Habe Win32:Agent-LTS und Trojan-gen {Other}

RolandMetz · 19.10.2007, 12:49

Hallo,
ich habe seit gestern nachmittag ein problem mit meinem rachner/ laoptop. Mein avast! bringt dauernd die Meldung:
"Ein Virus wurde gefunden":
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\ac8zt2\main_uninstaller.exe
Win32:Trojan-gen {Other}

Das zieht sich dann durch mehrere Dateien:
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\ac8zt2\msmdev.dll
Win32:Agent-LTS [Trj]

C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\ac8zt2\nsduo.dll
Win32:Trojan-gen {Other}

C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\ac8zt2\rmv.exe
Win32:Trojan-gen {Other}

Klicke ich jeweils auf Löschen, dann scheint alles zu gehen. Bis dann einige Minuten später erneut die Meldung kommt.

Was ist das?
Und vor allem wie kriege ich das Weg?

Vielen Dank

undoreal · 19.10.2007, 12:53

Hallo Roland.

Folge bitte nachstehender Anleitung:

-Deaktiviere die Systemwiederherstellung auf allen Laufwerken.

-Deinstalliere Java über die Systemsteuerung.

-Lasse Silentrunners laufen und poste die logFiles..

-Folge dieser Anleitung.

-Run Combofix. Poste den erscheinenden Text.

-Durchsuche mit Lavasoft und Spybot-S&D sowie deinem AV-Prog (alle drei mit aktuellen Signaturen!) dein System jeweils 2x. Erst im normalen und dann im abgesicherten Modus (F8 beim Hochfahren).

-Räume mit cCleaner auf ( die Registry musst du mehrmals durchsuchen und bereinigen lassen).

-Poste ein frisches HijackThis log sowie einen iClean Bericht (Prog in eigenem Ordner öffnen->"Yes"->File->Report).

-Danach machst du einen eScan nach Anleitung in meiner Signatur und postest das log.

RolandMetz · 19.10.2007, 13:18

Hi

Habe alles mit Java deinstalliert und das ist das Ergebnis von Silent Runners

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ISBMgr.exe" = "C:\Programme\Sony\ISB Utility\ISBMgr.exe" ["Sony Corporation"]
"SonyPowerCfg" = "C:\Programme\Sony\VAIO Power Management\SPMgr.exe" ["Sony Corporation"]
"VirtualCloneDrive" = ""C:\Programme\Tools\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"]
"Outpost Firewall" = "C:\Programme\Agnitum\Outpost Firewall\outpost.exe /waitservice" ["Agnitum Ltd."]
"NotebookHardwareControl" = ""C:\Programme\Tools\Notebook Hardware Control\nhc.exe" -quiet" [null data]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"Apoint" = "C:\Programme\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Programme\Multimedia\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
\InProcServer32\(Default) = "C:\Programme\Multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{ED58A35B-B554-42AF-A26C-6F3D424200D3}" = "Sony Power Management Extensiond"
-> {HKLM...CLSID} = "SPMPanel"
\InProcServer32\(Default) = "C:\Programme\Sony\VAIO Power Management\SPMPanel.dll" ["Sony Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\Tools\WinRAR\rarext.dll" [null data]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Multimedia\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Programme\Windows Desktop Search\msnlExt.dll" [MS]
"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"
-> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Tools\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
-> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Search Deskbar"
-> {HKCU...CLSID} = "Windows-Such-Deskbar"
\InProcServer32\(Default) = "C:\Programme\Windows Desktop Search\deskbar.dll" [MS]
-> {HKLM...CLSID} = "Windows Search Deskbar"
\InProcServer32\(Default) = "C:\Programme\Windows Desktop Search\deskbar.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Multimedia\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
\InProcServer32\(Default) = "C:\Programme\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
\InProcServer32\(Default) = "C:\Programme\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\VISSHE.DLL" [MS]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\VISSHE.DLL" [MS]
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Programme\Tools\MatroskaSplitter\mmfinfo.dll" [null data]
"{5574006C-28F5-4a65-A28C-74DE6BFBE0BB}" = "Haali Matroska Shell Property Page"
-> {HKLM...CLSID} = "Haali Matroska Shell Property Page"
\InProcServer32\(Default) = "C:\Programme\Tools\MatroskaSplitter\mmfinfo.dll" [null data]
"{327669A0-59A7-4be9-B99E-1C9F3A57611A}" = "Haali Matroska Thumbnail Exctractor"
-> {HKLM...CLSID} = "Haali Matroska Thumbnail Extractor"
\InProcServer32\(Default) = "C:\Programme\Tools\MatroskaSplitter\mmfinfo.dll" [null data]
"{30351348-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351347-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134A-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134C-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351346-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351349-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134B-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134D-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134E-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager"
-> {HKLM...CLSID} = "Desktop Manager"
\InProcServer32\(Default) = "C:\WINDOWS\system32\msvdm.dll" [null data]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"hstsys" = "{584C1CE2-244E-4BD9-9EA0-15C9A7D8CFB7}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\hstsys.dll" [file not found]
"msmhost" = "{20B4DB08-CB91-45C0-BFAF-66F0F0549AF8}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\msmhost.dll" [null data]
"msmdev" = "{77691B07-5C52-4098-A3CF-376012B30A87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\msmdev.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll" ["Agnitum Ltd."]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"oodbs" ["O&O Software GmbH"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<<!>> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [file not found]
<<!>> VESWinlogon\DLLName = "VESWinlogon.dll" ["Sony Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"
-> {HKLM...CLSID} = "Haali Column Provider"
\InProcServer32\(Default) = "C:\Programme\Tools\MatroskaSplitter\mmfinfo.dll" [null data]
{30351349-7B7D-4FCC-81B4-1E394CA267EB}\(Default) = (no title provided)
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Multimedia\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {HKLM...CLSID} = "Acrobat Elements Context Menu"
\InProcServer32\(Default) = "C:\Programme\Multimedia\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
-> {HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "C:\Programme\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\Tools\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
-> {HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "C:\Programme\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\Tools\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
-> {HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "C:\Programme\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Programme\Internet\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\Tools\WinRAR\rarext.dll" [null data]

(hat leider nicht alles in einen post reingepasst)

RolandMetz · 19.10.2007, 13:30

(der zweite Teil von Silent Runners)

Default executables:
--------------------

HKCU\Software\Classes\piffile\

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSMHelp" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Help menu from Start Menu}

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\Eigene Dateien\Eigene Bilder\0 Grafiken\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Eigene Dateien\Eigene Bilder\0 Grafiken\Wallpaper1.bmp"

Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Windows-Desktopsuche" -> shortcut to: "C:\Programme\Windows Desktop Search\WindowsSearch.exe /startup" [MS]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF"
\InProcServer32\(Default) = "C:\Programme\Multimedia\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{36ECAF82-3300-8F84-092E-AFF36D6C7040}\
"ButtonText" = "Run WinHTTrack"
"MenuText" = "Launch WinHTTrack"
"CLSIDExtension" = "{86529161-034E-4F8A-88D2-3C625E612E04}"
-> {HKLM...CLSID} = "WinHTTrackLauncher Class"
\InProcServer32\(Default) = "C:\Programme\Tools\Seiten downloaden\WinHTTrackIEBar.dll" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Computer, Inc."]
.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Adobe LM Service, Adobe LM Service, ""C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe"" ["Adobe Systems"]
avast! Antivirus, avast! Antivirus, ""C:\Programme\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Programme\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Programme\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Programme\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Programme\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Programme\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\mdm.exe"" [MS]
MySQL, MySQL, ""C:\Programme\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="C:\Programme\MySQL\MySQL Server 5.0\my.ini" MySQL" [null data]
O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]
Outpost Firewall Service, OutpostFirewall, "C:\Programme\Agnitum\Outpost Firewall\outpost.exe /service" ["Agnitum Ltd."]
VAIO Event Service, VAIO Event Service, "C:\Programme\Sony\VAIO Event Service\VESMgr.exe" ["Sony Corporation"]
Windows Search Service, WSearch, "C:\WINDOWS\system32\SearchIndexer.exe /Embedding" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
BJ Language Monitor\Driver = "cnbjmon.dll" [file not found]
HP CLJ2600n LM\Driver = "ZLHP2600.DLL" ["Zenographics, Inc."]
HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"]
hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
PJL Language Monitor\Driver = "pjlmon.dll" [file not found]

---------- (launch time: 2007-10-19 14:10:49)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 43 seconds, including 15 seconds for message boxes)

mache nun das mit SmitfraudFix (dauert ein paar Minuten...)

RolandMetz · 19.10.2007, 13:32

Habe das mit SmitfraudFix auch gerade gemacht!

Es kam eine Fehlermeldung, dass der Cleanmgr nicht gefunden werden konnte. Liegt wohl daran, dass das hier eine nLite Version von Windows ist. Und der daher nicht dabei ist.
Auf welche Weise kann ich die Temp Files noch löschen?

Soll ich die Datei rapport.txt auch posten?

undoreal · 19.10.2007, 13:35

Wofür nutzt du "TortoiseSVN" ?

RolandMetz · 19.10.2007, 13:39

Zitat:

Zitat von undoreal

Wofür nutzt du "TortoiseSVN" ?

Uni. Um Dateien auf unser SVN hochzuladen bzw. upzudaten

19.10.2007, 13:35	#6
undoreal /// AVZ-Toolkit Guru	Habe Win32:Agent-LTS und Trojan-gen {Other} Wofür nutzt du "TortoiseSVN" ? __________________ --> Habe Win32:Agent-LTS und Trojan-gen {Other}

Habe Win32:Agent-LTS und Trojan-gen {Other}

Plagegeister aller Art und deren Bekämpfung: Habe Win32:Agent-LTS und Trojan-gen {Other}