HiJackThis Log-File : Keylogger/Trojan

Skywal · 28.09.2007, 21:28

Ich werde die ganze Sache kurz und detaliert erklären.

Vor einigen Stunden habe ich wie immer mit Anderen auf Msn gechattet
und auf Einmal schickt mir ein Freund eine Datei,(kein richtiger Freund, aber ich vertraue ihn).
Ich drücke auf accept und lade die Datei runter, dann öffne ich sie. Ich sehe dann blixtschnell ein MSN Fenster öffnen, dann ist es wieder weg. Gleichzeitig habe ich ein Spiel gezockt, und ich konnte das Spiel auch nicht mehr öffnen. Immer passierte das gleiche und wenn ich MSN schließen wollte, tauchte 5 Fenster auf und müsste alle löschen bis ich MSN richtig schließen konnte. Und das schlimmste war,
das ich diese komische Datei genau ALLEN Kontakten automatisce schicke.

Ich habe dann die Dateir mit diesem internetprogramm: http://virusscan.jotti.org (ein sehr sehr gutes programm)untersucht und habe Trojaner und Keyloggers gefunden.

Ich sagte ihn das er mir ein verdammtes keylogger geschickt hatte, und er fühlte sich sofort schuldig und erkannte es.(er wollte nur ein bisschen experimentieren, sagte er -.- )

Was habe ich gemacht?
Fast alles probiert, mit Ad-aware, McAfee,Search&Destroy untersucht.
Dann unter Taskmanager geschaut ob da was Mißtrauiges war.
Aber immernoch habe ich dieses Problem.
Ich habe jetzt ein bisschen genauer untersucht. Die Datei, die immer
gescickt werden ist N039_jpg. Dann habe ich irgendwo gelesen, dass die
Datei usnsvc.exe eine Zusammenhang damit haben könnte.

Ich frage mich ob ihr mir sagen könnt ob in diesem HijackThis irgendwas
komisches ist.

Ich entschuldige mich auch für mein Deutsch,bin hier in Deutschland nur 2 Jahren.

Filip

Skywal · 28.09.2007, 21:33

Deckard's System Scanner v20070905.67
Run by User on 2007-09-28 22:26:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
[edit]
bitte editiere zukünftig deine links, wie es dir u.a. hier angezeigt wird:
http://www.trojaner-board.de/22771-a...tml#post171958

danke
GUA
[/edit]

-- Files created between 2007-08-28 and 2007-09-28 -----------------------------

2007-09-28 22:16:31 0 d-------- C:\Program Files\MSN Messenger
2007-09-28 21:48:40 0 d-------- C:\KAV
2007-09-28 21:41:19 0 d-------- C:\Program Files\Trend Micro
2007-09-28 21:11:35 0 d-------- C:\WINDOWS\D22DC59F69E54212880C42FDE80693C1.TMP
2007-09-28 21:09:06 0 d-------- C:\Documents and Settings\User\Application Data\Prevx
2007-09-28 21:08:48 0 d-------- C:\WINDOWS\LastGood
2007-09-28 21:08:15 0 d-------- C:\Program Files\Prevx2
2007-09-28 21:02:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-09-28 18:45:35 0 d--hs---- C:\Documents and Settings\User\Recent
2007-09-28 17:23:39 43976 --a------ C:\k3d3t4t8n7l8.exe
2007-09-28 11:44:30 0 d--h----- C:\Program Files\Common Files\Carlson
2007-09-28 11:44:24 43976 --a------ C:\qwere.exe
2007-09-28 11:43:01 403456 -r-hs---- C:\WINDOWS\usnsvc.exe
2007-09-27 23:26:15 0 d-------- C:\WINDOWS\048298C9A4D3490B9FF9AB023A9238F3.TMP
2007-09-26 22:18:36 80187 --a------ C:\WINDOWS\BricoPackUninst.cmd
2007-09-26 22:15:30 7372 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
2007-09-26 22:14:31 0 d-------- C:\WINDOWS\BricoPacks
2007-09-26 11:49:16 712704 -ra------ C:\WINDOWS\system32\Audio3D3.dll <Not Verified; Sensaura Ltd; Sensaura>
2007-09-26 11:49:15 65536 -ra------ C:\WINDOWS\system\VMix.dll
2007-09-26 11:49:12 917504 -ra------ C:\WINDOWS\system\cmids3d3.dll <Not Verified; C-Media Electronics Inc.; C-Media Cmids3d>
2007-09-26 11:49:11 36864 -ra------ C:\WINDOWS\system32\cmudax3.DLL <Not Verified; C-Media Electronics Ins.; C-Media PCI Audio>
2007-09-26 11:49:11 241664 -ra------ C:\WINDOWS\system32\cmrmdrv3.exe <Not Verified; ; CmiRemoveDriver Application>
2007-09-26 11:49:10 32768 -ra------ C:\WINDOWS\system32\udaprop3.dll <Not Verified; C-Media Corporation; CMI8738/CMI9738/CMI9739 Audio Device>
2007-09-26 11:49:10 28672 -ra------ C:\WINDOWS\system32\cmrmdrv3.dll
2007-09-26 11:49:09 1399680 -ra------ C:\WINDOWS\system32\drivers\cmudax3.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>
2007-09-22 18:59:24 9015 --a------ C:\WINDOWS\scunin.dat
2007-09-22 18:59:22 967 --a------ C:\WINDOWS\ScUnin.pif
2007-09-22 18:59:22 67584 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-09-22 15:23:47 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-09-22 12:14:45 0 d-------- C:\Program Files\CCleaner
2007-09-14 14:36:48 0 d-------- C:\Program Files\Real
2007-09-08 17:56:46 0 d-------- C:\WINDOWS\pss
2007-09-08 17:55:30 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-09-08 17:55:24 0 d-------- C:\Program Files\Security Task Manager
2007-09-02 16:03:32 0 d-------- C:\Program Files\Skype
2007-09-02 16:03:17 0 d-------- C:\Program Files\Common Files\Skype
2007-09-02 16:02:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype

-- Find3M Report ---------------------------------------------------------------

2007-09-28 17:19:27 16896 --a------ C:\WINDOWS\system32\tftp.exe
2007-09-28 17:19:27 42496 --a------ C:\WINDOWS\system32\ftp.exe
2007-09-28 11:44:30 0 d-------- C:\Program Files\Common Files
2007-09-26 22:41:11 0 d-------- C:\Program Files\Movie Maker
2007-09-26 22:18:35 218624 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-09-26 22:04:34 0 d-------- C:\Program Files\SwiftSwitch
2007-09-26 12:09:45 0 d-------- C:\Documents and Settings\User\Application Data\OpenOffice.org2
2007-09-26 11:06:29 0 d-------- C:\Program Files\Workspace Macro Pro 6.5
2007-09-26 11:03:53 0 d-------- C:\Program Files\Recorder
2007-09-22 13:14:02 0 d-------- C:\Program Files\Common Files\Adobe
2007-09-22 13:06:11 0 d-------- C:\Program Files\Java
2007-09-16 16:29:33 0 d-------- C:\Program Files\DivX
2007-09-08 23:50:06 0 d-------- C:\Program Files\Covey Inc
2007-09-02 16:05:14 0 d-------- C:\Documents and Settings\User\Application Data\Skype
2007-08-19 20:57:45 0 d-------- C:\Program Files\QuickTime
2007-08-18 12:42:49 0 d-------- C:\Program Files\IconTweaker
2007-08-18 12:42:49 0 d-------- C:\Documents and Settings\User\Application Data\IconTweaker
2007-08-18 12:08:31 0 d-------- C:\Program Files\Stardock
2007-08-10 15:17:39 0 d-------- C:\Program Files\EliteSwitch
2007-08-03 03:47:05 0 d-------- C:\Documents and Settings\User\Application Data\dvdcss
2007-07-30 19:52:52 0 d---s---- C:\Program Files\Xfire
2007-07-30 19:52:52 0 d-------- C:\Documents and Settings\User\Application Data\Xfire
2007-07-30 19:19:16 68440 --a------ C:\WINDOWS\system32\wuauclt.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [07/28/2004 02:01 AM C:\WINDOWS\SOUNDMAN.EXE]
"ALi5289"="C:\Program Files\ULI5289\ALi5289.exe" [03/10/2005 11:56 PM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05/13/2005 06:05 AM]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [07/08/2005 05:18 PM]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [08/10/2005 11:49 AM]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [09/22/2005 05:29 PM]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [01/11/2006 11:05 AM]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [08/11/2005 09:02 PM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [07/19/2005 06:32 PM]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [06/08/2005 03:24 PM]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [06/08/2005 03:14 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 04:00 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"CmPCIaudio"="cmicnfg3.cpl" []
"usnsvc.exe"="C:\WINDOWS\usnsvc.exe" [09/28/2007 08:50 AM]
"PrevxOne"="C:\Program Files\Prevx2\PXConsole.exe" [09/27/2007 07:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [06/08/2005 02:44 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 09:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/24/2007 08:51 PM]
"Steam"="f:\valve\steam\steam.exe" [06/28/2007 09:26 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [02/04/2004 12:16 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cda80aa-977a-11db-8b91-000b6aa435cf}]
AutoRun\command- G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{92189e5d-39a8-11db-b87a-806d6172696f}]
AutoRun\command- D:\SETUP.EXE

*Newly Created Service* - PREVXAGENT
*Newly Created Service* - USNJSVC

-- End of Deckard's System Scanner: finished at 2007-09-28 22:26:46 ------------

HIER FIND ALLES AN:
2007-09-28 11:44:30 0 d--h----- C:\Program Files\Common Files\Carlson
2007-09-28 11:44:24 43976 --a------ C:\qwere.exe
2007-09-28 11:43:01 403456 -r-hs---- C:\WINDOWS\usnsvc.exe

habe C:\qwere.exe mit ( Online malware scan ) untersucht und trojane gefunden und gelöscht. Mal gucken ob ich immernoch dieses Problem habe. ^^

nochdigger · 28.09.2007, 21:53

Hallo

mach bitte zuerst mal alle versteckten Dateien und Ordner sichtbar.

F-Secure Blacklight – Rootkitscanner:

* Scanne dein System mit F-Secure Blacklight
* Poste im Anschluss das Ergebnis des Reportes in dem du alles abkopierst und hier in einen Beitrag einfügst. (die Datei sollte auf C: angelegt werden.)

Silentrunners Logfile

-Lade dir das Tool -> Silentrunners
-Entpacke das Script in einen Ordner deiner Wahl
-Doppelklick auf -> Silent Runners -> Option Supplementary Searches auswählen
-System wird nun überprüft, nach Beendigung wird eine Log-Datei erstellt
(Dein Antiviren-Scanner könnte eine Meldung wegen „bösartigem Script“
erstellen, ignoriere dieses und arbeite weiter!)
-Dann öffne die Silent Runners xxx.txt mit einem Editor und kopiere den gesamten Inhalt ab und füge ihn in einen Beitrag ein.
(Strg+A markieren -> Strg+C kopieren -> Strg+V einfügen)

Dann lasse diese Datei(en) :
C:\k3d3t4t8n7l8.exe
C:\qwere.exe
C:\WINDOWS\usnsvc.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\ftp.exe
hier Virustotal
hier VirSCAN.org - The Multi-Engine Virus Scanner v1.00 Beta,Support 33 AntiVirus Engine, Last Update(070917)
oder hier Jotti
überprüfen (kann einige Minuten dauern),
poste die Ergebnisse mit der Angabe der größe der hochgeladenen Datei sowie die MD5 und SHA1 Angaben,
bitte auch wenn nichts gefunden wurde.

MFG

Skywal · 28.09.2007, 22:12

Service load: 0% 100%

File: k3d3t4t8n7l8.exe / qwere.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5: c9bd774208f266293c9cd2083b5e83fa
Packers detected: -
Bit9 reports:

Scanner results
Scan taken on 28 Sep 2007 21:06:15 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found MemScan:Trojan.Dialer.VUY
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

habe die jetzt aber gelöscht.

Ich kann auch die folgenden Dateien nicht finden!?
C:\WINDOWS\usnsvc.exe
C:\WINDOWS\system32\tftp.exe
C:\WINDOWS\system32\ftp.exe

nochdigger · 28.09.2007, 22:25

Hallo

Hm

, ok dann fahre fort mit Blacklight und Silentrunners.

MFG

Skywal · 29.09.2007, 16:40

BLACKLIGHt:
09/29/07 17:21:02 [Info]: BlackLight Engine 1.0.64 initialized
09/29/07 17:21:02 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/29/07 17:21:04 [Note]: 7019 4
09/29/07 17:21:04 [Note]: 7005 0
09/29/07 17:21:12 [Note]: 7006 0
09/29/07 17:21:12 [Note]: 7011 1748
09/29/07 17:21:12 [Note]: 7026 0
09/29/07 17:21:13 [Note]: 7026 0
09/29/07 17:21:17 [Note]: FSRAW library version 1.7.1022
09/29/07 17:27:35 [Info]: Hidden file: c:\WINDOWS\system32\dfrcache.dll
09/29/07 17:27:35 [Note]: 7002 0
09/29/07 17:27:35 [Note]: 7003 1
09/29/07 17:27:35 [Note]: 10002 1
09/29/07 17:27:37 [Info]: Hidden file: c:\WINDOWS\system32\MFPLAT32.dll
09/29/07 17:27:37 [Note]: 7002 0
09/29/07 17:27:37 [Note]: 7003 1
09/29/07 17:27:37 [Note]: 10002 1
09/29/07 17:27:49 [Info]: Hidden file: c:\WINDOWS\system32\spressvr.exe
09/29/07 17:27:49 [Note]: 7002 0
09/29/07 17:27:49 [Note]: 7003 1
09/29/07 17:27:49 [Note]: 10002 1
09/29/07 17:28:11 [Info]: Hidden file: c:\WINDOWS\system32\drivers\imapint.sys
09/29/07 17:28:11 [Note]: 7002 0
09/29/07 17:28:11 [Note]: 7003 1
09/29/07 17:28:11 [Note]: 10002 1
09/29/07 17:28:12 [Info]: Hidden file: c:\WINDOWS\system32\drivers\LVUSBSex.sys
09/29/07 17:28:12 [Note]: 7002 0
09/29/07 17:28:12 [Note]: 7003 1
09/29/07 17:28:12 [Note]: 10002 1
09/29/07 17:28:12 [Info]: Hidden file: c:\WINDOWS\system32\drivers\bth2k.sys
09/29/07 17:28:12 [Note]: 7002 0
09/29/07 17:28:12 [Note]: 7003 1
09/29/07 17:28:12 [Note]: 10002 1
09/29/07 17:32:36 [Note]: 7007 0

SILTENRUNNERS:

"Silent Runners.vbs", revision 52, Silent Runners - Adware? Disinfect, don't reformat!
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe" boot" ["Logitech Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"Steam" = ""f:\valve\steam\steam.exe" -silent" ["Valve Corporation"]
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"ALi5289" = "C:\Program Files\ULI5289\ALi5289.exe" ["ALi Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe " ["Logitech Inc."]
"LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"CmPCIaudio" = "RunDll32 cmicnfg3.cpl,CMICtrlWnd" [MS]

"usnsvc.exe" = "C:\WINDOWS\usnsvc.exe" [null data]
Dieser File macht mich sehr Verdächtig, [null data] ? kann die Datei nicht finden wenn ich sie mit
Jotti untersuchen will, weiss jemand wie?

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
"{ABC70703-32AF-11d4-90C4-D483A70F4825}" = "CMenuExtender"
-> {HKLM...CLSID} = "CMenuExtender"
\InProcServer32\(Default) = "C:\Documents and Settings\User\Desktop\New Folder (2)\Vista Inspirat 2\iColorFolder\CMExt.dll" [file not found]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Meine freigegebenen Ordner"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
CMenuExtender\(Default) = "{ABC70703-32AF-11d4-90C4-D483A70F4825}"
-> {HKLM...CLSID} = "CMenuExtender"
\InProcServer32\(Default) = "C:\Documents and Settings\User\Desktop\New Folder (2)\Vista Inspirat 2\iColorFolder\CMExt.dll" [file not found]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "User" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Workspace Macro Pro Hotkeys" -> shortcut to: "C:\Program Files\Workspace Macro Pro 6.5\WMPHotkeys.exe" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {HKLM...CLSID} = "McAfee VirusScan"
\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Mobilen Favoriten erstellen"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\INetRepl.dll" [MS]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Program Files\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

---------- (launch time: 2007-09-29 17:37:18)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 63 seconds.
---------- (total run time: 116 seconds)

Skywal · 29.09.2007, 16:57

Hier habe ich was gefunden, sieht aus als wäre die Datei infiziert.
Ich kann sie nicht löschen, und komischer weise sehe ich sie auch nicht
im Task Manager, was soll ich machen?

File: ftp.exe
Status: INFECTED/MALWARE
MD5: 22efd0214705ad441cc32755d02b69b0
Packers detected: -
Bit9 reports: Not analyzed yet (more info)

Scanner results
Scan taken on 29 Sep 2007 15:49:19 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Generic_c.KR
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

don_night · 02.10.2007, 20:14

so habe dass selbe problem was nu???

[edit]
bitte eröffne, wie jeder andere hier auch, für dein problem einen eigenen beitrag
nur so wird sichergestellt, das jedem user übersichtlich und individuell geholfen werden kann

danke
GUA
[/edit]

nochdigger · 03.10.2007, 09:00

Hallo

@Skywal lass Blacklight nochmal laufen und nutze nun die - Rename - Funktion, wenn die Dateien umbenannt sind wirst du diese finden können und kannst sie hier Virustotal
hier VirSCAN.org - The Multi-Engine Virus Scanner v1.00 Beta,Support 33 AntiVirus Engine, Last Update(070917)
oder hier Jotti
überprüfen lassen (kann einige Minuten dauern), poste die Ergebnisse mit der Angabe der größe der hochgeladenen Datei sowie die MD5 und SHA1 Angaben,
bitte auch wenn nichts gefunden wurde.

MFG

Skywal · 03.10.2007, 11:18

ehmm. srry aber mein Blacklight ist jetzt expired!?
gibt es vielleicht ein ähnliches Programm wie Blacklight?

nochdigger · 03.10.2007, 15:38

Hallo

Zitat:

ehmm. srry aber mein Blacklight ist jetzt expired!?

Ist mir beim lesen eines anderen Beitrages auch eingefallen

Du bekommst es aber zum laufen, wenn du im Bios den Monat von Oktober auf September zurücksetzt, gerade ausprobiert

Zitat:

gibt es vielleicht ein ähnliches Programm wie Blacklight?

'ne ganze Menge
GMER - Files
Download: Sophos Anti-Rootkit - PC-WELT
Download: McAfee Rootkit Detective - PC-WELT
http://download.bitdefender.com/wind...tkit-BETA2.exe
wobei ich diese Tools, mit Ausnahme von Sophos, noch nicht laufen hatte, es wäre allerdings interessant zu sehen was diese Programme entdecken.

MFG

HiJackThis Log-File : Keylogger/Trojan

Log-Analyse und Auswertung: HiJackThis Log-File : Keylogger/Trojan