Ich hab da mal nen Wurm

Bonbonauswurst · 09.10.2007, 12:32

Hallo ,

kann sich mal jemand von euch das log file anschauen ? Sowohl Symantec als auch Avira Anti Vir melden mir ständig einen W32 Befall , können das Problem aber wohl nicht lösen.
Schon mal vielen Dank im Voraus

Tom

Logfile of HijackThis v1.99.1
Scan saved at 13:05:55, on 09.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINNT\system32\ccsrvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\WINNT\system32\DWRCS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\altiris\CARBON~1\client.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\system32\DWRCST.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Altiris\AClient\AClntUsr.EXE
C:\WINNT\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
D:\Documents and Settings\a\Local Settings\Application Data\Meinungsstudie\PanelApp\PanelApp.exe
C:\Program Files\Winzip\WZQKPICK.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Notes\NLNOTES.EXE
C:\Program Files\Notes\ntaskldr.EXE
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
d:\Documents and Settings\aziwest\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://w3.ag.eu.jci.com/portal
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://w3.ag.eu.jci.com/portal
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Johnson Controls
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = h**p://autoproxy.eu.jci.com:8080
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Bho Class - {AB37CD3D-DC1D-46b2-ADCA-3CDC80FD2AD6} - D:\Documents and Settings\az\Local Settings\Application Data\Meinungsstudie\PanelApp\PanelApp_0600.2007.0517.1434.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [Hostname Manager Server] C:\WINNT\system32\inetsrv\host32srv.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Hostname Manager Server] C:\WINNT\system32\inetsrv\host32srv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PanelApp] D:\Documents and Settings\at\Local Settings\Application Data\Meinungsstudie\PanelApp\PanelApp.exe
O4 - HKCU\..\Run: [Hostname Manager Server] C:\WINNT\system32\inetsrv\host32srv.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\Winzip\WZQKPICK.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=h**p://w3.ag.eu.jci.com/portal
O16 - DPF: Sametime Meeting Room Client ST31 - h**p://jdebuss1.eu.jci.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - h**p://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - h**p://www.cult3d.com/download/cult.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - h**ps://adebuns11.eu.jci.com/iNotes6W.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - h**p://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123666061665
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - h**p://jdebuss1.eu.jci.com/sametime/STMeetingRoomClient/STJNILoader.cab
O16 - DPF: {8B123450-3855-4BA9-9CCE-488400DA054E} (SceneGraphControl Class) - h**p://www.yourgeo.de/plugin/AthensX.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - h**p://download.progress.com/open/products/91e/isetup.cab
O16 - DPF: {9B935470-AD4A-11D5-B63E-00C04FAEDB18} - h**p://a700s098.ag.eu.jci.com:8000/jinitiator/oajinit.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ag.eu.jci.com
O17 - HKLM\Software\..\Telephony: DomainName = ag.eu.jci.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ag.eu.jci.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ag.eu.jci.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\Altiris\AClient\AClient.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINNT\system32\ccsrvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\system32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PanelSvc - Unknown owner - C:\Program Files\Meinungsstudie\PanelApp\PanelSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe[/SIZE][/SIZE]

Cleriker · 09.10.2007, 15:39

Hi Bonbon und

Herzlich Willkommen im Trojaner-Board

in deinem Logfile kann ich keinen Wurm entdecken. Poste bitte,
wenn möglich, den Namen und Pfad des Schädlings.

Desweiteren . . .
* MWAV (eScan) - Free Antivirus
1. Lies dir folgende Anleitung genau durch und arbeite sie ab
-> Anleitung eScan
2. Poste im Anschluss das Ergebnis mit Hilfe der *find.bat'.
(rechte Maustaste auf den LINK 'find.bat' , dann "Ziel Speichern unter" -> Desktop)

mfg Cleriker

Bonbonauswurst · 09.10.2007, 15:57

Hallo Cleriker ,

zuallererstmal danke für die Hilfe und für die freundliche Begrüssung.
Ich hab hier erstmal einen Fund von Avira.

In der Datei 'D:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\APQ180.tmp'
wurde ein Virus oder unerwünschtes Programm 'Worm/Rbot.168448.6' [WORM/Rbot.168448.6] gefunden.
Ausgeführte Aktion: Datei löschen

und hier eine Datei von Symantec
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Risk: W32.Spybot.Worm
File: D:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVGUARD_470de663\AV00000100$000001b2.AV$
Location: Unknown Storage
Computer: A-700WV73
User: JCASGBUR\SYSTEM
Action taken: Cleaned by Deletion
Date found: Dienstag, 9. Oktober 2007 16:58:16

Heisst das eventuell dass die beiden Programme die Reste des Wurms in den jeweils anderen logfiles finden und sich daher ständig melden ?

Wäre ja die schönste Lösung :-)

Tom

cosinus · 09.10.2007, 16:24

Zitat:

Heisst das eventuell dass die beiden Programme die Reste des Wurms in den jeweils anderen logfiles finden und sich daher ständig melden ?

Hattest du bereits einen Rbot-Befall und diesen Schädling versucht zu entfernen? Wird oder wurde der dir noch woanders gemeldet?

Du solltest nur einen aktiven Virenscanner mit Wächter verwenden um solche Konflikte mit den Meldungen, wie du sie grade bekommen hast, zu vermeiden.
Acker mal escan wie von Cleriker empfohlen ab.

nochdigger · 09.10.2007, 17:07

Moin allerseits,

evtl. mal diese Datei :
C:\WINNT\system32\inetsrv\host32srv.exe
hier Virustotal
hier VirSCAN.org - The Multi-Engine Virus Scanner v1.00 Beta,Support 34 AntiVirus Engine, Last Update(071008)
oder hier Jotti
überprüfen (kann einige Minuten dauern),
poste die Ergebnisse mit der Angabe der größe der hochgeladenen Datei sowie die MD5 und SHA1 Angaben,
bitte auch wenn nichts gefunden wurde.

Und bei den Funden von Avira sollte man eigentlich nicht lang fackeln.

MFG

Bonbonauswurst · 09.10.2007, 17:32

Hallo Nochdigger ,

die Datei kann ich unter diesem Pfad nicht finden....

Tom

nochdigger · 09.10.2007, 18:01

Hallo

Hast du vorher alle versteckten Dateien und Ordner sichtbar gemacht?

MFG

Bonbonauswurst · 09.10.2007, 18:30

Yep , ist aber trotzdem nicht da

nochdigger · 09.10.2007, 18:57

Hallo

Zitat:

Zitat von cosinus

Hattest du bereits einen Rbot-Befall und diesen Schädling versucht zu entfernen? Wird oder wurde der dir noch woanders gemeldet?

Wäre intressant zu wissen...

Zitat:

Zitat von cosinus

Acker mal escan wie von Cleriker empfohlen ab.

Mach das mal und eine Überprüfung mit

Silentrunners Logfile

-Lade dir das Tool -> Silentrunners
-Entpacke das Script in einen Ordner deiner Wahl
-Doppelklick auf -> Silent Runners -> Option Supplementary Searches auswählen
-System wird nun überprüft, nach Beendigung wird eine Log-Datei erstellt
(Dein Antiviren-Scanner könnte eine Meldung wegen „bösartigem Script“
erstellen, ignoriere dieses und arbeite weiter!)
-Dann öffne die Silent Runners xxx.txt mit einem Editor und kopiere den gesamten Inhalt ab und füge ihn in einen Beitrag ein.
(Strg+A markieren -> Strg+C kopieren -> Strg+V einfügen)

MFG

Bonbonauswurst · 10.10.2007, 08:47

Guten Morgen Nochdigger ,

hier ist das Ergebnis von silentrun:

"Silent Runners.vbs", revision 52, http://***.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"1" = "MsiExec /fusm {F51B4BC2-FD89-453A-814D-17ADF4E59314} /qn" [MS]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINNT\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]
"PanelApp" = "D:\Documents and Settings\a***t\Local Settings\Application Data\Meinungsstudie\PanelApp\PanelApp.exe" [null data]
"Hostname Manager Server" = "C:\WINNT\system32\inetsrv\host32srv.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"eabconfg.cpl" = "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]
"AClntUsr" = "C:\Program Files\Altiris\AClient\AClntUsr.EXE" [empty string]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"AeXAgentLogon" = "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon" ["Altiris, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Synchronization Manager" = "C:\WINNT\system32\mobsync.exe /logon"
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~2\VPTray.exe" ["Symantec Corporation"]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup" ["Nokia"]
"Hostname Manager Server" = "C:\WINNT\system32\inetsrv\host32srv.exe" [file not found]
"avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINNT\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{AB37CD3D-DC1D-46b2-ADCA-3CDC80FD2AD6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Bho Class"
\InProcServer32\(Default) = "D:\Documents and Settings\a***t\Local Settings\Application Data\Meinungsstudie\PanelApp\PanelApp_0600.2007.0517.1434.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{B8A03725-03B9-485F-BB22-E848799D4C2A}" = "DummyIconOverlay"
-> {HKLM...CLSID} = "DummyIconOverlay Class"
\InProcServer32\(Default) = "D:\Documents and Settings\a***t\Local Settings\Application Data\Meinungsstudie\PanelApp\PanelApp_0600.2007.0517.1434.dll" [null data]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINNT\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> NavLogon\DLLName = "C:\WINNT\system32\NavLogon.dll" ["Symantec Corporation"]

HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup\0\
DisplayName = "A-700-SAVComputerStartupScript"
0\ -> launches: "\\ag.eu.jci.com\netlogon\SAVRollout\ConnectSAVClient.vbs" [** WMI GetObject error **]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"DisallowRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSMBalloonTip" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoSimpleStartMenu" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoAutoTrayNotify" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoTaskGrouping" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoInstrumentation" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"Intellimenus" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ForceStartMenuLogOff" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoUserNameInStartMenu" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoWelcomeScreen" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoThumbnailCache" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoCDBurning" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoAutoUpdate" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|System|
Windows Automatic Updates}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoWelcomeScreen" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"SetVisualStyle" = (REG_SZ) (empty string)
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"RunStartupScriptSync" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\

"DisableSR" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Administrative Templates|System|System Restore|
Turn off System Restore}

"DisableConfig" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Administrative Templates|System|System Restore|
Turn off Configuration}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINNT\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "d:\Documents and Settings\a***t\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\System32\THESIM~1.SCR" (The Simpsons Movie.scr) ["ScreenTime Media"]

Vielen dank

Tom

Cleriker · 10.10.2007, 09:08

Morgen,

oooouuuch

Volltreffer:

Zitat:

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINNT\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

Ich weiß nicht, ob es überhaupt der Schädling war, den du meintest, aber

shmgrate.exe > Trojan.W32.GASTER

Zitat:

Shmgrate.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. It is a registered security risk and should be removed immediately.

Damit ist jedwillige Bereinigung sinnfrei und du solltest dein
Rechner nach Anleitung neu Aufsetzen und alle Logindaten,
(Ebay, Online-Banking, usw.) ändern.

* System neu aufsetzen mit anschließender Absicherung

mfg Cleriker