Strange "hidden value" in Sophos Antirootkit
18.11.2007, 09:10 | #1

Strange "hidden value" in Sophos Antirootkit

Hello, for some time now I have been getting the following message from the latest version of Sophos Antirootkit Free:

---------------------------
Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-21-2052111302-813497703-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9B8323EA-ED9C-4A4F-DFFF-3C746465B3EE}\hahlhaehbbjabldn
Removable: No
Notes: (type 3, length 24) "kajbfkhplilfpjhomchecm "
---------------------------

Has anyone seen something like this before? Neither F-Secure's Anti-Rootkit nor AVG detects this value. What should I do?

Many thanks for your help.
Stefan.
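Editor's note on the report above (added example, not part of the thread and not Sophos code): "type 3" is REG_BINARY, so the 24 bytes the scanner prints as "kajbfkhplilfpjhomchecm " are binary data that happen to be printable. A value is reported as "hidden" when the raw hive contains it but the Win32 registry API does not return it. One common, non-rootkit way to achieve that is a value name with an embedded NUL character: the hive stores the full counted name, but RegEnumValue and regedit treat names as C strings and stop at the first NUL, while the native NtEnumerateValueKey returns the whole name. The script below decodes the KEY_VALUE_FULL_INFORMATION records that NtEnumerateValueKey fills in and flags names containing a NUL; the decoder is exercised offline with a constructed record, and the live enumeration at the bottom only runs on Windows. The SID and key path are the ones from the report; the NUL-prefixed name and the data bytes used in the offline check are constructed. Caveat a practitioner should keep in mind: if a kernel-mode hook is hiding the value, the native call is lied to as well, and the cross-check is then an offline read of that user's NTUSER.DAT from a boot medium.

```python
"""Spot registry value names that Win32-based tools cannot display.

Added example (not from the forum thread or from Sophos). Decodes the
KEY_VALUE_FULL_INFORMATION records returned by NtEnumerateValueKey and flags
value names with an embedded NUL, which RegEnumValue/regedit cannot show.
"""
import ctypes
import struct
import sys
from typing import List, NamedTuple

KEY_VALUE_FULL_INFORMATION = 1   # KEY_VALUE_INFORMATION_CLASS: KeyValueFullInformation
KEY_READ = 0x20019
OBJ_CASE_INSENSITIVE = 0x40
STATUS_NO_MORE_ENTRIES = 0x8000001A
REG_TYPE_NAMES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
                  4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}


class RegValue(NamedTuple):
    name: str        # full counted name, NULs included
    reg_type: int
    data: bytes

    @property
    def win32_visible_name(self) -> str:
        """What RegEnumValue/regedit show: the name up to the first NUL."""
        return self.name.split("\0", 1)[0]

    @property
    def hidden_from_win32(self) -> bool:
        return "\0" in self.name


def decode_key_value_full_information(buf: bytes) -> RegValue:
    """Decode one KEY_VALUE_FULL_INFORMATION record.

    Layout: five little-endian ULONGs (TitleIndex, Type, DataOffset, DataLength,
    NameLength), then Name as UTF-16LE without terminator; the data sits at
    DataOffset bytes from the start of the record.
    """
    _title, reg_type, data_off, data_len, name_len = struct.unpack_from("<5I", buf, 0)
    name = buf[20:20 + name_len].decode("utf-16-le")
    return RegValue(name, reg_type, buf[data_off:data_off + data_len])


def encode_key_value_full_information(name: str, reg_type: int, data: bytes) -> bytes:
    """Build the record the kernel would return; used to construct offline test input."""
    name_bytes = name.encode("utf-16-le")
    end_of_name = 20 + len(name_bytes)
    data_off = (end_of_name + 7) & ~7          # data placed on an 8-byte boundary
    header = struct.pack("<5I", 0, reg_type, data_off, len(data), len(name_bytes))
    return header + name_bytes + b"\0" * (data_off - end_of_name) + data


def triage(values: List[RegValue]) -> List[str]:
    """One line per value: type, Win32-visible name, data length, hidden or not."""
    lines = []
    for v in values:
        flag = "HIDDEN (embedded NUL in name)" if v.hidden_from_win32 else "visible"
        lines.append(f"{REG_TYPE_NAMES.get(v.reg_type, v.reg_type)} "
                     f"{v.win32_visible_name!r} len={len(v.data)} {flag}")
    return lines


def enumerate_values_native(native_key_path: str) -> List[RegValue]:
    """Windows only: list a key's values via ntdll (NtOpenKey/NtEnumerateValueKey).

    native_key_path is in object-manager form, e.g. \\Registry\\User\\<SID>\\Software\\...
    """
    if sys.platform != "win32":
        raise OSError("native registry enumeration needs Windows")
    ntdll = ctypes.WinDLL("ntdll")

    class UNICODE_STRING(ctypes.Structure):
        _fields_ = [("Length", ctypes.c_ushort), ("MaximumLength", ctypes.c_ushort),
                    ("Buffer", ctypes.c_void_p)]

    class OBJECT_ATTRIBUTES(ctypes.Structure):
        _fields_ = [("Length", ctypes.c_ulong), ("RootDirectory", ctypes.c_void_p),
                    ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                    ("Attributes", ctypes.c_ulong), ("SecurityDescriptor", ctypes.c_void_p),
                    ("SecurityQualityOfService", ctypes.c_void_p)]

    path_buf = ctypes.create_unicode_buffer(native_key_path)   # must outlive the calls
    ustr = UNICODE_STRING()
    ntdll.RtlInitUnicodeString(ctypes.byref(ustr), path_buf)
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(ustr),
                              OBJ_CASE_INSENSITIVE, None, None)
    handle = ctypes.c_void_p()
    status = ntdll.NtOpenKey(ctypes.byref(handle), KEY_READ, ctypes.byref(attrs))
    if status != 0:
        raise OSError(f"NtOpenKey failed, NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    values: List[RegValue] = []
    try:
        index = 0
        while True:
            buf = ctypes.create_string_buffer(64 * 1024)
            needed = ctypes.c_ulong(0)
            status = ntdll.NtEnumerateValueKey(handle, index, KEY_VALUE_FULL_INFORMATION,
                                               buf, len(buf), ctypes.byref(needed))
            if (status & 0xFFFFFFFF) == STATUS_NO_MORE_ENTRIES:
                break
            if status != 0:
                raise OSError(f"NtEnumerateValueKey failed, NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
            values.append(decode_key_value_full_information(buf.raw[:needed.value]))
            index += 1
    finally:
        ntdll.NtClose(handle)
    return values


if __name__ == "__main__":
    SID = "S-1-5-21-2052111302-813497703-682003330-1005"      # SID from the Sophos report
    KEY = (rf"\Registry\User\{SID}\Software\Microsoft\Windows\CurrentVersion"
           r"\Shell Extensions\Approved\{9B8323EA-ED9C-4A4F-DFFF-3C746465B3EE}")
    for line in triage(enumerate_values_native(KEY)):
        print(line)
```

Run it as the user whose SID owns the key (the hive must be loaded, i.e. that account logged on); a name printed as HIDDEN tells you the value is only invisible to Win32 callers, not to the kernel, and can be deleted with the native API or by editing the hive offline.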
19.11.2007, 18:54 | #2

/// Winkelfunktion /// TB-Süch-Tiger™

Strange "hidden value" in Sophos Antirootkit

Quote:
24.11.2007, 18:25 | #3

Strange "hidden value" in Sophos Antirootkit

Hi Arne,

many thanks for the help. Here is the HijackThis log to start with:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:20:17, on 23.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\a-squared Free\a2service.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\F-Secure\Anti-Virus\fsgk32st.exe
C:\Programme\F-Secure\Common\FSMA32.EXE
C:\Programme\F-Secure\Anti-Virus\FSGK32.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Programme\F-Secure\Common\FCH32.EXE
C:\Programme\F-Secure\Common\FAMEH32.EXE
C:\Programme\F-Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\SLEE81.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\F-Secure\Anti-Virus\fssm32.exe
C:\Programme\F-Secure\Common\FNRB32.EXE
C:\Programme\F-Secure\Common\FIH32.EXE
C:\Programme\F-Secure\FSAUA\program\fsaua.exe
C:\Programme\F-Secure\FWES\Program\fsdfwd.exe
C:\Programme\F-Secure\FSAUA\program\fsus.exe
C:\Programme\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\F-Secure\Common\FSM32.EXE
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Logitech\MouseWare\system\em_exec.exe
C:\Programme\DAEMON Tools\daemon.exe
C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Programme\F-Secure\FSGUI\fsguidll.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Windows Defender\MSASCui.exe
C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\oodtray.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programme\PeerGuardian2\pg2.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programme\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Mozilla Firefox\firefox.exe
D:\software\virus\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O1 - Hosts: 127.255.255.255 www.alcohol-soft.com
O1 - Hosts: 127.255.255.255 images.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000001} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CE57DA55-F491-45C6-B3DB-6C98E4B17CDC} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Programme\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Programme\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1031
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [M-Audio Delta Taskbar Icon] C:\WINDOWS\System32\DeltTray.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Programme\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Programme\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Programme\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SSS7] "C:\Programme\Steganos Security Suite 7\SSS7.exe" -boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [SSS7] "C:\Programme\Steganos Security Suite 7\SSS7.exe" -firstboot (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [SSS7] "C:\Programme\Steganos Security Suite 7\SSS7.exe" -firstboot (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-21-2052111302-813497703-682003330-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'internet')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SSS7] "C:\Programme\Steganos Security Suite 7\SSS7.exe" -firstboot (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SSS7] "C:\Programme\Steganos Security Suite 7\SSS7.exe" -firstboot (User 'Default user')
O4 - S-1-5-21-2052111302-813497703-682003330-1005 Startup: Verknüpfung mit TeaTimer.lnk = C:\Programme\Spybot - Search & Destroy\TeaTimer.exe (User 'internet')
O4 - Global Startup: Adobe Acrobat - Schnellstart.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verknüpfung mit TeaTimer.exe.lnk = C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: In vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134155938609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139652525203
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Programme\a-squared Free\a2service.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Programme\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Programme\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Programme\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Programme\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Programme\F-Secure\Common\FSMA32.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Steganos Live Encryption Engine 8.1 [Service] (SLEE_81_SERVICE) - Unknown owner - C:\WINDOWS\system32\SLEE81.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 12447 bytes
24.11.2007, 18:31 | #4

Strange "hidden value" in Sophos Antirootkit

And here the eScan results:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
find.bat Version 2007.06.16.01
Microsoft Windows XP [Version 5.1.2600]
Boot mode: NORMAL
eScan Version: 9.2.5
Language: German
Virus database date: 11/23/2007

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infection reports
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~ Files ~~~~~~~~~~~
~~~~ Infected files ~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Tagged files ~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Offending files ~~~~~~~~~~~
~~~~~~~~~~~ Folders ~~~~~~~~~~~
~~~~~~~~~~~ Registry ~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Miscellaneous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~ Processes and modules ~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~ Scan errors ~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~ Hosts file ~~~~~~~~~~~~~~~~~~~~~~
DataBasePath: %SystemRoot%\System32\drivers\etc
Lines that do not match the default:
C:\WINDOWS\System32\drivers\etc\hosts :127.255.255.255 serial.alcohol-soft.com
C:\WINDOWS\System32\drivers\etc\hosts :127.255.255.255 www.alcohol-soft.com
C:\WINDOWS\System32\drivers\etc\hosts :127.255.255.255 images.alcohol-soft.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistics:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Files scanned: 70780
Viruses found: 0
Files disinfected: 0
Files renamed: 0
Files deleted: 0
Errors: 50
Scan duration so far: 00:29:39

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan options
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Memory check: Enabled
Registry check: Enabled
System folder check: Enabled
System area check: Disabled
Services check: Enabled
Hard disk check: Disabled
Check of all hard disks: Enabled
Batch start: 18:30:09,96
Batch end: 18:30:18,00
24.11.2007, 18:34 | #5

Strange "hidden value" in Sophos Antirootkit

Silent Runners:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"PeerGuardian" = "C:\Programme\PeerGuardian2\pg2.exe" ["Methlabs"]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SSS7" = ""C:\Programme\Steganos Security Suite 7\SSS7.exe" -boot" ["Steganos GmbH"]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"updateMgr" = ""C:\Programme\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"F-Secure Manager" = ""C:\Programme\F-Secure\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"NVMixerTray" = ""C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"FreePDF Assistant" = "C:\Programme\FreePDF_XP\fpassist.exe" [null data]
"eTrustPPAP" = ""C:\Programme\CA\eTrust PestPatrol\PPActiveDetection.exe"" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"DAEMON Tools" = ""C:\Programme\DAEMON Tools\daemon.exe" -lang 1031" ["DT Soft Ltd."]
"SSBkgdUpdate" = ""C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"OpwareSE4" = ""C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"" ["ScanSoft, Inc."]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NeroFilterCheck" = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"M-Audio Delta Taskbar Icon" = "C:\WINDOWS\System32\DeltTray.exe" ["Doug Fetter Software Wizardry"]
"DeltTray" = "DeltTray.exe" ["Doug Fetter Software Wizardry"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"Windows Defender" = ""C:\Programme\Windows Defender\MSASCui.exe" -hide" [MS]
"F-Secure TNB" = ""C:\Programme\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]
"TrueImageMonitor.exe" = "C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe" ["Acronis"]
"AcronisTimounterMonitor" = "C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe" ["Acronis"]
"Acronis Scheduler2 Service" = ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]
"OODefragTray" = "C:\WINDOWS\system32\oodtray.exe" ["O&O Software GmbH"]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"Acrobat Assistant 7.0" = ""C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"(Default)" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Context Menu Shell Extension"
  -> {HKLM...CLSID} = "a-squared Free Context Menu"
                   \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{00000000-5736-4205-0100-a63632132b02}" = "Steganos Security Suite 7"
  -> {HKLM...CLSID} = "Steganos Security Suite 7"
                   \InProcServer32\(Default) = "c:\programme\steganos security suite 7\sss7se.dll" [null data]
"{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension"
  -> {HKCU...CLSID} = "Acronis True Image Shell Context Menu Extension"
                   \InProcServer32\(Default) = "C:\Programme\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension"
  -> {HKCU...CLSID} = "Acronis True Image Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}" = "OODefrag"
  -> {HKLM...CLSID} = "OODShellExtObj Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{93f261fc-7dce-4268-9edb-4c94f8afb899}" = "RadioRipper.ShellExecuteHook"
  -> {HKLM...CLSID} = "RadioRipper.ShellExecuteHook"
                   \InProcServer32\(Default) = "mscoree.dll" [MS]
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = ""ShellExecuteHook" von Microsoft AntiMalware"
  -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"
  -> {HKLM...CLSID} = "OODShellExtObj Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
Steganos Security Suite 7\(Default) = "{00000000-5736-4205-0100-a63632132b02}"
  -> {HKLM...CLSID} = "Steganos Security Suite 7"
                   \InProcServer32\(Default) = "c:\programme\steganos security suite 7\sss7se.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Steganos Security Suite 7\(Default) = "{00000000-5736-4205-0100-a63632132b02}"
  -> {HKLM...CLSID} = "Steganos Security Suite 7"
                   \InProcServer32\(Default) = "c:\programme\steganos security suite 7\sss7se.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
  -> {HKLM...CLSID} = "a-squared Free Context Menu"
                   \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]
OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"
  -> {HKLM...CLSID} = "OODShellExtObj Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
  -> {HKLM...CLSID} = "a-squared Free Context Menu"
                   \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoCDBurning" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"FoFileAssociate" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"StartMenuLogoff" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoShellSearchButton" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"HideClock" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoFolderOptions" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Removes the Folder Options menu item from the Tools menu}
"NoUserNameInStartMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoRecentDocsNetHood" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoSharedDocuments" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "stefan" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Acrobat - Schnellstart" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Verknüpfung mit TeaTimer.exe" -> shortcut to: "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
"MP Scheduled Scan" -> launches: "C:\Programme\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Programme\F-Secure\FSPS\program\FSLSP.DLL ["F-Secure Corporation"], 01 - 09, 21
%SystemRoot%\system32\mswsock.dll [MS], 10 - 12, 15 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 13 - 14


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 4 domain names to IP addresses,
      3 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

a-squared Free Service, a2free, ""C:\Programme\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Programme\F-Secure\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]
F-Secure Automatic Update Agent, FSAUA, ""C:\Programme\F-Secure\FSAUA\program\fsaua.exe"" ["F-Secure Corporation"]
F-Secure Network Request Broker, F-Secure Network Request Broker, ""C:\Programme\F-Secure\Common\FNRB32.EXE"" ["F-Secure Corporation"]
FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Programme\F-Secure\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"]
FSMA, FSMA, ""C:\Programme\F-Secure\Common\FSMA32.EXE"" ["F-Secure Corporation"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]
StarWind iSCSI Service, StarWindService, "C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Steganos Live Encryption Engine 8.1 [Service], SLEE_81_SERVICE, "C:\WINDOWS\system32\SLEE81.exe" [null data]
Windows Defender, WinDefend, ""C:\Programme\Windows Defender\MsMpEng.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Redirected Port\Driver = "redmonnt.dll" [null data]


----------
(launch time: 2007-11-24 18:32:25)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at
  the first message box and "Yes" at the second message box.
---------- (total run time: 49 seconds,
including 19 seconds for message boxes)
24.11.2007, 18:45 | #6 |
| Strange "hidden value" in Sophos Antirootkit and ComboFix as well:

ComboFix 07-11-19.3 - stefan 2007-11-24 18:36:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.624 [GMT 1:00]
ausgeführt von:: D:\software\virus\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\taskmgr.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_NPF

((((((((((((((((((((((( Dateien erstellt von 2007-10-24 bis 2007-11-24 ))))))))))))))))))))))))))))))
.
2007-11-17 10:45 <DIR> d-------- C:\Programme\AVG Anti-Rootkit Free
2007-11-17 10:45 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-11-17 10:44 <DIR> d-------- C:\Programme\Sophos Anti-Rootkit
2007-11-14 18:08 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\AdobeUM
2007-11-12 19:03 <DIR> d-------- C:\Programme\CrypTool
2007-11-03 14:38 <DIR> d-------- C:\WINDOWS\LINA
2007-11-03 14:37 <DIR> d-------- C:\WINDOWS\ASYM
2007-11-03 14:37 <DIR> d-------- C:\LINA
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 17:38 --------- d-----w C:\Programme\PeerGuardian2
2007-11-24 10:42 --------- d-----w C:\Dokumente und Einstellungen\internet\Anwendungsdaten\UseNeXT
2007-10-21 15:56 --------- d-----w C:\Programme\a-squared Free
2007-10-12 12:28 --------- d-----w C:\Programme\Java
2007-10-05 15:59 --------- d-----w C:\Dokumente und Einstellungen\internet\Anwendungsdaten\X-Chat 2
2007-10-05 15:51 --------- d-----w C:\Programme\xchat
2007-10-05 15:51 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\X-Chat 2
2007-10-05 12:59 --------- d-----w C:\Programme\RootKit Hook Analyzer
2007-10-03 16:49 --------- d-----w C:\Programme\Gemeinsame Dateien\Scanner
2007-10-02 17:46 --------- d-----w C:\Dokumente und Einstellungen\stefan\Anwendungsdaten\X-Chat 2
2007-09-29 15:58 --------- d-----w C:\Dokumente und Einstellungen\stefan\Anwendungsdaten\AdobeUM
2007-09-29 15:07 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe Systems Shared
2007-09-29 15:07 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Adobe Systems
2007-09-29 15:05 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2007-09-29 14:51 --------- d-----w C:\Programme\PDF Annotator
2007-09-24 16:45 --------- d-----w C:\Dokumente und Einstellungen\internet\Anwendungsdaten\.mseide
2007-05-05 16:08 24,168 ----a-w C:\Dokumente und Einstellungen\internet\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2006-11-05 07:41 152 ----a-w C:\Programme\2E02VFOA.bat
2006-10-08 16:01 152 ----a-w C:\Programme\2DE6617S.bat
2006-01-30 13:22 774,144 ----a-w C:\Programme\RngInterstitial.dll
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="C:\Programme\PeerGuardian2\pg2.exe" [2005-09-18 18:40]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:57]
"SSS7"="C:\Programme\Steganos Security Suite 7\SSS7.exe" [2005-08-02 15:50]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 00:04]
"updateMgr"="C:\Programme\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 15:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"F-Secure Manager"="C:\Programme\F-Secure\Common\FSM32.exe" [2007-05-25 14:12]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"NVMixerTray"="C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2005-05-27 10:24]
"eTrustPPAP"="C:\Programme\CA\eTrust PestPatrol\PPActiveDetection.exe" []
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:58 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-08-11 20:43 C:\WINDOWS\system32\nwiz.exe]
"DAEMON Tools"="C:\Programme\DAEMON Tools\daemon.exe" [2005-12-10 15:57]
"SSBkgdUpdate"="C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 23:14]
"OpwareSE4"="C:\Programme\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 12:19]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:58 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"M-Audio Delta Taskbar Icon"="C:\WINDOWS\System32\DeltTray.exe" [2004-08-26 23:43]
"DeltTray"="DeltTray.exe" [2004-08-26 23:43 C:\WINDOWS\system32\DeltTray.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 04:01 C:\WINDOWS\SOUNDMAN.EXE]
"Windows Defender"="C:\Programme\Windows Defender\MSASCui.exe" [2006-11-03 17:20]
"F-Secure TNB"="C:\Programme\F-Secure\FSGUI\TNBUtil.exe" [2007-05-25 14:11]
"TrueImageMonitor.exe"="C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-17 12:31]
"AcronisTimounterMonitor"="C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-17 12:35]
"Acronis Scheduler2 Service"="C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2007-02-16 17:49]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 01:08]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"Acrobat Assistant 7.0"="C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:57]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SSS7"="C:\Programme\Steganos Security Suite 7\SSS7.exe" [2005-08-02 15:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)
"FoFileAssociate"= 0 (0x0)
"NoShellSearchButton"= 0 (0x0)
"NoRecentDocsMenu"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93f261fc-7dce-4268-9edb-4c94f8afb899}"= mscoree.dll [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R0 timounter;Acronis True Image Backup Archive Explorer;C:\WINDOWS\system32\DRIVERS\timntr.sys
R1 F-Secure HIPS;F-Secure HIPS;\??\C:\Programme\F-Secure\HIPS\fshs.sys
R2 SLEE_81_DRIVER;Steganos Live Encryption Engine 8.1 [Driver];\??\C:\WINDOWS\system32\drivers\SLEE81.sys
R2 tifsfilter;Acronis True Image FS Filter;C:\WINDOWS\system32\DRIVERS\tifsfilt.sys
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Programme\F-Secure\Anti-Virus\minifilter\fsgk.sys
R3 pgfilter;pgfilter;\??\C:\Programme\PeerGuardian2\pgfilter.sys
S3 DarkSpy;DarkSpy;\??\C:\WINDOWS\system32\DarkSpyKernel.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\110.tmp
S3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
S3 VICESYS;VICESYS;\??\D:\software\virus\rootkits\vice\EXE\VICESYS.sys
S4 F-Secure Filter;F-Secure File System Filter;\??\C:\Programme\F-Secure\Anti-Virus\Win2K\FSfilter.sys
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Programme\F-Secure\Anti-Virus\Win2K\FSrec.sys

*Newly Created Service* - PGFILTER
.
Inhalt des "geplante Tasks" Ordners
"2007-07-20 06:55:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Programme\Apple Software Update\SoftwareUpdate.exe
"2007-11-24 17:24:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Programme\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 18:41:02
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\fsbl]
"ImagePath"="\??\C:\Programme\F-Secure\Anti-Virus\fsbldrv.sys"
.
Zeit der Fertigstellung: 2007-11-24 18:42:49 - machine was rebooted
.
--- E O F --- |
25.11.2007, 15:17 | #7 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Strange "hidden value" in Sophos Antirootkit I noticed this entry: Code:
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\110.tmp
If there are any more "crooked" files on the system, we may be able to track them down like this: with a file listing using this script: Upload that listing.txt e.g. to rapidshare and link it here, since that logfile is too big for the board.
__________________ Please always post logfiles in CODE tags |
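The triage described in post #7 (pick the odd driver entry out of the ComboFix service list, then use a file listing to find out what is really on disk) and the observation in post #8 that the 110.tmp image cannot be found anywhere, worked as an added example. This is not code from the thread, from ComboFix or from Sophos; the ComboFix-style lines are constructed from the entries quoted above, and LISTING_TXT is a constructed stand-in for the listing.txt the helper asked for. It parses each `<start type> <service>;<display name>;<image path>` line, strips the `\??\` object-manager prefix, and reports drivers whose image is a .tmp file or is absent from the listing. A hit from this check is a triage signal, not a verdict: some anti-rootkit scanners load a transient driver from a .tmp file in exactly this way, so the follow-up is the one the thread itself uses, check whether the file exists, hash it and have it evaluated.

```python
"""Triage ComboFix-style driver/service lines against a file listing.

Added example for this thread; it is not code from the thread, from ComboFix or
from Sophos. The ComboFix lines are constructed from entries quoted above; the
file listing is a constructed stand-in for the listing.txt the helper asked for.
"""
import re
from dataclasses import dataclass, field

# "<start type> <service name>;<display name>;<image path>", as ComboFix prints them
# (constructed from the entries quoted in the thread).
COMBOFIX_LINES = r"""
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R1 F-Secure HIPS;F-Secure HIPS;\??\C:\Programme\F-Secure\HIPS\fshs.sys
R3 pgfilter;pgfilter;\??\C:\Programme\PeerGuardian2\pgfilter.sys
S3 DarkSpy;DarkSpy;\??\C:\WINDOWS\system32\DarkSpyKernel.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\C:\WINDOWS\system32\110.tmp
S3 VICESYS;VICESYS;\??\D:\software\virus\rootkits\vice\EXE\VICESYS.sys
""".strip().splitlines()

# Constructed stand-in for listing.txt: one full path per line. Case differs on
# purpose (Windows paths are case-insensitive), and 110.tmp is deliberately absent,
# as Stefan reports in post #8.
LISTING_TXT = r"""
c:\windows\system32\drivers\fsdfw.sys
C:\Programme\F-Secure\HIPS\fshs.sys
C:\Programme\PeerGuardian2\pgfilter.sys
C:\WINDOWS\system32\darkspykernel.sys
D:\software\virus\rootkits\vice\EXE\VICESYS.sys
""".strip().splitlines()

# Start type (R0..R3 running, S0..S4 stopped), service name, display name, image path.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+)$"
)


@dataclass
class Finding:
    service: str
    image: str
    reasons: list = field(default_factory=list)


def normalize(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) ComboFix shows and fold case."""
    path = path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_services(lines):
    """Yield (start type, service name, normalized image path) for each driver line."""
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            yield m.group("start"), m.group("name"), normalize(m.group("image"))


def triage(combofix_lines, listing_lines):
    """Return a Finding for every driver whose image is a .tmp file or absent from the listing."""
    present = {normalize(p) for p in listing_lines if p.strip()}
    findings = []
    for _start, name, image in parse_services(combofix_lines):
        reasons = []
        basename = image.rsplit("\\", 1)[-1]
        if basename.endswith(".tmp"):
            reasons.append("driver image is a .tmp file")
        if image not in present:
            reasons.append("image path not found in file listing")
        if reasons:
            findings.append(Finding(name, image, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(COMBOFIX_LINES, LISTING_TXT):
        print(f"{f.service}: {f.image} -> {', '.join(f.reasons)}")
```

On the constructed input only MEMSWEEP2 is reported, for both reasons. To run it against a real listing.txt, read the file into a list of lines and pass it as `listing_lines`; a listing that records a path for every file on the fixed drives is what makes the "not found" check meaningful, which is why the helper asked for the full listing rather than a directory or two.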
25.11.2007, 18:29 | #8 |
| Strange "hidden value" in Sophos Antirootkit hello, I have put the listing here: http://www.file-upload.net/download-524370/listing.txt.html hope that works. I cannot find the file 110.tmp anywhere on my system.... Regards, Stefan. |
25.11.2007, 19:25 | #9 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Strange "hidden value" in Sophos Antirootkit Do you know these folders: Code:
C:\LINA
C:\FPC
C:\TP
C:\windows\LINA
c:\windows\asym
Also have the following file evaluated at VT and post the results. Code:
c:\windows\system32\oodbs.lor
__________________ Please always post logfiles in CODE tags Last edited by cosinus (25.11.2007 at 19:32) |
01.12.2007, 11:25 | #10 |
| Strange "hidden value" in Sophos Antirootkit hi arne,
C:\LINA: linear algebra, for my studies
C:\FPC: Free Pascal, for my studies
C:\TP: TurboPascal, for my studies
C:\windows\LINA: see above
c:\windows\asym: is somehow related to the LINA files, as far as I can tell.
c:\windows\system32\oodbs.lor from VT:
Antivirus Version Last update Result
AhnLab-V3 2007.12.1.0 2007.11.30 -
AntiVir 7.6.0.34 2007.11.30 -
Authentium 4.93.8 2007.12.01 -
Avast 4.7.1074.0 2007.11.30 -
AVG 7.5.0.503 2007.11.30 -
BitDefender 7.2 2007.12.01 -
CAT-QuickHeal 9.00 2007.12.01 -
ClamAV 0.91.2 2007.12.01 -
DrWeb 4.44.0.09170 2007.11.30 -
eSafe 7.0.15.0 2007.11.29 -
eTrust-Vet 31.3.5340 2007.11.30 -
Ewido 4.0 2007.11.30 -
FileAdvisor 1 2007.12.01 -
Fortinet 3.14.0.0 2007.12.01 -
F-Prot 4.4.2.54 2007.11.30 -
F-Secure 6.70.13030.0 2007.11.30 -
Ikarus T3.1.1.12 2007.12.01 -
Kaspersky 7.0.0.125 2007.12.01 -
McAfee 5175 2007.11.30 -
Microsoft 1.3007 2007.12.01 -
NOD32v2 2696 2007.11.30 -
Norman 5.80.02 2007.11.30 -
Panda 9.0.0.4 2007.12.01 -
Prevx1 V2 2007.12.01 -
Rising 20.20.51.00 2007.12.01 -
Sophos 4.23.0 2007.12.01 -
Sunbelt 2.2.907.0 2007.12.01 -
Symantec 10 2007.12.01 -
TheHacker 6.2.9.146 2007.11.30 -
VBA32 3.12.2.5 2007.11.30 -
VirusBuster 4.3.26:9 2007.11.30 -
Webwasher-Gateway 6.6.2 2007.12.01 -
Further information
File size: 388359 bytes
MD5: 4148a4893cc50a60fe5bdd442dfca386
SHA1: d62660cf462ec4b65caf9f1519f08ed1ad3ca100
Everything looks normal so far, doesn't it? But the file seems to update itself at every start-up (at least going by the date), which is why I had thought it might be malware. Thanks a lot for the help. Regards, Stefan. |