Wifi Sniff -> a supposed bot??? (Windows 7)
18.07.2008, 12:07 | #1
Hi, since I think I've somehow caught a bot or a trojan or something, I sat down with Wireshark today and sniffed my network adapter, and something caught my eye: TCP connections to one particular IP kept showing up, and when I followed the TCP stream these 2 codes came out. Can someone tell me what I'm infected with?
Code:
HTTP/1.1 200 OK
Date: Thu, 17 Jul 2008 15:30:54 GMT
Server: Apache
Last-Modified: Thu, 05 Jun 2008 13:43:52 GMT
ETag: "1cc006-3c2f-44eeb89249600"
Accept-Ranges: bytes
Content-Length: 15407
Connection: close
Content-Type: text/plain

;------------------------------------------------------------------------------------------------
; . ........ ....... .......... ...............
;--------------------------------------------------------------------------------------------------
;
; ... .. ......... ... issue . .... ...... .......... . ................ .....
; ...... issue ........... .... . .... ....... ...... ..... ......:
; [........]
; Detect=<...... ...........>:<......>
; ....... ...........:
; registry - ........... .. ....... ...... . .......
; service - ........... .. ....... ......
; driver - ........... .. ....... ........
; process - ........... .. ....... ........
;
; ........:
; disable_on_access - ......... on-access .......
; disable_on_any_access - ........... ..... ...... on-access, ......... ...... ... ..........
; compatible_on_access - ........... ..... ...... on-access, .. ......... .. ........ .....
; disable_sandbox - .. ........... .. sandbox ....... .....
; disable_wlhook - .. ............. wl_hook .....
; sandbox_exclusion - ......... .... . .......... sandbox (... .........)
; wl_hook_exclusion - ......... .... . .......... wl_hook (.. ........)
; cancel_install.- ...... .......... .. ......... .......
; disable_attributes - ......... ........... ........ (Smart Scan .....)
; disable_content .- ......... .......... ....... .
; [issues]
; checked antiviruses
nod32_integrity_issue=NOD32 Integrity Issue
nod32_on_access_issue=NOD32 On-Access Issue
klif_issue=Kaspersky On-Access Scanner Issue
kavavp_issue=Legacy Kaspersky Service Issue
drweb_issue=DrWeb Issue
avg_av_issue=AVG Anti-Virus Issue
avg_av_issue_v7=AVG Anti-Virus Issue
symantec_issue=Norton (Symantec) AntiVirus Issue
symantec_v10_issue=Norton (Symantec) AntiVirus Issue
symantec_autoprotect_issue=Symantec AntiVirus AutoProtect Issue
symantec_filtration_issue=Symantec AntiVirus content filtration Issue
avast_issue=avast! Issue
mcafee_issue=McAfee VirusScan Issue
avira_issue=Avira AntiVir Issue
avira_issue_v7_2000.32_issue=Avira AntiVir Issue
bitdefender_av_issue=BitDefender AntiVirus Issue
bitdefender_av_2008_issue=BitDefender Antivirus 2008 Issue
spysweeper_issue=Spy Sweeper Issue
ca_issue=CA Anti-Virus Issue
ca_av_v8_xp.32_issue=CA Anti-Virus Issue
gdata_avk_issue=GDATA AntiVirusKit Issue
; checked firewalls
lavasoft_firewall_issue=Lavasoft Firewall Issue
quickheal_firewall_issue=Quick Heal Firewall Issue
buhl_firewall_issue=PC Firewall Issue
sophos_firewall_issue=Sophos Client Firewall Issue
agava_firewall_issue=AGAVA Firewall Issue
f-secure_firewall_issue=F-Secure Firewall Issue
jetico_firewall_issue=Jetico Firewall Issue
zonealarm_firewall_issue=ZoneAlarm Firewall Issue
checkpoint_firewall_issue=CheckPoint Firewall Issue
onlinearmor_firewall_issue=Online Armor Personal Firewall Issue
virusbuster_issue=VirusBuster Issue
; not checked
mcafee_framework_issue=McAffee Framework Self Protection Issue
mcafee_enterprise_issue=McAffee Enterprise Self Protection Issue
mcafee_scan_online=McAffee Online Scan Self Protection Issue
sophos_issue=Sophos Antivirus Issue
comodo.= Comodo Installation
za_inst.= Zone Alarm Installation
;----------------------------------------------------------------------------------------
; Antivirus
;----------------------------------------------------------------------------------------
[nod32_integrity_issue]
Product=nod32_product
Detect=service:nod32krn
Detect=service:ekrn
Action=wl_hook_exclusion ekrn.exe
Action=sandbox_exclusion ekrn.exe
Action=wl_hook_exclusion egui.exe
Action=wl_hook_exclusion nod32.exe
Action=wl_hook_exclusion nod32kui.exe
Action=wl_hook_exclusion nod32krn.exe
Action=disable_content vista
[nod32_on_access_issue]
Product=nod32_product
Detect=driver:amon
Detect=driver:eamon
Action=disable_on_access
[klif_issue]
Detect=driver:klif
Action=disable_on_access
Product=kis_product
[kavavp_issue]
Detect=service:avp
Product=kis_product
Action=wl_hook_exclusion avp.exe
Action=sandbox_exclusion avp.exe
Action=kaspersky_av_exclusion_action
Action=kaspersky_suspend_protection_action
Action=disable_attributes
Action=disable_content vista
[drweb_issue]
Product=drweb_product
Detect=service:spidernt
Detect=driver:spider
Action=disable_on_access
[avg_av_issue]
Product=avg_product
Detect=service:Avg7Alrt
Action=wl_hook_exclusion avgemc.exe
Action=wl_hook_exclusion avgrssvc.exe
[avg_av_issue_v7]
Product=avg_product
Detect=driver:avg7rsxp
Detect=driver:avgmfx86
Detect=driver:avgmfx64
Action=disable_on_access
[symantec_issue]
Product=symantec_product
Detect=service:CLTNetCnService
Action=wl_hook_exclusion ccSvcHst.exe
Action=sandbox_exclusion ccSvcHst.exe
Action=wl_hook_exclusion CCPD-LC\symlcsvc.exe
Action=sandbox_exclusion CCPD-LC\symlcsvc.exe
Action=symantec_disable_auto_protect
Action=disable_attributes
[symantec_v10_issue]
Product=symantec_product
Detect=service:ccEvtMgr
Action=wl_hook_exclusion ccEvtMgr.exe
Action=sandbox_exclusion ccEvtMgr.exe
Action=disable_attributes
[symantec_autoprotect_issue]
Product=symantec_product
Detect=driver:eectrl
Detect=service:ccEvtMgr
Action=disable_on_access
[symantec_filtration_issue]
Product=symantec_product
Detect=driver:SYMTDI
Action=disable_content
[avast_issue]
Product=avast_product
Detect=registry:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\avast!:InstallLocation
Action=wl_hook_exclusion ashserv.exe
Action=sandbox_exclusion ashserv.exe
Action=wl_hook_exclusion ashwebsv.exe
Action=sandbox_exclusion ashwebsv.exe
Action=wl_hook_exclusion ashmaisv.exe
Action=sandbox_exclusion ashmaisv.exe
Action=disable_on_access
Action=disable_content vista
[avira_issue]
Product=avira_product
Detect=driver:avgio
Action=disable_on_access
Action=disable_content vista
[avira_issue_v7_2000.32_issue]
Product=avira_product
Detect=driver:avgntdd
Action=disable_on_access
[bitdefender_av_issue]
Product=bitdefender_product
Detect=driver:bdrsdrv
Action=disable_on_access
Action=disable_content vista
Action=bitdefender_product_turnoff
[bitdefender_av_2008_issue]
Product=bitdefender_product
Detect=service:vsserv
Action=wl_hook_exclusion vsserv.exe
Action=disable_on_access
[ca_issue]
Product=ca_product
Detect=service:InoRT
Detect=service:InoRPC
Detect=service:InoTask
Detect=service:InoNmSrv
Action=wl_hook_exclusion InoNmSrv.exe
Action=wl_hook_exclusion InoTask.exe
Action=wl_hook_exclusion InoRT.exe
Action=wl_hook_exclusion InoRpc.exe
Action=disable_on_access
[ca_av_v8_xp.32_issue]
Product=ca_product
Detect=service:vetmsgnt
Action=disable_on_access
[gdata_avk_issue]
Product=gdata_product
Detect=service:AVKWCtl
Detect=service:AVKService
Action=disable_on_access
Action=wl_hook_exclusion avkwctl.exe
Action=sandbox_exclusion avkwctl.exe
Action=wl_hook_exclusion avkwctlx64.exe
Action=sandbox_exclusion avkwctlx64.exe
Action=wl_hook_exclusion avkservice.exe
Action=sandbox_exclusion avkservice.exe
[spysweeper_issue]
Product=spysweeper_product
Detect=service:WebrootSpySweeperService
Action=wl_hook_exclusion ssu.exe
Action=sandbox_exclusion ssu.exe
Action=wl_hook_exclusion spysweeper.exe
Action=sandbox_exclusion spysweeper.exe
Action=wl_hook_exclusion spysweeperui.exe
Action=wl_hook_exclusion safesweeper.exe
Action=disable_on_access
[mcafee_issue]
Product=mcafee_product
Detect=service:McShield
Action=wl_hook_exclusion mcshield.exe
Action=sandbox_exclusion mcshield.exe
Action=disable_on_any_access
;----------------------------------------------------------------------------------------
; Firewall
;----------------------------------------------------------------------------------------
[lavasoft_firewall_issue]
Product=lavasoft_product
Detect=service:LavasoftFirewall
Detect=registry:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lavasoft Firewall Pro_is1:InstallLocation
Action=cancel_install
[quickheal_firewall_issue]
Product=quickheal_product
Detect=service:QuickHealFirewall
Action=cancel_install
[buhl_firewall_issue]
Product=buhl_firewall_product
Detect=service:S Firewall
Action=cancel_install
[sophos_firewall_issue]
Product=sophos_fw_product
Detect=service:SophosFirewall
Action=cancel_install
[agava_firewall_issue]
Product=agava_fw_product
Detect=service:fwservice
Action=cancel_install
[f-secure_firewall_issue]
Product=f-secure_fw_product
Detect=driver:fsfw
Action=cancel_install
[jetico_firewall_issue]
Product=jetico_fw_product
Detect=service:Jetico Personal Firewall server
Action=cancel_install
[zonealarm_firewall_issue]
Product=za
Detect=service:vsmon
Action=cancel_install
[checkpoint_firewall_issue]
Product=checkpoint_fw_product
Detect=service:FW1SVC
Action=cancel_install
[onlinearmor_firewall_issue]
Product=onlinearmor_fw_product
Detect=service:SvcOnlineArmor
Action=cancel_install
[virusbuster_issue]
Product=virusbuster_product
Detect=service:VBCompManService
Action=cancel_install
;----------------------------------------------------------------------------------------
;unchecked below
;----------------------------------------------------------------------------------------
[mcafee_framework_issue]
Product=mcafee_product
Detect=registry:HKLM\SOFTWARE\Network Associates\TVD\Shared Components\Framework:Installed Path
Action=wl_hook_exclusion frameworkservice.exe
Action=disable_on_access
Action=disable_content vista
Action=disable_mcafee_access_protection
[mcafee_enterprise_issue]
Product=mcafee_product
Detect=registry:HKLM\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion:szInstallDir
Action=wl_hook_exclusion vstskmgr.exe
Action=wl_hook_exclusion avf.exe
Action=disable_on_access
[mcafee_scan_online]
Product=mcafee_product
Detect=registry:HKLM\SOFTWARE\McAfee.com\Virusscan Online:Install Dir
Action=wl_hook_exclusion mcshield.exe
Action=wl_hook_exclusion mcvsrte.exe
Action=wl_hook_exclusion mcvsescn.exe
Action=disable_on_access
[sophos_issue]
Product=sophos_product
Detect=service:savprogress.exe
Action=wl_hook_exclusion savprogress.exe
[comodo]
Detect=registry:HKLM\Software\Microsoft\Windows\Uninstall\Comodo Firewall
Action=cancel_install
Product=comodo_app
[za_inst]
Detect=registry:HKLM\Software\Microsoft\Windows\Uninstall\Zone Alarm
Action=cancel_install
Product=za
;--------------------------------------------------------------------------------------------------
; . ........ ....... ........ ....... ........... . ........ ........... ...............
;--------------------------------------------------------------------------------------------------
[msdev]
ProductName=Microsoft Developer Studio .NET
ProductVendor=Microsoft Corp
[suite20]
ProductName=Agnitum Security Suite 2008 or later
ProductVendor=Agnitum Ltd
[sysdrv]
ProductName=OS Hardware Drivers
ProductVendor=Hardware Vendors
[drv]
ProductName=Hardware kernel-mode Drivers
ProductVendor=Hardware Manufacturer
[za]
ProductName=Zone Alarm Firewall/Security Suite
ProductVendor=Zone Labs, LLC
[comodo_app]
ProductName=COMODO Firewall or Firewall Pro
ProductVendor=COMODO
;--- checked firewalls
[lavasoft_product]
ProductName=Lavasoft Personal Firewall
ProductVendor=Lavasoft AB
[quickheal_product]
ProductName=Quick Heal Firewall Pro
ProductVendor=Cat Computer Services Ltd.
[buhl_firewall_product]
ProductName=PC Firewall
ProductVendor=Buhl Data Service GmbH
[sophos_fw_product]
ProductName=Sophos Client Firewall
ProductVendor=Sophos Plc.
[agava_fw_product]
ProductName=AGAVA Firewall
ProductVendor=AGAVA Software
[f-secure_fw_product]
ProductName=F-Secure Internet Security
ProductVendor=F-Secure Corporation.
[jetico_fw_product]
ProductName=Jetico Personal Firewall
ProductVendor=Jetico, Inc
[checkpoint_fw_product]
ProductName=Check Point Firewall
ProductVendor=Check Point Software Technologies Ltd.
[onlinearmor_fw_product]
ProductName=Online Armor Personal Firewall
ProductVendor=Tall Emu Pty Ltd
[virusbuster_product]
ProductName=VirusBuster
ProductVendor=VirusBuster Ltd.
;--- checked anti-viruses
[drweb_product]
ProductName=Dr.Web Antivirus
ProductVendor=Doctor Web, Ltd.
[avg_product]
ProductName=AVG Anti-Virus / AVG Internet Security
ProductVendor=GRISOFT Inc.
[symantec_product]
ProductName=Norton (Symantec) AntiVirus
ProductVendor=Symantec Corporation
[avast_product]
ProductName=avast!
ProductVendor=ALWIL Software
[mcafee_product]
ProductName=McAfee VirusScan
ProductVendor=McAfee, Inc
[avira_product]
ProductName=Avira AntiVir / Avira Security Suite
ProductVendor=Avira GmbH
[nod32_product]
ProductName=NOD32 Antivirus
ProductVendor=ESET
[kis_product]
ProductName=Kaspersky Antivirus/Internet Security Suite
ProductVendor=Kaspersky Lab
[gdata_product]
ProductName= GDATA Antivirus
ProductVendor=G DATA Software AG.
[bitdefender_product]
ProductName=BitDefender
ProductVendor=Softwin GmbH
[spysweeper_product]
ProductName=Spy Sweeper
ProductVendor=Webroot Software, Inc.
[ca_product]
ProductName=CA eTrust Antivirus
ProductVendor=CA
;--- ported from presets
[sophos_product]
ProductName=SOPHOS Antivirus
ProductVendor=SOPHOS
;--------------------------------------------------------------------------------------------------
; . ........ ....... ........ ....... ............ ...... ......... .............. . ...... GUI ......
; .........
;
; ........! ..... .... ActionCaption .. ...... ......... 70 ........!!!
;--------------------------------------------------------------------------------------------------
[cancel_install]
ActionCaption=Installation is impossible (incompatible product found)
ActionText=Please unsinstall the incompatible product to continue the installation.
Fatal=true
[kaspersky_av_exclusion_action]
ActionCaption=Add product installation folder to Kaspersky Antivirus Trusted Zone
ActionText=After product installation, please add its installation folder to Kaspersky Antivirus Trusted Zone.
ActionURL=http://www.agnitum.com/support/kb/article.php?id=1000030&lang=<LANG>#9
[kaspersky_suspend_protection_action]
ActionCaption=Suspend Kaspersky Antivirus protection during installation
ActionText=To avoid warning messages during installation, please suspend Kaspersky Antivirus protection using the system tray menu command.
[bitdefender_product_turnoff]
ActionCaption=Unload BitDefender before installation
ActionText=To avoid BitDefender BSODs during installation, please turn it off.
[symantec_disable_auto_protect]
ActionCaption=Disable Norton Antivirus Auto-Protect
ActionText=To avoid conflicts during product operation, please disable Norton Antivirus Auto-Protect feature: open Norton Antivirus main window, select the Norton Antivirus tab, select Settings and click Auto-Protect > Turn Off under Basic Security.
[disable_mcafee_access_protection]
ActionCaption=Disable McAfee VirusScan Access Protection
ActionText=To avoid conflicts during product operation, please disable McAfee VirusScan Access Protection feature: open McAfee VirusScan console, right-click Access Protection and select Disable.

nopaste.com (beta)

I hope you can help me and tell me how I can fight the supposed pest.
greets infernomercy
18.07.2008, 14:53 | #2
Here is the HijackThis log as well..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:25:14, on 17.07.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Users\Nicklas\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\conime.exe
C:\Windows\system32\cmd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://de.rd.yahoo.com/customize/ycomp/defaults/sp/*http://de.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://de.rd.yahoo.com/customize/ycomp/defaults/su/*http://de.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [PLFSet] rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [vmware-tray] "C:\Program Files\VMware\VMware Workstation\vmware-tray.exe"
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dumps_startup
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: Hinzufügen zu Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Statistik für den Schutz des Web-Datenverkehrs - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll c:\progra~1\kasper~1\kasper~2\mzvkbd.dll,c:\progra~1\kasper~1\kasper~2\adialhk.dll,c:\progra~1\kasper~1\kasper~2\kloehk.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Raw Socket Service (RS_Service) - Acer Inc. - C:\Program Files\Acer\Acer VCM\RS_Service.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11405 bytes
18.07.2008, 23:28 | #3
/// Helper Team
Hi,

you're holding back on the information there, e.g. which IPs; a whois might already answer the question. From the content of your two odd logs I'd guess Outpost (but only a guess). As a test you could uninstall it and see whether these connections are still there.
Regards, Karl
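Karl's reasoning (the downloaded file's content points at Outpost, and a whois on the IP would settle it) can be checked against the two logs already in the thread. The following Python script is an added example, not code from the thread, from Agnitum, or from any other product named in it: it splits the captured HTTP response, parses its INI-style body (keeping the repeated Detect= and Action= keys as lists), pulls out the hosts and vendors the file refers to, and looks for those names in HijackThis lines. The two inputs are constructed excerpts of the logs quoted in posts #1 and #2; the function names and the plain substring-matching heuristic are my own assumptions.

```python
"""Added triage example (not from the thread): which installed product does a downloaded config belong to?"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of the HTTP response the poster pulled out of the TCP stream (post #1).
CAPTURED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/plain

[nod32_integrity_issue]
Product=nod32_product
Detect=service:nod32krn
Detect=service:ekrn
Action=wl_hook_exclusion ekrn.exe
Action=sandbox_exclusion ekrn.exe
[suite20]
ProductName=Agnitum Security Suite 2008 or later
ProductVendor=Agnitum Ltd
[kis_product]
ProductVendor=Kaspersky Lab
[kaspersky_av_exclusion_action]
ActionURL=http://www.agnitum.com/support/kb/article.php?id=1000030&lang=<LANG>#9
"""

# Constructed excerpt of the HijackThis log from post #2.
HIJACKTHIS_EXCERPT = r"""O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll c:\progra~1\kasper~1\kasper~2\mzvkbd.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
"""


def split_http_response(raw):
    """Split a plain HTTP/1.x response into (headers, body); header names lower-cased."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:          # [0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def parse_ini_multi(text):
    """Minimal INI parser; repeated keys (Detect=, Action=) are kept as lists per section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):    # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, defaultdict(list))
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split at the first '=' only: URLs contain '='
            sections[current][key.strip()].append(value.strip())
    return sections


def referenced_hosts(sections):
    """Hosts the file links the user to (ActionURL): a hint at who published it."""
    urls = [u for s in sections.values() for u in s.get("ActionURL", [])]
    return {urlparse(u).hostname for u in urls} - {None}


def vendor_tokens(sections, hosts):
    """Lower-cased search tokens: first word of each ProductVendor plus each host's main label."""
    tokens = {v.split()[0].rstrip(",.").lower()
              for s in sections.values() for v in s.get("ProductVendor", [])}
    tokens |= {h.split(".")[-2].lower() for h in hosts if h.count(".") >= 1}  # www.agnitum.com -> agnitum
    return tokens


def action_keywords(sections):
    """Feature names from Action= lines: 'wl_hook_exclusion ekrn.exe' -> 'wl_hook'."""
    return {a.split()[0].replace("_exclusion", "").lower()
            for s in sections.values() for a in s.get("Action", [])}


def correlate(tokens, hjt_text):
    """Map each token to the HijackThis lines containing it (case-insensitive substring match)."""
    lines = hjt_text.splitlines()
    hits = {t: [l for l in lines if t in l.lower()] for t in tokens}
    return {t: ls for t, ls in hits.items() if ls}


def triage(raw_response, hjt_text):
    """Summarise how the downloaded file relates to software seen in the HijackThis log."""
    headers, body = split_http_response(raw_response)
    sections = parse_ini_multi(body)
    hosts = referenced_hosts(sections)
    vendors = correlate(vendor_tokens(sections, hosts), hjt_text)
    features = correlate(action_keywords(sections), hjt_text)
    publishers = sorted(h.split(".")[-2].lower() for h in hosts
                        if h.count(".") >= 1 and h.split(".")[-2].lower() in vendors)
    return {
        "content_type": headers.get("content-type"),
        "hosts": sorted(hosts),
        "vendor_hits": {t: len(ls) for t, ls in vendors.items()},
        "feature_hits": {t: len(ls) for t, ls in features.items()},
        "likely_publisher": publishers[0] if publishers else None,
    }


if __name__ == "__main__":
    for key, value in triage(CAPTURED_RESPONSE, HIJACKTHIS_EXCERPT).items():
        print(f"{key}: {value}")
```

On these excerpts the only host the file links to is www.agnitum.com, "agnitum" turns up in three HijackThis lines (op_mon.exe, the wl_hook.dll entry under AppInit_DLLs, and the acssrv service), and the file's own wl_hook_exclusion actions line up with that wl_hook.dll entry, all consistent with Karl's guess that Outpost fetched it. The "sandbox" hit on the Sandboxie service shows the weakness of bare substring matching and has to be judged by hand; the whois on 67.15.231.73 that Karl asked for remains the other half of the check.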
19.07.2008, 11:39 | #4
Well, the IP is 67.15.231.73, and I couldn't find out anything more about the IP. Maybe you can find out more?
greets infernomercy