TR/Dldr.ConHook.Gen unsterblich?

Kirsche · 10.10.2007, 13:50

Hallo Leute,
habe mit TR/Dldr.ConHook.Gen Trojaner schon seit 3 Tagen das Vergnügen, diese Forum nach artverwandten Leiden durchforstet und alle Gegenmaßnahmen ausprobiert.Ohne Erfolg.
Die befallene Datei liegt immer im system32 Verzeichnis, ändert allerdings immer den Namen und ist selbst mit deaktivierten Ordneransichtoptionen nicht sichtbar. Habe ein Hijackthis.log (Hijackthis.exe umbenannt) erstellt und schon im Forum negativ bekannte Dienste im abgesicherten Modus gefixt.
CleanUP! findet ständig neue temporäre Dateien, auch dieses App verwende ich seitdem öfters.

Mich wundert das die Beiträge im Forum zu besagtem Thema schon ein paar Monate alt sind und sich die Mods heute mit anderen Sachen herumplagen. Mein Rechner bekommt die neuesten Updates (WIN XP Prof SP2 (WinNT 5.01.2600)) und ich halte auch mein Antivir täglich auf dem neuesten Stand, lade nix herunter und öffne auch keinen SPAM.
Antivir springt bei Befall an, findet beim Systemscan aber nichts.Hinter der Meldung des TR/Dldr.ConHook.Gen steht noch eine zweite Meldung über eine befallene Datei css[4]1 (ohne Dateierweiterung)

Vielen Dank für eure Mühe, LG Kirsche

Hier das log:

Zitat:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:37:21, on 10.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Analog Devices\SoundMAX\Smax4.exe
C:\Programme\Analog Devices\Core\smax4pnp.exe
C:\Programme\ASUS\AASP\1.00.23\aaCenter.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programme\ASUS\AI Suite\AiNap\AiNap.exe
C:\Programme\Java\jre1.5.0_03\bin\jusched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe
C:\Programme\Hawking\HWU8DD\HWU8DD.exe
C:\WINDOWS\system32\zstatus.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Internet Explorer\iexplore.exe
E:\Download\This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Google
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Google
O4 - HKLM\..\Run: [SoundMAX] "C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AsusServiceProvider] C:\Programme\ASUS\AASP\1.00.23\aaCenter.exe
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Programme\ASUS\AASP\1.00.23\AsRunHelp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Programme\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Programme\ASUS\AI Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe" autostart
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Programme\CleanUp!\Cleanup.exe /WindowsRestart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Hawking Wireless Utility.lnk = C:\Programme\Hawking\HWU8DD\HWU8DD.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ndows-i586.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5367CFFD-DA48-4461-9451-35940F495FB9}: NameServer = 139.30.8.7 139.30.8.8
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe

--
End of file - 6056 bytes

cosinus · 10.10.2007, 16:50

Hallo.

Im HJT-Logfile seh ich keine Schädlinge.
Führ mal bitte folgende Tools bzw. Anleitungen aus und poste die Logfiles:

- eScan
- Silentrunners

Und mach bitte ein Filelist:

1. Lade das filelist.zip auf deinen Desktop herunter.
2. Entpacke die Zip-Datei auf deinen Desktop (z.B. mit WINZIP), öffne die nun auf deinem Destop vorhandene filelist.bat mit einem Doppelklick auf die Datei
3. Dein Editor (Textverarbeitungsprogramm) wird sich öffnen
4. Markiere von diesem Inhalt aus jedem Verzeichnis jeweils die letzten 30 Tage, wähle kopieren, füge diese Dateien in deinem nächsten Beitrag ein.

Dies sind die Verzeichnisse von denen wir jeweils die letzten 30 Tage sehen wollen:
Verzeichnis von C:\
Verzeichnis von C:\WINDOWS\system32
Verzeichnis von C:\WINDOWS
Verzeichnis von C:\WINDOWS\Prefetch (Windows XP)
Verzeichnis von C:\WINDOWS\tasks
Verzeichnis von C:\WINDOWS\Temp
Verzeichnis von C:\DOCUME~1\Name\LOCALS~1\Temp

Kirsche · 11.10.2007, 12:20

Hallo cosinus,
anbei die Ergebnisse des eScans:

eScan:

Zitat:

Wed Oct 10 15:37:15 2007 => **********************************************************
Wed Oct 10 15:37:15 2007 => eScan AntiVirus Toolkit Utility.
Wed Oct 10 15:37:15 2007 => Copyright (c) MicroWorld
Wed Oct 10 15:37:15 2007 => **********************************************************
Wed Oct 10 15:37:15 2007 => Source: C:\DOKUME~1\ASUSP5~1\Desktop\mwav.exe
Wed Oct 10 15:37:15 2007 => Version 9.4.6
Wed Oct 10 15:37:15 2007 => Protokolldatei: C:\DOKUME~1\ASUSP5~1\LOKALE~1\Temp\MWAV.LOG
Wed Oct 10 15:37:15 2007 => MWAV Registered: FALSE.
Wed Oct 10 15:37:15 2007 => User Account: Asus P5B (Administrator Mode)
Wed Oct 10 15:37:15 2007 => OS Type: Windows Workstation
Wed Oct 10 15:37:15 2007 => OS: Windows XP
Wed Oct 10 15:37:15 2007 => Ver: Service Pack 2 (Build 2600)
Wed Oct 10 15:37:15 2007 => Windows Root Folder: C:\WINDOWS
Wed Oct 10 15:37:15 2007 => Windows Sys32 Folder: C:\WINDOWS\system32
Wed Oct 10 15:37:15 2007 => DHCP NameServer: 139.30.8.7 139.30.8.153 139.30.8.8
Wed Oct 10 15:37:15 2007 => Interface0 NameServer: 139.30.8.7 139.30.8.8
Wed Oct 10 15:37:15 2007 => Interface0 DHCPNameServer: 139.30.8.7 139.30.8.153 139.30.8.8
Wed Oct 10 15:37:15 2007 => Local Fixed Drives: c:\,e:\
Wed Oct 10 15:37:15 2007 => MWAV Mode: Only Scan files.

Wed Oct 10 15:37:15 2007 => ********** Files created/modified in last fortnight in Windows Folder **********
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\apptune.exe (90112), 25-Sep-2007, Zenographics, Zenographics apptune
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\apptune.ini (271), 25-Sep-2007
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\Ascd_tmp.ini (15213), 25-Sep-2007
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\IsUn0407.exe (312323), 25-Sep-2007, InstallShield Software Corporation , InstallShield® Deinstaller
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\NeroDigital.ini (49), 26-Sep-2007
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\win.ini (582), 24-Sep-2007
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\WININIT.INI (10), 09-Oct-2007
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\ati2sgag.exe (593920), 09-Oct-2007, ATI Smart
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\BASSMOD.dll (34308), 26-Sep-2007
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\byxyayy.dll (35840), 07-Oct-2007
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\D3DCompiler_33.dll (1123696), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\D3DCompiler_34.dll (1124720), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\D3DCompiler_35.dll (1358192), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx10_33.dll (443752), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx10_34.dll (443752), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx10_35.dll (444776), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_24.dll (2222800), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_25.dll (2337488), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_26.dll (2297552), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_27.dll (2319568), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_28.dll (2323664), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_29.dll (2332368), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_30.dll (2388176), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_31.dll (2414360), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_32.dll (3426072), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_33.dll (3495784), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_34.dll (3497832), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\d3dx9_35.dll (3727720), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\HP3300T.dll (81920), 25-Sep-2007, Hewlett Packard, Hewlett Packard Hp3300t
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\Hp3300u.dll (57344), 25-Sep-2007, Hewlett-Packard Company, Hewlett-Packard Hp3300u
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\hpflash1.exe (900388), 25-Sep-2007, Macromedia, Inc., Flash 5.0
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\hpgt33.dll (89088), 25-Sep-2007, HP3300 Module
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\hpgt33tk.dll (48128), 25-Sep-2007, Microsoft Corporation, Microsoft® Windows® Operating System
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\hpgtmcro.dll (32768), 25-Sep-2007, Microsoft Corporation, Microsoft® Windows® Operating System
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\hpsjrreg.exe (49152), 25-Sep-2007, Hewlett-Packard, HPSJRREG (REG32.DLL ACCESS)
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\hpsjvset.dll (106496), 25-Sep-2007, Hewlett-Packard, Hewlett Packard ScanJet VendorSetup Extension Dynamic Link Library
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\IMF32.DLL (12288), 25-Sep-2007, Zenographics, Inc., Zenographics SuperPrint
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\ipeapi12.dll (77824), 25-Sep-2007, Hewlett-Packard Company, IPEAPI Dynamic Link Library
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\ipebase12.dll (331776), 25-Sep-2007, Hewlett-Packard Company, IPEBASE Dynamic Link Library
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\ipeistor12.dll (659456), 25-Sep-2007, Hewlett-Packard Company, IPEISTOR Dynamic Link Library
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\isutil.dll (233525), 25-Sep-2007
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\java.exe (49248), 26-Sep-2007, Sun Microsystems, Inc., Java(TM) 2 Platform Standard Edition 5.0 Update 3
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\javaw.exe (49250), 26-Sep-2007, Sun Microsystems, Inc., Java(TM) 2 Platform Standard Edition 5.0 Update 3
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\javaws.exe (127078), 26-Sep-2007, Sun Microsystems, Inc., Java(TM) 2 Platform Standard Edition 5.0 Update 3
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\jpicpl32.cpl (49265), 26-Sep-2007, Sun Microsystems, Inc., Java(TM) 2 Platform Standard Edition 5.0 Update 3
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\lfbmp70n.dll (24576), 25-Sep-2007, LEAD Technologies, Inc., LEADTOOLS® DLL for Win32
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\LFCMP70n.DLL (224768), 25-Sep-2007, LEAD Technologies, Inc., LEADTOOLS® DLL for Win32
Wed Oct 10 15:37:15 2007 => C:\WINDOWS\system32\lffax70n.dll (55808), 25-Sep-2007, LEAD Technologies, Inc., LEADTOOLS® DLL for Win32
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\Lffpx7.dll (306688), 25-Sep-2007, Reference Implementation
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\lffpx70n.dll (35328), 25-Sep-2007, LEAD Technologies, Inc., LEADTOOLS® DLL for Win32
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\lfgif70n.dll (32768), 25-Sep-2007, LEAD Technologies, Inc., LEADTOOLS® DLL for Win32
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\Lfkodak.dll (95232), 25-Sep-2007
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\lfpcx70n.dll (24576), 25-Sep-2007, LEAD Technologies, Inc., LEADTOOLS® DLL for Win32
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\lfpng70n.dll (111104), 25-Sep-2007, LEAD Technologies, Inc., LEADTOOLS® DLL for Win32
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\lftif70n.dll (93184), 25-Sep-2007, LEAD Technologies, Inc., LEADTOOLS® DLL for Win32
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\ltfil70n.DLL (55296), 25-Sep-2007, LEAD Technologies, Inc., LEADTOOLS® DLL for Win32
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\ltkrn70n.dll (350208), 25-Sep-2007, LEAD Technologies, Inc., LEADTOOLS® DLL for Win32
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\MRT.exe (18089592), 28-Sep-2007, Microsoft Corporation, Microsoft Windows-Tool zum Entfernen bösartiger Software
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\pcldll6l.dll (1941504), 25-Sep-2007, Hewlett-Packard Corp., Agilent pcldll6l
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\PerfStringBackup.INI (1030154), 08-Oct-2007
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\reg32.dll (32768), 25-Sep-2007, Hewlett-Packard, GHC, Hewlett-Packard, GHC reg32
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\Sd32.dll (71168), 25-Sep-2007, Zenographics, Inc., SuperPrint
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\SDhp1000.DLL (151552), 25-Sep-2007, Hewlett-Packard Company, hp LaserJet 1000 Series
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\spmsg.dll (14640), 24-Sep-2007, Microsoft Corporation, Microsoft® Windows® Operating System
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\spmsg2.dll (14048), 24-Sep-2007, Microsoft Corporation, Microsoft® Windows® Operating System
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\ssqpn.dll (32440), 08-Oct-2007
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\vsetup.dll (229376), 25-Sep-2007, Zenographics, Zenographics vsetup
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\wiafbdrv.dll (87040), 25-Sep-2007, Microsoft Corporation, Betriebssystem Microsoft® Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\x3daudio1_0.dll (14032), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\x3daudio1_1.dll (15128), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\x3daudio1_2.dll (18280), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xactengine2_0.dll (230096), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xactengine2_1.dll (229584), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xactengine2_2.dll (230168), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xactengine2_3.dll (236824), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xactengine2_4.dll (237848), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xactengine2_5.dll (251672), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xactengine2_6.dll (255848), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xactengine2_7.dll (261480), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xactengine2_8.dll (266088), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xactengine2_9.dll (267112), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xinput1_1.dll (62672), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xinput1_2.dll (62744), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xinput1_3.dll (81768), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xinput9_1_0.dll (61136), 25-Sep-2007, Microsoft Corporation, Microsoft® DirectX for Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xmllite.dll (121856), 24-Sep-2007, Microsoft Corporation, Microsoft XML Core Services
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\xpsp3res.dll (373760), 24-Sep-2007, Microsoft Corporation, Betriebssystem Microsoft® Windows®
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\ZGDI32.DLL (23552), 25-Sep-2007, Zenographics, Inc., SuperPrint
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\Zlang.dll (49152), 25-Sep-2007, Zenographics, Inc., Zenographics, Inc. Zlang
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\zlm.dll (28672), 25-Sep-2007, Zenographics, Inc., Zenographics SuperPrint
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\zlmhp1.dll (77824), 25-Sep-2007, Zenographics, Zenographics HP1
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\zPJL.dll (54784), 25-Sep-2007, Zenographics, Inc., Zenographics, Inc. zPJL
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\zpp.dll (45056), 25-Sep-2007, Zenographics, Inc., Zenographics PPrint
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\zpppcl.dll (36864), 25-Sep-2007, Zenographics, Inc., Zenographics ZPPPCL
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\ZSHP1000.dll (73728), 25-Sep-2007, Zenographics, Zenographics zstatus
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\ZShp1000.hlp (7349), 25-Sep-2007
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\ZSPOOL.DLL (86016), 25-Sep-2007, Zenographics, Inc., SuperPrint
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\zstatus.exe (36864), 25-Sep-2007, Zenographics, Zenographics zstatus
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\ZTAG32.DLL (19456), 25-Sep-2007, Zenographics, Inc., Zenographics ZTag32
Wed Oct 10 15:37:16 2007 => C:\WINDOWS\system32\ZUNINST.EXE (147456), 25-Sep-2007, Zenographics, Zenographics UnPrn
Wed Oct 10 15:37:16 2007 => ************************************************************************************

Kirsche · 11.10.2007, 12:21

SilentRunner:

Zitat:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"TuneUp MemOptimizer" = ""C:\Programme\TuneUp Utilities 2007\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMAX" = ""C:\Programme\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]
"JMB36X IDE Setup" = "C:\WINDOWS\JM\JMInsIDE.exe" [null data]
"JMB36X Configure" = "C:\WINDOWS\system32\JMRaidSetup.exe boot" ["JMicron Technology Corp."]
"SoundMAXPnP" = "C:\Programme\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"AsusServiceProvider" = "C:\Programme\ASUS\AASP\1.00.23\aaCenter.exe" [empty string]
"AsusStartupHelp" = "C:\Programme\ASUS\AASP\1.00.23\AsRunHelp.exe" [null data]
"GrooveMonitor" = ""C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"hp 1000 firmware" = "C:\Programme\hp LaserJet 1000\fwdl.exe" ["Zenographics"]
"Ai Nap" = ""C:\Programme\ASUS\AI Suite\AiNap\AiNap.exe"" [null data]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_03\bin\jusched.exe" ["Sun Microsystems, Inc."]
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
<<!>> "{C91D0A87-3744-445B-8A0E-29942831DC9C}" = "*i" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\byxyayy.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
\InProcServer32\(Default) = "C:\Programme\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Startup items in "Asus P5B" & "All Users" startup folders:
----------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Hawking Wireless Utility" -> shortcut to: "C:\Programme\Hawking\HWU8DD\HWU8DD.exe" [empty string]

Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Diskeeper, Diskeeper, ""C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpZJLanguageMonitor\Driver = "ZLMhp1.DLL" ["Zenographics"]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

---------- (launch time: 2007-10-10 23:58:03)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 17 seconds, including 6 seconds for message boxes)

Kirsche · 11.10.2007, 12:25

Jetzt die filelist der verschiedenen Verzeichnisse der letzten 30 Tage:

Zitat:

----- Root -----------------------------
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: C88C-B9F0

Verzeichnis von C:\

11.10.2007 12:22 2.145.386.496 pagefile.sys
11.10.2007 00:27 0 23990098.$$$
17.09.2007 12:59 211 boot.ini
17.09.2007 08:47 0 CONFIG.SYS
17.09.2007 08:47 0 AUTOEXEC.BAT
17.09.2007 08:47 0 MSDOS.SYS
17.09.2007 08:47 0 IO.SYS

----- System32 -------------------------
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: C88C-B9F0

Verzeichnis von C:\WINDOWS\system32

10.10.2007 01:03 2.260 tool_de[1].log
08.10.2007 14:23 79.370 perfc007.dat
08.10.2007 14:23 446.280 perfh007.dat
08.10.2007 14:23 67.220 perfc009.dat
08.10.2007 14:23 430.496 perfh009.dat
08.10.2007 14:23 1.030.154 PerfStringBackup.INI
08.10.2007 12:46 32.440 ssqpn.dll
07.10.2007 23:40 2.262 wpa.dbl
07.10.2007 23:34 35.840 byxyayy.dll
28.09.2007 07:19 18.089.592 MRT.exe
27.09.2007 00:36 34.308 BASSMOD.dll
26.09.2007 17:03 3.621 jupdate-1.5.0_03-b07.log
25.09.2007 13:13 16.832 amcompat.tlb
25.09.2007 13:13 23.392 nscompat.tlb
25.09.2007 08:03 269.392 FNTCACHE.DAT
25.09.2007 07:58 590 zhp1000.log
24.09.2007 23:27 128.998 TZLog.log
17.09.2007 15:45 0 h323log.txt
17.09.2007 13:03 288 $winnt$.inf
17.09.2007 13:00 488 logonui.exe.manifest
17.09.2007 13:00 488 WindowsLogon.manifest
17.09.2007 13:00 749 ncpa.cpl.manifest
17.09.2007 13:00 749 nwc.cpl.manifest
17.09.2007 13:00 749 sapi.cpl.manifest
17.09.2007 13:00 749 cdplayer.exe.manifest
17.09.2007 13:00 749 wuaucpl.cpl.manifest
17.09.2007 13:00 22.880 emptyregdb.dat
17.09.2007 08:47 2.951 CONFIG.NT

----- Prefetch -------------------------
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: C88C-B9F0

Verzeichnis von C:\WINDOWS\Prefetch

11.10.2007 12:34 11.092 REG.EXE-0D2A95F7.pf
11.10.2007 12:34 7.698 MORE.COM-32DCB7E4.pf
11.10.2007 12:33 16.744 NOTEPAD.EXE-336351A9.pf
11.10.2007 12:33 90.262 CMD.EXE-087B4001.pf
11.10.2007 12:33 11.402 FINDSTR.EXE-0CA6274B.pf
11.10.2007 12:32 93.540 WINRAR.EXE-3588DFE8.pf
11.10.2007 12:32 18.750 VERCLSID.EXE-3667BD89.pf
11.10.2007 12:32 12.428 RUNDLL32.EXE-451FC2C0.pf
11.10.2007 12:24 114.256 WUAUCLT.EXE-399A8E72.pf
11.10.2007 12:24 819.358 NTOSBOOT-B00DFAAD.pf
11.10.2007 00:02 18.000 LOGONUI.EXE-0AF22957.pf
10.10.2007 23:58 29.444 WSCRIPT.EXE-32960AB9.pf
10.10.2007 23:57 74.960 SHREDDER.EXE-250EB8B0.pf
10.10.2007 23:57 30.468 RUNDLL32.EXE-12A47085.pf
10.10.2007 23:57 14.454 RUNDLL32.EXE-298E8438.pf
10.10.2007 23:56 64.836 WMIPRVSE.EXE-28F301A9.pf
10.10.2007 23:52 60.630 SCANNINGPROCESS.EXE-02AFA340.pf
10.10.2007 23:52 39.638 MEXE.COM-04D2ED7C.pf
10.10.2007 23:52 15.240 MWAVL.EXE-351CE258.pf
10.10.2007 23:52 58.576 MWAV[1].EXE-16E6C795.pf
10.10.2007 23:46 90.304 IEXPLORE.EXE-2CA9778D.pf
10.10.2007 23:39 43.722 HELPSVC.EXE-2878DDA2.pf
10.10.2007 23:38 316.294 Layout.ini
10.10.2007 23:23 54.232 AVCENTER.EXE-324B1681.pf
10.10.2007 23:23 63.384 REGISTRYEDITOR.EXE-380BCD21.pf
10.10.2007 23:23 79.354 INTEGRATOR.EXE-3967D297.pf
10.10.2007 23:18 53.964 AVGNT.EXE-18356F59.pf
10.10.2007 23:18 14.064 REGSVR32.EXE-25EEFE2F.pf
10.10.2007 23:18 43.292 UPDATE.EXE-3A80F1D2.pf
10.10.2007 23:18 15.076 PREUPD.EXE-18CBCD87.pf
10.10.2007 18:44 17.860 DRWTSN32.EXE-2B4B52AC.pf
10.10.2007 18:44 15.300 DWWIN.EXE-30875ADC.pf
10.10.2007 18:44 23.238 DUMPREP.EXE-1B46F901.pf
10.10.2007 18:43 16.988 KAV7.0.0.125EN.EXE-1F4F2CBE.pf
10.10.2007 18:42 48.652 AVSCAN.EXE-0D0CD933.pf
10.10.2007 18:42 52.810 KAV7.0.0.125EN.EXE-15B8E045.pf
10.10.2007 18:41 54.700 GUARDGUI.EXE-3AFB6D88.pf
10.10.2007 17:40 42.796 AD-AWARE2007.EXE-1AE91ED3.pf
10.10.2007 17:27 59.854 THIS.EXE-247FA474.pf
10.10.2007 16:46 79.352 POSTAL2.EXE-2AD7E56D.pf
10.10.2007 16:44 66.504 SYSTEMOPTIMIZER.EXE-2D3174F1.pf
10.10.2007 16:44 86.520 REGISTRYCLEANER.EXE-17B6D63B.pf
10.10.2007 16:44 57.754 ONECLICKMAINTENANCE.EXE-05D14B98.pf
10.10.2007 15:26 65.248 AVNOTIFY.EXE-0B59FC42.pf
10.10.2007 15:21 86.364 SHREDDER.EXE-0C43FCDA.pf
10.10.2007 15:03 65.722 MSIMN.EXE-0B61806C.pf
10.10.2007 14:54 62.548 MSIEXEC.EXE-2F8A8CAE.pf
10.10.2007 13:57 98.878 CLEANUP.EXE-21B56F2B.pf
10.10.2007 13:56 26.874 RUNDLL32.EXE-4C49DF4E.pf
10.10.2007 13:54 75.370 DISKCLEANER.EXE-2A90711C.pf
10.10.2007 12:01 68.602 RUNDLL32.EXE-13404D23.pf
10.10.2007 00:38 38.164 SPYBOTSD.EXE-1D495A65.pf
09.10.2007 21:49 19.300 TASKMGR.EXE-20256C55.pf
09.10.2007 20:28 125.412 EXPLORER.EXE-082F38A9.pf
09.10.2007 12:19 66.146 CLI.EXE-02B0DB56.pf
55 Datei(en) 3.796.418 Bytes
0 Verzeichnis(se), 8.484.593.664 Bytes frei

----- Windows --------------------------
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: C88C-B9F0

Verzeichnis von C:\WINDOWS

11.10.2007 12:24 263 wiadebug.log
11.10.2007 12:23 1.404.039 WindowsUpdate.log
11.10.2007 12:22 0 0.log
11.10.2007 12:22 50 wiaservc.log
11.10.2007 12:22 2.048 bootstat.dat
11.10.2007 12:22 0 S427DE236.tmp
11.10.2007 00:04 26 Lic.xxx
11.10.2007 00:03 321.638 ntbtlog.txt
11.10.2007 00:02 32.118 SchedLgU.Txt
10.10.2007 16:25 604 win.ini
10.10.2007 11:25 1.393 imsins.BAK
10.10.2007 11:25 0 setupact.log
10.10.2007 11:25 0 setuperr.log
09.10.2007 20:50 1.080 AUTOLNCH.REG
09.10.2007 12:50 10 WININIT.INI
09.10.2007 10:43 3.401 windows.txt
26.09.2007 19:58 49 NeroDigital.ini
25.09.2007 20:59 63 as_tmp.txt
25.09.2007 18:03 583.607 P5B-1102.zip
25.09.2007 09:30 15.213 Ascd_tmp.ini
25.09.2007 00:47 316.640 WMSysPr9.prx
17.09.2007 13:09 15.251 Ascd_log.ini
17.09.2007 13:08 670 setup.iss
17.09.2007 13:01 4.161 ODBCINST.INI
17.09.2007 13:00 749 WindowsShell.Manifest
17.09.2007 12:54 231 system.ini
17.09.2007 12:39 596.054 setupapi.old
17.09.2007 12:36 0 AS_Debug.txt
17.09.2007 09:38 254 UPGRADE.TXT
17.09.2007 08:49 8.192 REGLOCS.OLD
17.09.2007 08:47 0 control.ini
17.09.2007 08:44 37 vbaddin.ini
17.09.2007 08:44 36 vb.ini
16.09.2007 22:45 0 Sti_Trace.log

----- Tasks ----------------------------
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: C88C-B9F0

Verzeichnis von C:\WINDOWS\tasks

11.10.2007 12:22 6 SA.DAT
09.10.2007 14:53 402 1-Klick-Wartung.job

----- Wintemp --------------------------
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: C88C-B9F0

Verzeichnis von C:\WINDOWS\temp

11.10.2007 12:22 16.384 Perflib_Perfdata_208.dat
10.10.2007 23:16 16.384 Perflib_Perfdata_1b8.dat
10.10.2007 17:38 16.384 Perflib_Perfdata_1c8.dat
10.10.2007 16:42 16.384 Perflib_Perfdata_1d0.dat
10.10.2007 13:19 16.384 Perflib_Perfdata_7cc.dat
5 Datei(en) 81.920 Bytes
0 Verzeichnis(se), 8.484.589.568 Bytes frei

----- Temp -----------------------------
Datentr„ger in Laufwerk C: ist System
Volumeseriennummer: C88C-B9F0

Verzeichnis von C:\DOKUME~1\ASUSP5~1\LOKALE~1\Temp

11.10.2007 12:34 111.510 filelist.txt
11.10.2007 12:22 16.384 Perflib_Perfdata_7a0.dat
11.10.2007 12:22 824 jusched.log
11.10.2007 04:28 12.873.202 MWAV.LOG
11.10.2007 04:28 196.200 sfdb.dat
11.10.2007 00:27 2.020.676 MWAVC.LOG
11.10.2007 00:27 79.649 mwXface.log
10.10.2007 16:25 619 Download.log
10.10.2007 16:25 0 filelist.lst
10.10.2007 16:25 360 EUpdate.ini
10.10.2007 16:25 0 download.lck
10.10.2007 15:37 626.688 msvcr80.dll
10.10.2007 15:37 548.864 msvcp80.dll
10.10.2007 15:37 241.664 MYDB.DLL
10.10.2007 14:54 462 MSI789fa.LOG
09.10.2007 17:57 728.535 Dir.sdb
09.10.2007 17:57 254.378 spydb.old
09.10.2007 17:57 161.770 Spyware.sdb
09.10.2007 17:57 1.271.953 Cid.sdb
09.10.2007 17:57 254.378 spydb.avs
09.10.2007 17:57 2.097.481 File1.sdb
09.10.2007 17:57 1.373.593 File2.sdb
09.10.2007 17:53 50.122 daily.avc
09.10.2007 17:53 27.776 avp.klb
09.10.2007 17:53 6.910 dailyc.avc
09.10.2007 17:53 943 daily-ec.avc
09.10.2007 13:08 2.226 daily-ex.avc
09.10.2007 13:08 2.226 daily-ex.avx
09.10.2007 12:42 430.656 mwavscan.com
09.10.2007 12:42 430.656 mexe.com
09.10.2007 12:22 167.936 esupdate.exe
09.10.2007 12:21 56.320 reload.exe
09.10.2007 12:19 43.520 setpriv.exe
09.10.2007 12:13 122.880 avpmhook.dll
09.10.2007 11:44 38.912 unregx.exe
09.10.2007 11:42 79.039 ca.avc
09.10.2007 11:42 3.864 avp_ext.set
09.10.2007 11:42 3.864 avp.set
09.10.2007 11:42 34.822 fa.avc
09.10.2007 11:42 3.864 avp_x.set
09.10.2007 11:42 21.293 gen005.avc
09.10.2007 11:42 25.854 ext009.avc
09.10.2007 11:42 48.257 unp037.avc
09.10.2007 11:42 40.706 unp031.avc
09.10.2007 11:42 38.328 unp020.avc
09.10.2007 11:42 53.207 unp015.avc
09.10.2007 11:42 64.894 unp016.avc
09.10.2007 11:42 75.991 unp007.avc
09.10.2007 11:42 55.741 unp006.avc
09.10.2007 11:42 50.368 base150.avc
09.10.2007 11:42 35.573 base154.avc
09.10.2007 11:42 23.526 unp000.avc
09.10.2007 11:42 47.952 base139.avc
09.10.2007 11:42 50.363 base142.avc
09.10.2007 11:42 49.821 base082.avc
09.10.2007 11:42 52.973 base095.avc
09.10.2007 11:42 49.237 base088.avc
09.10.2007 11:42 50.527 base081.avc
09.10.2007 11:42 49.254 base073.avc
09.10.2007 11:42 50.134 base056.avc
09.10.2007 11:42 49.605 base058.avc
09.10.2007 11:42 49.114 base055.avc
09.10.2007 11:42 49.350 base046.avc
09.10.2007 11:42 50.729 base051.avc
09.10.2007 11:42 49.495 base029.avc
09.10.2007 11:42 47.119 base028.avc
09.10.2007 11:42 47.736 base038.avc
09.10.2007 11:42 46.280 base027.avc
09.10.2007 11:42 50.160 base023.avc
09.10.2007 11:42 49.095 base018.avc
09.10.2007 11:42 49.086 base021.avc
09.10.2007 11:42 48.519 base017.avc
09.10.2007 11:42 48.622 base010.avc
09.10.2007 11:42 16.697 ext005c.avc
09.10.2007 11:42 28.731 base054c.avc
09.10.2007 11:42 50.044 base045c.avc
09.10.2007 11:42 14.252 fa001.avc
09.10.2007 11:42 36.796 krn004.avc
09.10.2007 11:42 43.401 krnengn.avc
09.10.2007 11:42 119.284 krnunp.avc
09.10.2007 11:40 1.949.696 msvl64.dll
09.10.2007 11:34 143.360 msvlclnt.dll
09.10.2007 11:30 44.608 Getvlist.exe
08.10.2007 21:00 204.935 phupdn.txt
08.10.2007 20:46 18.427 global.daz
08.10.2007 20:46 60.227 phupdn.txz
07.10.2007 21:50 108 D653F3EC.TMP
05.10.2007 10:03 23.168 unp039.avc
05.10.2007 10:03 48.943 unp030.avc
05.10.2007 10:03 49.509 unp027.avc
05.10.2007 10:03 40.004 unp026.avc
05.10.2007 10:03 63.799 unp023.avc
05.10.2007 10:03 42.088 unp022.avc
05.10.2007 10:03 61.564 unp019.avc
05.10.2007 10:03 51.264 unp005.avc
05.10.2007 10:03 53.936 unp003.avc
05.10.2007 10:03 25.758 unp004.avc
05.10.2007 10:03 68.103 unp002.avc
05.10.2007 10:03 49.964 base153.avc
05.10.2007 10:03 54.674 base144.avc
05.10.2007 10:03 50.103 base141.avc
05.10.2007 10:03 48.302 base014.avc
05.10.2007 10:03 50.444 base053c.avc
05.10.2007 10:03 50.000 base020c.avc
05.10.2007 10:03 50.098 base052c.avc
03.10.2007 12:33 90.996 Chinese.Age
03.10.2007 12:33 110.439 Icelandic.Age
03.10.2007 12:33 115.349 Polish.Age
03.10.2007 12:33 112.207 Finnish.Age
03.10.2007 12:33 116.504 French.Age
03.10.2007 12:33 115.397 Spanish.Age
03.10.2007 12:33 116.118 Spanishl.Age
03.10.2007 12:33 111.149 Romanian.Age
03.10.2007 12:33 124.130 Portuguese.Age
03.10.2007 12:33 122.760 Italian.Age
03.10.2007 12:33 125.547 language.ini
03.10.2007 12:33 125.547 German.Age
03.10.2007 10:17 48.583 unp038.avc
03.10.2007 10:17 42.214 unp032.avc
03.10.2007 10:17 48.701 unp033.avc
03.10.2007 10:17 52.451 unp011.avc
03.10.2007 10:17 46.589 unp001.avc
03.10.2007 10:17 50.002 base127.avc
03.10.2007 10:17 49.630 base068.avc
03.10.2007 10:17 49.994 base039c.avc
03.10.2007 10:17 103.182 krn005.avc
01.10.2007 17:55 50.365 base038c.avc
01.10.2007 17:55 50.529 base037c.avc
28.09.2007 10:04 55.805 unp014.avc
28.09.2007 10:04 50.576 base146.avc
28.09.2007 10:04 48.988 base030.avc
28.09.2007 10:04 49.550 base031.avc
28.09.2007 10:04 49.260 base022.avc
28.09.2007 10:04 48.258 base015.avc
25.09.2007 11:50 50.222 base152.avc
25.09.2007 11:50 49.814 ext004c.avc
25.09.2007 11:50 50.271 base051c.avc
25.09.2007 11:50 49.981 base050c.avc
25.09.2007 11:50 50.049 base049c.avc
21.09.2007 17:08 11.209 English.con
21.09.2007 14:17 4.225 Chinese.dow
21.09.2007 14:17 5.326 Icelandic.dow
21.09.2007 14:17 5.595 Finnish.dow
21.09.2007 14:17 6.227 Polish.dow
21.09.2007 14:17 6.105 French.dow
21.09.2007 14:17 5.757 Spanish.dow
21.09.2007 14:17 6.124 Spanishl.dow
21.09.2007 14:17 5.659 Romanian.dow
21.09.2007 14:17 6.048 Portuguese.dow
21.09.2007 14:17 5.681 Italian.dow
21.09.2007 14:17 5.812 German.dow
21.09.2007 14:17 5.812 Download.lan
20.09.2007 15:51 500.736 Download.exe
20.09.2007 15:51 5.316 English.dow
19.09.2007 15:14 49.931 base110.avc
17.09.2007 18:53 48.406 base016.avc
17.09.2007 18:31 15.148 German.con
17.09.2007 18:31 15.148 config.lan
17.09.2007 09:43 50.068 base151.avc
16.09.2007 17:22 50.286 base006c.avc
16.09.2007 12:17 732 esupd.ini
14.09.2007 17:18 51.867 English.Age
13.09.2007 20:29 385.024 MDownload.exe
13.09.2007 10:03 50.325 base012c.avc
11.09.2007 11:49 44.526 base048c.avc

Vielen Dank für die Mühe, vielleicht findest du ja was. Der eScan hatte 2 Viren aufgespürt allerdings waren die mit der Software nicht löschbar.

LG Kirsche

cosinus · 11.10.2007, 22:26

werte diese Dateien mal online bei Virusotal aus:

Code:

ATTFilter

C:\WINDOWS\system32\ssqpn.dll
C:\WINDOWS\system32\byxyayy.dll

Poste alle Ergebnisse inkl. Angaben zu Dateigrößen und Prüfsummen.

Code:

ATTFilter

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{C91D0A87-3744-445B-8A0E-29942831DC9C}

Diesen Schlüssel kannst du über regedit löschen.

Kirsche · 12.10.2007, 00:22

Hallo,
hier die Ergebnisse des Scans bei Virustotal, zuerst die Datei byxyayy.dll:

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2007.10.12.0 2007.10.11 -
AntiVir 7.6.0.20 2007.10.11 -
Authentium 4.93.8 2007.10.11 -
Avast 4.7.1051.0 2007.10.11 -
AVG 7.5.0.488 2007.10.11 Generic8.JOX
BitDefender 7.2 2007.10.12 -
CAT-QuickHeal 9.00 2007.10.11 -
ClamAV 0.91.2 2007.10.11 -
DrWeb 4.44.0.09170 2007.10.12 -
eSafe 7.0.15.0 2007.10.10 -
eTrust-Vet 31.2.5203 2007.10.11 -
Ewido 4.0 2007.10.11 -
FileAdvisor 1 2007.10.12 -
Fortinet 3.11.0.0 2007.10.11 -
F-Prot 4.3.2.48 2007.10.11 -
F-Secure 6.70.13030.0 2007.10.11 Vundo.gen42
Ikarus T3.1.1.12 2007.10.11 -
Kaspersky 7.0.0.125 2007.10.12 -
McAfee 5139 2007.10.11 -
Microsoft 1.2908 2007.10.12 -
NOD32v2 2586 2007.10.11 -
Norman 5.80.02 2007.10.11 Vundo.gen42
Panda 9.0.0.4 2007.10.11 -
Prevx1 V2 2007.10.12 SpywareQuake
Rising 19.44.32.00 2007.10.11 -
Sophos 4.22.0 2007.10.11 Virtumundo
Sunbelt 2.2.907.0 2007.10.11 -
Symantec 10 2007.10.12 -
TheHacker 6.2.8.086 2007.10.11 -
VBA32 3.12.2.4 2007.10.11 -
VirusBuster 4.3.26:9 2007.10.11 -
Webwasher-Gateway 6.0.1 2007.10.11 Win32.UPXpacked.gen (suspicious)
weitere Informationen
File size: 35840 bytes
MD5: 694cb931f4295da31a343116764f377e
SHA1: b718895ba550219d3c690ccc5c8003447011c6a0
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=F20184F30094D4678C900063FC8FE400CFB38266

und die Datei ssqpn.dll

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2007.10.12.0 2007.10.11 -
AntiVir 7.6.0.20 2007.10.11 -
Authentium 4.93.8 2007.10.11 -
Avast 4.7.1051.0 2007.10.11 -
AVG 7.5.0.488 2007.10.11 -
BitDefender 7.2 2007.10.12 -
CAT-QuickHeal 9.00 2007.10.11 -
ClamAV 0.91.2 2007.10.11 -
DrWeb 4.44.0.09170 2007.10.12 -
eSafe 7.0.15.0 2007.10.10 -
eTrust-Vet 31.2.5203 2007.10.11 -
Ewido 4.0 2007.10.11 -
FileAdvisor 1 2007.10.12 -
Fortinet 3.11.0.0 2007.10.11 -
F-Prot 4.3.2.48 2007.10.11 -
F-Secure 6.70.13030.0 2007.10.11 Vundo.gen41
Ikarus T3.1.1.12 2007.10.11 -
Kaspersky 7.0.0.125 2007.10.12 -
McAfee 5139 2007.10.11 -
Microsoft 1.2908 2007.10.12 -
NOD32v2 2586 2007.10.11 -
Norman 5.80.02 2007.10.11 Vundo.gen41
Panda 9.0.0.4 2007.10.11 -
Prevx1 V2 2007.10.12 -
Rising 19.44.32.00 2007.10.11 -
Sophos 4.22.0 2007.10.11 -
Sunbelt 2.2.907.0 2007.10.11 -
Symantec 10 2007.10.12 -
TheHacker 6.2.8.086 2007.10.11 -
VBA32 3.12.2.4 2007.10.11 -
VirusBuster 4.3.26:9 2007.10.11 -
Webwasher-Gateway 6.0.1 2007.10.11 Win32.Malware.dam (suspicious)
weitere Informationen
File size: 32440 bytes
MD5: 8c7d28f18b7aa9766491e9447f043d95
SHA1: 46420390e8f10a42684ce6fa01b218bf3ac01f36
packers: PE_Patch

Insgesamt also 10 Funde, das ist heftig...
Den Registrierungsschlüssel hab ich mit regedit gelöscht, kann ich das mit den oben genannten Dateien auch machen oder sind das wichtige Systemdateien?
Dann bleibt nur noch Neuaufsetzen...

Vielen Dank für deine Mühe, ist schon beeindruckend wie du die Schweine am Gang erkennst.

LG Kirsche

cosinus · 12.10.2007, 15:40

Zitat:

Dann bleibt nur noch Neuaufsetzen...

Wenn du wirklich sichergehen willst, ja! Aber den Vundo kann man schon recht zuverlässig entfernen:

Vundofix
* Lade dir vundofix.exe
* Doppelklick VundoFix.exe
* Klicke "Scan" --> Vundo button.
* Nach dem Scannen, klicke den "Remove" Vundo button.
* Man wird nun gefragt, ob man "remove" will --> klicke YES
* Danach werden alle Desktop-Symbole verschwinden
* Dann wird man gefragt, ob der PC neustarten soll --> klicke OK.

Führ danach escan nochmal aus, aber poste diesmal das richtige Logfile (Anleitung beachten mit der find.bat!). Lad die auch dieses script auf dem Desktop herunter und führ es aus - er erscheint die "listing.txt" im Editor (auch aufm Desktop), lad es bei rapidshare oder so hoch und verlink es hier (listing.txt ist zu groß für ein Beitrag).

Kirsche · 15.10.2007, 21:47

Hallo cosinus,
war am Wochenende bei meiner Schwester zum Geburtstag, kein Internet deswegen die Funkstille.Habe das Vundofix ausgeführt ohne Funde, auch bei eScan war alles sauber.
Habe auch die beiden infizierten Dateien im system32 zu Fuß gelöscht, seitdem ist himmlische Ruhe.Das Script habe ich ausgeführt und werde es nach Anmeldung bei rapidshare hier posten.

Ich bedanke mich bei dir und bei dem Forum für die geleistete Arbeit, ohne diese Hilfe wäre ich ganz schön aufgeschmissen gewesen.Außerdem hab ich ordentlich was gelernt und werde auch andere Leute beim Kampf gegen die Plagegeister unterstützen.

MfG Kirsche

TR/Dldr.ConHook.Gen unsterblich?

Plagegeister aller Art und deren Bekämpfung: TR/Dldr.ConHook.Gen unsterblich?