Plagegeister aller Art und deren Bekämpfung (pests of all kinds and their removal): Worm Rebhap (Windows 7)
#1
Worm Rebhap

Good evening, since this evening my computer has been booting with the message: Svhost.exe is causing an error. So I ran Antimalware over it and, lo and behold: 15 files infected with the Rebhap worm. Now Antimalware deletes them, reboots the computer, and the error is back again, though this time with 9 errors. How can I fight this? Many thanks in advance for your help.

Addendum: in the directory User/Name/appdata/roaming/ there is a directory Install with the file svhost.exe. That seems to be the culprit. How could I get rid of it?

Here is my log file from OTL. OTL Logfile: Code:
```
OTL logfile created on: 21.06.2011 21:25:34 - Run 3
OTL by OldTimer - Version 3.2.24.1     Folder = C:\Tools\Virus\OTL
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

4,00 Gb Total Physical Memory | 2,85 Gb Available Physical Memory | 71,17% Memory free
7,90 Gb Paging File | 6,70 Gb Available in Paging File | 84,80% Paging File free
Paging file location(s): f:\pagefile.sys 4000 4000 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 34,30 Gb Total Space | 15,96 Gb Free Space | 46,51% Space Free | Partition Type: NTFS
Drive D: | 177,22 Gb Total Space | 112,18 Gb Free Space | 63,30% Space Free | Partition Type: NTFS
Drive E: | 48,83 Gb Total Space | 7,40 Gb Free Space | 15,16% Space Free | Partition Type: NTFS
Drive F: | 58,59 Gb Total Space | 17,79 Gb Free Space | 30,36% Space Free | Partition Type: NTFS
Drive G: | 53,67 Gb Total Space | 44,20 Gb Free Space | 82,35% Space Free | Partition Type: NTFS
Drive H: | 186,30 Gb Total Space | 14,84 Gb Free Space | 7,96% Space Free | Partition Type: NTFS
Drive U: | 931,51 Gb Total Space | 455,49 Gb Free Space | 48,90% Space Free | Partition Type: NTFS

Computer Name: VANISCH-PC | User Name: Vanisch | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011.06.20 10:00:02 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Tools\Virus\OTL\OTL.exe
PRC - [2011.05.29 09:11:28 | 000,449,584 | ---- | M] (Malwarebytes Corporation) -- C:\Tools\Virus\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2011.05.29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) -- C:\Tools\Virus\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011.05.29 09:11:22 | 001,047,656 | ---- | M] (Malwarebytes Corporation) -- C:\Tools\Virus\Malwarebytes' Anti-Malware\mbam.exe
PRC - [2011.02.15 12:11:46 | 000,066,560 | ---- | M] (Nalpeiron Ltd.) -- C:\Windows\SysWOW64\nlssrv32.exe
PRC - [2011.01.16 00:00:48 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\explorer.exe
PRC - [2010.12.17 08:56:10 | 003,707,808 | ---- | M] (Ghisler Software GmbH) -- C:\Windows\totalcmd\TOTALCMD.EXE
PRC - [2009.06.17 13:44:11 | 000,085,160 | ---- | M] (Elaborate Bytes AG) -- C:\Tools\Disk\VirtualCloneDrive\VCDDaemon.exe
PRC - [2009.01.13 14:54:52 | 003,247,616 | ---- | M] () -- C:\Program Files (x86)\Digitus\MFP Server Control Center\Control Center.exe

========== Modules (SafeList) ==========

MOD - [2011.06.20 10:00:02 | 000,579,072 | ---- | M] (OldTimer Tools) -- C:\Tools\Virus\OTL\OTL.exe
MOD - [2011.01.16 00:00:04 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009.07.14 03:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV - [2011.05.29 09:11:28 | 000,366,640 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Tools\Virus\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011.02.15 12:11:46 | 000,066,560 | ---- | M] (Nalpeiron Ltd.) [Auto | Running] -- C:\Windows\SysWOW64\nlssrv32.exe -- (nlsX86cc)
SRV - [2011.01.21 20:18:38 | 000,457,216 | ---- | M] (Uwe Sieber - www.uwe-sieber.de) [Auto | Running] -- C:\Tools\Utilities\USBDLM\USBDLM.exe -- (USBDLM)
SRV - [2010.03.18 14:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010.02.19 14:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009.06.10 23:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2011.05.29 09:11:20 | 000,025,912 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2011.02.03 01:18:32 | 000,230,352 | ---- | M] (TrueCrypt Foundation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\truecrypt.sys -- (truecrypt)
DRV:64bit: - [2011.01.16 00:01:17 | 000,020,992 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV:64bit: - [2011.01.16 00:01:03 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2011.01.15 23:59:52 | 000,117,248 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tsusbhub.sys -- (tsusbhub)
DRV:64bit: - [2011.01.15 23:59:52 | 000,088,960 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Synth3dVsc.sys -- (Synth3dVsc)
DRV:64bit: - [2011.01.15 23:59:52 | 000,071,168 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dmvsc.sys -- (dmvsc)
DRV:64bit: - [2011.01.15 23:59:52 | 000,034,816 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\terminpt.sys -- (terminpt)
DRV:64bit: - [2011.01.15 23:59:50 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011.01.15 23:59:50 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2011.01.15 23:59:50 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011.01.15 23:59:49 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2010.08.16 16:31:36 | 000,019,936 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\pwdrvio.sys -- (pwdrvio)
DRV:64bit: - [2010.08.16 16:31:32 | 000,013,280 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\pwdspio.sys -- (pwdspio)
DRV:64bit: - [2009.12.18 00:25:17 | 000,034,472 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ElbyCDIO.sys -- (ElbyCDIO)
DRV:64bit: - [2009.08.09 23:25:45 | 000,036,352 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\VClone.sys -- (VClone)
DRV:64bit: - [2009.07.14 03:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009.07.14 03:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009.07.14 03:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009.06.10 22:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009.06.10 22:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009.06.10 22:35:03 | 000,192,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\eFE5b32e.sys -- (E100B) Intel(R)
DRV:64bit: - [2009.06.10 22:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009.06.10 22:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009.06.10 22:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009.06.10 22:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = de
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = F7 0D 4D 8A B8 E3 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.openintab: true
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: ""
FF - prefs.js..extensions.enabledItems: {9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}:6.0.4
FF - prefs.js..extensions.enabledItems: {097d3191-e6fa-4728-9826-b533d755359d}:0.7.13
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.8
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.1.2rc4
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.3.0.1
FF - prefs.js..extensions.enabledItems: noia2_option@kk.noia:3.76
FF - prefs.js..extensions.enabledItems: {3474c305-9dad-11d8-9207-00055d74c2e4}:0.4.11
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.6pre.110429a
FF - prefs.js..extensions.enabledItems: sxipper@sxip.com:2.3.4
FF - prefs.js..extensions.enabledItems: {46868735-c3fa-47ce-8ce7-cce51a66aceb}:1.2
FF - prefs.js..extensions.enabledItems: scrapbookplus@addons.mozilla.org:1.8.18.33
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.8
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.9.1
FF - prefs.js..extensions.enabledItems: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}:3.5.9.1
FF - prefs.js..extensions.enabledItems: {C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9}:0.6.0.8
FF - prefs.js..extensions.enabledItems: abhere2@moztw.org:3.6.20101102
FF - prefs.js..extensions.enabledItems: {9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}:3.76

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011.02.02 23:51:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011.02.03 01:44:52 | 000,000,000 | ---D | M]

[2011.02.02 23:51:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Extensions
[2011.06.19 23:51:46 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions
[2011.04.13 14:52:13 | 000,000,000 | ---D | M] (All-in-One Sidebar) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{097d3191-e6fa-4728-9826-b533d755359d}
[2011.06.19 23:51:45 | 000,000,000 | ---D | M] (FlashGot) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}
[2011.06.19 23:51:46 | 000,000,000 | ---D | M] (IE Tab 2 (FF 3.6+)) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}
[2011.02.02 23:58:32 | 000,000,000 | ---D | M] (Bookmark Backup) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{3474c305-9dad-11d8-9207-00055d74c2e4}
[2011.02.02 23:58:31 | 000,000,000 | ---D | M] (oldbar) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{46868735-c3fa-47ce-8ce7-cce51a66aceb}
[2011.06.19 23:51:45 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2011.02.02 23:53:36 | 000,000,000 | ---D | M] (MR Tech Toolkit) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}
[2011.02.02 23:54:44 | 000,000,000 | ---D | M] (Noia 2.0 (eXtreme)) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2011.06.19 23:51:46 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2011.04.13 14:52:13 | 000,000,000 | ---D | M] (QuickNote) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{C0CB8BA3-6C1B-47e8-A6AB-1FAB889562D9}
[2011.06.19 23:51:45 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2011.04.13 14:52:13 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2011.06.19 23:51:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2011.02.04 01:57:42 | 000,000,000 | ---D | M] (Add Bookmark Here ²) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\abhere2@moztw.org
[2011.02.02 23:54:48 | 000,000,000 | ---D | M] (Noia 2.0 eXtreme OPT) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\noia2_option@kk.noia
[2011.06.19 23:51:45 | 000,000,000 | ---D | M] (ScrapBook Plus) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\scrapbookplus@addons.mozilla.org
[2011.02.02 23:58:31 | 000,000,000 | ---D | M] (Sxipper) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\sxipper@sxip.com
[2011.06.19 23:51:45 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Vanisch\AppData\Roaming\mozilla\Firefox\Profiles\vduku6o7.default\extensions\{dc572301-7619-498c-a57d-39143191b318}\modules\extensions
[2011.06.19 23:50:45 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\mozilla firefox\extensions
[2010.12.03 20:14:08 | 000,001,392 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\amazondotcom-de.xml
[2010.12.03 20:14:08 | 000,002,344 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\eBay-de.xml
[2010.12.03 20:14:08 | 000,006,805 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\leo_ende_de.xml
[2010.12.03 20:14:08 | 000,001,178 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\wikipedia-de.xml
[2010.12.03 20:14:08 | 000,001,105 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\yahoo-de.xml

O1 HOSTS File: ([2011.06.20 22:59:51 | 000,001,584 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 192.150.18.108
O1 - Hosts: 127.0.0.1 activate.adobe.com:443
O1 - Hosts: 127.0.0.1 3dns.adobe.com
O1 - Hosts: 127.0.0.1 3dns-1.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-4.adobe.com
O1 - Hosts: 127.0.0.1 adobeereg.com
O1 - Hosts: 127.0.0.1 www.adobeereg.com
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 192.150.18.108
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-1.adobe.com
O1 - Hosts: 28 more lines...
O2:64bit: - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Programme\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (IeCatch5 Class) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~2\FlashGet\jccatch.dll (FlashGet)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Buro\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (gFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~2\FlashGet\getflash.dll ()
O3 - HKLM\..\Toolbar: (FlashGet Bar) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\fgiebar.dll (Amaze Soft)
O4:64bit: - HKLM..\Run: [NVRaidService] C:\Windows\SysNative\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [BCSSync] C:\Buro\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Control Center] C:\Program Files (x86)\Digitus\MFP Server Control Center\Control Center.exe ()
O4 - HKLM..\Run: [HKLM] C:\Users\Vanisch\AppData\Roaming\install\svchost.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Tools\Virus\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware (reboot)] C:\Tools\Virus\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [VirtualCloneDrive] C:\Tools\Disk\VirtualCloneDrive\VCDDaemon.exe (Elaborate Bytes AG)
O4 - HKCU..\Run: [HKCU] C:\Users\Vanisch\AppData\Roaming\install\svchost.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\Users\Vanisch\AppData\Roaming\install\svchost.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\Users\Vanisch\AppData\Roaming\install\svchost.exe ()
O8:64bit: - Extra context menu item: Alles mit FlashGet laden - C:\Program Files (x86)\FlashGet\jc_all.htm ()
O8:64bit: - Extra context menu item: Mit FlashGet laden - C:\Program Files (x86)\FlashGet\jc_link.htm ()
O8:64bit: - Extra context menu item: Nach Microsoft E&xcel exportieren - C:\Buro\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Program Files (x86)\FlashGet\jc_all.htm ()
O8 - Extra context menu item: Mit FlashGet laden - C:\Program Files (x86)\FlashGet\jc_link.htm ()
O8 - Extra context menu item: Nach Microsoft E&xcel exportieren - C:\Buro\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~2\FlashGet\flashget.exe (FlashGet.com)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Filter\text/xml {807573E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011.06.21 10:41:39 | 000,000,360 | RHS- | M] () - U:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011.06.21 00:00:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\priPrinter Professional
[2011.06.21 00:00:33 | 000,000,000 | ---D | C] -- C:\Programme\priPrinter
[2011.06.20 23:59:48 | 000,000,000 | ---D | C] -- C:\Users\Vanisch\AppData\Roaming\install
[2011.06.20 22:58:43 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\install
[2011.06.20 14:28:46 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\My Videos
[2011.06.20 14:28:46 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\My Pictures
[2011.06.20 14:28:46 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\My Music
[2011.06.20 14:28:45 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Videos
[2011.06.20 14:28:45 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Musik
[2011.06.20 14:28:45 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\Eigene Bilder
[2011.06.20 11:33:18 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011.06.20 10:37:58 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011.06.20 10:32:15 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011.06.20 10:32:15 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011.06.20 10:32:15 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011.06.20 01:44:39 | 000,000,000 | ---D | C] -- C:\Users\Vanisch\AppData\Local\Downloaded Installations
[2011.06.20 01:20:30 | 000,000,000 | ---D | C] -- C:\Users\Vanisch\AppData\Local\Nik Software
[2011.06.20 01:20:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Nik Software
[2011.06.20 01:15:43 | 000,000,000 | ---D | C] -- C:\Users\Vanisch\AppData\Roaming\Thinstall
[2011.06.20 01:15:43 | 000,000,000 | ---D | C] -- C:\Users\Vanisch\AppData\Local\Thinstall
[2011.06.19 23:45:49 | 000,000,000 | ---D | C] -- C:\Users\Vanisch\AppData\Roaming\Malwarebytes
[2011.06.19 23:45:43 | 000,039,984 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011.06.19 23:45:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011.06.19 23:45:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011.06.19 23:45:40 | 000,025,912 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

========== Files - Modified Within 30 Days ==========

[2011.06.21 21:26:22 | 000,020,704 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011.06.21 21:26:22 | 000,020,704 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011.06.21 21:19:11 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011.06.21 11:06:20 | 000,001,704 | ---- | M] () -- C:\Users\Vanisch\AppData\Local\Adobe Für Web speichern 12.0 Prefs
[2011.06.20 22:59:51 | 000,001,584 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2011.06.20 22:58:41 | 000,745,276 | ---- | M] () -- C:\Users\Vanisch\AppData\Roaming\Sdat.exe
[2011.06.20 15:29:09 | 001,611,160 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011.06.20 15:29:09 | 000,696,132 | ---- | M] () -- C:\Windows\SysNative\perfh007.dat
[2011.06.20 15:29:09 | 000,651,450 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011.06.20 15:29:09 | 000,147,428 | ---- | M] () -- C:\Windows\SysNative\perfc007.dat
[2011.06.20 15:29:09 | 000,120,382 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011.05.29 09:11:30 | 000,039,984 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011.05.29 09:11:20 | 000,025,912 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2011.06.21 00:00:35 | 000,019,216 | ---- | C] () -- C:\Windows\SysNative\plkmon64.dll
[2011.06.20 22:58:41 | 000,745,276 | ---- | C] () -- C:\Users\Vanisch\AppData\Roaming\Sdat.exe
[2011.06.20 10:32:15 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011.06.20 10:32:15 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2011.06.20 10:32:15 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011.06.20 10:32:15 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011.06.20 10:32:15 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011.02.21 23:17:34 | 000,003,584 | ---- | C] () -- C:\Windows\SysWow64\SilverEfexPro2FC32.dll
[2011.02.15 12:11:48 | 000,003,072 | ---- | C] () -- C:\Windows\SysWow64\Viveza2FC32.dll
[2011.02.12 23:54:52 | 000,000,022 | -HS- | C] () -- C:\Users\Vanisch\AppData\Roaming\Sys6925.Config Collection.sys
[2011.02.12 23:54:52 | 000,000,022 | -HS- | C] () -- C:\Windows\Sys3390 SettingsCollection.bin
[2011.02.10 12:36:30 | 000,001,704 | ---- | C] () -- C:\Users\Vanisch\AppData\Local\Adobe Für Web speichern 12.0 Prefs
[2011.02.04 01:27:34 | 000,000,197 | ---- | C] () -- C:\Users\Vanisch\AppData\Roaming\I2ePlugin.ini
[2011.02.03 22:51:45 | 000,079,360 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2011.02.03 14:02:51 | 000,081,920 | -H-- | C] () -- C:\Windows\SysWow64\v3shrtkgn.dll
[2011.02.03 01:26:11 | 001,588,294 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011.02.03 00:34:11 | 001,376,256 | ---- | C] () -- C:\Windows\SysWow64\I2E_CINT.dll
[2011.02.02 18:57:52 | 000,120,376 | ---- | C] () -- C:\Windows\SysWow64\rrsec.dll
[2011.02.02 18:57:52 | 000,097,888 | ---- | C] () -- C:\Windows\SysWow64\rrsec2k.exe
[2009.07.14 07:38:36 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009.07.14 04:35:51 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2009.07.14 04:34:42 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2009.07.14 02:10:29 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009.07.14 01:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009.07.13 23:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2009.06.10 23:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2002.05.08 13:43:25 | 000,000,188 | -H-- | C] () -- C:\Windows\M1315oxs4s11behw0.dll

========== LOP Check ==========

[2011.03.11 00:35:24 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\ChemTable Software
[2011.06.20 01:38:36 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\foobar2000
[2011.02.02 18:52:10 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\GHISLER
[2011.02.02 19:04:26 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\Imagine
[2011.02.19 02:51:52 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\ImgBurn
[2011.06.21 21:25:05 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\install
[2011.03.03 15:45:42 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\Mp3tag
[2011.04.13 15:14:09 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\Notepad++
[2011.04.14 01:38:31 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\Pelikan Software KFT
[2011.03.04 22:48:20 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2011.06.21 11:26:27 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\The Bat!
[2011.06.20 01:15:43 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\Thinstall
[2011.04.14 10:27:53 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\Tracker Software
[2011.02.03 01:18:59 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\TrueCrypt
[2011.02.02 18:38:55 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\URSoft
[2011.02.03 02:28:02 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\WinFAQ
[2011.06.21 10:26:09 | 000,000,000 | ---D | M] -- C:\Users\Vanisch\AppData\Roaming\XnView
[2011.03.12 13:48:32 | 000,032,632 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========


========== Alternate Data Streams ==========

@Alternate Data Stream - 193 bytes -> C:\ProgramData\TEMP:A5B56640
@Alternate Data Stream - 167 bytes -> C:\ProgramData\TEMP:1CE11B51
@Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:D2F2F703
@Alternate Data Stream - 123 bytes -> C:\ProgramData\TEMP:8FCD8443
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:06A7F9ED

< End of report >
```

Last edited by Vanisch1 (21.06.2011 at 20:36)
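A helper reading a log like the one above starts with the autostart lines. The following Python is an added example, not part of the original post and not OTL's own code: it parses OTL's O4/O6/O7 Run entries and O6 UAC policy lines and flags what stands out in this log, namely autostart targets under AppData, the empty company field `()`, a core Windows binary name living outside C:\Windows, and UAC switched off. The sample lines are copied from the log above; the function names, the heuristics and the list of core binary names are this example's own choices.

```python
import re
from dataclasses import dataclass

# Constructed sample: the O4/O6/O7 lines copied from the OTL log above.
SAMPLE_LOG = r"""
O4:64bit: - HKLM..\Run: [NVRaidService] C:\Windows\SysNative\nvraidservice.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [HKLM] C:\Users\Vanisch\AppData\Roaming\install\svchost.exe ()
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Tools\Virus\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKCU..\Run: [HKCU] C:\Users\Vanisch\AppData\Roaming\install\svchost.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\Users\Vanisch\AppData\Roaming\install\svchost.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\Users\Vanisch\AppData\Roaming\install\svchost.exe ()
"""

# OTL line shapes handled here:
#   "O4 - HKLM..\Run: [name] path (company)"
#   "O6/O7 - <key>\policies\Explorer\Run: name = path (company)"
#   "O6 - <key>\policies\System: name = value"
RUN_RE = re.compile(
    r"^O4(?::64bit:)? - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?) \((?P<company>[^)]*)\)$"
)
POLICY_RUN_RE = re.compile(
    r"^O[67](?::64bit:)? - (?P<key>HK.+?\\policies\\Explorer\\Run): "
    r"(?P<name>\w+) = (?P<path>.+?) \((?P<company>[^)]*)\)$"
)
UAC_RE = re.compile(
    r"^O6(?::64bit:)? - HK.+?\\policies\\System: (?P<name>\w+) = (?P<value>\d+)$"
)

# Names of core Windows binaries that legitimately live only under %SystemRoot%
# (this example's own short list, not an exhaustive one).
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe",
                       "csrss.exe", "winlogon.exe", "services.exe"}

# Directories a standard user can write to; an autostart pointing there is suspect.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\programdata\\")


@dataclass
class Finding:
    line: str
    reasons: list


def assess_autostart(path: str, company: str) -> list:
    """Reasons an autostart target deserves a closer look; empty list if none."""
    reasons = []
    lower = path.lower()
    base = lower.rsplit("\\", 1)[-1]
    if any(marker in lower for marker in USER_WRITABLE_MARKERS):
        reasons.append("autostart target in a user-writable directory")
    if company.strip() == "":
        reasons.append("no company name in the file's version info ('()')")
    if base in SYSTEM_BINARY_NAMES and not lower.startswith("c:\\windows\\"):
        reasons.append(f"core Windows binary name {base} outside C:\\Windows")
    return reasons


def assess_uac(name: str, value: str) -> list:
    """Values under policies\\System that weaken or disable UAC."""
    weak = {
        ("EnableLUA", "0"): "UAC disabled (EnableLUA = 0)",
        ("ConsentPromptBehaviorAdmin", "0"):
            "administrators elevate silently (ConsentPromptBehaviorAdmin = 0)",
        ("PromptOnSecureDesktop", "0"):
            "elevation prompts not shown on the secure desktop",
    }
    reason = weak.get((name, value))
    return [reason] if reason else []


def triage(log_text: str) -> list:
    """Return one Finding per OTL line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line) or POLICY_RUN_RE.match(line)
        if m:
            reasons = assess_autostart(m.group("path"), m.group("company"))
        else:
            m = UAC_RE.match(line)
            reasons = assess_uac(m.group("name"), m.group("value")) if m else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

On the sample above, the four entries pointing at AppData\Roaming\install\svchost.exe each trip all three autostart heuristics, and the two UAC lines are reported separately; the NVIDIA and Malwarebytes entries produce no finding.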