|
Plagegeister aller Art und deren Bekämpfung: TR/VB.aqt.58Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
19.05.2008, 22:46 | #16 |
| TR/VB.aqt.58 'prepare first line of report file strLine = Chr(34) & "Silent Runners.vbs" & Chr(34) & ", revision " &_ strRevNo & " (Echo output), launched at: " & FmtTime & "> " If strOS = "W98" Or strOs = "WME" Then 'echo into SFN (echo to LFN incurs 62-chr line length limit) strLine = strLine & strFNS 'avoid > under W98 since it cannot be easily escaped strGT = " -) " Else 'for all other O/S's, echo into LFN strLine = strLine & Chr(34) & strFN & Chr(34) End If 'W98? 'create report file with Echo Wshso.Run "%COMSPEC% /c echo " & strLine,0,TRUE End If 'intErrNum > 0? WriteOut "Operating System: " & strOSLong : SkipLine : SkipLine 'use WMI to connect to the registry On Error Resume Next Dim oReg : Set oReg = GetObject("winmgmts:root\default:StdRegProv") intErrNum = Err.Number On Error Goto 0 Err.Clear If intErrNum <> 0 Then strURL = "http://tinyurl.com/7wd7" If strOS = "W98" Then strURL = "http://tinyurl.com/jbxe" WriteOut "This script requires WMI, which can be downloaded at: " & strURL If IsObject(oFN) Then oFN.Close If flagOut = "W" Then intMB = MsgBox ("This script requires " & Chr(34) & "WMI" & Chr(34) &_ ", Windows Management Instrumentation, to run." & vbCRLF &_ vbCRLF & "It can be downloaded at: " & strURL & vbCRLF & vbCRLF &_ "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_ "the download site or " & Chr(34) & "Cancel" & Chr(34) &_ " to quit.", vbOKCancel + vbExclamation,"WMI Not Installed!") If intMB = 1 Then Wshso.Run strURL Else 'flagOut = "C" WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_ Chr(34) & "WMI" & Chr(34) & ", Windows Management Instrumentation, " &_ "to run." & vbCRLF & vbCRLF & "It can be downloaded at: " & strURL End If WScript.Quit End If 'WMI execution error 'I. Examine HKCU/HKLM... Run/RunOnce/RunOnceEx/RunServices/RunServicesOnce ' and HKCU/HKLM... Policies\Explorer\Run 'put keys in array (Key Index 0 - 6) arRunKeys = Array ("SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\Run", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices", _ "SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce") 'Key Execution Flag/Subkey Recursion Flag array ' 'first number in the ordered pair in the array immediately below pertains to execution of the key: '0: not executed (ignore) '1: may be executed so display with EXECUTION UNLIKELY warning '2: executable ' 'second number in the ordered pair pertains to subkey recursion '0: subkeys not used '1: subkey recursion necessary 'Hive HKCU - 0 HKLM - 1 ' 'Key 0 1 2 3 4 5 6 0 1 2 3 4 5 6 'Index ' 'O/S: 'W98 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0 'WME 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0 'NT4 1,0 2,0 2,0 0,0 0,0 0,0 0,0 1,0 2,0 2,0 1,0 2,1 0,0 0,0 'W2K 2,1 2,1 2,1 0,0 0,0 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0 'WXP 2,0 2,0 2,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 1,0 2,1 0,0 0,0 'WS2K3 ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? ??? 'arRegFlag(i,j,k): put flags in array by O/S: 'hive = i (0 or 1), key_# = j (0-6), flags (key execution/subkey recursion) = k (0 or 1) ' k = 0 holds key execution value = 0/1/2 ' 1 holds subkey recursion value = 0/1 Dim arRegFlag() ReDim arRegFlag(1,6,1) 'initialize entire array to zero For i = 0 To 1 : For j = 0 To 6 : For k = 0 To 1 arRegFlag(i,j,k) = 0 Next : Next : Next 'add data to array for O/S that's running 'W98 0,0 2,0 2,0 0,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 2,1 2,0 2,0 If strOS = "W98" Or strOS = "WME" Then arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn End If 'NT4 1,0 2,0 2,0 0,0 0,0 0,0 0,0 1,0 2,0 2,0 1,0 2,1 0,0 0,0 If strOS = "NT4" Then arRegFlag(0,0,0) = 1 'HKCU,Explorer\Run = warning arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn arRegFlag(1,0,0) = 1 'HKLM,Explorer\Run = warning arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn arRegFlag(1,3,0) = 1 'HKLM,RunOnce\Setup = warning arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys End If 'W2K 2,1 2,1 2,1 0,0 0,0 0,0 0,0 2,1 2,1 2,1 0,0 2,1 0,0 0,0 If strOs = "W2K" Then arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn arRegFlag(0,2,1) = 1 'HKCU,RunOnce = sub-keys arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn arRegFlag(1,2,1) = 1 'HKLM,RunOnce = sub-keys arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys End If 'WXP 2,0 2,0 2,0 0,0 0,0 0,0 0,0 2,0 2,0 2,0 1,0 2,1 0,0 0,0 If strOs = "WXP" Then arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn arRegFlag(1,3,0) = 1 'HKLM,RunOnce\Setup = warning arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys End If 'write registry header lines to file strLine = "Startup items buried in registry:" WriteOut strLine : WriteOut String(Len(strLine),"-") : SkipLine 'for each hive For i = 0 To 1 'for each key For j = 0 To 6 'if key is not ignored If arRegFlag(i,j,0) > 0 Then 'intialize string with warning if necessary strWarn = "" If arRegFlag(i,j,0) = 1 Then strWarn = "EXECUTION UNLIKELY: " 'find key's entries EnumKeyData arHives(i,1), arHives(i,0), arRunKeys(j), strWarn 'recurse subkeys if necessary If arRegFlag(i,j,1) = 1 Then 'put all subkeys into array oReg.EnumKey arHives(i,1),arRunKeys(j),arKeys 'if sub-keys exist If IsArray(arKeys) Then 'in W98, if no sub-keys exist, IsArray(arKeys) = True & UBound(arKeys) = -1 'in W2K, False If UBound(arKeys) >= 0 Then 'for each subkey For Each oKey in arKeys 'find key's entries EnumKeyData arHives(i,1), arHives(i,0), arRunKeys(j) & "\" & oKey, strWarn Next End If 'UBounds sub-keys array >= 0? End If 'sub-keys array exists? End If 'enum sub-keys? End If 'arRegFlag(i,j,0) > 0 Next 'Run key Next 'Hive 'recover array memory ReDim arRunKeys(0) ReDim arKeys(0) ReDim arRegFlag(0,0,0) 'II. Examine HKLM... Active Setup\Installed Components 'flags True if only numeric & comma chrs in Version values Dim flagHKLMVer, flagHKCUVer 'StubPath Value string, HKLM Version value, HKCU Version value Dim strSPV, strHKLMVer, strHKCUVer Dim arHKLMKeys, arHKCUKeys, oHKLMKey, oHKCUKey strKey = "Software\Microsoft\Active Setup\Installed Components" 'find all the subkeys oReg.EnumKey HKLM, strKey, arHKLMKeys 'HKLM oReg.EnumKey HKCU, strKey, arHKCUKeys 'HKCU 'enumerate HKLM keys if present If IsArray(arHKLMKeys) Then 'for each HKLM key For Each oHKLMKey In arHKLMKeys 'get the StubPath value oReg.GetStringValue HKLM,strKey & "\" & oHKLMKey,"StubPath",strSPV 'if the StubPath value exists If Not IsNull(strSPV) And strSPV <> "" Then flagMatch = False 'if HKCU keys present If IsArray(arHKCUKeys) Then 'for each HKCU key For Each oHKCUKey in arHKCUKeys 'if identical HKLM key exists If oHKLMKey = oHKCUKey Then 'assume Version fmts are OK flagHKLMVer = True : flagHKCUVer = True 'get HKLM & HKCU Version values 'if values are not set, returned strings will be random chrs (W2K) or empty string (W98) oReg.GetStringValue HKLM,strKey & "\" & oHKLMKey,"Version",strHKLMVer 'HKLM Version # oReg.GetStringValue HKCU,strKey & "\" & oHKCUKey,"Version",strHKCUVer 'HKCU Version # 'if HKLM Version name exists (value may not be set!) If Not IsNull(strHKLMVer) Then 'the next two loops check for allowed chars (numeric & comma) ' in returned Version values For i = 1 To Len(strHKLMVer) strChr = Mid(strHKLMVer,i,1) If Not IsNumeric(strChr) And strChr <> "," Then flagHKLMVer = False Next End If 'HKLM Version not null 'if HKCU Version name exists (value may not be set!) If Not IsNull(strHKCUVer) Then 'check that value consists only of numeric & comma chrs For i = 1 To Len(strHKCUVer) strChr = Mid(strHKCUVer,i,1) If Not IsNumeric(strChr) And strChr <> "," Then flagHKCUVer = False Next End If 'HKCU Version null or MT? 'if HKLM Ver # has illegal fmt (i.e., is not set) or doesn't exist (is Null) ' or is empty, match = True 'if HKCU/HKLM Ver # fmts OK And HKCU Ver # >= HKLM Ver #, match = True 'if HKLM Ver # = "0,0" and HKCU Ver # = "", key will output ' but StubPath will not launch If Not flagHKLMVer Or IsNull(strHKLMVer) Or strHKLMVer = "" Then flagMatch = True If flagHKLMVer And flagHKCUVer And strHKCUVer >= strHKLMVer Then flagMatch = True End If 'HKCU key=HKLM key? Next 'HKCU Installed Components key End If 'HKCU Installed Components subkeys exist? 'if the StubPath will launch If Not flagMatch Then 'get the default value (program name) oReg.GetStringValue HKLM,strKey & "\" & oHKLMKey,"",strHKCUVer 'output the title line if not already done If Not flagTLW Then WriteOut "HKLM" & "\" & strKey & "\" flagTLW = True End If On Error Resume Next 'write the quote-delimited name and default value to a file WriteOut Chr(34) & oHKLMKey & "\(Default)" & Chr(34) & " = " &_ Chr(34) & strHKCUVer & Chr(34) If Err.Number <> 0 Then WriteOut Chr(34) & oHKLMKey & "\(Default)" & Chr(34) &_ " = (no title provided)" Err.Clear WriteOut Space(Len(oHKLMKey)+1) & "\StubPath = " &_ Chr(34) & strSPV & Chr(34) & CoName(IDExe(strSPV)) If Err.Number <> 0 Then WriteOut Space(Len(oHKLMKey)+1) & "\StubPath = " &_ "** WARNING -- empty or invalid data! **" Err.Clear On Error GoTo 0 End If 'flagMatch false? End If 'StubPath value exists? Next 'HKLM Installed Components subkey End If 'HKLM Installed Components subkeys exist? If flagTLW Then SkipLine flagTLW = False 'recover array memory ReDim arHKLMKeys(0) ReDim arHKCUKeys(0) 'III. Examine HKLM... Explorer\Browser Helper Objects strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" 'find all the subkeys oReg.EnumKey HKLM, strKey, arKeys 'enumerate data if present If IsArray(arKeys) Then 'for each key For Each oKey In arKeys If Not flagTLW Then WriteOut "HKLM" & "\" & strKey & "\" flagTLW = True End If If Len(oKey) = 38 Then 'oKey is CLSID 'get the data oReg.GetStringValue HKLM,strKey & "\" & oKey,"",strValue 'if the name doesn't exist If IsNull(strValue) Or strValue = "" Then 'check the CLSID default value strKey2 = "Software\Classes\CLSID\" & oKey oReg.GetStringValue HKLM,strKey2,"",strValue End If 'if the name doesn't exist If IsNull(strValue) Or strValue = "" Then 'use a standard string strValue = "(no title provided)" Else 'the name exists so embed it in quotes strValue = Chr(34) & strValue & Chr(34) End If 'resolve the data via HKLM\Software\Classes\CLSID\{data}\InProcServer32 strKey2 = "Software\Classes\CLSID\" & oKey & "\InProcServer32" oReg.GetExpandedStringValue HKLM,strKey2,"",strValue2 If IsNull(strValue2) Or strValue2 = "" Then strValue2 = "(no data)" On Error Resume Next 'write the quote-delimited name and value to a file WriteOut oKey & "\(Default) = " & strValue If Err.Number <> 0 Then WriteOut oKey & "\(Default) = (no title provided)" Err.Clear WriteOut " " & strGT & "resolves to: {CLSID}\InprocServer32\(Default) = " &_ Chr(34) & strValue2 & Chr(34) & CoName(IDExe(strValue2)) If Err.Number <> 0 Then WriteOut " " & strGT & "resolves to: {CLSID}\InprocServer32\(Default) = " &_ "** WARNING! empty or invalid data **" End If Err.Clear On Error GoTo 0 End If 'oKey CSID? Next 'BHO subkey End If 'BHO subkeys exist? If flagTLW Then SkipLine flagTLW = False 'recover array memory ReDim arKeys(0) 'IV. Examine HKLM... Explorer\SharedTaskScheduler strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler" 'find all the names in the key oReg.EnumValues HKLM, strKey, arNames, arType 'enumerate data if present If IsArray(arNames) Then 'for each name For Each oName In arNames If Len(oName) = 38 Then 'oName is CLSID 'get the data oReg.GetStringValue HKLM,strKey,oName,strValue 'resolve the data via HKLM\Software\Classes\CLSID\{data}\InProcServer32 strKey2 = "Software\Classes\CLSID\" & oName & "\InProcServer32" oReg.GetExpandedStringValue HKLM,strKey2,"",strValue2 strLine = LCase(Fso.GetSpecialFolder(SysFolder).Path) 'write unexpected quote-delimited name and value to the file If InStr(LCase(strValue2),strLine & "\browseui.dll") = 0 Then 'output the title line if not already done If Not flagTLW Then WriteOut "HKLM" & "\" & strKey & "\" flagTLW = True End If On Error Resume Next WriteOut "INFECTION WARNING! " & Chr(34) & oName & Chr(34) &_ " = " & Chr(34) & strValue & Chr(34) If Err.Number <> 0 Then WriteOut Chr(34) & oName & Chr(34) &_ " = ** WARNING -- empty or invalid data! **" Err.Clear WriteOut " " & strGT & "resolves to: {CLSID}\InprocServer32\(Default) = " &_ strValue2 & CoName(IDExe(strValue2)) If Err.Number <> 0 Then WriteOut " " & strGT & "resolves to: " &_ "{CLSID}\InprocServer32\(Default) = ** WARNING -- empty or invalid data! **" Err.Clear On Error GoTo 0 End If 'unexpected data? Else 'oName is _not_ CLSID 'output the title line if not already done If Not flagTLW Then WriteOut "HKLM" & "\" & strKey & "\" flagTLW = True End If WriteOut Chr(34) & oName & Chr(34) & " = ** INVALID DATA (not CLSID) **" End If 'oName CLSID? Next 'arNames array member End If 'arNames array exists If flagTLW Then SkipLine flagTLW = False 'recover array memory ReDim arNames(0) 'V. Examine HKCU/HKLM... ShellServiceObjectDelayLoad strKey = "Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad" 'Dim arHives(1,1) 'arHives(0,0) = "HKCU" : arHives(1,0) = "HKLM" 'arHives(0,1) = &H80000001 : arHives(1,1) = &H80000002 For i = 0 To 1 'for each hive 'find all the names in the key oReg.EnumValues arHives(i,1), strKey, arNames, arType 'enumerate data if present If IsArray(arNames) Then 'write the full key name WriteOut arHives(i,0) & "\" & strKey & "\" flagTLW = True 'for each name For Each oName In arNames 'get the data oReg.GetStringValue arHives(i,1),strKey,oName,strValue If Len(strValue) = 38 Then 'data is CLSID 'find the data for HKLM\Software\Classes\CLSID\{this data}\InProcServer32 strKey2 = "Software\Classes\CLSID\" & strValue & "\InProcServer32" oReg.GetStringValue HKLM,strKey2,"",strValue2 'write the quote-delimited name and value to the file On Error Resume Next WriteOut Chr(34) & oName & Chr(34) & " = " & Chr(34) & strValue & Chr(34) If Err.Number <> 0 Then WriteOut Chr(34) & oName & Chr(34) &_ " = ** WARNING -- empty or invalid data! **" Err.Clear WriteOut " " & strGT & "resolves to: {CLSID}\InprocServer32\(Default) = " &_ Chr(34) & strValue2 & Chr(34) & CoName(IDExe(strValue2)) If Err.Number <> 0 Then WriteOut " " & strGT & "resolves to: " &_ "{CLSID}\InprocServer32\(Default) = ** WARNING -- empty or invalid data! **" Err.Clear On Error GoTo 0 Else 'corrupt CLSID 'write the quote-delimited name and bad data warning to the file WriteOut Chr(34) & oName & Chr(34) & " = ** INVALID DATA ** (not CLSID)" End If Next End If 'arNames array exists If flagTLW Then SkipLine flagTLW = False Next 'hive strLine = "" 'recover array memory ReDim arType(0) ReDim arNames(0) 'VI. Find values of specific names: ' HKCU... Command Processor\AutoRun ' HKCU... Policies\System\Shell (XP only!) ' HKCU... Windows\load & run ' HKCU... Command Processor\AutoRun ' HKCU... Winlogon\Shell ' HKLM... Windows\AppInit_DLLs ' HKLM... Winlogon\Shell & Userinit & System & Ginadll If strOS <> "W98" And strOS <> "WME" Then 'HKCU\Software\Microsoft\Command Processor\AutoRun RegDataChk HKCU, "SOFTWARE\Microsoft\Command Processor", "AutoRun", strValue, "" If flagTLW Then SkipLine flagTLW = False If strOS = "WXP" Then 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell '"Shell" = "" RegDataChk HKCU, "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "Shell", strValue, "" If flagTLW Then SkipLine flagTLW = False End If 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load & run RegDataChk HKCU, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "load", strValue, "" RegDataChk HKCU, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "run", strValue, "" If flagTLW Then SkipLine flagTLW = False 'HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell '"Shell" = "Explorer.exe" RegDataChk HKCU, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", strValue, "explorer.exe" If flagTLW Then SkipLine flagTLW = False 'HKLM\Software\Microsoft\Command Processor\AutoRun RegDataChk HKLM, "SOFTWARE\Microsoft\Command Processor", "AutoRun", strValue, "" If flagTLW Then SkipLine flagTLW = False 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs RegDataChk HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs", strValue, "" If flagTLW Then SkipLine flagTLW = False 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL & Shell & Userinit & System '"GinaDLL" = "MSGina.dll"; "Shell" = "Explorer.exe"; "Userinit" = "%SystemRoot%\system32\userinit.exe,"; "System" = "" RegDataChk HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "GinaDLL", strValue, "msgina.dll" RegDataChk HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", strValue, "explorer.exe" 'find value for "Userinit" name strKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" oReg.GetStringValue HKLM,strKey,"Userinit",strValue If strOS = "NT4" And LCase(strValue) <> "userinit,nddeagnt.exe" Then flagInfect = True ElseIf strOS <> "NT4" And (InStr(strValue,",") > 0 And Len(Trim(Mid(strValue,InStr(strValue,",")+1))) > 0 Or _ InStr(LCase(strValue),"userinit.exe") = 0) Then flagInfect = True End If 'userinit string test If flagInfect Then If Not flagTLW Then WriteOut "HKLM" & "\" & strKey flagTLW = True End If strLine = "INFECTION WARNING! " 'write name and value to file WriteOut strLine & Chr(34) & "Userinit" & Chr(34) & " = " &_ Chr(34) & strValue & Chr(34) & LRParse(strValue) End If 'flagInfect flagInfect = False If strOS = "NT4" Then RegDataChk HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "System", strValue, "lsass.exe" Else RegDataChk HKLM, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "System", strValue, "" End If If flagTLW Then SkipLine flagTLW = False 'HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute strKey = "System\CurrentControlSet\Control\Session Manager" oReg.GetMultiStringValue HKLM,strKey,"BootExecute",arNames strLine = "" 'alert if autocheck not in string For i = 0 To UBound(arNames) If InStr(LCase(arNames(i)),"autocheck") = 0 Then If Not flagTLW Then WriteOut "HKLM" & "\" & strKey & "\" flagTLW = True End If strLine = strLine & arNames(i) & " " End If 'value = autocheck? Next 'arNames member 'write name and value to file On Error Resume Next If flagTLW Then WriteOut "INFECTION WARNING! " & Chr(34) & "BootExecute" &_ Chr(34) & " = " & Chr(34) & RTrim(strLine) & Chr(34) & LRParse(strLine) If Err.Number <> 0 Then WriteOut strLine & Chr(34) &_ "BootExecute" & Chr(34) & " = ** WARNING -- empty or invalid data! **" Err.Clear On Error GoTo 0 SkipLine End If End If 'not W98/WME flagTLW = False strLine = "" 'VII. Examine HKLM... Winlogon\Notify\ subkey DLLName values Dim arSK : Set arSK = CreateObject("Scripting.Dictionary") 'key, item If strOS = "W2K" Then arSK.Add "crypt32chain", "crypt32.dll" arSK.Add "cryptnet", "cryptnet.dll" arSK.Add "cscdll", "cscdll.dll" arSK.Add "sclgntfy", "sclgntfy.dll" arSK.Add "senslogn", "wlnotify.dll" arSK.Add "termsrv", "wlnotify.dll" arSK.Add "wzcnotif", "wzcdlg.dll" ElseIf strOS = "WXP" Or strOS = "WS2K3" Then arSK.Add "crypt32chain", "crypt32.dll" arSK.Add "cryptnet", "cryptnet.dll" arSK.Add "cscdll", "cscdll.dll" arSK.Add "sccertprop", "wlnotify.dll" arSK.Add "schedule", "wlnotify.dll" arSK.Add "sclgntfy", "sclgntfy.dll" arSK.Add "senslogn", "wlnotify.dll" arSK.Add "termsrv", "wlnotify.dll" arSK.Add "wlballoon", "wlnotify.dll" End If Dim arSKk : arSKk = arSK.Keys Dim arSKi : arSKi = arSK.Items If strOS <> "W98" And strOS <> "WME" Then strKey = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" 'find all the subkeys oReg.EnumKey HKLM, strKey, arKeys 'enumerate data if present If IsArray(arKeys) Then 'for each key For Each oKey In arKeys 'get the DLLName data oReg.GetStringValue HKLM,strKey & "\" & oKey,"DLLName",strValue flagInfect = True For i = 0 To arSK.Count-1 'if key = dictionary key & value = dictionary item If LCase(oKey) = arSKk(i) And LCase(strValue) = arSKi(i) Then 'toggle flag & exit -- no output necessary flagInfect = False : Exit For End If Next 'dictionary key If flagInfect Then 'if flag not found in O/S-specific dictionary 'output section title lines if not already done If Not flagTLW Then WriteOut "HKLM" & "\" & strKey & "\" flagTLW = True End If 'check for empty or null data If IsNull(strValue) Or strValue = "" Then strValue = "(no data)" 'try writing, on error write "no data" On Error Resume Next 'write the quote-delimited name and value to a file WriteOut "INFECTION WARNING! " & Chr(34) & oKey & "\DLLName" &_ Chr(34) & " = " & Chr(34) & strValue & Chr(34) & CoName(IDExe(strValue)) If Err.Number <> 0 Then WriteOut "INFECTION WARNING! " &_ Chr(34) & oKey & "\DLLName" & Chr(34) & " = (no data)" Err.Clear On Error GoTo 0 End If 'flag not found in dictionary? Next 'Notify subkey End If 'Notify subkeys exist? If flagTLW Then SkipLine flagTLW = False End If 'not W98/WME 'recover array memory ReDim arKeys(0) |
19.05.2008, 22:54 | #17 |
| TR/VB.aqt.58 'VIII. For W2K & WXP, check for startup/shutdown & logon/logoff scripts
__________________Dim strCmd : strCmd = "" 'script command line string Select Case strOS Case "W2K" 'collection flag Dim flagColl : flagColl = False 'for every hive For i = 0 To 1 'check for HKCU, then HKLM key strKey = "Software\Policies\Microsoft\Windows\System\Scripts" If oReg.EnumValues(arHives(i,1), strKey, arNames, arType) = 0 Then 'if name/value pairs exist in the Scripts key If TypeName(arNames) <> "Null" Then 'for each name For Each oName In arNames 'get the value oReg.GetStringValue arHives(i,1),strKey,oName,strValue 'if value points to SCRIPTS.INI, parse the file If Fso.FileExists(strValue & "\scripts.ini") Then ScrIP strValue, oName 'if SCRIPTS.INI doesn't appear to exist, output a warning ElseIf strValue <> "" Then WriteOut arHives(i,0) & "\" & strKey WriteOut " ** WARNING! Either " & Chr(34) & strValue & "\scripts.ini" &_ Chr(34) & " doesn't exist" WriteOut Space(13) & "or there is insufficient permission to read it! **" flagTLW = True End If Next 'Scripts key name End If 'Scripts key name/value pairs exist? End If 'Scripts key exists? If flagTLW Then SkipLine flagTLW = False Next 'hive type Case "WXP" 'Base Key string Dim strBK : strBK = "Software\Policies\Microsoft\Windows\System\Scripts\" Dim arXPS() 'WXP Script array ReDim arXPS(1,1) '2 x 2 array arXPS(0,0) = "Logoff" : arXPS(0,1) = "Logon" arXPS(1,0) = "Shutdown" : arXPS(1,1) = "Startup" Dim arNKSE 'Numbered (master) Keys containing Script Executable values Dim strSPXP : strSPXP = "" 'Script Path XP string 'values: DisplayName, FileSysPath, Script, Parameter Dim strDispName, strFSP, strScript, strParam 'for every hive For i = 0 To 1 'for every script type For j = 0 To 1 'look for script type subkeys oReg.EnumKey arHives(i,1),strBK & arXPS(i,j),arKeys 'enumerate data if present If IsArray(arKeys) Then 'for each numbered key header (containing numbered script keys) For Each oKey in arKeys 'find DisplayName & FileSysPath oReg.GetStringValue arHives(i,1),strBK & arXPS(i,j) & "\" & oKey,"DisplayName",strDispName oReg.GetStringValue arHives(i,1),strBK & arXPS(i,j) & "\" & oKey,"FileSysPath",strFSP 'if FileSysPath value exists If strFSP <> "" Then 'look for numbered script subkeys oReg.EnumKey arHives(i,1),strBK & arXPS(i,j) & "\" & oKey,arNKSE 'enumerate data if present If IsArray(arNKSE) Then 'for each numbered script key For Each oKey2 in arNKSE 'find Parameter & Script values oReg.GetStringValue arHives(i,1),strBK & arXPS(i,j) & "\" & oKey & "\" & oKey2,"Parameters",strParam oReg.GetStringValue arHives(i,1),strBK & arXPS(i,j) & "\" & oKey & "\" & oKey2,"Script",strScript 'if executable string exists If strScript <> "" Then 'form script executable string 'if script string has no backslash, use FileSysPath for directory 'and append \Scripts\[script type]\ If InStr(strScript,"\") = 0 Then strSPXP = strFSP & "\Scripts\" & arXPS(i,j) & "\" strCmd = strSPXP & strScript End If 'if parameter string is not empty, append it If Trim(strParam) <> "" Then strScript = strScript & " " & strParam 'write title lines if necessary for this master key If Not flagTLW Then WriteOut arHives(i,0) & "\" & strBK & arXPS(i,j) & "\" & oKey WriteOut "DisplayName = " & Chr(34) & strDispName & Chr(34) flagTLW = True End If 'write script executable WriteOut "\" & oKey2 & strGT & "launches: " & Chr(34) &_ strSPXP & strScript & Chr(34) & CoName(strCmd) strSPXP = "" 'reset script path End If 'executable string not empty? Next 'numbered script executable key If flagTLW Then SkipLine flagTLW = False End If 'script executable key array exists? End If 'FileSysPath exists? Next 'master key If flagTLW Then SkipLine flagTLW = False End If 'master key array exists? If flagTLW Then SkipLine flagTLW = False Next 'script type If flagTLW Then SkipLine flagTLW = False Next 'hive type If flagTLW Then SkipLine flagTLW = False 'recover array memory ReDim arXPS(0,0) End Select 'W2K or WXP? 'IX. Check default executables (except "hta") for default string: "%1\" %* ' Check "hta" for mshta.exe "%1" %* 'set up executables array arExeExt = Array("bat","com","exe","hta","pif") 'for each executable type For i = 0 To 4 'form the registry key string strKey = "SOFTWARE\Classes\" & arExeExt(i) & "file\shell\open\command" 'find the value oReg.GetStringValue HKLM,strKey,"",strValue 'alert if "hta" value not system_folder_path\mshta.exe "%1" %* 'or if any other executable's value is not "%1" %* If arExeExt(i) = "hta" Then 'check found "hta" value against expected value If Trim(LCase(strValue)) <> LCase(Fso.GetSpecialFolder(1)) &_ "\mshta.exe ""%1"" %*" Then 'output section titles if not done already If Not flagTLW Then DefExeTitles 'write name and value to file strLine = "INFECTION WARNING! " WriteOut "HKLM" & "\" & strKey & "\" On Error Resume Next WriteOut strLine & Chr(34) & "Default" & Chr(34) & " = " &_ Chr(34) & strValue & Chr(34) & CoName(IDExe(strValue)) If Err.Number <> 0 Then WriteOut strLine & Chr(34) &_ "Default" & Chr(34) & " = ** WARNING -- empty or invalid data! **" Err.Clear On Error GoTo 0 flagTLW = True End If 'hta value = expected value? 'executable other than "hta" Else 'check against expected value If Trim(LCase(strValue)) <> """%1"" %*" Then 'output section titles if not done already If Not flagTLW Then DefExeTitles 'write name and value to file strLine = "INFECTION WARNING! " WriteOut "HKLM" & "\" & strKey & "\" On Error Resume Next WriteOut strLine & Chr(34) & "Default" & Chr(34) & " = " &_ Chr(34) & strValue & Chr(34) & CoName(IDExe(strValue)) If Err.Number <> 0 Then WriteOut strLine & Chr(34) &_ "Default" & Chr(34) & " = ** WARNING -- empty or invalid data! **" Err.Clear On Error GoTo 0 flagTLW = True End If 'value = expected value? End If 'hta or not Next 'next executable in array If flagTLW Then SkipLine flagTLW = False 'recover array memory ReDim arExeExt(0) 'X. For W98/WME, check inside WIN.INI (load=, run=), SYSTEM.INI (shell=) & ' list contents of non-empty WINSTART.BAT If strOS = "W98" Or strOS = "WME" Then Dim oSCF 'System Configuration File 'true if in INI-file section containing targeted lines Dim flagSection : flagSection = False Dim intEqu 'pos'n of equals sign 'open WIN.INI Set oSCF = Fso.OpenTextFile (strFPWF & "\WIN.INI",1) 'for each line of WIN.INI Do While Not oSCF.AtEndOfStream 'read a line strLine = oSCF.ReadLine 'if inside [windows] section If flagSection Then IniInfParse strLine, "load", "", "WIN.INI","" IniInfParse strLine, "run", "", "WIN.INI","" 'if line is beginning of another section If Left(LTrim(strLine),1) = "[" Then 'toggle flag to false and exit Do flagSection = False Exit Do End If 'next section? End If 'flagSection? 'if first 9 chars of line = [windows], then in the right section 'so toggle flagSection to True If LCase(Left(LTrim(strLine),9)) = "[windows]" Then flagSection = True Loop 'next line of WIN.INI oSCF.Close 'close WIN.INI flagSection = False 'open SYSTEM.INI Set oSCF = Fso.OpenTextFile (strFPWF & "\SYSTEM.INI",1) 'for each line of SYSTEM.INI Do While Not oSCF.AtEndOfStream strLine = oSCF.ReadLine 'if inside [boot] section If flagSection Then IniInfParse strLine, "shell", "explorer.exe", "SYSTEM.INI","" If Left(LTrim(strLine),1) = "[" Then 'toggle flagSection and exit flagSection = False Exit Do End If 'shell line? End If 'inside boot section? 'if first 6 chars of line = [boot], then in the right section 'so toggle flagSection to True If LCase(Left(LTrim(strLine),6)) = "[boot]" Then flagSection = True Loop oSCF.Close If flagTLW Then SkipLine flagTLW = False flagSTLW = False 'open WINSTART.BAT if it exists If Fso.FileExists(strFPWF & "\WINSTART.BAT") Then Set oSCF = Fso.OpenTextFile (strFPWF & "\WINSTART.BAT",1) 'for each line of WINSTART.BAT Do While Not oSCF.AtEndOfStream strLine = oSCF.ReadLine If strLine <> "" Then 'examine line if it's not a CR If Len(strLine) >= 3 Then 'test against REM if long enough 'if not REM, then output If LCase(Left(LTrim(strLine),3)) <> "rem" Then If Not flagTLW Then SkipLine WriteOut "WINSTART.BAT contents:" : WriteOut String(22,"-") : SkipLine flagTLW = True End If WriteOut strLine & CoName(IDExe(strLine)) End If Else 'len 1-2 If Not flagTLW Then SkipLine WriteOut "WINSTART.BAT contents:" : WriteOut String(22,"-") : SkipLine flagTLW = True End If WriteOut strLine End If 'len < 3? End If 'carriage return? Loop 'WINSTART.BAT lines If flagTLW Then SkipLine oSCF.Close Set oSCF=Nothing End If 'WINSTART.BAT exists? End If 'strOS = W98/WME 'reset title line flags flagTLW = False flagSTLW = False |
19.05.2008, 22:57 | #18 |
| TR/VB.aqt.58 'XI. AUTORUN.INF in root directory of local fixed disks for which
__________________' autorun is enabled 'WXP SP2 does not launch AUTORUN.INF on local fixed disks If strOSLong <> "Windows XP SP2" Then 'fixed disk, DWORD value, binary value array, AutoRun.Inf file, integer work variable Dim oDisk, hVal, arBVal, oARI 'array of fixed disks Public arFixedDisks() 'Disk Letter dictionary (needed to calculate power of 2) 'dictDL.Item(6) returns "G:" Public dictDL : Set dictDL = CreateObject("Scripting.Dictionary") dictDL.Add 0, "A:" : dictDL.Add 1, "B:" : dictDL.Add 2, "C:" dictDL.Add 3, "D:" : dictDL.Add 4, "E:" : dictDL.Add 5, "F:" dictDL.Add 6, "G:" : dictDL.Add 7, "H:" : dictDL.Add 8, "I:" dictDL.Add 9, "J:" : dictDL.Add 10, "K:" : dictDL.Add 11, "L:" dictDL.Add 12, "M:" : dictDL.Add 13, "N:" : dictDL.Add 14, "O:" dictDL.Add 15, "P:" : dictDL.Add 16, "Q:" : dictDL.Add 17, "R:" dictDL.Add 18, "S:" : dictDL.Add 19, "T:" : dictDL.Add 20, "U:" dictDL.Add 21, "V:" : dictDL.Add 22, "W:" : dictDL.Add 23, "X:" dictDL.Add 24, "Y:" : dictDL.Add 25, "Z:" 'HKLM NoDriveTypeAutoRun Fixed Disks Enabled Public flagHKLM_NDTAR_FDE : flagHKLM_NDTAR_FDE = True 'HKCU NoDriveTypeAutoRun Fixed Disks Enabled Public flagHKCU_NDTAR_FDE : flagHKCU_NDTAR_FDE = True 'HKLM NoDriveTypeAutoRun value exists Public flagHKLM_NDTAR : flagHKLM_NDTAR = False 'HKCU NoDriveTypeAutoRun value exists (unused, passed for consistency) Public flagHKCU_NDTAR : flagHKCU_NDTAR = False 'HKLM NoDriveAutoRun value exists Public flagHKLM_NDAR : flagHKLM_NDAR = False 'HKCU NoDriveAutoRun value exists (unused, passed for consistency) Public flagHKCU_NDAR : flagHKCU_NDAR = False strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" NDTAR HKLM, flagHKLM_NDTAR, flagHKLM_NDTAR_FDE If Not flagHKLM_NDTAR Then NDTAR HKCU, flagHKCU_NDTAR, flagHKCU_NDTAR_FDE 'if NoDriveTypeAutoRun permits autorun on fixed disks, look at 'individual disks If flagHKLM_NDTAR_FDE And flagHKCU_NDTAR_FDE Then 'enumerate fixed disks Dim colDisks : Set colDisks = GetObject("winmgmts:\root\cimv2")._ ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3") j = 0 'fmt of DeviceID & Name is "A:" For Each oDisk in colDisks 'for every dict entry For i = 0 To 25 'find dictionary element number for drive letter If dictDL.Item(i) = oDisk.DeviceID Then 'store disk letter, power of two for that letter, 'set autorun flag to True, increment counter ReDim Preserve arFixedDisks(2,j) arFixedDisks(0,j) = oDisk.DeviceID arFixedDisks(1,j) = 2^i arFixedDisks(2,j) = True j = j + 1 End If 'dict drive letter located? Next 'dict entry Next 'disk in colDisks NDAR HKLM, flagHKLM_NDAR If Not flagHKLM_NDAR Then NDAR HKCU, flagHKCU_NDAR 'for every fixed disk For i = 0 To UBound(arFixedDisks,2) 'if autorun enabled If arFixedDisks(2,i) Then 'get the drive Set oDisk = Fso.GetDrive(arFixedDisks(0,i)) 'look for AUTORUN.INF in the root If Fso.FileExists(arFixedDisks(0,i) & "\autorun.inf") Then 'open AUTORUN.INF if found Set oARI = Fso.OpenTextFile (arFixedDisks(0,i) & "\autorun.inf",1) 'for each line of AUTORUN.INF Do While Not oARI.AtEndOfStream 'read a line strLine = oARI.ReadLine 'look for "open" or "shellexecute" statements IniInfParse strLine, "open", "", "autorun.inf", arFixedDisks(0,i) IniInfParse strLine, "shellexecute", "", "autorun.inf", arFixedDisks(0,i) Loop 'next AUTORUN.INF line oARI.Close 'close AUTORUN.INF End If 'AUTORUN.INF exists in root? End If 'autorun enabled on drive? Next 'fixed disk End If 'NoDriveTypeAutoRun enables autorun on fixed disks? If flagTLW Then SkipLine End If 'not WXP SP2? 'reset title line flags flagTLW = False flagSTLW = False 'XII. Enumerate contents of startup directories 'All Users StartUp Folder title string (empty by default) Dim flagAUSUF : flagAUSUF = False Dim flagFE : flagFE = True 'folder exists flag 'in W98/WME, see if local-language-specific All Users startup folder location 'appears in registry and form title string if it does If strOS = "W98" Or strOS = "WME" Then 'look for Common Startup value strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" oReg.GetStringValue HKLM,strKey,"Common Startup",strValue 'if Common Startup value exists, extract title string If Not IsNull(strValue) And strValue <> "" Then flagAUSUF = True End If 'startup folder short names If strOS = "W98" Or strOS = "WME" Then arSUFN = Array("Startup") Else arSUFN = Array("Startup","AllUsersStartup") End If 'form output file section title string strLine = "Startup items in " 'in W98/WME, omit username & "All Users" folder if absent from registry If strOS = "W98" Or strOS = "WME" Then strLine = strLine & Chr(34) & "Startup" & Chr(34) If flagAUSUF Then strLine = strLine & " & " & Chr(34) & "All Users...Startup" &_ Chr(34) & " folders:" Else strLine = strLine & " folder:" End If Else 'all other O/S's strLine = strLine & Chr(34) & Wshso.ExpandEnvironmentStrings("%USERNAME%") &_ Chr(34) If flagFW = "SO" Then strLine = strLine & " & " & Chr(34) & "All Users" & Chr(34) & " startup folders:" Else 'Echo output -- escape ampersand strLine = strLine & " ^& " & Chr(34) & "All Users" & Chr(34) & " startup folders:" End If 'flagFW End If 'strOS strTitleLine1 = strLine strTitleLine2 = String(Len(strLine),"-") 'for each startup folder name For i = 0 To 1 '0 = user folder, 1 = All Users folder flagSTLW = False 'get the startup folder 'in W98/WME, set flagFE to False if "All Users" folder doesn't exist If i = 1 And (strOS = "W98" Or strOS = "WME") Then If flagAUSUF Then If Fso.FolderExists(strValue) Then Set oSUF = Fso.GetFolder(strValue) Else flagFE = False 'folder doesn't exist End If Else flagFE = False 'registry key doesn't exist End If Else 'all other O/S's at all times Set oSUF = Fso.GetFolder(Wshso.SpecialFolders(arSUFN(i))) End If 'if startup folder exists If flagFE Then 'for each file in the startup folder For Each oSUFi in oSUF.Files strLine = "" 'empty the line 'treat file as a shortcut On Error Resume Next Set oSUSC = Wshso.CreateShortcut(oSUFi) intErrNum = Err.Number : Err.Clear On Error Goto 0 'if file is a shortcut If intErrNum = 0 Then If LCase(Fso.GetExtensionName(oSUFi)) = "url" Then 'shortcut is URL 'prepare the shortcut file base name and the target path & arguments strLine = Chr(34) & Fso.GetBaseName (oSUFi.Path) & Chr(34) & strGT & "URL shortcut to: " &_ Chr(34) & oSUSC.TargetPath Else 'prepare the shortcut file base name and the target path & arguments strLine = Chr(34) & Fso.GetBaseName (oSUFi.Path) & Chr(34) & strGT & "shortcut to: " &_ Chr(34) & oSUSC.TargetPath If oSUSC.Arguments <> "" Then strLine = strLine & " " & oSUSC.Arguments & Chr(34) Else strLine = strLine & Chr(34) End If 'add co-name strLine = strLine & CoName(oSUSC.TargetPath) End If 'URL or shortcut? 'if file is a PIF ElseIf LCase(Fso.GetExtensionName(oSUFi)) = "pif" Then 'write out pif file target strPIFTgt = "" Dim oFi : Set oFi = Fso.OpenTextFile(oSUFi, 1) oFi.Skip(36) 'target starts after 36 bytes 'target size is up to 63 bytes For ii = 1 To 63 bin1C = oFi.Read(1) 'end of target is single "00" byte If AscB(bin1C) = 0 Then Exit For 'otherwise convert binary to ASCII and append to string strPIFTgt = strPIFTgt & Chr(AscB(bin1C)) Next oFi.Close Set oFi=Nothing strLine = Chr(34) & Fso.GetBaseName(oSUFi.Path) & Chr(34) & strGT & "PIF to: " &_ Chr(34) & strPIFTgt & Chr(34) & CoName(strPIFTgt) 'file is neither shortcut nor PIF Else 'file is probably an executable so write out the file name If LCase(Fso.GetFileName(oSUFi)) <> "desktop.ini" Then _ strLine = Chr(34) & oSUFi.Name & Chr(34) & CoName(IDExe(oSUFi.Name)) End If 'file is shortcut Set oSUSC=Nothing 'if there's something to output If strLine <> "" Then 'output the section title line if not already done If Not flagTLW Then SkipLine : WriteOut strTitleLine1 : WriteOut strTitleLine2 : SkipLine flagTLW = True End If 'output the folder title line if not already done If Not flagSTLW Then 'write the path to the file WriteOut oSUF.Path flagSTLW = True End If 'output the line WriteOut strLine End If Next 'file in startup folder End If 'flagFE? If flagSTLW Then SkipLine Next 'startup folder name 'reset title line flags flagTLW = False flagSTLW = False 'recover array memory ReDim arSUFN(0) 'XIII. Enumerate enabled Scheduled Tasks ' Byte Disabled Enabled '00000030: #####1## #####0## <-- 'file in Tasks directory Dim oFi2 'prepare section title lines strTitleLine1 = "Enabled Scheduled Tasks:" strTitleLine2 = String(Len(strTitleLine1),"-") 'if the tasks directory exists in the Windows directory If Fso.FolderExists(Fso.GetSpecialFolder(WinFolder) & "\Tasks") Then 'get the tasks folder Dim oJobF : Set oJobF = Fso.GetFolder(Fso.GetSpecialFolder(WinFolder) & "\Tasks") 'for each file For Each oFi2 in oJobF.Files 'if file in Tasks directory is a task (has a .JOB extension) If LCase(Fso.GetExtensionName(oFi2)) = "job" Then 'try to open the task file On Error Resume Next Dim oJobFi : Set oJobFi = Fso.OpenTextFile(oFi2,1,False,-1) intErrNum = Err.Number : Err.Clear On Error Goto 0 'if file could be opened If intErrNum = 0 Then 'read the file, determine enabled status, extract the executable name JobFileRead oFi2, oJobFi 'close the .JOB file oJobFi.Close Set oJobFi=Nothing Else 'file couldn't be opened 'write titles if not already done If Not flagTLW Then SkipLine : WriteOut strTitleLine1 : WriteOut strTitleLine2 : SkipLine flagTLW = True End If 'write error message WriteOut Chr(34) & oFi2.Name & Chr(34) &_ " -- insufficient permission to read this file!" End If '.JOB file opened successfully? End If '.JOB file extension selected? Next 'file in TASKS directory Else 'Tasks directory can't be found 'write titles and error message SkipLine : WriteOut strTitleLine1 : WriteOut strTitleLine2 : SkipLine WriteOut "** The " & Chr(34) & Wshso.ExpandEnvironmentStrings("%WINDIR%") &_ "\Tasks" & Chr(34) & " directory does not exist. **" flagTLW = True End If 'Tasks directory exists? Set oJobF=Nothing If flagTLW Then SkipLine flagTLW = False 'XIV. Enumerate Started or Non-disabled Services 'for NT-type O/S's If strOS <> "W98" And strOS <> "WME" Then 'Services collection, Service object, Dim colSvce, oSvce 'counter, lowest-sort subscript, lowest-sort name holder, temp variables x 3 Dim intCnt, intLSS, str1stName, strT0, strT1, strT2 Dim flagSM : flagSM = False 'Safe Mode flag 'for W2K/WXP, determine if running in Safe Mode If strOS <> "NT4" Then strKey = "SYSTEM\CurrentControlSet\Control" oReg.GetStringValue HKLM,strKey,"SystemStartOptions",strValue If InStr(LCase(strValue),"safeboot") <> 0 Then flagSM = True End If 'write title lines strLine = "Running Services (Display Name, Service Name, Path {Service DLL}):" If flagSM Then strLine = "All Non-Disabled Services (Display Name, " &_ "Service Name, Path {Service DLL}):" SkipLine : WriteOut strLine : WriteOut String(Len(strLine),"-") : SkipLine 'if in Safe Mode If flagSM Then 'get collection of services with Auto or Manual "Startup type" Set colSvce = GetObject("winmgmts:root\cimv2").ExecQuery("SELECT DisplayName, " &_ "Name, PathName FROM Win32_Service WHERE StartMode = ""Manual"" " &_ "Or StartMode = ""Auto""") 'not in Safe Mode Else 'get collection of started services Set colSvce = GetObject("winmgmts:root\cimv2").ExecQuery("SELECT DisplayName, " &_ "Name, PathName FROM Win32_Service WHERE Started = True") End If 'safe mode? 'sort services by display name 'get the count intCnt = colSvce.Count 'set up two arrays: work array & sorted array Dim arSvces() ReDim arSvces(intCnt-1, 2) 'services array i = 0 'transfer data from collection to array For Each oSvce in colSvce arSvces(i,0) = oSvce.DisplayName : arSvces(i,1) = oSvce.Name : arSvces(i,2) = oSvce.PathName i = i + 1 Next 'service in collection 'for every service in array up to the next to last one For i = 0 To UBound(arSvces,1) - 1 'store array row in temp variables strT0 = arSvces(i,0) strT1 = arSvces(i,1) strT2 = arSvces(i,2) 'initialize the sorted name & lowest-sort subscript str1stName = arSvces(i,0) intLSS = i 'for every subsequent service in array up to the last one For j = i + 1 To UBound(arSvces,1) 'if current array name < saved lowest-sort name, 'reset sorted array data and 'set lowest-sort subscript = current array subscript If LCase(arSvces(j,0)) < LCase(str1stName) Then str1stName = arSvces(j,0) intLSS = j End If Next 'array element 'set current array position = lowest-sort subscript element arSvces(i,0) = arSvces(intLSS,0) arSvces(i,1) = arSvces(intLSS,1) arSvces(i,2) = arSvces(intLSS,2) 'save data formerly in current array position to array position just vacated arSvces(intLSS,0) = strT0 arSvces(intLSS,1) = strT1 arSvces(intLSS,2) = strT2 Next 'sorted name array element 'for every service sorted by display name For i = 0 To UBound(arSvces,1) 'for services with unique file names If InStr(LCase(arSvces(i,2)),"services.exe") = 0 And _ InStr(LCase(arSvces(i,2)),"svchost") = 0 Then 'output display name, service name, path WriteOut arSvces(i,0) & ", " & arSvces(i,1) & ", " & Chr(34) &_ arSvces(i,2) & Chr(34) & CoName(IDExe(arSvces(i,2))) 'shared process -- look for ServiceDLL value in Parameter subkey ElseIf InStr(LCase(arSvces(i,2)),"svchost") > 0 And _ InStr(LCase(arSvces(i,2))," -k") > 0 Then strKey = "System\CurrentControlSet\Services\" oReg.GetExpandedStringValue HKLM,strKey & arSvces(i,1) &_ "\Parameters","ServiceDll",strValue 'prepare output for missing Parameters key or ServiceDLL value strLine = " {(missing data)}" If strValue <> "" Then strLine = " {" & Chr(34) & strValue &_ Chr(34) & CoName(IDExe(strValue)) & "}" 'output display name, service name, path WriteOut arSvces(i,0) & ", " & arSvces(i,1) & ", " & Chr(34) &_ arSvces(i,2) & Chr(34) & strLine 'if ServicesDll value not returned, output error line If strValue <> "" Then CoName strValue Else WriteOut " ** Corrupt registry entry! **" End If 'services.exe Else 'output display name, service name, path WriteOut arSvces(i,0) & ", " & arSvces(i,1) & ", " & Chr(34) &_ arSvces(i,2) & Chr(34) & CoName(arSvces(i,2)) End If 'independent file, svchost, or services? Next 'service file SkipLine 'recover array memory ReDim arSvces(0,0) End If 'NT4-type O/S? 'rename report file if using Echo under W98 If flagFW = "EO" And (strOS = "W98" Or strOS = "WME") Then _ Wshso.Run "%COMSPEC% /c MOVE /y " & strFNS & " " & Chr(34) & strFN & Chr(34),0,TRUE 'inform user that script is complete If flagOut = "W" Then Wshso.PopUp "All Done! The results are in the file:" &_ vbCRLF & vbCRLF & strFN,2,"Silent Runners R" & strRevNo & " Complete",64 Else WScript.Echo "Silent Runners R" & strRevNo & " is done! The results " &_ "are in the file:" & vbCRLF & vbCRLF & strFN End If 'clean up Set oSUF=Nothing If IsObject(oFN) Then On Error Resume Next oFN.Close On Error Goto 0 End If Set oFN=Nothing Set oReg=Nothing Set Fso=Nothing Set Wshso=Nothing 'YYYY-MM-DD Function FmtDate FmtDate = Year(Now) & "-" & Right("0" & Month(Now),2) & "-" & Right("0" & Day(Now),2) End Function 'hh:mm:ss Function FmtTime FmtTime = Right("0" & Hour(Now),2) & ":" & Right("0" & Minute(Now),2) End Function 'enumerate key's entries Function EnumKeyData (hexHive, strHive, strKey, strWarn) Dim arNames, arType, strValue, i, j Dim strMsg : strMsg = strWarn Const REG_SZ = 1 Const REG_EXPAND_SZ = 2 Const REG_BINARY = 3 Const REG_DWORD = 4 Const REG_MULTI_SZ = 7 'find all the names in the key oReg.EnumValues hexHive, strKey, arNames, arType 'enumerate names if present If IsArray(arNames) Then 'in W98, if key has no name/value pairs, arNames is array with UBound of -1 'in W2K, not an array If UBound(arNames) >= 0 Then 'write the full key name WriteOut strHive & "\" & strKey & "\" 'for each data type in the values array For i = LBound(arType) To UBound(arType) 'find the value that corresponds to its type Select Case arType(i) 'string value Case REG_SZ 'return the string-type value oReg.GetStringValue hexHive,strKey,arNames(i),strValue WriteValueData arNames(i), strValue, "REG_SZ", strWarn 'expandable-string value Case REG_EXPAND_SZ 'return the expandable string-type value oReg.GetExpandedStringValue hexHive,strKey,arNames(i),strValue WriteValueData arNames(i), strValue, "REG_EXPAND_SZ", strWarn 'binary value Case REG_BINARY 'return the binary-type value as array oReg.GetBinaryValue hexHive,strKey,arNames(i),strValue 'set name = default if name is empty string If arNames(i) = "" Then strMsg = strMsg & Chr(34) & "Default" & Chr(34) & " = " Else strMsg = strMsg & Chr(34) & arNames(i) & Chr(34) & " = " End If 'delimit every two-bytes by space For j = LBound(strValue) To UBound(strValue) strMsg = strMsg & strValue(j) & Space(1) Next strMsg = Left(strMsg,Len(strMsg)-1) 'lop off trailing space WriteOut strMsg & " (REG_BINARY)" '4-byte value Case REG_DWORD 'return the DWORD-type value oReg.GetDWORDValue hexHive,strKey,arNames(i),strValue WriteValueData arNames(i), Hex(strValue), "REG_DWORD", strWarn 'multiple-string value Case REG_MULTI_SZ 'return the multiple-string-type value oReg.GetMultiStringValue hexHive,strKey,arNames(i),strValue 'set name = default if name is empty string If arNames(i) = "" Then strMsg = strMsg & Chr(34) & "Default" & Chr(34) & " = " Else strMsg = strMsg & Chr(34) & arNames(i) & Chr(34) & " = " End If 'delimit every quote-enclosed string by "|" For j = LBound(strValue) To UBound(strValue) strMsg = strMsg & Chr(34) & strValue(j) & Chr(34) & "|" Next strMsg = Left(strMsg,Len(strMsg)-1) 'lop off trailing "|" WriteOut strMsg & " (REG_MULTI_SZ)" 'any other type Case Else 'admit we don't know what it is WriteOut Chr(34) & arNames(i) & Chr(34) & " = (data in unrecognized format!)" End Select 'data type Next 'arType member SkipLine End If 'UBound > 0 End If 'arNames array exists ReDim arType(0) End Function |
19.05.2008, 22:58 | #19 |
| TR/VB.aqt.58 'write name/value pair to file Function WriteValueData (strName, strValue, strType, strWarn) Dim strOQEC 'Optionally Quote-Enclosed Comment" If strType = "REG_DWORD" Then strOQEC = strValue & CoName(IDExe(strValue)) Else strOQEC = Chr(34) & strValue & Chr(34) & CoName(IDExe(strValue)) End If 'if name is empty string then output "Default" If strName = "" Then On Error Resume Next 'write the quote-delimited name and value to a file WriteOut strWarn & Chr(34) & "Default" & Chr(34) & " = " & strOQEC If Err.Number <> 0 Then WriteOut strWarn & Chr(34) & "Default" &_ Chr(34) & " = ** WARNING! empty or invalid data **" On Error GoTo 0 Else 'name is non-empty string On Error Resume Next 'write the quote-delimited name and value to a file WriteOut strWarn & Chr(34) & strName & Chr(34) & " = " & strOQEC If Err.Number <> 0 Then WriteOut strWarn & Chr(34) & strName &_ Chr(34) & " = ** WARNING! empty or invalid data **" On Error GoTo 0 End If Err.Clear End Function 'output registry name/value if value <> ref Function RegDataChk (cHive, strKey, strName, strValue, strRef) Dim strHive, strCoName, strValWrk If cHive = HKCU Then strHive = "HKCU" If cHive = HKLM Then strHive = "HKLM" 'if value exists If oReg.GetStringValue (cHive,strKey,strName,strValue) = 0 Then strValWrk = Trim(LCase(strValue)) 'alert if value <> reference and not empty string If strValWrk <> LCase(strRef) And strValWrk <> "" Then If Not flagTLW Then WriteOut strHive & "\" & strKey & "\" flagTLW = True End If If LCase(strName) = "load" Or LCase(strName) = "run" Then strCoName = LRParse(strValue) Else strCoName = CoName(IDExe(strValue)) End If 'write name and value to file On Error Resume Next WriteOut "INFECTION WARNING! " & Chr(34) & strName & Chr(34) &_ " = " & Chr(34) & strValue & Chr(34) & strCoName If Err.Number <> 0 Then WriteOut Chr(34) & strName & Chr(34) &_ " = ** WARNING -- empty or invalid data! **" Err.Clear On Error GoTo 0 End If 'value <> reference End If 'value exists End Function 'set NoDriveTypeAutoRun flag Function NDTAR (cHive, strValueFlag, strFDFlag ) 'DWORD or BINARY value, binary value array Dim hVal, arBVal strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" 'if cHive NoDriveTypeAutoRun DWORD value exists If oReg.GetDWORDValue(cHive,strKey,"NoDriveTypeAutoRun",hVal) = 0 Then strValueFlag = True 'if autorun for fixed drives is disabled, set flag If (hVal And 8) = 8 Then strFDFlag = False 'if cHive NoDriveTypeAutoRun BINARY value exists ElseIf oReg.GetBinaryValue(cHive,strKey,"NoDriveTypeAutoRun",arBVal) = 0 Then 'UBound = -1 if value not set (zero-length binary value) If UBound(arBVal) = -1 Then 'if O/S = W2K/WXP SP0/1, "value not set" interpreted as 0 instead of null! If strOS = "W2K" Or strOS = "WXP" Then strValueFlag = True End If 'W2K/WXP? Else 'UBound <> -1, so value set strValueFlag = True : hVal = 0 'binary value retrieved as array in increments of 16^2 For i = 0 To UBound(arBVal) hVal = hVal + arBVal(i) * 256^i Next 'if autorun for fixed drives is disabled, set flag If (hVal And 8) = 8 Then strFDFlag = False End If 'UBound = -1? End If 'NoDriveTypeAutoRun value exists? End Function 'detect if autorun disabled for individual drives Function NDAR (cHive, strValueFlag) 'DWORD or BINARY value, binary value array Dim hVal, arBVal strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" 'if cHive NoDriveAutoRun DWORD value exists If oReg.GetDWORDValue(cHive,strKey,"NoDriveAutoRun",hVal) = 0 Then strValueFlag = True 'for every fixed disk For i = 0 To UBound(arFixedDisks,2) 'if autorun for fixed drive is disabled, set flag If (hVal And arFixedDisks(1,i)) = arFixedDisks(1,i) Then arFixedDisks(2,i) = False End If 'autorun disabled for this drive? Next 'fixed disk 'if cHive NoDriveAutoRun BINARY value exists ElseIf oReg.GetBinaryValue(cHive,strKey,"NoDriveAutoRun",arBVal) = 0 Then 'UBound = -1 if value not set (zero-length binary value) If UBound(arBVal) = -1 Then 'if O/S = W2K/WXP SP0/1, "value not set" interpreted as 0 instead of null! If strOS = "W2K" Or strOS = "WXP" Then strValueFlag = True 'set all NDAR flags to True For i = 0 To UBound(arFixedDisks,2) arFixedDisks(2,i) = True Next End If 'W2K/WXP? Else 'UBound <> -1, so value set strValueFlag = True hVal = 0 'binary value retrieved as array in increments of 16^2 For i = 0 To UBound(arBVal) hVal = hVal + arBVal(i) * 256^i Next 'for every fixed disk For i = 0 To UBound(arFixedDisks,2) 'if autorun for the fixed disk is disabled, set flag If (hVal And arFixedDisks(1,i)) = arFixedDisks(1,i) Then arFixedDisks(2,i) = False End If 'autorun disabled for fixed disk? Next 'fixed disk End If 'hive NoDriveAutoRun value set? End If 'hive NoDriveAutoRun value exists? End Function 'INI-file Load/Run/Shell parser Function IniInfParse (strLine, strVerb, strEquiv, strINIFile, strDisk) Dim strExe : strExe = "" 'executable after "=" 'if verb is first non-space chars (if line is populated) If Left(LCase(LTrim(strLine)),Len(strVerb)) = strVerb Then 'find pos'n of equals sign Dim intEqu : intEqu = InStr(strLine,"=") 'find executable statement after equals sign strExe = Trim(Mid(strLine,intEqu+1)) 'if non-space chars to right of equals sign different from argument If LCase(strExe) <> strEquiv Then 'output titles IniInfTitles strINIFile 'write warning & verb line If LCase(strVerb) = "load" Or LCase(strVerb) = "run" Then strLine = "INFECTION WARNING! " & Chr(34) & strLine & Chr(34) & LRParse(strExe) ElseIf LCase(strVerb) = "open" Or LCase(strVerb) = "shellexecute" Then strLine = "INFECTION WARNING! " & strDisk & "\AUTORUN.INF" & strGT &_ Chr(34) & strLine & Chr(34) & CoName(IDExe(strDisk & "\" & strExe)) Else strLine = "INFECTION WARNING! " & Chr(34) & strLine & Chr(34) & CoName(IDExe(strExe)) End If flagTLW = True WriteOut strLine End If 'verb populated? End If 'line populated End Function 'output WIN.INI/SYSTEM.INI/AUTORUN.INF titles Function IniInfTitles (strINIFile) Dim strLine 'write section title line if not already done If Not flagTLW Then SkipLine If LCase(strINIFile) = "autorun.inf" Then strLine = "Autostart via AUTORUN.INF on local fixed drives:" Else strLine = "WIN.INI & SYSTEM.INI launch points:" End If WriteOut strLine : WriteOut String(Len(strLine),"-") : SkipLine End If 'section title line already written? 'write subtitle lines for WIN.INI & SYSTEM.INI If LCase(strINIFile) = "win.ini" And Not flagSTLW Then WriteOut "WIN.INI" : Writeout "[windows]" flagSTLW = True ElseIf LCase(strINIFile) = "system.ini" Then If flagTLW Then SkipLine : WriteOut "SYSTEM.INI" : WriteOut "[boot]" End If End Function 'default executable title lines Function DefExeTitles Dim strLine : strLine = "Default executables:" SkipLine : WriteOut strLine : WriteOut String(Len(strLine),"-") : SkipLine End Function 'trim the parameters from a path to find the executable Function IDExe (strPath) 'work path string 'location of ".exe", location of last backslash, 'location of first space after backslash, 'location of second quote, 'executable id'd from location of ".exe", 'executable id'd btwn final backslash & first space following backslash Dim strPWk, intExeL, intBSL, intSpL, int2Q, strID1, strID2, intErrNum strPWk = LTrim(strPath) 'look for leading double quote If Left(strPWk,1) = Chr(34) Then 'if find it, then look for second quote int2Q = InStr(2, strPWk, """") 'if find it, reset the path string to what was between the quotes If int2Q > 0 Then strPWk = Mid(strPWk, 2, int2Q - 2) End If 'locate .exe intExeL = InStr(LCase(strPWk), ".exe") 'if not an .exe, maybe a .cmd? If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".cmd") '.bat? If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".bat") '.pif? If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".pif") '.dll? If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".dll") '.com? If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".com") '.ocx? If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".ocx") '.vbs? If intExeL = 0 Then intExeL = InStr(LCase(strPWk), ".vbs") 'extract exectable through .ext strID1 = Left(strPWk,intExeL + 3) 'locate final backslash intBSL = InStrRev(strPWk, "\") 'locate first space after final backslash intSpL = InStr(intBSL + 1, strPWk, " ") 'extract executable up to space On Error Resume Next strID2 = Left(strPWk, intSpL -1) intErrNum = Err.Number On Error Goto 0 Err.Clear If intErrNum <> 0 Then strID2 = "" 'compare lengths of extracted strings and return longest string If Len(strID1) > Len(strID2) Then IDExe = strID1 Exit Function Else IDExe = strID2 Exit Function End If End Function 'SCRipts.Ini-file Parser 'file name to open, action for which scripts must be parsed Function ScrIP (strValue, strAction) 'form scripts.ini path\FileName Dim strFN : strFN = strValue & "\scripts.ini" 'default path Dim strDefPath : strDefPath = "" 'error number, line read from file, pos'n of CmdLine & equals sign, 'parameter string, line intro ("arrow") string Dim intErrNum, strLine, intCS, intEq, strParam, strArrow Dim strSC : strSC = "" 'script command Dim intSN : intSN = 0 'script number Dim strCmd : strCmd = "" 'command string Dim flagSection : flagSection = False 'True if in strAction section Dim intActL : intActL = Len(strAction) 'action length (used for spacing of output) 'assume not in right action section flagTLW = False 'open the SCRIPTS.INI file For Reading On Error Resume Next Dim oSI : Set oSI = Fso.OpenTextFile(strFN, 1, False,-1) intErrNum = Err.Number On Error Goto 0 Err.Clear 'if couldn't open file, output a warning & quit If intErrNum <> 0 Then If Not flagTLW Then WriteOut arHives(i,0) & "\" & strKey WriteOut " ** WARNING! Insufficient permission to read " &_ Chr(34) & strFN & Chr(34) & " **" flagTLW = True Exit Function End If 'for every line of file Do Until oSI.AtEndOfStream strLine = oSI.ReadLine 'if know already in right section If flagSection Then 'exit if find beginning of next section If InStr(strLine, "[") Then Exit Do '[Logon] '0CmdLine=path\filename.ext '0Parameters= 'find pos'n of equals sign intEq = InStr(strLine,"=") 'if equals sign found in the line If intEq > 0 Then 'output saved info if the script number has changed If intSN <> FLN(strLine) Then 'write titles if necessary If Not flagTLW Then 'write a title WriteOut arHives(i,0) & "\" & strKey strArrow = strAction & strGT & "launches: " flagTLW = True Else strArrow = Space(intActL) & strGT & "launches: " End If 'output script command, reset script command & saved script number WriteOut strArrow & Chr(34) & strSC & Chr(34) & CoName(IDExe(strCmd)) strSC = "" : strCmd = "" intSN = FLN(strLine) End If 'new script number? 'current line is cmdline If InStr(LCase(strLine), "cmdline") > 0 Then 'if cmdline doesn't contain backslash, form script path from 'function parameters If InStr(strLine,"\") = 0 Then strDefPath = strValue & "\" & strAction & "\" 'add script command to command string strSC = strDefPath & Mid(strLine, intEQ + 1) & strSC strCmd = strDefPath & Mid(strLine, intEQ + 1) 'store cmdline field for co-name id 'if parameters line ElseIf InStr(LCase(strLine), "parameters") > 0 Then 'extract parameters string strParam = Mid(strLine, intEq + 1) 'add non-empty parameters command to command string If Trim(strParam) <> "" Then strSC = strSC & " " & strParam End If 'line is cmdline or parameter End If '"=" in this line End If 'inside action section 'if action found in current line, set flag to True If InStr(LCase(strLine), LCase(strAction)) > 0 Then flagSection = True Loop 'next line in SCRIPTS.INI 'if a script was located, output last script command found If strSC <> "" Then If Not flagTLW Then 'write a title WriteOut arHives(i,0) & "\" & strKey strArrow = strAction & strGT & "launches: " flagTLW = True Else strArrow = Space(intActL) & strGT & "launches: " End If WriteOut strArrow & Chr(34) & strSC & Chr(34) & CoName(strCmd) End If 'script located? End Function 'Find Leading Number Function FLN (strLine) 'save the input in a trimmed work variable Dim strWork : strWork = LTrim(strLine) 'initialize the output number Dim intNumber : intNumber = 0 'counter, single character Dim i, str1C 'find length of work variable Dim intLen : intLen = Len(strWork) 'for the length of the work variable For i = 1 To intLen 'take the left-most chr str1C = Left(strWork,1) 'if it's numeric If IsNumeric(str1C) Then 'concatenate the digit intNumber = intNumber + CInt(str1C) 'remove 1st chr from the work variable strWork = Right(strWork,Len(strWork)-1) Else 'left-most chr isn't numeric FLN = intNumber 'output the leading number & exit Exit For End IF Next 'work variable chr End Function |
19.05.2008, 22:59 | #20 |
| TR/VB.aqt.58 'find company name in existing file Function CoName (strFN) If IsNull(strFN) Or strFN = "" Then CoName = " [(file not found)]" Exit Function End If 'does the file exists? If Fso.FileExists(strFN) Then CoName = CNCall(strFN) ElseIf Fso.FileExists(strFPWF & "\" & strFN) Then 'use prefixed windows folder CoName = CNCall(strFPWF & "\" & strFN) ElseIf Fso.FileExists(strFPSF & "\" & strFN) Then 'use prefixed system folder CoName = CNCall(strFPSF & "\" & strFN) ElseIf Fso.FileExists(AppPath(strFN)) Then 'trace executable via App Paths key CoName = CNCall(AppPath(strFN)) Else 'say file can't be found CoName = " [file not found]" End If 'file exists? End Function 'find company name in existing file Function CNCall (strFN) 'WMI file object, co-name, error number Dim oFile, strMftr, intErrNum 'if there are already escaped backslashes, unescape them If InStr(strFN,"\\") <> 0 Then strFN = Replace(strFN,"\\","\") 'now reescape all of them strFN = Replace(strFN,"\","\\") 'get the file object with filename delimited by double quotes '(couldn't get single quotes to work with single quote embedded in path) On Error Resume Next Set oFile = GetObject("winmgmts:root\cimv2").Get _ ("CIM_DataFile.Name=""" & strFN & """") intErrNum = Err.Number On Error Goto 0 Err.Clear If intErrNum <> 0 Then CNCall = " [(path error)]" Exit Function End If 'find the co-name strMftr = oFile.Manufacturer Set oFile=Nothing 'if null, say so If IsNull(strMftr) Then CNCall = " [null data]" 'if empty, say so ElseIf strMftr = "" Then CNCall = " [empty string]" 'if some company, say it Else 'if MS, say it with 2 letters If strMftr = "Microsoft Corporation" Then CNCall = " [MS]" 'if some other company, provide all the data, which may take up several lines Else CNCall = " [" & Chr(34) & Replace(strMftr,Chr(13) & Chr(10),Space(1)) & Chr(34) & "]" End If 'MS or not? End If 'null, mt, MS or not? End Function 'look for the App Path default value for an executable Function AppPath (strFN) Dim strKey, strValue strKey = "Software\Microsoft\Windows\CurrentVersion\App Paths" oReg.GetStringValue HKLM,strKey & "\" & strFN,"",strValue 'return the value or an empty string If IsNull(strValue) Then strValue = "" AppPath = strValue End Function 'parse HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run for executables 'and return co-name for each executable 'executables are delimited by spaces and/or commas Function LRParse (strLine) Dim i, strLRSeg 'counter, line segment Dim strIn : strIn = Trim(strLine) 'input string Dim intSLLI : intSLLI = Len(strIn) 'Input String Line Length Dim strOut : strOut = "" 'output string Dim arOut() 'dynamic executable output array Dim cntAr : cntAr = -1 'output array UBound Dim cntChr : cntChr = 0 'number of chrs in executable string Dim intStartChr : intStartChr = 1 'start of executable string in input string 'for every chr in input string For i = 1 To intSLLI 'if the chr is a delimiter If Mid(strIn,i,1) = " " Or Mid(strIn,i,1) = "," Then 'if at least one non-delimiter chr has been encountered If cntChr > 0 Then 'extract the executable from the input string strLRSeg = Mid(strIn,intStartChr,cntChr) cntChr = 0 'reset the executable counter cntAr = cntAr + 1 'increment the output array UBound ReDim Preserve arOut(cntAr) 'redim the output array arOut(cntAr) = strLRseg 'add the executable to the output array End If 'non-delimiter chr encountered? intStartChr = i + 1 'reset the executable string start to next chr Else 'chr not a delimiter cntChr = cntChr + 1 'increment the exec string counter End If 'chr a delimiter? Next 'line chr 'check the end-string If cntChr > 0 Then 'extract the executable strLRSeg = Mid(strIn,intStartChr,cntChr) cntAr = cntAr + 1 'increment the output array UBound ReDim Preserve arOut(cntAr) 'redim the output array arOut(cntAr) = strLRSeg 'add the executable to the output array End If 'exec string found at end of line? 'if exec strings found If cntAr >= 0 Then 'for every string For i = 0 To UBound(arOut) 'concatenate a comma & co-name (with leading space) strOut = strOut & "," & CoName(arOut(i)) Next 'trim obligatory leading comma strOut = Right(strOut,Len(strOut)-1) End If 'return delimited string LRParse = strOut End Function 'read JOB file & output error if file corrupt Function JobFileRead (oFile, oJobFi) '# Unicode chrs in Run field executable statements, decimal value of enabled byte, 'command string, error number Dim intUChrCtr, int1C, strCmd, intErrNum Dim strJobExe : strJobExe = "" 'concatenated executable string Dim flagEnStatus : flagEnStatus = False 'task enabled status 'prepare output file title lines Dim strLine Dim strTitleLine1 : strTitleLine1 = "Enabled Scheduled Tasks:" Dim strTitleLine2 : strTitleLine2 = String(Len(strTitleLine1),"-") 'check for minimum length If oFile.Size <= 80 Then JobFileReadError oFile, strTitleLine1, strTitleLine2, " (too small)" : Exit Function End If On Error Resume Next 'determine enabled/disabled status by reading one Unicode chr oJobFi.Skip(24) int1C = AscB(oJobFi.Read(1)) 'for a DISabled task: byte 48 (30h), 0-based-bit 2 (4-bit) = 1 If (int1C And 4) = 0 Then flagEnStatus = True 'if an enabled task If flagEnStatus Then 'write titles if not already done If Not flagTLW Then SkipLine : WriteOut strTitleLine1 : WriteOut strTitleLine2 : SkipLine flagTLW = True End If 'skip to the counter for the number of chrs in the first executable statement oJobFi.Skip(10) '# bytes at unicode chr 35 (byte 70) '# chrs includes final zero chr so subtract one chr intUChrCtr = AscW(oJobFi.Read(1))-1 'check for 0 or negative executable length If intUChrCtr <= 0 Then JobFileReadError oFile, strTitleLine1, strTitleLine2, " (no executable)" Exit Function End If 'read the chrs and convert to ASCII strJobExe = MidB(oJobFi.Read(intUChrCtr),1) intErrNum = Err.Number : Err.Clear 'check for truncated executable If intErrNum <> 0 Then JobFileReadError oFile, strTitleLine1, strTitleLine2, " (truncated executable)" Exit Function End If strCmd = strJobExe 'store executable for co-name ID 'add ".exe" extension to bare executables If Fso.GetExtensionName(strCmd) = "" Then strCmd = strCmd & ".exe" 'skip to parameters counter oJobFi.Skip(1) intErrNum = Err.Number : Err.Clear 'check for truncated file If intErrNum <> 0 Then JobFileReadError oFile, strTitleLine1, strTitleLine2, " (too small)" Exit Function End If 'read the parameters counter intUChrCtr = AscW(oJobFi.Read(1)) intErrNum = Err.Number : Err.Clear 'check for absence of parameters counter If intErrNum <> 0 Then JobFileReadError oFile, strTitleLine1, strTitleLine2, " (parameter string size missing)" Exit Function End If 'if parameters exist, concatenate the executable If intUChrCtr <> 0 Then _ strJobExe = strJobExe & Space(1) & MidB(oJobFi.Read(intUChrCtr-1),1) intErrNum = Err.Number : Err.Clear 'check for truncated parameter string If intErrNum <> 0 Then JobFileReadError oFile, strTitleLine1, strTitleLine2," (truncated parameter string)" Exit Function End If 'write out the .JOB file name & executable string WriteOut Chr(34) & Fso.GetBaseName(oFile.Path) & Chr(34) &_ strGT & "launches: " & Chr(34) & strJobExe & Chr(34) & CoName(strCmd) End If 'enabled task? On Error Goto 0 End Function 'output reason for JOB file corruption Function JobFileReadError (oFile, strTitleLine1, strTitleLine2, strReason) 'write titles if not already done If Not flagTLW Then WriteOut strTitleLine1 : WriteOut strTitleLine2 : SkipLine flagTLW = True End If 'write out the .JOB file name & executable string WriteOut Chr(34) & Fso.GetBaseName(oFile.Path) & Chr(34) &_ strGT & "WARNING -- The file " & Chr(34) & oFile.Name & Chr(34) &_ " is corrupt!" & strReason End Function 'write strOut to the report file Function WriteOut (strOut) 'needed for W98/WME Dim intQ1, intQ2, strOut1, strOutWk Dim strOut2 : strOut2 = "" 'if output via Script Object If flagFW = "SO" Then oFN.WriteLine strOut 'write the line to the file 'in W98/WME, echo to SFN ElseIf strOS = "W98" Or strOS = "WME" Then Wshso.Run "%COMSPEC% /c echo " & strOut & ">> " & strFNS,0,TRUE 'in NT4/W2K/WXP, echo to LFN Else 'use LFN Wshso.Run "%COMSPEC% /c echo " & strOut & ">> " & Chr(34) & strFN & Chr(34),0,TRUE End If 'Script Object or Echo? End Function 'skip a line in the report file Function SkipLine 'if output via Script Object If flagFW = "SO" Then oFN.WriteBlankLines (1) 'if output via Echo in W98/WME ElseIf strOS = "W98" Or strOS = "WME" Then Wshso.Run "%COMSPEC% /c echo.>> " & strFNS,0,TRUE 'if output via Echo in NT4/WS2/WXP Else Wshso.Run "%COMSPEC% /c echo.>> " & Chr(34) & strFN & Chr(34),0,TRUE End If 'Script Object or Echo? End Function 'R00 'initial rev. 2004-04-20 'R01 'avoided trailing backslash for ScrPath if path is drive root; added 'detection of W98 and HKLM... RunOnceEx, RunServices, RunServicesOnce; 'enumeration of RunOnceEx keys; error if WMI not installed with launch 'of browser to download site & message in text file 'R02 'minor report enhancements 'R03 'added computer name to report file name 'R04 'added: 'HKCU-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load & run 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell & Userinit 'HKLM\SOFTWARE\Classes\[exe-type]file\shell\open\command 'WIN.INI [windows] load= & run= 'SYSTEM.INI [boot] shell= 'R05 'added: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx 'HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ' value of name is CLSID whose InProcServer32 default name's value = executable 'omitted output if keys empty 'R06 'omitted all output if anomalies absent; added W98Titles & DefExeTitles 'functions 'R07 'added RegDataChk sub 'added: 'HKLM\Software\Microsoft\Active Setup\Installed Components\ 'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ 'HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ 'HKCU & HKLM\SOFTWARE\Microsoft\Command Processor\AutoRun 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute 'R08 'removed: 'HKCU & HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ 'manages restricted/trusted sites, but not an executable launch point 'added MsgBox at script completion 'R09 'added identification of PIF target, converted script completion 'MsgBox to PopUp 'R10 'added VIII. shortcut parameters 'R11 'added length check for CLSID data, error handling for bad values ' & missing BHO InprocServer32 key 'added: 'WINSTART.BAT contents listing 'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ 'R12 'added 10-line "unalterable" comments header 'added detected O/S to output file (incl. WME & WS2K3) 'changed terminology from "value/data" to "name/value" 'added to section I: ' arRegFlag array (for each O/S: hive,key,execution applicability & warning flags) ' W98,WME,NT4,W2K,WXP arRegFlag data ' EnumKeyData function for parsing of all value data types & display ' in output file ' subkey recursion (for handling of W2K bug & HKCU/HKLM... RunOnce\Setup) 'removed from Section I: ' HKCU...RunServices & RunServicesOnce for W98 ' HKCU... / HKLM... Explorer\Run for NT4 'R13 'added MsgBox to quit if WS2K3 detected 'added HKLM... Winlogon\Notify 'encoded MsgBox e-mail address in hex 'R14 'added INFECTION WARNING! for non-default Winlogon\Notify entry 'R15 'added default value as program's title to HKLM...Active 'Setup\Installed Components section 'R16 'corrected R07 comments concerning HKLM...BootExecute 'R17 'added detection of URL shortcuts in Start Menu folders 'R18 'changed attribution header to accommodate SE results 'added Echo output for CScript host 'added revision number to output file 'modified section II: ' list HKLM\Software\Microsoft\Active Setup\Installed Components\ if ' StubPath value exists and HKCU... Active Setup\Installed Components ' key does not exist, or if HKLM comma-delimited version number > HKCU ' version number 'added to section VI: ' HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell ' HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell 'modified section X: suppressed startup folder title in output file if folder empty 'added section XI - enabled Scheduled Tasks 'redimmed arrays to 0 to recover memory at end of every section 'R19 'added to section X: ' %WINDIR%\All Users... Startup for W98 'in section XI: ' fixed executable statement parsing bug due to use of Asc instead of AscW ' changed enabled criterion to single byte (44) 'added revision number to MsgBox/Echo at EOJ 'R20 'added output file directory via argument 'added two sections & renumbered existing sections 'added tests for WME in sections VI, VII, X, XI 'in section III: ' obtained BHO names from CLSID key if unavailable from BHO key 'added section VIII for W2K/WXP: ' HKCU/HKLM\Software\Policies\Microsoft\Windows\System\Scripts 'in section XI: ' excluded DESKTOP.INI files when present in startup directories, ' revised startup folder name title output to only occur if shortcut, ' PIF or executable found in folder 'in section XII: ' changed enabled criteria to single byte: 30h (48), ' bit 2 (0-based) = 0 'added section XIII: started service name, display name, path, ' CompanyName != Microsoft 'added functions: IDExe - extract service executable from path ' FLN - find leading script executable number ' ScrIP - SCRIPTS.INI parser ' CoName - find CompanyName in file 'R21 'added trap for VBScript version for W98/NT4 'added detection of W95 (interpreted as W98) 'added Err.Clear statement after every invocation of On Error Resume Next 'added script name to report header 'added namespace to WMI connection statement 'revised CoName function to concatenate several path strings and call ' 2nd function that uses WMI to retrieve co-name 'added functions: LRParse - parse load/run lines for executables ' CNCall - locate file in initial string, windows, ' system, app paths; retrieve co-name via WMI 'added co-name ID to all pgm sections 'removed output of value type from section I 'fixed bug in section VI - HKLM\...Winlogon\Userinit, infection alert ' was being issued when no comma in string 'changed BootExecute output in VI from output line for every ' multistring entry to single line 'R22 'fixed CNCall malformed path (leading backslash) bug, improved CNCall 'error handling; protected CoName from null or empty ImagePath strings 'due to deleted service left running 'R23 'changed strAUSUF to flagAUSUF in section XI 'added error handling for corrupt JOB file in section XII 'added function: JobFileRead 'changed "empty data" to "empty string" in CNCall 'added ".exe" to extension-less executable in JobFileRead 'R24 'revised R23 changes 'added back strTitleLine assignment in section XII 'R25 'added test for arHKCUKeys array in HKCU... Active Setup\Installed ' Components (section II) 'DIMed local variables in AppPath to avoid conflict with strValue used ' in Section VI; fixed same bug in IniLRS 'suppressed section title if both startup folders empty in section XI 'R26 'changed endpoint in services sort in section XIII so that sort ' included last service in initial array 'R27 'declared strFPSF & strFPWF Public (used in CoName sub) 'script host bug workaround: in some script versions, ' CreateTextFile/OpenTextFile with Create parameter=True overwrites ' file contents line by line instead of overwriting file, so now delete ' output file if it exists before writing to it 'added trap for CreateTextFile error 'added colons to all section titles 'added comments to better explain array in section I 'added to section V: HKCU...ShellServiceObjectDelayLoad 'added to section VI: GinaDLL 'added to section VII: Notify values for W2K (termsrv) & WS2K3 (=WXP) 'new section XI: AUTORUN.INF in root of fixed disks, renumbered XII-XIV 'added functions: NDTAR, NDAR, FmtTime 'changed function titles: W98Titles -> IniInfTitles; IniLRS -> IniInfParse 'modified function RegDataChk to handle no value or empty+expected value 'added script launch time to output file header 'R28 'added functions WriteOut, SkipLine to enable output via Echo when 'Fso generates error, debugged output under W98: Echo output not 'possible from network drive, interference from double quote & >, 'limited to 62-63 chrs/line 'changed output file name '** Updated Revision Number on line #15 ** |
19.05.2008, 23:03 | #21 |
| TR/VB.aqt.58 so, alle logs müßten oben sein (mehr habe ich jedenfalls nicht im angebot )- trotz der 25000 zeichen begrenzung. |
19.05.2008, 23:10 | #22 |
/// TB-Ausbilder | TR/VB.aqt.58 Hi, ich schau mir die logs noch genauer an, editier, solang es noch möglich ist, bitte, die Links in deinem Log. EDIT: Bei silentrunners ist was schiefgelaufen. Das was du da gepostet hast, ist das Skript, nicht das Ergebnis von dem Skript lg myrtille
__________________ Anfragen per Email, Profil- oder privater Nachricht werden ignoriert! Hilfe gibts NUR im Forum! Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM Spelling mistakes? Never, but keybaord malfunctions constantly! |
20.05.2008, 19:09 | #23 |
| TR/VB.aqt.58 LACH NICH!!!! ich hab mich schon gewundert, weil die datei so groß war jedenfalls lief das skript über die zip.datei nicht wg. vista. stattdessen wurde ich hierher geleitet: http://www.silentrunners.org/Silent%20Runners%20RED.vbs ich hab gedacht, die webseite führt das skript selbst aus. war wohl nicht. und jetzt habe ich den vorführeffekt: heute läuft auch die zip.datei. vista auf einmal kein problem mehr. glg sunamo |
20.05.2008, 19:14 | #24 |
| TR/VB.aqt.58 "Silent Runners.vbs", revision 58, Silent Runners - Adware? Disinfect, don't reformat! Operating System: Windows Vista Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Acer Tour Reminder" = "(empty string)" [file not found] "ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS] "SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide" "RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"] "eDataSecurity Loader" = "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" ["HiTRUST"] "Acer Tour" = "(empty string)" [file not found] "NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS] "NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS] "PLFSetL" = "C:\Windows\PLFSetL.exe" ["sonix"] "PlayMovie" = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"" ["CyberLink Corp."] "IAAnotif" = ""C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"" ["Intel Corporation"] "Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."] "eRecoveryService" = "(empty string)" [file not found] "Acer Tour Reminder" = "C:\Acer\AcerTour\Reminder.exe" ["Acer Inc."] "WarReg_PopUp" = "C:\Acer\WR_PopUp\WarReg_PopUp.exe" [null data] "SetPanel" = "C:\Acer\APanel\APanel.cmd" [file not found] "eAudio" = ""C:\Acer\Empowering Technology\eAudio\eAudio.exe"" ["CyberLink"] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."] "Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "osCheck" = ""C:\Program Files\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"] "Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"] "avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar Helper" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch" -> {HKLM...CLSID} = "FGCatchUrl" \InProcServer32\(Default) = "D:\Programme\FlashGet\jccatch.dll" ["webseite.flashget.com"] {3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided) -> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer" \InProcServer32\(Default) = "D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}\(Default) = (no title provided) -> {HKLM...CLSID} = "ShowBarObj Class" \InProcServer32\(Default) = "C:\Windows\system32\ActiveToolBand.dll__BHODemonDisabled" [file not found] {CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided) -> {HKLM...CLSID} = "FDMIECookiesBHO Class" \InProcServer32\(Default) = "D:\Programme\Free Download Manager\iefdm2.dll" [null data] {F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided) -> {HKLM...CLSID} = "FlashGet GetFlash Class" \InProcServer32\(Default) = "D:\Programme\FlashGet\getflash.dll" ["webseite.flashget.com"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension" -> {HKLM...CLSID} = "EPM-PO Shell Extensions" \InProcServer32\(Default) = "epm-po.dll" [file not found] "{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "D:\Programme\Microsoft Office XP\Office10\msohev.dll" [MS] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] "{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "D:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}" -> {HKLM...CLSID} = "eDSshlExt Class" \InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}" -> {HKLM...CLSID} = "IEContextMenu Class" \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}" -> {HKLM...CLSID} = "eDSshlExt Class" \InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}" -> {HKLM...CLSID} = "IEContextMenu Class" \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] Group Policies {GPedit.msc branch and setting}: Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode} "ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Standard Users} "EnableInstallerDetection" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Detect Application Installations And Prompt For Elevation} "EnableLUA" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} "EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Only elevate UIAccess applications that are installed in secure locations} "EnableVirtualization" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Virtualize file and registry write failures to per-user locations} "PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Switch to the secure desktop when prompting for elevation} "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "FilterAdministratorToken" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Admin Approval Mode for the Built-in Administrator Account} Active Desktop and Wallpaper: Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg" Enabled Screen Saver: HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\Windows\system32\Aurora.scr" [MS] Windows Portable Device AutoPlay Handlers HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ LightScribeOnArrivalAP\ "Provider" = "LightScribe Direct Disc Labeling" "InvokeProgID" = "LightScribe.AutoPlayHandler" "InvokeVerb" = "LabelLightScribeDisc" HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "C:\Program Files\Common Files\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"] MDCBlankCDArrival\ "Provider" = "DVDivine" "InvokeProgID" = "BlankCD" "InvokeVerb" = "OpenWithMakeDisc" HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"] MDCDVDBurningOnArrival\ "Provider" = "DVDivine" "InvokeProgID" = "BlankDVD" "InvokeVerb" = "OpenWithMakeDisc" HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"] MMJBAutoplayBURNERPLUS\ "Provider" = "MUSICMATCH Burner Plus" "InvokeProgID" = "MMJB.BURN" "InvokeVerb" = "Burn" HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmfwlaunch.exe""-mmjb"" [file not found] NTIBurner\ "Provider" = "NTI CD-Maker" "InvokeProgID" = "NTIBurnerOpen" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\NTIBurnerOpen\shell\open\command\(Default) = ""C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\Cdmkr32.exe"" ["NewTech Infosystems, Inc."] PlayMoviePlayDVDMovieOnArrival\ "Provider" = "Play Movie" "InvokeProgID" = "DVD" "InvokeVerb" = "PlayWithPlayMovie" HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPlayMovie\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe" "%L"" ["CyberLink Corp."] PPCDBurningOnArrival\ "Provider" = "PowerProducer" "InvokeProgID" = "Picture" "InvokeVerb" = "OpenWithPowerProducer" HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"] PPDCameraArrival\ "Provider" = "PowerProducer" "InvokeProgID" = "Picture" "InvokeVerb" = "OpenWithPowerProducer" HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"] PPDVArrival\ "Provider" = "PowerProducer" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "Shell Execute Hardware Event Handler" \LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] RPCDBurningOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.CDBurn.6" "InvokeVerb" = "open" HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."] RPDeviceOnArrival\ "Provider" = "RealPlayer" "ProgID" = "RealPlayer.HWEventHandler" HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}" -> {HKLM...CLSID} = "RealNetworks Scheduler" \LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."] RPPlayCDAudioOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.AudioCD.6" "InvokeVerb" = "play" HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."] RPPlayDVDMovieOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.DVD.6" "InvokeVerb" = "play" HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."] RPPlayMediaOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.AutoPlay.6" "InvokeVerb" = "open" HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."] VLCPlayCDAudioOnArrival\ "Provider" = "VideoLAN VLC media player" "InvokeProgID" = "VLC.CDAudio" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"] VLCPlayDVDMovieOnArrival\ "Provider" = "VideoLAN VLC media player" "InvokeProgID" = "VLC.DVDMovie" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"] |
20.05.2008, 19:16 | #25 |
| TR/VB.aqt.58 SilentRunners Teil 2 Startup items in "benutzername" & "All Users" startup folders: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup "Microsoft Office" -> shortcut to: "D:\Programme\Microsoft Office XP\Office10\OSA.EXE -b -l" [MS] Winsock2 Service Provider DLLs: Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS] 000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 22 Toolbars, Explorer Bars, Extensions: Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" -> {HKLM...CLSID} = "Acer eDataSecurity Management" \InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{F2CF5485-4E02-4F68-819C-B92DE9277049}" -> {HKLM...CLSID} = "&Links" \InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" = (no title provided) -> {HKLM...CLSID} = "Acer eDataSecurity Management" \InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"] "{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar" -> {HKLM...CLSID} = "Show Norton Toolbar" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"] "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."] {2670000A-7350-4F3C-8081-5663EE0C6C49}\ "ButtonText" = "An OneNote senden" "MenuText" = "An OneNote s&enden" "CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}" -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ "ButtonText" = "FlashGet" "MenuText" = "FlashGet" "Exec" = "D:\Programme\FlashGet\FlashGet.exe" ["FlashGet.com"] {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ "MenuText" = "Spybot - Search & Destroy Configuration" "CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}" -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] Miscellaneous IE Hijack Points HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): a-squared Free Service, a2free, ""C:\Program Files\a-squared Free\a2service.exe"" ["Emsi Software GmbH"] ALaunch Service, ALaunchService, "C:\Acer\ALaunch\ALaunchSvc.exe" [null data] Automatische WLAN-Konfiguration, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]} Automatisches LiveUpdate - Scheduler, Automatisches LiveUpdate - Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"] Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"] Avira AntiVir Personal – Free Antivirus Planer, AntiVirScheduler, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"] CNG-Schlüsselisolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS] Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string] eDSService.exe, eDataSecurity Service, ""C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe"" ["HiTRSUT"] eLock Service, eLockService, "C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe" [null data] eNet Service, eNet Service, "C:\Acer\Empowering Technology\eNet\eNet Service.exe" ["Acer Inc."] ePower Service, WMIService, "C:\Acer\Empowering Technology\ePower\ePowerSvc.exe" ["acer"] eRecovery Service, eRecoveryService, "C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe" [null data] eSettings Service, eSettingsService, "C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe" [null data] Extensible Authentication-Protokoll, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]} Intel(R) Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"] LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"] LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] MobilityService, MobilityService, "C:\Acer\Mobility Center\MobilityService.exe -p" [null data] SBSD Security Center Service, SBSDWSCService, "C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe" ["Safer Networking Ltd."] Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Windows Driver Foundation - Benutzermodus-Treiberframework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]} Windows-Bilderfassung, stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]} XAudioService, XAudioService, "C:\Windows\system32\DRIVERS\xaudio.exe" ["Conexant Systems, Inc."] Zugriff auf Eingabegeräte, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]} Print Monitors: HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS] (launch time: 2008-05-20 10:33:44) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. (total run time: 69 seconds, including 10 seconds for message boxes) |
22.05.2008, 13:13 | #26 |
| TR/VB.aqt.58 hallo zusammen, ich hoffe, ich habe silentrunners jetzt richtig ausgeführt. das file und das von dss sind jetzt online. könnt ihr mal schauen, ob euch noch was auffällt. schönen rest-feiertag |
22.05.2008, 13:25 | #27 | |
/// TB-Ausbilder | TR/VB.aqt.58 Hi, sry hab gar nicht mitgekriegt, dass du Silentrunners nachgereicht hast. Zitat:
Die beiden Logs sind sauber. Wenn du die beiden autorun.inf gelöscht hast und sie nicht wieder neuerstellt wurden, würde ich denken, dass die Infektion bei dir nicht aktiv ist. lg myrtille
__________________ Anfragen per Email, Profil- oder privater Nachricht werden ignoriert! Hilfe gibts NUR im Forum! Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM Spelling mistakes? Never, but keybaord malfunctions constantly! |
22.05.2008, 16:19 | #28 |
| TR/VB.aqt.58 :aplaus::aplaus::aplaus: juhu, noch mal glück gehabt. bisher ist keine neue datei dieses namens auf meinen festplatten aufgetaucht. wenn's sauber ist, darfst du auch ruhig lachen ich hab aber noch zwei fragen, wenns nicht unverschämt ist: 1. zu dem silentrunner: am ende steht doch, das <<!>> wenn es angezeigt wird, bedeutet, das da eine verdächtige datei kurz vor dem start steht. und in dem log wird folgendes angezeigt: HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.D LL" [MS] hat das nichts zu bedeuten bzw. was bedeutet es? 2. zu meiner funktionsunfähigen systemwiederherstellung. kennst du jemand bzw. ein forum, wo ich das noch mal posten kann und wo ich ne andere antwort kriegen kann als format c: oder schmeiß vista weg ? lg sunamo |
22.05.2008, 16:23 | #29 |
/// TB-Ausbilder | TR/VB.aqt.58 Die Einträge mit <<!>> werden als verdächtig eingstuft, wie genau diese ausgewählt werden, weiß ich nicht. Der Eintrag [MS] am Ende bedeutet jedoch, dass die Datei von Microsoft signiert ist und eine Überprüfung zeigte, dass der ganze Eintrag von Microsoft stammt und damit unbedenklich ist. Mit der Systemwiederherstellung kannst du es hier im Windowsunterforum mal probieren. lg myrtille
__________________ Anfragen per Email, Profil- oder privater Nachricht werden ignoriert! Hilfe gibts NUR im Forum! Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM Spelling mistakes? Never, but keybaord malfunctions constantly! |
22.05.2008, 19:21 | #30 |
| Neuer Fund: TR/Hijacker.GEN, AW: TR/VB.aqt.58 jetzt wollte ich dich gerade heilig sprechen, wg. der guten nachrichten und nun geht es in die zweite runde. diesmal hat antivir gemeldet, eine update.exe, die in einem verzeichnis von flashget steckt, sei Hijacker.Gen. laut virus total stimmt das zu 15 prozenzt. die datei ist in quarantäne und beim neustart auch nicht wieder aufgetaucht. trotzdem poste ich noch mal die ganzen logs mit der bitte, noch einmal nachzuschauen. ich werde dann flashget deinstallieren. habe gelesen, dass das nicht ohne ist. die datei befand sich unter D:\Programme\FlashGet\FGUpdate soll ich auch deren inhalt wieder posten? anbei das hijack-log. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:58:32, on 22.05.2008 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16643) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\RtHDVCpl.exe C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe C:\Windows\System32\rundll32.exe C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe C:\Program Files\Apoint2K\Apoint.exe C:\Acer\Empowering Technology\eAudio\eAudio.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Users\Corinna\AppData\Local\Temp\RtkBtMnt.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Apoint2K\ApMsgFwd.exe C:\Program Files\Launch Manager\LManager.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo! Deutschland R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo! Deutschland R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo! Deutschland R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo! Deutschland R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O1 - Hosts: ::1 localhost O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\Programme\FlashGet\jccatch.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll (disabled by BHODemon) O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programme\Free Download Manager\iefdm2.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\Programme\FlashGet\getflash.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O4 - .DEFAULT User Startup: DSL-Manager.lnk = C:\Program Files\T-Online\DSL-Manager\DslMgr.exe (User 'Default user') O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office XP\Office10\OSA.EXE O8 - Extra context menu item: &Alles mit FlashGet laden - D:\Programme\FlashGet\jc_all.htm O8 - Extra context menu item: &Mit FlashGet laden - D:\Programme\FlashGet\jc_link.htm O8 - Extra context menu item: Alles mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlall.htm O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlselected.htm O8 - Extra context menu item: Datei mit FDM herunterladen - file://D:\Programme\Free Download Manager\dllink.htm O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Videos mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlfvideo.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programme\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programme\FlashGet\FlashGet.exe O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O13 - Gopher Prefix: O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe -- End of file - 12522 bytes |
Themen zu TR/VB.aqt.58 |
adobe, antivir, antivirus, avg, bho, browser, defender, drivers, excel, fehler, festplatte, free download, helper, hijackthis, internet, internet explorer, internet security, local\temp, maleware, monitor, pop-up-blocker, popup, quara, rundll, safer networking, security center, senden, software, symantec, system, t-online, temp, urlsearchhook, vista, windows, windows defender, windows sidebar, windows\system32\drivers |