Worm.Win32.Netsky... once again

27.12.2007, 04:26 | #1
Hello,

since yesterday I have been getting the message non-stop that my computer has been infected by Worm.Win32.Netsky. Stupidly, the first time I went ahead and clicked "remove virus". I now have icons for Spyware and Malware Protection, as well as Error Cleaner and Privacy Protector, on the desktop. On top of that, a Security Alert window pops up roughly every 10 minutes. Sometimes the computer also tries to connect to the Internet straight away, or shows the message "the requested web page is not available in offline mode". Even when I choose to stay offline, it tries to connect to http://www.safenavweb.com/index.php?sid=0&pn=&aid=0&said=0&pid=0. I have already read up a bit here on your site and downloaded HijackThis, Smitfraud, Avenger and Silent Runners and created log files. I also made hidden folders visible in Explorer. While going through the log files, the following exe file caught my eye:

C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe" hide

This very "suspicious" exe file could only be deleted with Unlocker and Amok (otherwise I always got the message that the exe file is currently being used by another program and cannot be deleted). But after a restart and creating the log files again, it shows up again? And the folder on C: is empty? You will find my HijackThis and Smitfraud log files attached as txt files. Silent Runners was unfortunately too big (see below). Please have a look at my log files. I hope you can help me finally get rid of the damn worm, and I thank you in advance for your help.
3) Silent Runners

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"TOSCDSPD" = "C:\Programme\TOSHIBA\TOSCDSPD\toscdspd.exe" ["TOSHIBA"]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"updateMgr" = ""C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = ""C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"THotkey" = "C:\Programme\Toshiba\Toshiba Applet\thotkey.exe" ["TOSHIBA"]
"Tvs" = "C:\Programme\TOSHIBA\Tvs\TvsTray.exe" ["TOSHIBA Corporation"]
"TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]
"NDSTray.exe" = "NDSTray.exe" ["TOSHIBA CORPORATION"]
"SmoothView" = "C:\Programme\TOSHIBA\TOSHIBA Zoom-Dienstprogramm\SmoothView.exe" ["TOSHIBA Corporation"]
"PadTouch" = "C:\Programme\TOSHIBA\Touch and Launch\PadExe.exe" ["TOSHIBA"]
"DLA" = "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" ["Sonic Solutions"]
"SSC_UserPrompt" = "C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"CFSServ.exe" = "CFSServ.exe -NoClient" ["TOSHIBA CORPORATION"]
"Adobe Photo Downloader" = ""C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"NeroCheck" = "C:\WINDOWS\system32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"pviever" = ""C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe" hide" [file not found]
"NI.UGA6P_0001_N122M2210" = ""C:\Dokumente und Einstellungen\Moerten\Lokale Einstellungen\Temporary Internet Files\Content.IE5\LFFX7LN0\install_en[1].exe"" [file not found]
"SM_IAN" = "C:\Programme\AdvancedCleaner Free\ian_monitor.exe" [file not found]
"bm" = ""C:\Programme\Gemeinsame Dateien\SichererAntivirus\bm.exe" dm=http://sichererantivirus.com ad=http://sichererantivirus.com sd=http://ykeeper.sichererantivirus.com" [file not found]
"ptask" = "C:\Programme\SichererAntivirus\ptask.exe" [file not found]
"Salestart" = ""C:\Programme\Gemeinsame Dateien\SecurePCCleaner\mc.exe" dm=http://securepccleaner.com ad=http://securepccleaner.com sd=http://ilp.securepccleaner.com" [file not found]
"SPAMfighter Agent" = ""C:\Programme\SPAMfighter\SFAgent.exe" update delay 60" ["SPAMfighter ApS"]
"Norman ZANDA" = "C:\VIRUSfighter\Npm\bin\ZLH.EXE /LOAD /SPLASH" ["Norman ASA"]
"UnlockerAssistant" = ""C:\Programme\Unlocker\UnlockerAssistant.exe"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "*b" (unwritable string)
  -> {HKLM...CLSID} = "DriveLetterAccess"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
{83CDEF6B-98D2-4C60-84FC-00C44606A4F8}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "BDEX System"
                   \InProcServer32\(Default) = "C:\WINDOWS\domnftwpto.dll" [empty string]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "MSN Suche Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Programme\MSN Toolbar Suite\TB\02.05.0000.1082\de-de\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
  -> {HKLM...CLSID} = "RecordNow! SendToExt"
                   \InProcServer32\(Default) = "C:\Programme\Sonic\RecordNow!\shlext.dll" [null data]
"{E91B2703-013E-4A99-AD33-2B6FB00AA356}" = "RecordNow! ContextMenuExt"
  -> {HKLM...CLSID} = "RecordNow! ContextMenuExt"
                   \InProcServer32\(Default) = "C:\Programme\Sonic\RecordNow!\shlext.dll" [null data]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows-Desktopsuche"
  -> {HKLM...CLSID} = "Windows-Desktopsuche"
                   \InProcServer32\(Default) = "C:\Programme\MSN Toolbar Suite\EXT\02.05.0001.1119\de-de\msnlExt.dll" [MS]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "MSN Deskbar"
  -> {HKLM...CLSID} = "MSN Suche-Deskbar"
                   \InProcServer32\(Default) = "C:\Programme\MSN Toolbar Suite\DB\02.05.0000.1082\de-de\deskbar.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{411F1A16-DEEE-41D8-9631-12CF7981FE4C}" = "SCSDelete"
  -> {HKLM...CLSID} = "SCSDelete"
                   \InProcServer32\(Default) = "C:\Programme\SysCleaner\com\scsdelete.dll" [null data]
"{B33DE756-DEEE-4D7A-87DB-1D905BA2AA21}" = "secure_del"
  -> {HKLM...CLSID} = "secure_del"
                   \InProcServer32\(Default) = "C:\Programme\SecurePCCleaner\secure_del.dll" [file not found]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Programme\Unlocker\UnlockerCOM.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"alxvdvm" = "{2F99A521-C2F4-4BE0-B665-778073159B78}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\alxvdvm.dll" [null data]
"bvtqfvx" = "{971E0CBA-4637-4901-AC05-0D55CD00F0D3}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\bvtqfvx.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
NVC\(Default) = "{D5507020-DB45-11d1-A5F0-00600872F78D}"
  -> {HKLM...CLSID} = "Norman Virus Control Shell Extension"
                   \InProcServer32\(Default) = "C:\VIRUSfighter\Nvc\BIN\NVCSE.DLL" ["Norman Data Defense Systems"]
secure_del\(Default) = "{B33DE756-DEEE-4D7A-87DB-1D905BA2AA21}"
  -> {HKLM...CLSID} = "secure_del"
                   \InProcServer32\(Default) = "C:\Programme\SecurePCCleaner\secure_del.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
NVC\(Default) = "{D5507020-DB45-11d1-A5F0-00600872F78D}"
  -> {HKLM...CLSID} = "Norman Virus Control Shell Extension"
                   \InProcServer32\(Default) = "C:\VIRUSfighter\Nvc\BIN\NVCSE.DLL" ["Norman Data Defense Systems"]
secure_del\(Default) = "{B33DE756-DEEE-4D7A-87DB-1D905BA2AA21}"
  -> {HKLM...CLSID} = "secure_del"
                   \InProcServer32\(Default) = "C:\Programme\SecurePCCleaner\secure_del.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
NVC\(Default) = "{D5507020-DB45-11d1-A5F0-00600872F78D}"
  -> {HKLM...CLSID} = "Norman Virus Control Shell Extension"
                   \InProcServer32\(Default) = "C:\VIRUSfighter\Nvc\BIN\NVCSE.DLL" ["Norman Data Defense Systems"]
secure_del\(Default) = "{B33DE756-DEEE-4D7A-87DB-1D905BA2AA21}"
  -> {HKLM...CLSID} = "secure_del"
                   \InProcServer32\(Default) = "C:\Programme\SecurePCCleaner\secure_del.dll" [file not found]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Programme\Unlocker\UnlockerCOM.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
SCSDelete\(Default) = "{411F1A16-DEEE-41D8-9631-12CF7981FE4C}"
  -> {HKLM...CLSID} = "SCSDelete"
                   \InProcServer32\(Default) = "C:\Programme\SysCleaner\com\scsdelete.dll" [null data]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Programme\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Moerten\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Moerten" & "All Users" startup folders:
---------------------------------------------------------

C:\Dokumente und Einstellungen\Moerten\Startmenü\Programme\Autostart
"Microsoft Office OneNote 2003 Schnellstart" -> shortcut to: "C:\Programme\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr" [MS]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Windows-Desktopsuche" -> shortcut to: "C:\Programme\MSN Toolbar Suite\DS\02.05.0001.1119\de-de\bin\WindowsSearch.exe /startup" [MS]
"WinZip Quick Pick" -> shortcut to: "C:\Programme\WinZip\WZQKPICK.EXE" ["WinZip Computing LP"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
  -> {HKLM...CLSID} = "MSN Suche Toolbar"
                   \InProcServer32\(Default) = "C:\Programme\MSN Toolbar Suite\TB\02.05.0000.1082\de-de\msntb.dll" [MS]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
  -> {HKLM...CLSID} = "MSN Suche Toolbar"
                   \InProcServer32\(Default) = "C:\Programme\MSN Toolbar Suite\TB\02.05.0000.1082\de-de\msntb.dll" [MS]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
  -> {HKLM...CLSID} = "MSN Suche Toolbar"
                   \InProcServer32\(Default) = "C:\Programme\MSN Toolbar Suite\TB\02.05.0000.1082\de-de\msntb.dll" [MS]
"{940EBD8D-A3B7-44F9-A850-F60E76BE3B22}" = (no title provided)
  -> {HKLM...CLSID} = "The emlkdvo"
                   \InProcServer32\(Default) = "C:\WINDOWS\emlkdvo.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{E8F65084-03A6-47F4-8880-5FCD08E9C9B9}\
"ButtonText" = "eBay"
"Exec" = "C:\Programme\Internet Explorer\Signup\ToshibaGotoEbay.exe" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Atheros-Konfigurationsdienst, ACS, "C:\WINDOWS\system32\acs.exe" [null data]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
ConfigFree Service, CFSvcs, "C:\Programme\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]
iPod-Dienst, iPod Service, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Inc."]
Norman eLogger service 6, eLoggerSvc6, ""C:\VIRUSfighter\Npm\bin\ELOGSVC.EXE"" ["Norman ASA"]
Norman NJeeves, Norman NJeeves, "C:\VIRUSfighter\Npm\bin\NJEEVES.EXE" ["Norman ASA"]
Norman Virus Control on-access component, nvcoas, "C:\VIRUSfighter\Nvc\bin\nvcoas.exe" ["Norman ASA"]
Norman Virus Control Scheduler, NVCScheduler, "C:\VIRUSfighter\Nvc\BIN\NVCSCHED.EXE" ["Norman ASA"]
Norman ZANDA, Norman ZANDA, ""C:\VIRUSfighter\Npm\Bin\Zanda.exe"" ["Norman ASA"]
SPAMfighter Update Service, SPAMfighter Update Service, "C:\Programme\SPAMfighter\sfus.exe" ["SPAMfighter ApS"]
SymWMI Service, SymWSC, ""C:\Programme\Gemeinsame Dateien\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
TOSHIBA Application Service, TAPPSRV, ""C:\Programme\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe"" ["TOSHIBA Corp."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2007-12-27 02:33:46)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 1197 seconds.
---------- (total run time: 1330 seconds)
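An added example, not from the poster and not code from the Silent Runners project: a small Python triage script for a Silent Runners-style report like the one above. It groups the report into launch points under their registry key and scores each one on the indicators visible in this log: `[file not found]` on Run entries (the rogue's loaders are gone but their launch points survived the half-finished cleanup), DLLs loaded straight out of `C:\WINDOWS\` under random names from Browser Helper Objects, ShellServiceObjectDelayLoad and Toolbar keys, a Run entry executing out of the `Content.IE5` browser cache, and command lines carrying URLs. The weights and the threshold are my assumptions, and `SAMPLE_LOG` is an excerpt constructed from entries in the log above.

```python
"""Triage of a Silent Runners-style autostart report. Added example, not code
from the original post or from Silent Runners; it parses the report layout shown
in the thread (registry key headers, one launch point per line, "->" and
InProcServer32 continuation lines, a trailing [tag] that Silent Runners derives
from the target's version info). Weights and SAMPLE_LOG are assumptions."""
import re
from dataclasses import dataclass, field

# Tag semantics: [MS] Microsoft binary, ["Vendor"] has version info, [null data]
# or [empty string] no version info, [file not found] the registry entry
# outlived its target (typical after a half-finished cleanup).
TAG_WEIGHTS = {"file not found": 2, "null data": 1, "empty string": 1}
# COM load points where an unnamed, unversioned DLL is rarely legitimate.
COM_LAUNCH_KEYS = ("browser helper objects", "shellserviceobjectdelayload",
                   "internet explorer\\toolbar", "winlogon\\notify")
KEY_RE = re.compile(r"^HK(?:LM|CU)\\.*\\(?: \{\+\+\})?$")
TAG_RE = re.compile(r"\[([^\]]*)\]\s*$")
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"]*?\.(?:exe|dll|scr|vbs|cpl))", re.I)
TITLE_RE = re.compile(r"\{HKLM\.\.\.CLSID\} = (.+)$")
WINDIR_DLL_RE = re.compile(r"[a-z]:\\windows\\[^\\]+\.dll")

@dataclass
class Entry:
    key: str
    name: str
    raw: str
    path: str = ""
    tag: str = ""
    title: str = ""
    score: int = 0
    reasons: list = field(default_factory=list)

def parse_report(text):
    """Group report lines into launch-point entries under their registry key."""
    entries, key, current = [], "", None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if KEY_RE.match(line):                      # new registry key header
            key, current = line, None
            continue
        if current and line.startswith(("->", "\\InProcServer32")):
            if m := TITLE_RE.search(line):          # CLSID title of a COM object
                current.title = m.group(1).strip()
            current.raw += " " + line
        else:
            current = Entry(key, line.split(" = ", 1)[0].strip('"'), line)
            entries.append(current)
        if m := TAG_RE.search(line):
            current.tag = m.group(1)
        if m := PATH_RE.search(line):
            current.path = m.group(1)
    return entries

def score_entry(e):
    """Attach indicator weights and human-readable reasons to one entry."""
    p = e.path.lower()
    checks = [
        (TAG_WEIGHTS.get(e.tag.lower(), 0), f"target marked [{e.tag}]"),
        (3 * bool(WINDIR_DLL_RE.fullmatch(p)), "DLL sitting directly in the Windows directory"),
        (2 * ("temporary internet files" in p or "content.ie5" in p), "launches out of the browser cache"),
        (2 * bool(e.path and re.search(r"https?://", e.raw, re.I)), "command line carries URLs"),
        (int(e.title == "(no title provided)" and any(k in e.key.lower() for k in COM_LAUNCH_KEYS)),
         "unnamed COM object at a shell/browser load point"),
    ]
    for weight, reason in checks:
        if weight:
            e.score += weight
            e.reasons.append(reason)
    return e

def triage(report, threshold=2):
    """Return entries scoring at or above threshold, most suspicious first."""
    hits = [e for e in map(score_entry, parse_report(report)) if e.score >= threshold]
    return sorted(hits, key=lambda e: (-e.score, e.name))

# Constructed excerpt, copied from entries in the thread's log above.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"pviever" = ""C:\Program Files\Gay-Lesbian-Photo\Gay-Lesbian-Photo.exe" hide" [file not found]
"NI.UGA6P_0001_N122M2210" = ""C:\Dokumente und Einstellungen\Moerten\Lokale Einstellungen\Temporary Internet Files\Content.IE5\LFFX7LN0\install_en[1].exe"" [file not found]
"bm" = ""C:\Programme\Gemeinsame Dateien\SichererAntivirus\bm.exe" dm=http://sichererantivirus.com ad=http://sichererantivirus.com sd=http://ykeeper.sichererantivirus.com" [file not found]
"UnlockerAssistant" = ""C:\Programme\Unlocker\UnlockerAssistant.exe"" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{83CDEF6B-98D2-4C60-84FC-00C44606A4F8}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "BDEX System"
                   \InProcServer32\(Default) = "C:\WINDOWS\domnftwpto.dll" [empty string]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"alxvdvm" = "{2F99A521-C2F4-4BE0-B665-778073159B78}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\alxvdvm.dll" [null data]
'''

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.score}] {e.name}: {'; '.join(e.reasons)}")
```

Run against the excerpt, the unnamed `alxvdvm` ShellServiceObjectDelayLoad entry ranks first, followed by the `bm` and `NI.UGA6P...` loaders and the BDEX System BHO; `UnlockerAssistant` stays below the threshold, because `[null data]` on its own (no version resource) also describes legitimate tools in the same log such as Unlocker and RecordNow, and `ctfmon.exe` is not touched at all. The point of the combined scoring is exactly that: one weak indicator is noise, a DLL with no name and no version info sitting in the Windows root at a COM load point is not.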