Pests of all kinds and how to fight them: Problem or false alarm?

If you are not sure whether you have caught malware or a trojan, start a topic here. An expert will reply with further instructions and help you remove the malware or uninstall or delete the unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
11.09.2007, 18:24 | #1

Hello and good evening, yesterday and today I got a Kaspersky alert about a Backdoor.Win32.GrayBird.awu in the module explorer\IZArcCM.dll. Disinfection not possible. So yesterday I deleted it. Today the alert came back. If I scan explorer.exe or IZArcCM.dll (a DLL belonging to an archiving program), the virus scanner finds nothing. An online scan finds nothing either. On Kaspersky's website there is no information anywhere about this alleged trojan program. I find nothing in HijackThis, and neither does the online evaluation. Has anyone here had an alert like this before?

__________________
Sh... technology, back in the day everything was made of wood
12.09.2007, 04:45 | #2
/// Winkelfunktion /// TB-Süch-Tiger™

Hello.
Please post a HijackThis logfile.

__________________
12.09.2007, 07:25 | #3

OK, here is the logfile:

[code]
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 08:09:31, on 12.09.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\WINDOWS\system32\LiveComSVC.exe
C:\WINDOWS\system32\LiveComMoSVC.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Cpic622\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\USBDLM\USBDLM.exe
C:\Programme\Iomega\AutoDisk\ADService.exe
C:\Programme\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Iomega\AutoDisk\ADUserMon.exe
C:\Programme\Iomega\DriveIcons\ImgIcon.exe
C:\Programme\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\StartupMonitor.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\anvshell.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spamihilator\spamihilator.exe
C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Programme\FRITZ!\IWatch.exe
C:\Programme\OpenOffice.org 2.0\program\soffice.exe
C:\Programme\OpenOffice.org 2.0\program\soffice.BIN
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programs\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.t-online.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Programme\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programme\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Programme\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [kav] "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [LiveNote] livenote.exe
O4 - HKLM\..\Run: [DMS-Kalenderchen] C:\Programme\Kalenderchen\Kalenderchen.exe /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Programme\Spamihilator\spamihilator.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Programme\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: Zusatzprogramm CheckTermine.lnk = C:\Kalender\CheckTermine.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: ISDNWatch.lnk = C:\Programme\FRITZ!\IWatch.exe
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save Flash - res://C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131605704968
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3305AF4-F06C-410D-95B8-1FDBFFACB639}: NameServer = 192.168.120.252,192.168.120.253
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: ArchiCrypt Encryption Engine Service (ACLDSymbols) - Unknown owner - C:\WINDOWS\system32\LiveComSVC.exe
O23 - Service: ArchiCrypt Mobile Encryption Engine Service (ACLMoSymbols) - Unknown owner - C:\WINDOWS\system32\LiveComMoSVC.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Cpic622\ScsiAccess.exe
O23 - Service: USBDLM - Uwe Sieber - www.uwe-sieber.de - C:\Program\USBDLM\USBDLM.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Programme\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Programme\Iomega\AutoDisk\ADService.exe

--
End of file - 8854 bytes
[/code]

__________________
12.09.2007, 07:51 | #4
/// Winkelfunktion /// TB-Süch-Tiger™

C:\WINDOWS\system32\LiveComSVC.exe
C:\WINDOWS\system32\LiveComMoSVC.exe
C:\Cpic622\ScsiAccess.exe

Are these processes known to you? According to the first Google results, they point to an encryption program (Livecom...) and to Kodak software (scsiaccess). It would still be better if you could have the three candidates evaluated at VirusTotal anyway. Did KAV actually complain about the genuine explorer.exe, or was that one sitting in a dubious folder?

__________________
Please always post logfiles in CODE tags
12.09.2007, 18:30 | #5

Hello Cosinus, the three processes are known to me (encryption program and graphics program). The malware alert gave no path, only "explorer.exe\IZArcCM.dll". A search for explorer.exe finds only one file, namely in C:\windows. If someone tells me how to upload an image, I could post the original alert here. By the way, I have now set the KAV security level to HIGH and scanned everything again in Safe Mode. The result was: no malware found. Afterwards, in normal mode, I tried to delete the trojan reported by KAV. That produced the message: "nicht gefunden: trojanisches Programm Backdoor.Win32.GrayBird.awu Modul: explorer.exe\IZArcCM.dll". All rather strange. I actually always keep a very close eye on my system and would claim that I'd notice a trojan's sudden activity. But these days you never know! What also surprised me is that the detected malware is apparently unknown to Kaspersky itself.

__________________
Sh... technology, back in the day everything was made of wood
12.09.2007, 18:46 | #6
/// Winkelfunktion /// TB-Süch-Tiger™

Quote:

If something wants to disguise itself as explorer.exe, it will certainly nest itself somewhere in the autostart; those can usually all be picked out quite well with Silent Runners, so please post one of those logfiles too.

__________________
13.09.2007, 12:54 | #7

Here is the Silent Runners logfile (nothing unusual caught my eye):

[code]
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Spamihilator" = ""C:\Programme\Spamihilator\spamihilator.exe"" ["Michel Krämer"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"PRONoMgr.exe" = "C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe" ["Intel(R) Corporation"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"ADUserMon" = "C:\Programme\Iomega\AutoDisk\ADUserMon.exe" ["Iomega Corporation"]
"Iomega Drive Icons" = "C:\Programme\Iomega\DriveIcons\ImgIcon.exe" ["Iomega"]
"Deskup" = "C:\Programme\Iomega\DriveIcons\deskup.exe /IMGSTART" ["Iomega"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"POINTER" = "point32.exe" [MS]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"Run StartupMonitor" = "StartupMonitor.exe" [null data]
"FreePDF Assistant" = "C:\Programme\FreePDF_XP\fpassist.exe" [null data]
"kav" = ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"anvshell" = "anvshell.exe" ["AsusTeK Computer Inc."]
"LiveNote" = "livenote.exe" [null data]
"DMS-Kalenderchen" = "C:\Programme\Kalenderchen\Kalenderchen.exe /autorun" ["Daniel Manger Software"]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{c7745760-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"
  -> {HKLM...CLSID} = "IomegaWare Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\Iomega\Shell\ImgMenu.dll" ["Iomega Corp."]
"{c7745761-8ead-11ce-b750-02608ca5202c}" = "IomegaWare Shell Extension"
  -> {HKLM...CLSID} = "IomegaWare Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\Iomega\Shell\ImgProp.dll" ["Iomega Corp."]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office\soa800.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Sammelmappen-Teiler"
  -> {HKLM...CLSID} = "Microsoft Office Sammelmappen-Teiler"
     \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
     \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office\olkfstub.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{59B12D92-FC2B-4063-B3D5-6BC628A0D4EB}" = "ArchiCrypt Shredder2 ShellExtension"
  -> {HKLM...CLSID} = "ArchiCrypt Shredder2 ShellExtension"
     \InProcServer32\(Default) = "C:\Programme\ArchiCryptShredder2\ACSEExt.dll" [null data]
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
  -> {HKLM...CLSID} = "IZArc DragDrop Menu"
     \InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
     \InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a² Context Menu Shell Extension"
  -> {HKLM...CLSID} = "a² Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Programm\A2FREE~1\A2CONT~1.DLL" [file not found]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32\(Default) = "C:\Program\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"
  -> {HKLM...CLSID} = "Siemens Device"
     \InProcServer32\(Default) = "C:\Programme\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"
  -> {HKLM...CLSID} = "Siemens Device ContextMenuHandler"
     \InProcServer32\(Default) = "C:\Programme\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"
  -> {HKLM...CLSID} = "Siemens Device PropertySheetHandler"
     \InProcServer32\(Default) = "C:\Programme\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{D84156D2-4255-4A6D-828F-07D4568A3B4E}" = "AxCrypt Privacy Wrapper File"
  -> {HKLM...CLSID} = "axcrypt.File"
     \InProcServer32\(Default) = "C:\Programme\Axon Data\AxCrypt\1.6.1\AxCrypt.dll" ["Axantum Software AB"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Context Menu Shell Extension"
  -> {HKLM...CLSID} = "a-squared Free Context Menu"
     \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web-Anti-Virus"
  -> {HKLM...CLSID} = "Web-Anti-Virus"
     \InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\NVCPL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>>
"{93994DE8-8239-4655-B1D1-5F4E91300429}" = (no title provided)
  -> {HKLM...CLSID} = "DVDIdleShell Class"
     \InProcServer32\(Default) = "C:\Programs\DVD Region-Free\DVDShell.dll" ["Fengtao Software"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>>
klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ArchiCryptShredder2\(Default) = "{59B12D92-FC2B-4063-B3D5-6BC628A0D4EB}"
  -> {HKLM...CLSID} = "ArchiCrypt Shredder2 ShellExtension"
     \InProcServer32\(Default) = "C:\Programme\ArchiCryptShredder2\ACSEExt.dll" [null data]
axcrypt.File\(Default) = "{D84156D2-4255-4A6D-828F-07D4568A3B4E}"
  -> {HKLM...CLSID} = "axcrypt.File"
     \InProcServer32\(Default) = "C:\Programme\Axon Data\AxCrypt\1.6.1\AxCrypt.dll" ["Axantum Software AB"]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
     \InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]
Notepad++\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
  -> {HKLM...CLSID} = "Notepad++"
     \InProcServer32\(Default) = "C:\Programme\Notepad++\nppcm.dll" ["Burgaud.com"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
     \InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
  -> {HKLM...CLSID} = "a² Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Programm\A2FREE~1\A2CONT~1.DLL" [file not found]
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
  -> {HKLM...CLSID} = "a-squared Free Context Menu"
     \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
ArchiCryptShredder2\(Default) = "{59B12D92-FC2B-4063-B3D5-6BC628A0D4EB}"
  -> {HKLM...CLSID} = "ArchiCrypt Shredder2 ShellExtension"
     \InProcServer32\(Default) = "C:\Programme\ArchiCryptShredder2\ACSEExt.dll" [null data]
axcrypt.File\(Default) = "{D84156D2-4255-4A6D-828F-07D4568A3B4E}"
  -> {HKLM...CLSID} = "axcrypt.File"
     \InProcServer32\(Default) = "C:\Programme\Axon Data\AxCrypt\1.6.1\AxCrypt.dll" ["Axantum Software AB"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
  -> {HKLM...CLSID} = "a-squared Free Context Menu"
     \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"NoControlPanel" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoInstrumentation" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"NoActiveDesktop" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Disable Active Desktop}
"NoViewContextMenu" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoWinKeys" = (REG_DWORD) hex:0x00000000 {Disable Windows+X hotkeys}
"NoShellSearchButton" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoFileAssociate" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoFileMenu" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoFolderOptions" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Removes the Folder Options menu item from the Tools menu}
"NoFind" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoRun" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoClose" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoCommonGroups" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoSimpleStartMenu" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"HideClock" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoToolbarsOnTaskbar" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoTrayItemsDisplay" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Hide the notification area}
"StartMenuLogoff" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoSMHelp" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Help menu from Start Menu}
"NoTrayContextMenu" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoCDBurning" = (REG_DWORD) hex:0x00000000 {unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools}
"NoDispCPL" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Control Panel|Display| Remove Display in Control Panel}
"NoDispAppearancePage" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Control Panel|Display| Hide Desktop tab}
"NoDispSettingsPage" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoDispScrSavPage" = (REG_DWORD) hex:0x00000000 {unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "hg" & "All Users" startup folders:
----------------------------------------------------

C:\Dokumente und Einstellungen\hg\Startmenü\Programme\Autostart
"OpenOffice.org 2.0" -> shortcut to: "C:\Programme\OpenOffice.org 2.0\program\quickstart.exe" [null data]
"Zusatzprogramm CheckTermine" -> shortcut to: "C:\Kalender\CheckTermine.exe" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"HPAiODevice(hp officejet d series) - 1" -> shortcut to: "C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe -DeviceID 1073410002" ["Hewlett-Packard Co."]
"ISDNWatch" -> shortcut to: "C:\Programme\FRITZ!\IWatch.exe" ["AVM Berlin"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Companion"
     \InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web-Anti-Virus"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{43CF38F3-5AEC-45A3-AD31-04EB06E9C6CA}\
"ButtonText" = "Flash"
"CLSIDExtension" = "{F81D52BF-F2F1-4F49-BF5F-05664E803039}"
  -> {HKLM...CLSID} = "IEButton Class"
     \InProcServer32\(Default) = "C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll" ["UnH Solutions"]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web-Anti-Virus"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

%NVSVC.name%, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
a-squared Free Service, a2free, ""C:\Programme\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
ArchiCrypt Encryption Engine Service, ACLDSymbols, "C:\WINDOWS\system32\LiveComSVC.exe" [null data]
ArchiCrypt Mobile Encryption Engine Service, ACLMoSymbols, "C:\WINDOWS\system32\LiveComMoSVC.exe" [null data]
BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]
Iomega Active Disk, _IOMEGA_ACTIVE_DISK_SERVICE_, ""C:\Programme\Iomega\AutoDisk\ADService.exe"" ["Iomega Corporation"]
Iomega App Services, Iomega App Services, ""C:\PROGRA~1\Iomega\System32\AppServices.exe"" ["Iomega Corporation"]
Kaspersky Anti-Virus 6.0, AVP, ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r" ["Kaspersky Lab"]
ScsiAccess, ScsiAccess, "C:\Cpic622\ScsiAccess.exe" [null data]
USBDLM, USBDLM, "C:\Program\USBDLM\USBDLM.exe" ["Uwe Sieber - www.uwe-sieber.de"]
V2i Protector, V2i Protector, "C:\Programme\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe" ["PowerQuest Corporation"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
5D PDF Creator Port\Driver = "Niknak.DLL" ["5D Solutions Ltd."]
FRITZ!fax Color Port Monitor\Driver = "FritzColorPort.dll" ["AVM Berlin GmbH"]
FRITZ!fax Port Monitor\Driver = "FritzPort.dll" ["AVM Berlin GmbH"]
Redirected Port\Driver = "redmonnt.dll" [null data]
Win2PDF Port\Driver = "win2pdfm.dll" [null data]


----------
(launch time: 2007-09-13 08:15:56)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
----------
(total run time: 56 seconds, including 18 seconds for message boxes)
[/code]

BlackLight reports: No hidden Items found. Here is that logfile too:

[code]
09/13/07 12:13:19 [Info]: BlackLight Engine 1.0.64 initialized
09/13/07 12:13:19 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/13/07 12:13:19 [Note]: 7019 4
09/13/07 12:13:19 [Note]: 7005 0
09/13/07 12:13:46 [Note]: 7006 0
09/13/07 12:13:46 [Note]: 7011 132
09/13/07 12:13:47 [Note]: 7026 0
09/13/07 12:13:47 [Note]: 7026 0
09/13/07 12:13:51 [Note]: FSRAW library version 1.7.1022
[/code]

Many thanks for your effort so far.
__________________ Sh.... technology, everything used to be made of wood |
13.09.2007, 17:39 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Problem or false alarm? Hm... I haven't seen anything conspicuous there either. It seems more like a false alarm, but you can't do much with that message. Maybe ask again in the Kaspersky forum; I guess they can interpret the message better.
__________________ Please always post logfiles in CODE tags |
15.09.2007, 21:50 | #9 |
| Problem or false alarm? OK, in any case many thanks for the help. In the Kaspersky forum I first landed in the fan forum by mistake. They couldn't really help me either. I'm now trying the official forum. Meanwhile a message about a different trojan has appeared, which is supposedly in a file that doesn't exist on the computer, and in a directory that doesn't exist either. I'm curious what the KAV experts know about that. I'll definitely post here once it has been resolved.
__________________ Sh.... technology, everything used to be made of wood |