Trojanisches Pferd TR/Dldr.Small.buy.1

[BennyBang]

Hi all,
ich hab das Problem, dass ich die Trojaner dldr.small.buy.1 und sdbot08e7fg79 nicht weg bekomme. Zwischendurch wurde auch mal noch was anderes gefunden (Name leider nicht notiert). C-Partition wurde formatiert und XP neu instaliert.
Sobald ich online gehe (mit smartsurfer) fängt AntiVir an zu spinnen. Dauernd Meldungen. Die Dateien lassen sich auch alle in Quarantäne verschieben, bzw. Dateien wie drsmartload.exe, newname25.exe, steam.exe (direkt auf C:\ oder im temp Internet-Files Ordner) lassen sich löschen. mit HJT hab ich eigentlich auch alles beseitigt. Ich kann kein Log posten - ist nicht mein Rechner. Auf jeden Fall gehen mir echt die Ideen aus. Weiß den jemand woher diese Trojaber kommen, bzw. in was für Files sie stecken könnten.

Auf dem Rechner ist zur Zeit nur XP, AntiVir Firefox und Smartsurfer.

Please Help

[Nikita]

BennyBang

stelle den CleanUp genauso ein, wie hier angegeben:
http://virus-protect.org/cleanup.html

Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html


Hijackthis -
http://computercops.biz/zx/Merijn/hijackthis.zip
http://virus-protect.org/hjtkurz.html
Lade/entpacke HijackThis in einem Ordner
--> None of the above just start the program --> Save--> Savelog -->es öffnet sich der Editor
nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und ins Forum mit rechtem Mausklick "einfügen"

[BennyBang]

Also, ich habe den Rechner jetzt nochmal neu Partitioniert und Formatiert und Installiert. Dann habe ich Firefox und Smartsurfer Installiert. Beide male bekannte Versionen von bekannten CDs, beide schon über 6 Monate alt und mehrfach, problemlos verwendet.
Dann probiert eine neue AntiVir-Version runterzuladen -und schon ging es wieder los, diesmal heißt die Datei Pis. Deshalb doch 'nen älteren Virenscanner genommen - Schlimmer als je zuvor. Ich war nur noch am Meldungen wegclicken. Hab ihn dann ausgeschaltet um die logs zu bekommen. Das erste Log (system32) ist seeeehr lang, da alles neu installiert

Sooo, jetzt die Logs, erstmal system 32 in 'nem eigenen Post, der Rest im nächsten Post:

[BennyBang]

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FCF8-BDEB

Verzeichnis von C:\WINDOWS\system32

17.06.2006 20:27 0 h323log.txt
17.06.2006 19:56 7.168 rdriv.sys
17.06.2006 19:45 100 ps.a3d
17.06.2006 19:45 70 i
17.06.2006 19:44 311.604 perfh009.dat
17.06.2006 19:44 39.992 perfc009.dat
17.06.2006 19:44 316.594 perfh007.dat
17.06.2006 19:44 723.744 PerfStringBackup.INI
17.06.2006 19:44 48.156 perfc007.dat
17.06.2006 19:36 25.065 wmpscheme.xml
17.06.2006 19:36 2.184 wpa.dbl
17.06.2006 19:34 90.296 FNTCACHE.DAT
17.06.2006 19:33 261 $winnt$.inf
17.06.2006 19:31 2.951 CONFIG.NT
17.06.2006 19:31 23.392 nscompat.tlb
17.06.2006 19:31 16.832 amcompat.tlb

[BennyBang]

temp:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FCF8-BDEB

Verzeichnis von C:\DOKUME~1\nici\LOKALE~1\Temp

--------------------------------------------------------------------------
windows:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FCF8-BDEB

Verzeichnis von C:\WINDOWS

17.06.2006 20:26 50 wiaservc.log
17.06.2006 20:26 509 wiadebug.log
17.06.2006 20:26 0 Sti_Trace.log
17.06.2006 20:24 1.348 regopt.log
17.06.2006 20:24 231 system.ini
17.06.2006 19:56 0 0.log
17.06.2006 19:55 2.048 bootstat.dat
17.06.2006 19:54 452 SchedLgU.Txt
17.06.2006 19:48 183.162 setupapi.log
17.06.2006 19:47 10.046 ModemLog_MicroLink 56k Internet c PnP.txt
17.06.2006 19:44 54.512 MSmedia.exe
17.06.2006 19:39 0 nsreg.dat
17.06.2006 19:38 99.970 UninstallFirefox.exe
17.06.2006 19:38 3.083 mozver.dat
17.06.2006 19:36 820 OEWABLog.txt
17.06.2006 19:36 795.297 setuplog.txt
17.06.2006 19:34 8.192 REGLOCS.OLD
17.06.2006 19:33 15.677 comsetup.log
17.06.2006 19:33 47.805 iis6.log


18.08.2001 14:00 707 _default.pif
70 Datei(en) 4.343.631 Bytes
0 Verzeichnis(se), 18.182.500.352 Bytes frei

--------------------------------------------------------------------------
c:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FCF8-BDEB

Verzeichnis von C:\

17.06.2006 20:07 0 sys.txt
17.06.2006 20:06 3.731 system.txt
17.06.2006 20:06 132 systemtemp.txt
17.06.2006 20:04 84.496 system32.txt
17.06.2006 19:55 1.610.612.736 pagefile.sys
17.06.2006 19:45 58.725 pis.exe
17.06.2006 19:31 0 AUTOEXEC.BAT
17.06.2006 19:31 0 CONFIG.SYS
17.06.2006 19:31 0 MSDOS.SYS
17.06.2006 19:31 0 IO.SYS
17.06.2006 19:27 194 boot.ini
18.08.2001 14:00 4.952 bootfont.bin
18.08.2001 14:00 224.032 ntldr
18.08.2001 14:00 45.124 NTDETECT.COM
14 Datei(en) 1.611.034.122 Bytes
0 Verzeichnis(se), 18.182.492.160 Bytes frei

[BennyBang]

hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 20:08:56, on 17.06.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\MSmedia.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\SmartSurfer\SmartSurfer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\nici\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Startup: SmartSurfer.lnk = C:\Programme\SmartSurfer\SmartSurfer.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: seppgs - C:\WINDOWS\SYSTEM32\seppgs.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe

[Nikita]

das ist ein Haxdoor..mit Rootkits..kein Wunder, ein Rechner ohne WindowsUpdates..........

---------------------------------------------------------------------------------

1.
Start -> Ausführen --> schreib rein: notepad -- klicke OK.
oder , falls das Kommando nicht stimmt, öffne den Editor....
Dann kopiere folgenden Text rein:

Code: Alles auswählen

sc stop MicroSoft Media Tools
sc delete MicroSoft Media Tools
del delete.bat


Auf dem Desktop abspeichern [Gebe bei Dateityp 'Alle Dateien' an.] als delete.bat --> Doppeltklicken

2.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein:

Files to delete:
C:\WINDOWS\system32\rdriv.sys
C:\WINDOWS\system32\ps.a3d
C:\WINDOWS\system32\i
C:\WINDOWS\SYSTEM32\seppgs.dll
C:\WINDOWS\MSmedia.exe
C:\pis.exe

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**
kopiere hier den scanreport vom Avenger, der erscheint.

**
3.

http://www.f-secure.com/blacklight/
starte die Datei, nimm die Lizenzbestimmung an und waehle scan, wenn es mit dem Scan fertig ist, druecke next und danach close. Nun befindet sich im selben Ordner von Blacklight eine FSB*.TXT Datei -> hier posten,

4.
F-Secure Online Scanner Next Generation Beta
http://support.f-secure.com/enu/home/ols3.shtml

1. Klicke den Link: "F-Secure Online Scanner Next Generation Beta".
2. Du wirst aufgefordert werden, ein ActiveX-Control zu installieren
3. Installiere diese ActiveX-Komponente
4. Lies die Anleitung und klicke: "Accept"
5. Klicke "Full System Scan"
6. klicke "Show report" - kopiere den Scanreport

[BennyBang]

Hallo, da bin ich wieder.
Und los gehts.

Avenger:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ufhxlodc

*******************

Script file located at: tjtyvsfg

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!

--------------------------------------------------------------------

FSBL:
06/18/06 16:10:21 [Info]: BlackLight Engine 1.0.37 initialized
06/18/06 16:10:21 [Info]: OS: 5.1 build 2600 ()
06/18/06 16:10:21 [Note]: 7019 4
06/18/06 16:10:21 [Note]: 7005 0
06/18/06 16:10:28 [Note]: 7006 0
06/18/06 16:10:28 [Error]: 6009 1
06/18/06 16:10:28 [Error]: 6009 0
06/18/06 16:10:28 [Note]: 7026 0
06/18/06 16:10:29 [Note]: 7026 0
06/18/06 16:10:29 [Note]: 7024 3
06/18/06 16:10:29 [Info]: Hidden process: \??\C:\WINDOWS\system32\winlogon.exe
06/18/06 16:10:29 [Note]: 7024 3
06/18/06 16:10:29 [Info]: Hidden process: C:\WINDOWS\Explorer.EXE
06/18/06 16:10:29 [Note]: 7024 3
06/18/06 16:10:29 [Info]: Hidden process: C:\WINDOWS\MSmedia.exe
06/18/06 16:10:29 [Note]: FSRAW library version 1.7.1015
06/18/06 16:10:33 [Info]: Hidden file: c:\WINDOWS\system32\83ghh.ini
06/18/06 16:10:33 [Note]: 10002 1
06/18/06 16:10:33 [Info]: Hidden file: c:\WINDOWS\system32\aaaxcfdwq.dat
06/18/06 16:10:33 [Note]: 10002 1
06/18/06 16:10:39 [Info]: Hidden file: c:\WINDOWS\system32\qz.dll
06/18/06 16:10:43 [Note]: 7002 0
06/18/06 16:10:43 [Note]: 7003 1
06/18/06 16:10:43 [Note]: 10002 1
06/18/06 16:10:44 [Info]: Hidden file: c:\WINDOWS\system32\qz.sys
06/18/06 16:10:44 [Note]: 10002 1
06/18/06 16:10:44 [Info]: Hidden file: c:\WINDOWS\system32\seppgm.sys
06/18/06 16:10:44 [Note]: 10002 1
06/18/06 16:10:44 [Info]: Hidden file: c:\WINDOWS\system32\seppgs.dll
06/18/06 16:10:44 [Note]: 10002 1
06/18/06 16:10:49 [Note]: 2000 1006
06/18/06 16:10:49 [Note]: 2000 1006
06/18/06 16:10:50 [Note]: 7002 0
06/18/06 16:10:50 [Note]: 7003 1
06/18/06 16:10:50 [Note]: 7002 0
06/18/06 16:10:50 [Note]: 7003 1
06/18/06 16:10:50 [Error]: 6023 5
06/18/06 16:11:05 [Note]: 7007 0

------------------------------------------------------------------------------------
f-secure:
Scanning Report
Sunday, June 18, 2006 17:16:13 - 17:30:55

Computer name: NICI-M5M8M3ZATQ
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\
Result: 13 malware found
Alexa (spyware)

* System (Disinfected)

Backdoor.Win32.Agobot.afk (virus)

* C:\WINDOWS\MSMEDIA.EXE (Renamed & Submitted)
* C:\WINDOWS\MSMEDIA.EXE

Backdoor.Win32.Rbot.aeu (virus)

* C:\WINDOWS\SYSTEM32\WINSYSTEMS.EXE (Renamed & Submitted)

Rootkit.Win32.Agent.p (virus)

* C:\WINDOWS\SYSTEM32\RDRIV.SYS

Stealth_file (hidden item)

* C:\WINDOWS\SYSTEM32\83GHH.INI (Submitted)
* C:\WINDOWS\SYSTEM32\QZ.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\QZ.SYS (Submitted)
* C:\WINDOWS\SYSTEM32\SEPPGM.SYS
* C:\WINDOWS\SYSTEM32\SEPPGS.DLL

Stealth_process (hidden item)

* C:\WINDOWS\EXPLORER.EXE (Submitted)
* \??\C:\WINDOWS\SYSTEM32\WINLOGON.EXE

Trojan-Downloader.BAT.Ftp.ab (virus)

* C:\WINDOWS\SYSTEM32\I (Renamed & Submitted)

Statistics
Scanned:

* Files: 8886
* System: 3208
* Not scanned: 5

Actions:

* Disinfected: 1
* Renamed: 3
* Deleted: 0
* None: 9
* Submitted: 7

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
*
*

Options
Scanning engines:

* F-Secure AVP: 6.0.171, 2006-06-16
* F-Secure Libra: 2.4.1, 2006-06-14
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Orion: 1.2.37, 2006-06-16
* F-Secure Pegasus: 1.19.0, 2006-05-14
* F-Secure Draco: 1.0.35, 0259-24-212

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

--------------------------------------------------------------------------------

Und noch mal zur Sicherheit Hijackthis und c:\

Logfile of HijackThis v1.99.1
Scan saved at 17:37:33, on 18.06.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Dokumente und Einstellungen\nici\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [uuwwkjge] C:\nmgpdusc.bat
O4 - HKLM\..\Run: [winsystems25] winsystems.exe
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - Startup: SmartSurfer.lnk = C:\Programme\SmartSurfer\SmartSurfer.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O20 - Winlogon Notify: seppgs - C:\WINDOWS\SYSTEM32\seppgs.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: MicroSoft Media Tools - Unknown owner - C:\WINDOWS\MSmedia.exe (file missing)

--------------------------------------------------------------------------------

Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FCF8-BDEB

Verzeichnis von C:\

18.06.2006 17:38 0 sys.txt
18.06.2006 17:38 3.731 system.txt
18.06.2006 17:38 8.264 systemtemp.txt
18.06.2006 17:38 84.600 system32.txt
18.06.2006 16:06 0 zia01636
18.06.2006 16:06 1.610.612.736 pagefile.sys
18.06.2006 16:06 588 avenger.txt
18.06.2006 16:05 1.080 nmgpdusc.bat
18.06.2006 16:05 126.976 zip.exe
17.06.2006 19:45 58.725 pis.exe
17.06.2006 19:31 0 IO.SYS
17.06.2006 19:31 0 CONFIG.SYS
17.06.2006 19:31 0 AUTOEXEC.BAT
17.06.2006 19:31 0 MSDOS.SYS
17.06.2006 19:27 194 boot.ini
18.08.2001 14:00 4.952 bootfont.bin
18.08.2001 14:00 224.032 ntldr
18.08.2001 14:00 45.124 NTDETECT.COM
18 Datei(en) 1.611.171.002 Bytes
0 Verzeichnis(se), 18.139.062.272 Bytes frei

[Nikita]

kopiere in den Avenger (versuche es mehrmals, bis es klappt)

Files to delete:
C:\WINDOWS\system32\i
C:\WINDOWS\MSmedia.exe
C:\WINDOWS\SYSTEM32\WINSYSTEMS.EXE
c:\WINDOWS\system32\83ghh.ini
c:\WINDOWS\system32\aaaxcfdwq.dat
c:\WINDOWS\system32\qz.dll
c:\WINDOWS\system32\qz.sys
c:\WINDOWS\system32\seppgm.sys
c:\WINDOWS\system32\seppgs.dll
C:\WINDOWS\SYSTEM32\RDRIV.SYS
C:\nmgpdusc.bat
C:\zip.exe
C:\pis.exe

dann poste den report vom Avenger und die 4 logs von datfindbat, nicht nur das letzte, wie du es weiter oben gemacht hast

-----------------

Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten.

in: "Enter search strings" (reinschreiben oder reinkopieren)

seppgm

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

MicroSoft Media Tools

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

RDRIV

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.

[BennyBang]

Sooo, hab Avenger 3 mal laufen lassen und am Schluss noch selbst was gelöscht. Sihst du ja in dem Script:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fucbdegi

*******************

Script file located at: \??\C:\grrfovcx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\rdriv.sys not found!
Deletion of file C:\WINDOWS\system32\rdriv.sys failed!

Could not process line:
C:\WINDOWS\system32\rdriv.sys
Status: 0xc0000034



File C:\WINDOWS\system32\ps.a3d not found!
Deletion of file C:\WINDOWS\system32\ps.a3d failed!

Could not process line:
C:\WINDOWS\system32\ps.a3d
Status: 0xc0000034



File C:\WINDOWS\system32\i not found!
Deletion of file C:\WINDOWS\system32\i failed!

Could not process line:
C:\WINDOWS\system32\i
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\seppgs.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\seppgs.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\seppgs.dll
Status: 0xc0000034



File C:\WINDOWS\MSmedia.exe not found!
Deletion of file C:\WINDOWS\MSmedia.exe failed!

Could not process line:
C:\WINDOWS\MSmedia.exe
Status: 0xc0000034



File C:\pis.exe not found!
Deletion of file C:\pis.exe failed!

Could not process line:
C:\pis.exe
Status: 0xc0000034

File C:\zia01636 deleted successfully.

Completed script processing.

**************************************

Finished! Terminate.
Dann die Datfinder-Sachen

**************************************
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FCF8-BDEB

Verzeichnis von C:\

18.06.2006 19:20 0 sys.txt
18.06.2006 19:20 3.731 system.txt
18.06.2006 19:19 8.264 systemtemp.txt
18.06.2006 19:19 84.509 system32.txt
18.06.2006 19:16 1.610.612.736 pagefile.sys
18.06.2006 19:16 3.048 avenger.txt
17.06.2006 19:31 0 AUTOEXEC.BAT
17.06.2006 19:31 0 MSDOS.SYS
17.06.2006 19:31 0 IO.SYS
17.06.2006 19:31 0 CONFIG.SYS
17.06.2006 19:27 194 boot.ini
18.08.2001 14:00 4.952 bootfont.bin
18.08.2001 14:00 45.124 NTDETECT.COM
18.08.2001 14:00 224.032 ntldr
14 Datei(en) 1.610.986.590 Bytes
0 Verzeichnis(se), 18.179.543.040 Bytes frei
**************************************
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FCF8-BDEB

Verzeichnis von C:\WINDOWS

18.06.2006 19:16 0 0.log
18.06.2006 19:16 2.048 bootstat.dat
18.06.2006 19:16 1.858 SchedLgU.Txt
18.06.2006 17:35 18.990 ModemLog_MicroLink 56k Internet c PnP.txt
18.06.2006 16:20 185.769 setupapi.log
17.06.2006 20:26 50 wiaservc.log
17.06.2006 20:26 509 wiadebug.log
17.06.2006 20:26 0 Sti_Trace.log
17.06.2006 20:24 1.348 regopt.log
17.06.2006 20:24 231 system.ini
17.06.2006 19:44 54.512 MSMEDIA.0XE
17.06.2006 19:39 0 nsreg.dat
17.06.2006 19:38 99.970 UninstallFirefox.exe
17.06.2006 19:38 3.083 mozver.dat
17.06.2006 19:36 820 OEWABLog.txt
17.06.2006 19:36 795.297 setuplog.txt

70 Datei(en) 4.356.588 Bytes
0 Verzeichnis(se), 18.179.551.232 Bytes frei

**************************************
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FCF8-BDEB

Verzeichnis von C:\WINDOWS\system32

18.06.2006 16:05 336 npgjfbxr.txt
17.06.2006 20:27 0 h323log.txt
17.06.2006 19:45 70 I.0
17.06.2006 19:44 48.156 perfc007.dat
17.06.2006 19:44 39.992 perfc009.dat
17.06.2006 19:44 723.744 PerfStringBackup.INI
17.06.2006 19:44 311.604 perfh009.dat
17.06.2006 19:44 316.594 perfh007.dat
17.06.2006 19:36 25.065 wmpscheme.xml
17.06.2006 19:36 2.184 wpa.dbl
17.06.2006 19:34 90.296 FNTCACHE.DAT
17.06.2006 19:33 261 $winnt$.inf
17.06.2006 19:31 2.951 CONFIG.NT
17.06.2006 19:31 23.392 nscompat.tlb
17.06.2006 19:31 16.832 amcompat.tlb
17.06.2006 19:30 488 WindowsLogon.manifest
17.06.2006 19:30 488 logonui.exe.manifest
17.06.2006 19:30 749 sapi.cpl.manifest
17.06.2006 19:30 749 nwc.cpl.manifest
17.06.2006 19:30 749 cdplayer.exe.manifest
17.06.2006 19:30 749 ncpa.cpl.manifest
17.06.2006 19:30 749 wuaucpl.cpl.manifest
17.06.2006 19:29 21.740 emptyregdb.dat
02.06.2006 11:04 57.384 avsda.dll
18.08.2001 14:00 93.696 advpack.dll

[BennyBang]

Und jetzt noch die Registry-Sachen:
REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18.06.2006 19:21:58 for strings:
; 'seppgm'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\seppgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\seppgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEPPGM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEPPGM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEPPGM\0000]
"Service"="seppgm"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEPPGM\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seppgm]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seppgm]
; Contents of value:
; \??\c:\windows\system32\seppgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,\
6d,33,32,5c,73,65,70,70,67,6d,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seppgm\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seppgm\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seppgm\Enum]
"0"="Root\\LEGACY_SEPPGM\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seppgs]
; Contents of value:
; \??\c:\windows\system32\seppgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,\
6d,33,32,5c,73,65,70,70,67,6d,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\seppgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\seppgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SEPPGM]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SEPPGM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SEPPGM\0000]
"Service"="seppgm"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\seppgm]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\seppgm]
; Contents of value:
; \??\c:\windows\system32\seppgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,\
6d,33,32,5c,73,65,70,70,67,6d,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\seppgm\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\seppgs]
; Contents of value:
; \??\c:\windows\system32\seppgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,\
6d,33,32,5c,73,65,70,70,67,6d,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\seppgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\seppgm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM\0000]
"Service"="seppgm"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgm]
; Contents of value:
; \??\c:\windows\system32\seppgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,\
6d,33,32,5c,73,65,70,70,67,6d,2e,73,79,73,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgm\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgm\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgm\Enum]
"0"="Root\\LEGACY_SEPPGM\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgs]
; Contents of value:
; \??\c:\windows\system32\seppgm.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,53,79,73,74,65,\
6d,33,32,5c,73,65,70,70,67,6d,2e,73,79,73,00

; End Of The Log...
------------------------------------------------------------------------------------------------------------------------------------------------------------
REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18.06.2006 19:22:42 for strings:
; 'microsoft media tools'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000]
"Service"="MicroSoft Media Tools"
"DeviceDesc"="MicroSoft Media Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MicroSoft Media Tools]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MicroSoft Media Tools]
"DisplayName"="MicroSoft Media Tools"
"Description"="MicroSoft Media Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MicroSoft Media Tools\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MicroSoft Media Tools\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000]
"Service"="MicroSoft Media Tools"
"DeviceDesc"="MicroSoft Media Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MicroSoft Media Tools]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MicroSoft Media Tools]
"DisplayName"="MicroSoft Media Tools"
"Description"="MicroSoft Media Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MicroSoft Media Tools\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000]
"Service"="MicroSoft Media Tools"
"DeviceDesc"="MicroSoft Media Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicroSoft Media Tools]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicroSoft Media Tools]
"DisplayName"="MicroSoft Media Tools"
"Description"="MicroSoft Media Tools"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicroSoft Media Tools\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicroSoft Media Tools\Enum]

; End Of The Log...

------------------------------------------------------------------------------------------------------------------------------------------------------------

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 18.06.2006 19:23:51 for strings:
; 'rdriv'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/System/CurrentControlSet/Control/Print/Providers/LanMan Print Services/Servers/AddPrinterDrivers]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Providers\LanMan Print Services\servers]
"addprinterdrivers"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{8B6D7859-A639-4A15-8790-7161976D057A}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Video\{DEB039CC-B704-4F53-B43E-9DD4432FA2E9}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV\0000]
"Service"="rdriv"
"DeviceDesc"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\i8042prt\Parameters]
"LayerDriver JPN"="kbd101.dll"
"LayerDriver KOR"="kbd101a.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IpFilterDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IpFilterDriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mnmdd\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDPCDD\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv]
; Contents of value:
; \??\c:\windows\system32\rdriv.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,72,64,72,69,76,2e,73,79,73,00
"DisplayName"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv\Enum]
"0"="Root\\LEGACY_RDRIV\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Providers\LanMan Print Services\servers]
"addprinterdrivers"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Video\{8B6D7859-A639-4A15-8790-7161976D057A}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Video\{DEB039CC-B704-4F53-B43E-9DD4432FA2E9}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RDRIV]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RDRIV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RDRIV\0000]
"Service"="rdriv"
"DeviceDesc"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\i8042prt\Parameters]
"LayerDriver JPN"="kbd101.dll"
"LayerDriver KOR"="kbd101a.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IpFilterDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IpFilterDriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mnmdd\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\RDPCDD\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rdriv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rdriv]
; Contents of value:
; \??\c:\windows\system32\rdriv.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,72,64,72,69,76,2e,73,79,73,00
"DisplayName"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rdriv\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\servers]
"addprinterdrivers"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{8B6D7859-A639-4A15-8790-7161976D057A}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Video\{DEB039CC-B704-4F53-B43E-9DD4432FA2E9}\0000]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV\0000]
"Service"="rdriv"
"DeviceDesc"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters]
"LayerDriver JPN"="kbd101.dll"
"LayerDriver KOR"="kbd101a.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IpFilterDriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmdd\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPCDD\Device0]
"MirrorDriver"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]
; Contents of value:
; \??\c:\windows\system32\rdriv.sys
"ImagePath"=hex(2):5c,3f,3f,5c,43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,\
6d,33,32,5c,72,64,72,69,76,2e,73,79,73,00
"DisplayName"="rdriv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv\Enum]
"0"="Root\\LEGACY_RDRIV\\0000"

; End Of The Log...

[Nikita]

kopiere in den avenger:

registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MicroSoft Media Tools
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MicroSoft Media Tools
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicroSoft Media Tools
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\seppgm.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\seppgm.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEPPGM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEPPGM\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seppgm
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seppgs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\seppgm.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\seppgm.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SEPPGM
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SEPPGM\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\seppgm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\seppgm.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\seppgm.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rdriv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv

Files to delete:
C:\WINDOWS\MSMEDIA.0XE

gruene Ampel- neustarten - Log posten

**
noch einmal:

http://www.f-secure.com/blacklight/
starte die Datei, nimm die Lizenzbestimmung an und waehle scan, wenn es mit dem Scan fertig ist, druecke next und danach close. Nun befindet sich im selben Ordner von Blacklight eine FSB*.TXT Datei -> hier posten,

[BennyBang]

Und hier isses schon:
1. Avenger
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\llffbheu

*******************

Script file located at: \??\C:\WINDOWS\System32\xbxdoexx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MicroSoft Media Tools deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MicroSoft Media Tools deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICROSOFT_MEDIA_TOOLS\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicroSoft Media Tools not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicroSoft Media Tools failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MicroSoft Media Tools
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\seppgm.sys deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\seppgm.sys deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEPPGM deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEPPGM\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEPPGM\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SEPPGM\0000
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seppgm deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seppgs deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\seppgm.sys deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\seppgm.sys deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SEPPGM deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SEPPGM\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SEPPGM\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SEPPGM\0000
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\seppgm deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\seppgm.sys not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\seppgm.sys failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\seppgm.sys
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\seppgm.sys not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\seppgm.sys failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\seppgm.sys
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM\0000 not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM\0000 failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SEPPGM\0000
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgm not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgm failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgm
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgs not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgs failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seppgs
Status: 0xc0000034

Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RDRIV deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rdriv deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_RDRIV deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\rdriv deleted successfully.


Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV
Status: 0xc0000034



Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv not found!
Deletion of registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv failed!

Could not process line:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv
Status: 0xc0000034

File C:\WINDOWS\MSMEDIA.0XE deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

2. Black Light

06/19/06 00:04:38 [Info]: BlackLight Engine 1.0.37 initialized
06/19/06 00:04:38 [Info]: OS: 5.1 build 2600 ()
06/19/06 00:04:38 [Note]: 7019 4
06/19/06 00:04:38 [Note]: 7005 0
06/19/06 00:04:43 [Note]: 7006 0
06/19/06 00:04:43 [Note]: 7011 1024
06/19/06 00:04:43 [Note]: 7026 0
06/19/06 00:04:43 [Note]: 7026 0
06/19/06 00:04:46 [Note]: FSRAW library version 1.7.1015
06/19/06 00:05:20 [Note]: 7007 0

[Nikita]

1.
poste noch mal die vier logs von datfindbat (2 Monate vom Datum her genuegen)

2.
öffne das HijackThis -- Button "scan" -- vor die Malware-Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten

O4 - HKLM\..\Run: [uuwwkjge] C:\nmgpdusc.bat
O4 - HKLM\..\Run: [winsystems25] winsystems.exe
O4 - HKLM\..\RunServices: [winsystems25] winsystems.exe
O20 - Winlogon Notify: seppgs - C:\WINDOWS\SYSTEM32\seppgs.dll

PC neustarten

3.
Arbeitsplatz-->Rechtsklick, dann auf Eigenschaften--->Reiter Systemwiederherstellung--->Häkchen setzen bei Systemwiederherstellung auf allen Laufwerken deaktivieren.

4.
scanne mit kaspersky und poste den scanreport
http://virus-protect.org/onlinescan.html

[BennyBang]

Hello, erstmal die Datfinder-Logs:
c:
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FCF8-BDEB

Verzeichnis von C:\

19.06.2006 11:48 0 sys.txt
19.06.2006 11:48 3.682 system.txt
19.06.2006 11:48 8.264 systemtemp.txt
19.06.2006 11:48 84.509 system32.txt
19.06.2006 11:45 1.610.612.736 pagefile.sys
19.06.2006 00:02 20.524 avenger.txt
17.06.2006 19:31 0 AUTOEXEC.BAT
17.06.2006 19:31 0 MSDOS.SYS
17.06.2006 19:31 0 IO.SYS
17.06.2006 19:31 0 CONFIG.SYS
17.06.2006 19:27 194 boot.ini
18.08.2001 14:00 4.952 bootfont.bin
18.08.2001 14:00 45.124 NTDETECT.COM
18.08.2001 14:00 224.032 ntldr
14 Datei(en) 1.611.004.017 Bytes
0 Verzeichnis(se), 18.176.946.176 Bytes frei
------------------------------------------------------------------------------------
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: FCF8-BDEB

Verzeichnis von C:\WINDOWS

19.06.2006 11:45 0 0.log
19.06.2006 11:45 2.048 bootstat.dat
19.06.2006 00:10 2.722 SchedLgU.Txt
18.06.2006 17:35 18.990 ModemLog_MicroLink 56k Internet c PnP.txt
18.06.2006 16:20 185.769 setupapi.log
17.06.2006 20:26 50 wiaservc.log
17.06.2006 20:26 509 wiadebug.log
17.06.2006 20:26 0 Sti_Trace.log
17.06.2006 20:24 1.348 regopt.log
17.06.2006 20:24 231 system.ini
17.06.2006 19:39 0 nsreg.dat
17.06.2006 19:38 99.970 UninstallFirefox.exe
17.06.2006 19:38 3.083 mozver.dat
17.06.2006 19:36 820 OEWABLog.txt
17.06.2006 19:36 795.297 setuplog.txt
17.06.2006 19:34 8.192 REGLOCS.OLD
17.06.2006 19:33 47.805 iis6.log
17.06.2006 19:33 7.723 ntdtcsetup.log
17.06.2006 19:33 15.677 comsetup.log
17.06.2006 19:33 10.175 tsoc.log
17.06.2006 19:33 4.382 imsins.log
17.06.2006 19:33 187.176 setupact.log
17.06.2006 19:33 622 setuperr.log
17.06.2006 19:31 0 control.ini
17.06.2006 19:31 504 win.ini
17.06.2006 19:31 299.552 WMSysPrx.prx
17.06.2006 19:31 4.161 ODBCINST.INI
17.06.2006 19:31 240 Windows Update.log
17.06.2006 19:30 749 WindowsShell.Manifest
17.06.2006 19:29 1.065 ocmsn.log
17.06.2006 19:29 12.817 ocgen.log
17.06.2006 19:29 821 msgsocm.log
17.06.2006 19:29 11.536 FaxSetup.log
17.06.2006 19:29 1.060 sessmgr.setup.log
17.06.2006 19:29 37 vbaddin.ini
17.06.2006 19:29 36 vb.ini
17.06.2006 19:29 128 DtcInstall.log
17.06.2006 19:28 10.028 msmqinst.log


Verzeichnis von C:\DOKUME~1\nici\LOKALE~1\Temp

18.06.2006 16:12 0 WERAA.tmp
18.06.2006 16:12 0 WERA9.tmp
18.06.2006 16:12 0 WERAB.tmp
18.06.2006 16:12 0 WERA7.tmp
18.06.2006 16:12 0 WERA6.tmp
18.06.2006 16:12 0 WERA8.tmp
18.06.2006 16:12 0 WERA5.tmp
18.06.2006 16:12 0 WERA4.tmp
18.06.2006 16:12 0 WERA3.tmp



Verzeichnis von C:\WINDOWS\system32

18.06.2006 16:05 336 npgjfbxr.txt
17.06.2006 20:27 0 h323log.txt
17.06.2006 19:45 70 I.0
17.06.2006 19:44 48.156 perfc007.dat
17.06.2006 19:44 39.992 perfc009.dat
17.06.2006 19:44 723.744 PerfStringBackup.INI
17.06.2006 19:44 311.604 perfh009.dat
17.06.2006 19:44 316.594 perfh007.dat
17.06.2006 19:36 25.065 wmpscheme.xml
17.06.2006 19:36 2.184 wpa.dbl
17.06.2006 19:34 90.296 FNTCACHE.DAT
17.06.2006 19:33 261 $winnt$.inf
17.06.2006 19:31 2.951 CONFIG.NT
17.06.2006 19:31 23.392 nscompat.tlb
17.06.2006 19:31 16.832 amcompat.tlb
17.06.2006 19:30 488 WindowsLogon.manifest
17.06.2006 19:30 488 logonui.exe.manifest