.2009 18:04 108289]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [29.08.2008 17:56 222968]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [25.03.2008 19:18 180736]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [25.03.2008 19:19 32256]
R3 Tetri5;Tetri5 driver;c:\windows\System32\drivers\Tetri5.sys [10.09.2008 17:29 53088]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [11.07.2008 15:15 717296]
S2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [25.03.2008 12:44 51200]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [22.12.2009 18:09 135664]
S3 FontCache;Windows-Dienst für Schriftartencache;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [21.01.2008 03:23 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Inhalt des "geplante Tasks" Ordners

2010-02-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-30 15:26]

2010-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-22 17:09]

2010-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-22 17:09]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.prosieben.de/index.php?icqpath=icq
mStart Page = hxxp://de.intl.acer.yahoo.com
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
IE: {{0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} - c:\program files\kikin\ie_kikin.dll
FF - ProfilePath - c:\users\Stefan\AppData\Roaming\Mozilla\Firefox\Profiles\5jogkvi2.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMXENG.DLL
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX Richtlinien ----
FF - user.js: yahoo.homepage.dontask - true.

- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKCU-Run-{27D5ED5F-8092-7FE3-A9F2-9B4D0455C49B} - c:\users\Stefan\AppData\Roaming\explorer.exe
HKCU-Run-system32.exe - c:\users\Stefan\AppData\Roaming\explorer.exe
HKCU-Run-POEngine5 - (no file)
HKLM-Run-ALaunch - c:\acer\ALaunch\AlaunchClient.exe
HKLM-Run-eRecoveryService - (no file)
HKLM-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
AddRemove-RPG Maker VX RTP_is1 - d:\rpg-maker xp\RPGVX\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 20:41
Windows 6.0.6002 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
{27D5ED5F-8092-7FE3-A9F2-9B4D0455C49B} = c:\users\Stefan\AppData\Roaming\explorer.exe??\?R?o?a?m?i?n?g?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
system32.exe = c:\users\Stefan\AppData\Roaming\explorer.exe??\?R?o?a?m?i?n?g?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-1200595179-2687198901-1712703265-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ac,1c,ee,e8,d4,e6,aa,62,a8,5a,11,95,e8,32,e7,74,ea,fe,35,2d,95,a5,e1,
   d5,cd,88,a5,a0,a8,98,59,4e,fa,09,9f,8b,61,6d,1c,27,2a,db,02,65,85,2d,91,aa,\
"??"=hex:8d,da,28,0a,b0,cd,7d,c8,88,50,0e,06,34,59,08,16

[HKEY_USERS\S-1-5-21-1200595179-2687198901-1712703265-1000\Software\SecuROM\License information*]
"datasecu"=hex:a1,b4,74,66,c0,7e,01,50,42,c9,ed,f5,c6,9b,ac,a9,8d,56,c7,f7,f1,
   72,df,b0,15,80,f7,79,4a,2e,3f,ed,18,f6,53,73,34,f7,a4,12,c9,bb,92,6e,93,a8,\
"rkeysecu"=hex:2a,7b,86,1d,25,d5,dc,30,ea,cb,66,8c,23,74,b1,1d

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Zeit der Fertigstellung: 2010-02-09 20:43:42
ComboFix-quarantined-files.txt 2010-02-09 19:43

Vor Suchlauf: 17 Verzeichnis(se), 59.711.684.608 Bytes frei
Nach Suchlauf: 21 Verzeichnis(se), 59.655.925.760 Bytes frei

- - End Of File - - 76DF3CFA61167B7562FB728E091EB714
09.02.2010, 21:38
Member
Posts: 3716
#6
Start GMER, right-click and run as administrator, see whether it runs.
09.02.2010, 22:12
...new here
Thread starter, Posts: 4
#7
So it worked after all:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-09 22:11:27
Windows 6.0.6002 Service Pack 2
Running: xf447gd4.exe; Driver: C:\Users\Stefan\AppData\Local\Temp\kglyqpob.sys

---- System - GMER 1.0.15 ----

SSDT 9E898F14 ZwCreateThread
SSDT 9E898F00 ZwOpenProcess
SSDT 9E898F05 ZwOpenThread
SSDT 9E898F0F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 221 824BE964 4 Bytes [14, 8F, 89, 9E]
.text ntkrnlpa.exe!KeSetEvent + 3F1 824BEB34 4 Bytes [00, 8F, 89, 9E]
.text ntkrnlpa.exe!KeSetEvent + 40D 824BEB50 4 Bytes [05, 8F, 89, 9E]
.text ntkrnlpa.exe!KeSetEvent + 621 824BED64 4 Bytes [0F, 8F, 89, 9E]
.text C:\Windows\system32\drivers\acedrv01.sys section is writeable [0x8AB26000, 0x2E0F4, 0xE8000020]
.pklstb C:\Windows\system32\drivers\acedrv01.sys entry point in ".pklstb" section [0x8AB65000]
.relo2 C:\Windows\system32\drivers\acedrv01.sys unknown last section [0x8AB7F000, 0x8E, 0x42000040]
.text C:\Windows\system32\drivers\acedrv02.sys section is writeable [0x9CE0F000, 0x303A4, 0xE8000020]
.pklstb C:\Windows\system32\drivers\acedrv02.sys entry point in ".pklstb" section [0x9CE51000]
.relo2 C:\Windows\system32\drivers\acedrv02.sys unknown last section [0x9CE6C000, 0x8E, 0x42000040]
.text C:\Windows\system32\drivers\acedrv03.sys section is writeable [0x9CE6E000, 0x303A4, 0xE8000020]
.pklstb C:\Windows\system32\drivers\acedrv03.sys entry point in ".pklstb" section [0x9CEB0000]
.relo2 C:\Windows\system32\drivers\acedrv03.sys unknown last section [0x9CECB000, 0x8E, 0x42000040]
.text C:\Windows\system32\drivers\acedrv04.sys section is writeable [0x9CECD000, 0x303A4, 0xE8000020]
.pklstb C:\Windows\system32\drivers\acedrv04.sys entry point in ".pklstb" section [0x9CF0F000]
.relo2 C:\Windows\system32\drivers\acedrv04.sys unknown last section [0x9CF2A000, 0x8E, 0x42000040]
.text C:\Windows\system32\drivers\acedrv05.sys section is writeable [0x9CF2C000, 0x30A4A, 0xE8000020]
.pklstb C:\Windows\system32\drivers\acedrv05.sys entry point in ".pklstb" section [0x9CF6E000]
.relo2 C:\Windows\system32\drivers\acedrv05.sys unknown last section [0x9CF89000, 0x8E, 0x42000040]
.text C:\Windows\system32\drivers\acedrv06.sys section is writeable [0x9CF8B000, 0x319AA, 0xE8000020]
.pklstb C:\Windows\system32\drivers\acedrv06.sys entry point in ".pklstb" section [0x9CFCE000]
.relo2 C:\Windows\system32\drivers\acedrv06.sys unknown last section [0x9CFE9000, 0x8E, 0x42000040]
.text C:\Windows\system32\drivers\acedrv07.sys section is writeable [0x9D009000, 0x328BA, 0xE8000020]
.pklstb C:\Windows\system32\drivers\acedrv07.sys entry point in ".pklstb" section [0x9D04D000]
.relo2 C:\Windows\system32\drivers\acedrv07.sys unknown last section [0x9D069000, 0x8E, 0x42000040]
.text C:\Windows\system32\DRIVERS\ithsgt.sys section is writeable [0x9F104300, 0x21770, 0xE8000020]
C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl entry point in "" section [0xA0537000]
.clc C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl unknown last section [0xA0538000, 0x1000, 0x00000000]
? C:\Users\Stefan\AppData\Local\Temp\catchme.sys Das System kann die angegebene Datei nicht finden. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS Das System kann die angegebene Datei nicht finden. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\explorer.exe[2900] SHELL32.dll!SHGetFolderPathAndSubDirW + 81C9 767EB364 4 Bytes [F0, 1F, 00, 10]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73D27817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [73D7A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73D2BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73D1F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73D275E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73D1E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73D58395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [73D2DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [73D1FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73D1FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [73D171CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [73DACAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [73D4C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73D1D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [73D16853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [73D1687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73D22AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [10002300] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [10001B30] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [10002690] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Windows\explorer.exe[2900] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [10001290] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5056] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [01262690] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[5056] @
C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [01261290] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) IAT C:\Program Files\Mozilla Firefox\firefox.exe[5056] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [01262300] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) IAT C:\Program Files\Mozilla Firefox\firefox.exe[5056] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!FreeLibraryAndExitThread] [01261B30] C:\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Acer eDataSecurity Management PSD DragDrop Protection/Egis Incorporated) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0x3D 0x7A 0xFB ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0B 0x73 0x85 0x4B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5B 0x43 0x7A 0x76 ... 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0x3D 0x7A 0xFB ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0B 0x73 0x85 0x4B ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5B 0x43 0x7A 0x76 ... ---- EOF - GMER 1.0.15 ---- |
10.02.2010, 12:08
Member
Posts: 3716
#8
http://www.paules-pc-forum.de/forum/4-pc-sicherheit/125060-dr-web-cureit.html
Run it in Safe Mode; I'm interested in the findings and the summary.
My problem is that for some time now my IE has been opening on its own and trying to establish an online connection. I think I have caught a Trojan. My antivirus program, Avira AntiVir, found nothing. It is very annoying, since I normally browse with Firefox. Here is my HijackThis logfile. Maybe someone can help me. Thanks in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:28:09, on 09.02.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
C:\Windows\BR040286.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Stefan\AppData\Local\Temp\Qpx.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Users\Stefan\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Apoint2K\Apntex.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Windows\system32\ctfmon.exe
C:\Users\Stefan\Downloads\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prosieben.de/index.php?icqpath=icq
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: OLE (Teil 1 von 5) - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: kikin Plugin - {E601996F-E400-41CA-804B-CD6373A7EEE2} - C:\Program Files\kikin\ie_kikin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQ6Toolbar\ICQToolBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ALaunch] C:\Acer\ALaunch\AlaunchClient.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe
O4 - HKLM\..\Run: [BisonInst0402] C:\Windows\BR040286.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Program Files\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [{27D5ED5F-8092-7FE3-A9F2-9B4D0455C49B}] C:\Users\Stefan\AppData\Roaming\explorer.exe
O4 - HKCU\..\Run: [system32.exe] C:\Users\Stefan\AppData\Roaming\explorer.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Stefan\AppData\Roaming\sdra64.exe
O4 - HKCU\..\Run: [LosAlamos] rundll32.exe C:\Windows\system32\sshnas21.dll,AttachConsoleA
O4 - HKCU\..\Run: [F5JMWNZTHI] C:\Users\Stefan\AppData\Local\Temp\Qpx.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra 'Tools' menuitem: My kikin - {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - C:\Program Files\kikin\ie_kikin.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: eDataSecurity Service - Egis Incorporated - C:\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: ICQ Service - Unknown owner - C:\Program Files\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 9451 bytes