eScan findet seltsame Einzräge - alle anderen Scanner zeigen nicht an

Raven_ · 03.12.2007, 07:42

Durch einen Fehler beim LiveUpdate von Norton und meiner Suche kam ich irgendwie auf eine Seite - mit Verweis auf diese hier - wo stand man sollte mal eScan (Microworld Antivirus (MWAV) Escan) über das System laufen lassen.

Ich tat dies laut Anweisungen aus diesem Forum in diesen Anweisungen steht, nach dem Scan sollte man das LogFile hier posten, das möchte ich gerne hiermit tun.

Mein System ist Windows XP SP2
Fehlermeldung hatte ich zuvor keine. Fehler auch nicht. LiveUpdate geht nun auch wieder.

Spybot und Ad-Aware zeigen keinen Befall. Ebenso habe ich einige der genannten Dateien (was ich erkennen und finden konnte) bei http://virusscan.jotti.org/de/ getestet, wo auch nichts gefunden wurde.

Meine Scans:

Zitat:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
find.bat Version 2007.06.16.01

Microsoft Windows XP [Version 5.1.2600]
Bootmodus: NETWORK

eScan Version: 9.5.8
Sprache: English
C:\DOKUME~1\++++\LOKALE~1\Temp\MWAV.LOG

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
System found infected with stylexp Spyware/Adware ({c333cf63-767f-4831-94ac-e683d962c63c})! Action taken: No Action Taken.
System found infected with maxsearch Adware ({c4069e3a-68f1-403e-b40e-20066696354b})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({0ba4ac17-3329-4d46-8cf7-40a8f1cb3dca})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({2a652f47-a8ce-414c-bbb4-203a59031056})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({30571f17-3201-47ed-a8ac-254f3d5c5b5c})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({3c43bba2-9e93-4758-8669-adce56687e0c})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({4898d118-1d1e-4a2d-a8a3-4a75bf333cd5})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({4acc4c22-2baf-46ca-8287-232e785e77ce})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({517f778c-078d-4d33-953b-afbf1720c947})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({76d230aa-fc0c-4dd4-bf9e-4032d60369f1})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({87b24642-366e-4393-851a-b6cec5d7e641})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({8c22668a-d7d8-42f5-99e8-4f30ed0d18b0})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({963dfd8c-2e6a-4db4-bcb3-9d5c78142e41})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({9c1ab46a-1fe8-4953-be30-327e0d6f7d45})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({a06d036f-984f-4482-ad5c-ebd11a638b4c})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({a434ac6f-7286-42c3-982b-20f00263501b})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({c5a786b9-3bd6-4a4e-b4d7-9b752138dc4b})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({d044d89c-01e4-4722-8812-8df543680606})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({d3e78b93-4b65-405d-9095-e82b78555173})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({dd55f5c5-de77-4de1-a139-1025c66acfb0})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({e6857874-b535-46d7-a3eb-4103614e91fc})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({fbd42940-b837-40eb-bdb4-86ae00e1d0d1})! Action taken: No Action Taken.
System found infected with wareout Adware (1.dat)! Action taken: No Action Taken.
System found infected with wareout Adware (1.dat)! Action taken: No Action Taken.
System found infected with savenow Adware (C:\WINDOWS\system32\unrar.dll)! Action taken: No Action Taken.
System found infected with holistyc Dialer (C:\WINDOWS\icons)! Action taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "saminside Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "saminside Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Offending file found: C:\Dokumente und Einstellungen\+++\Lokale Einstellungen\anwendungsdaten\hp\digital imaging\cache\1.dat
Offending file found: C:\Dokumente und Einstellungen\++++\Lokale Einstellungen\Anwendungsdaten\hp\digital imaging\cache\1.dat
Offending file found: C:\WINDOWS\system32\unrar.dll
Offending file found: C:\WINDOWS\icons
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
Offending Folder found: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\cyberlink\powerdvd\ipower\im ages\hd
Offending Folder found: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\zubehör\codec\k-lite codec pack\tools
Offending Folder found: C:\Dokumente und Einstellungen\All Users\Startmenü\programme\zubehör\codec\k-lite codec pack\tools
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\MountPoints2\{cc8e300f-4438-11dc-90e9-0018de6e950c} !!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Diverses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Prozesse und Module
~~~~~~~~~~~~~~~~~~~~~~
Executable Command Found in {cc8e300f-4438-11dc-90e9-0018de6e950c}\shell\Autoplay\DropTarget\open\comma nd: %SystemRoot%\Explorer.exe /idlist,%I,%L
~~~~~~~~~~~~~~~~~~~~~~
Scanfehler
~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Hosts-Datei
~~~~~~~~~~~~~~~~~~~~~~
DataBasePath: %SystemRoot%\System32\drivers\etc
C:\WINDOWS\System32\drivers\etc\hosts :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan-Optionen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Memory Check: Enabled
Registry Check: Enabled
System Folder Check: Enabled
System Area Check: Disabled
Services Check: Enabled
Drive Check: Enabled
All Drive Check isabled
All Drive Check isabled

Batchstart: 20:17:56,01
Batchende: 20:18:08,76

Zitat:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
find.bat Version 2007.06.16.01

Microsoft Windows XP [Version 5.1.2600]
Bootmodus: NETWORK

eScan Version: 9.5.8
Sprache: English
Virus Database Date: 12/2/2007

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
System found infected with stylexp Spyware/Adware ({c333cf63-767f-4831-94ac-e683d962c63c})! Action taken: No Action Taken.
System found infected with maxsearch Adware ({c4069e3a-68f1-403e-b40e-20066696354b})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({0ba4ac17-3329-4d46-8cf7-40a8f1cb3dca})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({2a652f47-a8ce-414c-bbb4-203a59031056})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({30571f17-3201-47ed-a8ac-254f3d5c5b5c})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({3c43bba2-9e93-4758-8669-adce56687e0c})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({4898d118-1d1e-4a2d-a8a3-4a75bf333cd5})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({4acc4c22-2baf-46ca-8287-232e785e77ce})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({517f778c-078d-4d33-953b-afbf1720c947})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({76d230aa-fc0c-4dd4-bf9e-4032d60369f1})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({87b24642-366e-4393-851a-b6cec5d7e641})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({8c22668a-d7d8-42f5-99e8-4f30ed0d18b0})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({963dfd8c-2e6a-4db4-bcb3-9d5c78142e41})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({9c1ab46a-1fe8-4953-be30-327e0d6f7d45})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({a06d036f-984f-4482-ad5c-ebd11a638b4c})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({a434ac6f-7286-42c3-982b-20f00263501b})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({c5a786b9-3bd6-4a4e-b4d7-9b752138dc4b})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({d044d89c-01e4-4722-8812-8df543680606})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({d3e78b93-4b65-405d-9095-e82b78555173})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({dd55f5c5-de77-4de1-a139-1025c66acfb0})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({e6857874-b535-46d7-a3eb-4103614e91fc})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({fbd42940-b837-40eb-bdb4-86ae00e1d0d1})! Action taken: No Action Taken.
System found infected with wareout Adware (1.dat)! Action taken: No Action Taken.
System found infected with wareout Adware (1.dat)! Action taken: No Action Taken.
System found infected with savenow Adware (C:\WINDOWS\system32\unrar.dll)! Action taken: No Action Taken.
System found infected with holistyc Dialer (C:\WINDOWS\icons)! Action taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "saminside Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "saminside Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Offending file found: C:\Dokumente und Einstellungen\++++\Lokale Einstellungen\anwendungsdaten\hp\digital imaging\cache\1.dat
Offending file found: C:\Dokumente und Einstellungen\++++\Lokale Einstellungen\Anwendungsdaten\hp\digital imaging\cache\1.dat
Offending file found: C:\WINDOWS\system32\unrar.dll
Offending file found: C:\WINDOWS\icons
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
Offending Folder found: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\cyberlink\powerdvd\ipower\im ages\hd
Offending Folder found: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\zubehör\codec\k-lite codec pack\tools
Offending Folder found: C:\Dokumente und Einstellungen\All Users\Startmenü\programme\zubehör\codec\k-lite codec pack\tools
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\MountPoints2\{cc8e300f-4438-11dc-90e9-0018de6e950c} !!!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Diverses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Prozesse und Module
~~~~~~~~~~~~~~~~~~~~~~
Executable Command Found in {cc8e300f-4438-11dc-90e9-0018de6e950c}\shell\Autoplay\DropTarget\open\comma nd: %SystemRoot%\Explorer.exe /idlist,%I,%L
~~~~~~~~~~~~~~~~~~~~~~
Scanfehler
~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Hosts-Datei
~~~~~~~~~~~~~~~~~~~~~~
DataBasePath: %SystemRoot%\System32\drivers\etc
C:\WINDOWS\System32\drivers\etc\hosts :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Total Critical Objects: 30
Total Disinfected Objects: 0
Total Objects Renamed: 0
Total Deleted Objects: 0
Total Errors: 227
Time Elapsed: 00:04:05
Total Objects Scanned: 33919
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan-Optionen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Memory Check: Enabled
Registry Check: Enabled
System Folder Check: Enabled
System Area Check: Disabled
Services Check: Enabled
Drive Check Option Disabled

Batchstart: 20:24:01,09
Batchende: 20:24:15,73

Dann bekam ich die Information das es sich beim Befall um den
Spyware.IMFMonitor handelt.

Ich entfernte ihn wie bei http://www.symantec.com/ beschrieben.

Danach viel mehr Meldungen bei eScan

Code:

ATTFilter

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
find.bat Version 2007.06.16.01

Microsoft Windows XP [Version 5.1.2600]
Bootmodus: NORMAL

eScan Version: 9.5.8
Sprache: English
Virus Database Date: 12/2/2007

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Infektionsmeldungen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
System found infected with stylexp Spyware/Adware ({c333cf63-767f-4831-94ac-e683d962c63c})! Action taken: No Action Taken.
System found infected with maxsearch Adware ({c4069e3a-68f1-403e-b40e-20066696354b})! Action taken: No Action Taken.
System found infected with spyware.imfmonitor Spyware/Adware ({c5a786b9-3bd6-4a4e-b4d7-9b752138dc4b})! Action taken: No Action Taken.
System found infected with wareout Adware (1.dat)! Action taken: No Action Taken.
System found infected with wareout Adware (1.dat)! Action taken: No Action Taken.
System found infected with savenow Adware (C:\WINDOWS\system32\unrar.dll)! Action taken: No Action Taken.
System found infected with holistyc Dialer (C:\WINDOWS\icons)! Action taken: No Action Taken.
Object "wareout Adware" found in File System! Action Taken: No Action Taken.
Object "saminside Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "saminside Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Possible Fujacks-type Worm" found in File System! Action Taken: No Action Taken.
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Offending file found: C:\Dokumente und Einstellungen\++++\Lokale Einstellungen\anwendungsdaten\hp\digital imaging\cache\1.dat
Offending file found: C:\Dokumente und Einstellungen\++++\Lokale Einstellungen\Anwendungsdaten\hp\digital imaging\cache\1.dat
Offending file found: C:\WINDOWS\system32\unrar.dll
Offending file found: C:\WINDOWS\icons
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
Offending Folder found: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\cyberlink\powerdvd\ipower\im ages\hd
Offending Folder found: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\zubehör\codec\k-lite codec pack\tools
Offending Folder found: C:\Dokumente und Einstellungen\All Users\Startmenü\programme\zubehör\codec\k-lite codec pack\tools
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Explorer\MountPoints2\{cc8e300f-4438-11dc-90e9-0018de6e950c} !!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Diverses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Prozesse und Module
~~~~~~~~~~~~~~~~~~~~~~
Executable Command Found in {cc8e300f-4438-11dc-90e9-0018de6e950c}\shell\Autoplay\DropTarget\open\comma nd: %SystemRoot%\Explorer.exe /idlist,%I,%L
~~~~~~~~~~~~~~~~~~~~~~
Scanfehler
~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
Hosts-Datei
~~~~~~~~~~~~~~~~~~~~~~
DataBasePath: %SystemRoot%\System32\drivers\etc
C:\WINDOWS\System32\drivers\etc\hosts :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Total Critical Objects: 11
Total Disinfected Objects: 0
Total Objects Renamed: 0
Total Deleted Objects: 0
Total Errors: 223
Time Elapsed: 00:05:11
Total Objects Scanned: 30213
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan-Optionen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Memory Check: Enabled
Registry Check: Disabled
System Folder Check: Disabled
System Area Check: Disabled
Services Check: Disabled
Drive Check Option Disabled

Batchstart: 7:09:42,98
Batchende: 7:10:23,98

Letzter Stand: Ich habe die gelöschten Registery Einträge erst mal wieder hergestellt - da ich Angst habe das mein System sonst nicht mehr startet, ich möchte gern auf Hilfe warten.

Bitte meinen Post nicht wieder löschen - bitte - ich gab mit Mühe alles richtig zu schreiben, ich habe eine Legasthenie und muss mich sehr anstrengen dabei.

cosinus · 03.12.2007, 16:03

Hallo.

mwav/escan neigt dazu unter dem Abschnitt "Infektionsmeldungen" sehr viele Fehlalarme zu erzeugen. Auch andere Abschnitte sind davon nicht verschont, das heißt also noch nicht, dass dein System verseucht ist.

Poste mal zur Grobübersicht des Systems ein Hijackthis-Logfile. Führ auch diese Tools bzw. Anleitungen aus und poste die Logfiles:

- Silentrunners
- combofix

Raven_ · 03.12.2007, 19:11

Vielen Dank für deine Antwort. Ich poste jetzt mal die Logfiles.

- Hijackthis

Zitat:

Logfile of HijackThis v1.99.1
Scan saved at 19:08:10, on 03.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Programme\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe
C:\Programme\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Mozilla Thunderbird\thunderbird.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\hijackthis_199\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.de/
O2 - BHO: G DATA WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Programme\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NXIECatcher Class - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Programme\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Programme\Xi\NetXfer\NXToolBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Programme\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ALDI_SUED_FotoSuite_Download] "C:\Programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe" /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Alles mit NetXfer herunterladen - C:\Programme\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Diese Seite in Firefox öffnen - file://C:\Dokumente und Einstellungen\Johnny\Anwendungsdaten\Mozilla\Firefox\Profiles\o3xv8lag.Johnny\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O8 - Extra context menu item: Herunterladen mit NetXfer - C:\Programme\Xi\NetXfer\NXAddLink.html
O8 - Extra context menu item: Link-Ziel in Firefox öffnen - file://C:\Dokumente und Einstellungen\Johnny\Anwendungsdaten\Mozilla\Firefox\Profiles\o3xv8lag.Johnny\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.johannrain-softwareentwicklung.de/DE/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1183652607187
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A7FDDCC-35B2-4453-A724-9168789600E8}: NameServer = 192.168.178.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Programme\Citrix\GoToAssist\508\G2AWinLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoToAssist - Unknown owner - C:\Programme\Citrix\GoToAssist\508\g2aservice.exe" Start=service (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programme\Norton Internet Security\isPwdSvc.exe
O23 - Service: TOSHIBA RAID Service (kraidsvc) - TOSHIBA Corporation - C:\Programme\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft .NET Framework v1.1.4322 Update (NetFxUpdate_v1.1.4322) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Programme\SigmaTel\C-Major Audio\WDM\StacSV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Programme\TGTSoft\StyleXP\StyleXPService.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Programme\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Raven_ · 03.12.2007, 19:13

- Silentrunners

Zitat:

"Silent Runners.vbs", revision 53, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"00THotkey" = "C:\WINDOWS\system32\00THotkey.exe" ["TOSHIBA Corporation"]
"000StTHK" = "000StTHK.exe" [null data]
"TFNF5" = "TFNF5.exe" ["TOSHIBA Corp."]
"SmoothView" = "C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe" ["TOSHIBA Corporation"]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"TosHKCW.exe" = ""C:\Programme\TOSHIBA\Wireless Hotkey\TosHKCW.exe"" ["TOSHIBA CORPORATION"]
"NDSTray.exe" = "NDSTray.exe" ["TOSHIBA CORPORATION"]
"TPSODDCtl" = "TPSODDCtl.exe" ["TOSHIBA Corporation"]
"TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]
"IntelWireless" = ""C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"IntelZeroConfig" = ""C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
"ccApp" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"osCheck" = ""C:\Programme\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"]
"Symantec PIF AlertEng" = ""C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"ALDI_SUED_FotoSuite_Download" = ""C:\Programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe" /autorun" ["MAGIX AG"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\NppBho.dll" ["Symantec Corporation"]
{2F85D76C-0569-466F-A488-493E6BD0E955}\(Default) = (no title provided)
-> {HKLM...CLSID} = "dsWebAllowBHO Class"
\InProcServer32\(Default) = "C:\Programme\Windows Desktop Search\dsWebAllow.dll" [MS]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{83B80A9C-D91A-4F22-8DCF-EA7204039F79}\(Default) = (no title provided)
-> {HKLM...CLSID} = "NXIECatcher Class"
\InProcServer32\(Default) = "C:\Programme\Xi\NetXfer\NXIEHelper.dll" ["Xi"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{C4213067-97B3-4929-9B98-B5600FBBBA13}" = "TouchED"
-> {HKLM...CLSID} = "TouchShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll" ["TOSHIBA Corporation"]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Deskbar"
-> {HKCU...CLSID} = "Windows-Deskbar"
\InProcServer32\(Default) = "C:\Programme\Windows Desktop Search\deskbar.dll" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Programme\Windows Desktop Search\msnlExt.dll" [MS]
"{D426CFD0-87FC-4906-98D9-A23F5D515D61}" = "Windows Desktop Search Outlook Express ISearchFolder Class"
-> {HKLM...CLSID} = "Windows Desktop Search Outlook Express SearchProtocol Class"
\InProcServer32\(Default) = "C:\Programme\Windows Desktop Search\OEPH.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Meine freigegebenen Ordner"
\InProcServer32\(Default) = "C:\Programme\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]
"{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Programme\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
"{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Programme\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]
<<!>> "{93994DE8-8239-4655-B1D1-5F4E91300429}" = (no title provided)
-> {HKLM...CLSID} = "DVDIdleShell Class"
\InProcServer32\(Default) = "C:\PROGRA~1\DVDREG~1\DVDShell.dll" ["Fengtao Software Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> GoToAssist\DLLName = "C:\Programme\Citrix\GoToAssist\508\G2AWinLogon.dll" ["Citrix Online, a division of Citrix Systems, Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-ZIP\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zipn.dll" ["Igor Pavlov"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-ZIP\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zipn.dll" ["Igor Pavlov"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Context Menu Extension"
\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2004\sdshelex.dll"" ["TuneUp Software GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
7-ZIP\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zipn.dll" ["Igor Pavlov"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Johnny\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"Norton Internet Security - Systemprüfung ausführen - Johnny" -> launches: "C:\Programme\Norton Internet Security\Norton AntiVirus\Navw32.exe /TASK:"C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A}" = "NetXfer"
-> {HKLM...CLSID} = "NetXfer"
\InProcServer32\(Default) = "C:\Programme\Xi\NetXfer\NXToolBar.dll" ["Xi"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Symantec Shared\coShared\Browser\1.5\UIBHO.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
Automatisches LiveUpdate - Scheduler, Automatisches LiveUpdate - Scheduler, ""C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
ConfigFree Service, CFSvcs, "C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Programme\CyberLink\Shared Files\RichVideo.exe"" [empty string]
GEARSecurity, GEARSecurity, "C:\WINDOWS\System32\GEARSec.exe" ["GEAR Software"]
Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Programme\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Programme\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Programme\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center-Planerdienst, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SigmaTel Audio Service, STacSV, "C:\Programme\SigmaTel\C-Major Audio\WDM\StacSV.exe" ["SigmaTel, Inc."]
Symantec AppCore Service, SymAppCore, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h cltCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
TOSHIBA RAID Service, kraidsvc, ""C:\Programme\TOSHIBA\TOSHIBA RAID\Service\kraidsvc.exe"" ["TOSHIBA Corporation"]
TuneUp WinStyler Theme Service, TUWinStylerThemeSvc, ""C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe"" ["TuneUp Software GmbH"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}
X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PCL hpz3l054\Driver = "hpz3l054.dll" ["Hewlett-Packard Company"]
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]

---------- (launch time: 2007-12-03 18:46:48)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 90 seconds, including 16 seconds for message boxes)

Raven_ · 03.12.2007, 19:27

- combofix

Zitat:

ComboFix 07-12-02.7 - Johnny 2007-12-03 18:52:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.1141 [GMT 1:00]
ausgeführt von:: D:\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\regedit.com
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000009_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm

((((((((((((((((((((((( Dateien erstellt von 2007-11-03 bis 2007-12-03 ))))))))))))))))))))))))))))))
.

2007-12-03 06:27 . 2007-12-03 06:27 113,598,850 --a------ C:\Registry_Sicherung.reg
2007-12-03 02:40 . 2007-12-03 02:40 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-12-03 01:55 . 2007-12-03 01:55 <DIR> d-------- C:\Programme\Citrix
2007-12-03 01:55 . 2007-12-03 01:55 61,224 --a------ C:\Dokumente und Einstellungen\Johnny\GoToAssistDownloadHelper.exe
2007-12-02 20:23 . 2007-12-03 06:57 0 --a------ C:\23990098.$$$
2007-12-02 05:25 . 2007-12-02 06:10 <DIR> d-------- C:\Programme\Trojancheck 6
2007-12-02 04:35 . 2007-12-03 07:09 <DIR> d-------- C:\bases_x
2007-12-02 04:18 . 2007-12-02 04:36 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-02 01:59 . 2007-12-03 05:40 50 --a------ C:\WINDOWS\Lic.xxx
2007-12-02 01:52 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-02 01:03 . 2007-12-02 01:03 <DIR> d-a------ C:\WINDOWS\zts2.exe
2007-12-02 01:03 . 2007-12-02 01:03 <DIR> d-a------ C:\WINDOWS\system32\vcmgcd32.dll
2007-12-02 01:03 . 2007-12-02 01:03 <DIR> d-a------ C:\WINDOWS\system32\iifgfgf.dll
2007-12-02 01:03 . 2007-12-02 01:03 <DIR> d-a------ C:\WINDOWS\rundll16.exe
2007-12-02 01:03 . 2007-12-02 01:03 <DIR> d-a------ C:\WINDOWS\rundl132.dll
2007-12-02 01:03 . 2007-12-02 01:03 <DIR> d-a------ C:\WINDOWS\logo1_.exe
2007-12-02 00:59 . 2004-08-10 13:00 153,600 --a------ C:\WINDOWS\R.COM
2007-12-02 00:59 . 2004-08-10 13:00 140,800 --a------ C:\WINDOWS\system32\T.COM
2007-12-01 07:02 . 2007-12-01 07:02 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MAGIX
2007-12-01 07:01 . 2007-12-01 07:01 <DIR> d-------- C:\Programme\Gemeinsame Dateien\MAGIX Shared
2007-12-01 07:01 . 2007-12-01 07:01 <DIR> d-------- C:\Programme\ALDI Sued Foto Service
2007-12-01 07:01 . 2007-12-01 07:01 <DIR> d-------- C:\Programme\ALDI Online Druck Service (Sued)
2007-12-01 07:00 . 2007-12-01 07:01 <DIR> d-------- C:\WINDOWS\system32\MAGIX
2007-12-01 07:00 . 2007-07-11 11:53 697,560 --a------ C:\WINDOWS\system32\mgxoschk.dll
2007-12-01 07:00 . 2007-12-01 07:01 6,768 --a------ C:\WINDOWS\mgxoschk.ini
2007-11-30 06:06 . 2007-12-03 03:05 <DIR> d-------- C:\Dokumente und Einstellungen\Johnny\dwhelper
2007-11-30 00:47 . 2007-11-30 00:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-30 00:47 . 2007-11-30 00:47 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-28 04:42 . 2007-11-28 04:42 <DIR> d-------- C:\Programme\PC Inspector File Recovery
2007-11-28 04:42 . 2002-02-18 18:40 6,200 --a------ C:\WINDOWS\system32\INT13EXT.VXD
2007-11-25 18:01 . 2007-11-25 18:01 <DIR> d-------- C:\Programme\EA GAMES
2007-11-25 18:01 . 2004-08-18 09:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-11-24 22:56 . 2004-08-03 01:17 38,602 --a------ C:\donnie102.JPG
2007-11-23 04:15 . 2007-11-23 04:15 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Last.fm
2007-11-23 04:10 . 2007-11-23 04:10 <DIR> d-------- C:\Programme\Last.fm
2007-11-18 01:30 . 2007-11-18 01:32 <DIR> d-------- C:\Programme\Winamp
2007-11-18 01:30 . 2007-11-18 02:01 <DIR> d-------- C:\Dokumente und Einstellungen\Johnny\Anwendungsdaten\Winamp
2007-11-04 20:45 . 2007-11-17 18:34 <DIR> d-------- C:\Programme\RSSoft

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 17:47 --------- d-----w C:\Programme\Gemeinsame Dateien\Symantec Shared
2007-12-03 14:09 --------- d-----w C:\Programme\Mozilla Thunderbird
2007-12-03 14:07 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2007-12-03 13:28 26,256 ----a-w C:\Dokumente und Einstellungen\Johnny\Anwendungsdaten\wklnhst.dat
2007-12-02 16:17 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2007-12-01 23:41 --------- d-----w C:\Programme\Symantec
2007-11-28 20:05 --------- d-----w C:\Programme\Norton Internet Security
2007-11-28 03:42 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-11-03 22:15 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\DVD Shrink
2007-10-30 18:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-30 18:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-30 18:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-30 18:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-30 18:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-30 18:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-30 18:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-30 18:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-30 18:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-27 04:36 --------- d-----w C:\Programme\mp3DirectCut
2007-10-27 04:11 --------- d-----w C:\Programme\MP3Gain
2007-10-19 15:41 --------- d-----w C:\Dokumente und Einstellungen\Johnny\Anwendungsdaten\Image Zone Express
2007-10-19 15:39 --------- d-----w C:\Programme\HP
2007-10-19 15:39 --------- d-----w C:\Dokumente und Einstellungen\Johnny\Anwendungsdaten\HP
2007-10-19 15:39 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\HP
2007-10-19 15:38 --------- d-----w C:\Programme\Hewlett-Packard
2007-10-19 15:30 --------- d-----w C:\Programme\Gemeinsame Dateien\HP
2007-10-19 15:18 --------- d-----w C:\Programme\Gemeinsame Dateien\Hewlett-Packard
2007-10-06 05:24 --------- d-----w C:\Dokumente und Einstellungen\Johnny\Anwendungsdaten\Ahead
2007-10-06 05:18 --------- d-----w C:\Programme\Nero
2007-10-06 05:18 --------- d-----w C:\Programme\Gemeinsame Dateien\Ahead
2007-10-04 04:08 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-04 04:08 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-04 04:08 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-11 19:19 81,920 ----a-w C:\Dokumente und Einstellungen\Johnny\Anwendungsdaten\ezpinst.exe
2007-08-11 19:19 47,360 ----a-w C:\Dokumente und Einstellungen\Johnny\Anwendungsdaten\pcouffin.sys
2006-03-20 19:07 5,693,440 ----a-w C:\Programme\mplayerc.exe
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47 31,744 --sh--r C:\WINDOWS\system32\msfDX.dll
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 12:34]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-10 13:00 C:\WINDOWS\system32\rundll32.exe]
"00THotkey"="C:\WINDOWS\system32\00THotkey.exe" [2006-08-11 06:57]
"000StTHK"="000StTHK.exe" [2001-06-23 03:28 C:\WINDOWS\system32\000StTHK.exe]
"TFNF5"="TFNF5.exe" [2006-02-14 02:24 C:\WINDOWS\system32\TFNF5.exe]
"SmoothView"="C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe" [2005-05-13 10:01]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 15:50 C:\WINDOWS\agrsmmsg.exe]
"TosHKCW.exe"="C:\Programme\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2005-05-17 10:42]
"NDSTray.exe"="NDSTray.exe" []
"TPSODDCtl"="TPSODDCtl.exe" [2006-08-09 11:24 C:\WINDOWS\system32\TPSODDCtl.exe]
"TPSMain"="TPSMain.exe" [2006-08-09 11:24 C:\WINDOWS\system32\TPSMain.exe]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 23:32]
"IntelZeroConfig"="C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 23:38]
"ccApp"="C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Programme\Norton Internet Security\osCheck.exe" [2007-01-14 00:11]
"Symantec PIF AlertEng"="C:\Programme\Gemeinsame Dateien\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 09:22]
"ALDI_SUED_FotoSuite_Download"="C:\Programme\ALDI Sued Foto Service\ALDI_Foto_Service\FotoSuite.exe" [2007-01-26 17:44]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 13:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\PROGRA~1\DVDREG~1\DVDShell.dll [2004-10-09 14:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Programme\Citrix\GoToAssist\508\G2AWinLogon.dll 2007-12-03 01:55 10536 C:\Programme\Citrix\GoToAssist\508\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Bluetooth Manager.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Bluetooth Manager.lnk
backup=C:\WINDOWS\pss\Bluetooth Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Service Manager.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2005-10-28 15:25 94208 --a------ C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 01:41 49152 --a------ C:\Programme\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kraidman]
2006-08-21 10:56 1093708 --a------ C:\Programme\TOSHIBA\TOSHIBA RAID\Console\Kraidman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2006-12-05 21:55 54832 --a------ C:\Programme\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Programme\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2005-12-22 12:42 1077329 --a------ C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Philips Intelligent Agent]
NOT_IN_USE_DUMMY_PATH

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Programme\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Red Swoosh]
C:\Programme\RSSoft\RedSwoosh.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 14:10 56928 --------- C:\Programme\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
C:\Programme\TGTSoft\StyleXP\StyleXP.exe -Hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 02:43 83608 --a------ C:\Programme\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TFncKy]
TFncKy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TouchED]
2005-09-01 13:51 118784 --a------ C:\Programme\TOSHIBA\TouchED\TouchED.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_8

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nwiz"=nwiz.exe /install

R0 KR10N;KR10N;C:\WINDOWS\system32\drivers\KR10N.sys
R2 Automatisches LiveUpdate - Scheduler;Automatisches LiveUpdate - Scheduler;"C:\Programme\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
R2 TOS_SPS;TOSHIBA SPS Driver;\??\C:\Programme\Gemeinsame Dateien\Toshiba Shared\tos_sps.sys
R3 tosrfec;Bluetooth ACPI from TOSHIBA;C:\WINDOWS\system32\DRIVERS\tosrfec.sys
R3 ttv400x;TOSHIBA PCI DVB-T/Analog Hybrid Tuner;C:\WINDOWS\system32\drivers\ttv400x.sys
R3 WmaCDriverV32;WmaCDriverV32;C:\WINDOWS\system32\drivers\WmaCDriverV32.sys
R3 X10Hid;X10 Hid Device;C:\WINDOWS\system32\Drivers\x10hid.sys
S2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
S3 GoToAssist;GoToAssist;"C:\Programme\Citrix\GoToAssist\508\g2aservice.exe" Start=service
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc8e300f-4438-11dc-90e9-0018de6e950c}]
\shell\open\command - %SystemRoot%\Explorer.exe /idlist,%I,%L

*Newly Created Service* - COMHOST
.
Inhalt des "geplante Tasks" Ordners
"2007-11-16 16:15:00 C:\WINDOWS\Tasks\1-Klick-Wartung.job"
- C:\Programme\TuneUp Utilities 2004\SystemOptimizer.exe
"2007-11-28 20:38:11 C:\WINDOWS\Tasks\Norton Internet Security - Systemprüfung ausführen - Johnny.job"
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-03 18:59:28
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2007-12-03 19:01:15 - machine was rebooted
.
--- E O F ---

cosinus · 03.12.2007, 19:42

Hm..wirklich beängstigende Einträge hab ich nicht gefunden. Nur diese zwei Dateien:

Code:

ATTFilter

C:\WINDOWS\system32\INT13EXT.VXD
C:\WINDOWS\system32\vp6vfw.dll

Bei den ich mir nicht sicher bin, ich aber eher nicht auf Malware tippen würde. Lass die trotzdem mal bei Virustotal prüfen und poste die Ergebnisse.

eScan findet seltsame Einzräge - alle anderen Scanner zeigen nicht an

Plagegeister aller Art und deren Bekämpfung: eScan findet seltsame Einzräge - alle anderen Scanner zeigen nicht an