Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung
diverse plagegeister, in combofix und silentrunners

diverse plagegeister, in combofix und silentrunners


Plagegeister aller Art und deren Bekämpfung: diverse plagegeister, in combofix und silentrunners

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 22.07.2008, 23:39   #1
sunamo
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


hallo zusammen,

antivir hat vor einigen tagen die dateien combofix.exe, silent runners red.vbs und uvjoiner-trial.exe als infiziert gemeldet. uvjoiner hatte ich noch nicht installiert, combofix auf anraten des forums mal heruntergeladen, aber bisher noch nicht genutzt.

combofix und silentrunners habe ich erst für eine falschmeldung gehalten, aber da antivir die dateien immer noch als maleware einstuft, mache ich mir nun gedanken.

vor längerem hat es auch in einer zip.datei einer alten vista-dateisicherung, in der u.a. emails sind, einen verdächtigen schädling gefunden: heur/html-maleware. die datei ist in quarantäne. da sie ziemlich gross ist, konnte ich sie nicht zu virus-total bringen. und da sie eh eine alte "archivdatei" war mit mails, die ich schon längst gelöscht habe, ist sie mir auch nicht so wichtig.

jedenfalls: könnt ihr mal wieder über meine logs und virus-total-scans
schauen? wie gesagt, das zip-archiv konnte ich nicht zu virustotal laden, aber alle anderen kommen jetzt:

Alt 22.07.2008, 23:40   #2
sunamo
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


uvjoiner-trial.exe:


Datei uvjoiner-trial.exe empfangen 2008.07.22 21:22:26 (CET)
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.7.22.2 2008.07.22 -
AntiVir 7.8.1.11 2008.07.22 PHISH/FraudTool.SpyNoMore.G.69
Authentium 5.1.0.4 2008.07.22 -
Avast 4.8.1195.0 2008.07.22 -
AVG 8.0.0.130 2008.07.22 -
BitDefender 7.2 2008.07.22 -
CAT-QuickHeal 9.50 2008.07.22 -
ClamAV 0.93.1 2008.07.22 -
DrWeb 4.44.0.09170 2008.07.22 -
eSafe 7.0.17.0 2008.07.22 -
eTrust-Vet 31.6.5974 2008.07.22 -
Ewido 4.0 2008.07.22 Not-A-Virus.Adware.EShoper
F-Prot 4.4.4.56 2008.07.22 -
F-Secure 7.60.13501.0 2008.07.22 FraudTool.Win32.SpyNoMore.g
Fortinet 3.14.0.0 2008.07.22 -
GData 2.0.7306.1023 2008.07.22 -
Ikarus T3.1.1.34.0 2008.07.22 -
Kaspersky 7.0.0.125 2008.07.22 not-a-virus:FraudTool.Win32.SpyNoMore.g
McAfee 5344 2008.07.22 -
Microsoft 1.3704 2008.07.22 -
NOD32v2 3288 2008.07.22 -
Norman 5.80.02 2008.07.22 -
Panda 9.0.0.4 2008.07.22 -
PCTools 4.4.2.0 2008.07.22 -
Prevx1 V2 2008.07.22 -
Rising 20.54.12.00 2008.07.22 -
Sophos 4.31.0 2008.07.22 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.22 -
TheHacker 6.2.96.385 2008.07.20 -
TrendMicro 8.700.0.1004 2008.07.22 -
VBA32 3.12.8.1 2008.07.22 -
VirusBuster 4.5.11.0 2008.07.22 -
Webwasher-Gateway 6.6.2 2008.07.22 -
weitere Informationen
File size: 9258799 bytes
MD5...: 900cef06635654bbffbddfbd52e4b4e4
SHA1..: 2dc491d9205f7d7f80a3bef59d47313f08012b4e
SHA256: 90cc11f22c03389b5bfb71484581c63001a0a723e798907fe4178d8a90244fd6
SHA512: 6aa1806f5bb9930edc454f3ce9c0ccf3cf35a227cfb3cb894cfa6873b212ef6b<br>4974916ae68ef9c15c75cdf991041427d8aa323d0c3430cb67643b9760ba7b10
PEiD..: Armadillo v1.71
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x401eb7<br>timedatestamp.....: 0x45490351 (Wed Nov 01 20:28:01 2006)<br>machinetype.......: 0x14c (I386)<br><br>( 4 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x4b0d 0x5000 6.37 b7cbdbd5aa647deebccff0e6ae0492a1<br>.rdata 0x6000 0xa5e 0x1000 3.91 1bacdc57569f04810430aead81206017<br>.data 0x7000 0x1f5c 0x1000 1.82 9abd55ff520c7a1eec6b8d998c6b2261<br>.rsrc 0x9000 0x21c0 0x3000 3.23 c785006660d8bd2133f779afab35541d<br><br>( 4 imports ) <br>&gt; KERNEL32.dll: ReadFile, SetFilePointer, CloseHandle, WriteFile, GetTempPathA, GetSystemTime, lstrlenA, GetTempFileNameA, GetModuleFileNameA, CreateProcessA, GetStartupInfoA, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, SetStdHandle, CreateFileA, GetFileSize, GetLastError, GetModuleHandleA, WaitForSingleObject, DeleteFileA, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree, HeapFree, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, HeapAlloc, VirtualAlloc, HeapReAlloc, GetProcAddress, LoadLibraryA, FlushFileBuffers<br>&gt; USER32.dll: CreateDialogParamA, GetDlgItem, SendMessageA, UpdateWindow, DestroyWindow<br>&gt; ADVAPI32.dll: RegCreateKeyExA, RegSetValueExA, RegCloseKey<br>&gt; COMCTL32.dll: -<br><br>( 0 exports ) <br>
__________________
Alt 22.07.2008, 23:41   #3
sunamo
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


combofix.exe

Datei combofix.exe empfangen 2008.07.22 21:30:08 (CET)
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.7.22.2 2008.07.22 -
AntiVir 7.8.1.11 2008.07.22 BDS/VB.ZW
Authentium 5.1.0.4 2008.07.22 W32/KillProc.C
Avast 4.8.1195.0 2008.07.22 -
AVG 8.0.0.130 2008.07.22 -
BitDefender 7.2 2008.07.22 Application.Generic.9407
CAT-QuickHeal 9.50 2008.07.22 -
ClamAV 0.93.1 2008.07.22 -
DrWeb 4.44.0.09170 2008.07.22 SCRIPT.Virus
eSafe 7.0.17.0 2008.07.22 -
eTrust-Vet 31.6.5974 2008.07.22 -
Ewido 4.0 2008.07.22 -
F-Prot 4.4.4.56 2008.07.22 W32/KillProc.C
F-Secure 7.60.13501.0 2008.07.22 -
Fortinet 3.14.0.0 2008.07.22 RAT/ProcLaunch
GData 2.0.7306.1023 2008.07.22 -
Ikarus T3.1.1.34.0 2008.07.22 Backdoor.Win32.VB.awx
Kaspersky 7.0.0.125 2008.07.22 -
McAfee 5344 2008.07.22 potentially unwanted program RemAdm-ProcLaunch!171
Microsoft 1.3704 2008.07.22 -
NOD32v2 3288 2008.07.22 -
Norman 5.80.02 2008.07.22 -
Panda 9.0.0.4 2008.07.22 Bck/VB.XB
PCTools 4.4.2.0 2008.07.22 -
Prevx1 V2 2008.07.22 Malicious Software
Rising 20.54.12.00 2008.07.22 Backdoor.Win32.VB.xb
Sophos 4.31.0 2008.07.22 NirCmd
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.22 -
TheHacker 6.2.96.385 2008.07.20 -
TrendMicro 8.700.0.1004 2008.07.22 -
VBA32 3.12.8.1 2008.07.22 BackDoor.TerraBit
VirusBuster 4.5.11.0 2008.07.22 -
Webwasher-Gateway 6.6.2 2008.07.22 Trojan.Backdoor.VB.ZW
weitere Informationen
File size: 1916951 bytes
MD5...: c77770ec489b785fedcf6a48b211b817
SHA1..: 5209b84ccccc9206d7149cc2a311c2940f16ccd2
SHA256: 2da620d23b1002c956915d2bacbc3901549a82ff61c97146942710c94b36e6db
SHA512: 916b5f92348e326d5a0d99cccb1bc777415a0101b9520d475da860334e1248c7<br>c1da2f492196f1163cf3e3aa124e67fc9491d117737569fc568e657e742305a6
PEiD..: -
PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x41f6f0<br>timedatestamp.....: 0x424aee7a (Wed Mar 30 18:22:50 2005)<br>machinetype.......: 0x14c (I386)<br><br>( 3 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>UPX0 0x1000 0x14000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>UPX1 0x15000 0xb000 0xaa00 7.89 3f2bb6e268adae031cba65ad761caf1e<br>.rsrc 0x20000 0x2000 0x1200 5.39 77688e0a2db142425dad6015e01abf55<br><br>( 8 imports ) <br>&gt; KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess<br>&gt; ADVAPI32.DLL: RegCloseKey<br>&gt; COMCTL32.DLL: -<br>&gt; COMDLG32.DLL: GetOpenFileNameA<br>&gt; GDI32.DLL: DeleteObject<br>&gt; OLE32.DLL: OleInitialize<br>&gt; SHELL32.DLL: SHGetMalloc<br>&gt; USER32.DLL: SetMenu<br><br>( 0 exports ) <br>
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=C70240591716C23140DF1DE00DBF93005A315042
packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, UPX, PE_Patch.UPX, UPX, UPX, UPX
packers (F-Prot): RAR, UPX
packers (Authentium): RAR
__________________
Alt 22.07.2008, 23:42   #4
sunamo
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


silent-runners:

Datei silent_runners_red.vbs empfangen 2008.07.22 21:34:15 (CET)
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.7.22.2 2008.07.22 -
AntiVir 7.8.1.11 2008.07.22 HEUR/HTML.Malware
Authentium 5.1.0.4 2008.07.22 -
Avast 4.8.1195.0 2008.07.22 -
AVG 8.0.0.130 2008.07.22 -
BitDefender 7.2 2008.07.22 -
CAT-QuickHeal 9.50 2008.07.22 -
ClamAV 0.93.1 2008.07.22 -
DrWeb 4.44.0.09170 2008.07.22 BATCH.Virus
eSafe 7.0.17.0 2008.07.22 VBS.Vote.b1.
eTrust-Vet 31.6.5974 2008.07.22 -
Ewido 4.0 2008.07.22 -
F-Prot 4.4.4.56 2008.07.22 -
F-Secure 7.60.13501.0 2008.07.22 -
Fortinet 3.14.0.0 2008.07.22 -
GData 2.0.7306.1023 2008.07.22 -
Ikarus T3.1.1.34.0 2008.07.22 -
Kaspersky 7.0.0.125 2008.07.22 -
McAfee 5344 2008.07.22 -
Microsoft 1.3704 2008.07.22 -
NOD32v2 3288 2008.07.22 -
Norman 5.80.02 2008.07.22 -
Panda 9.0.0.4 2008.07.22 Suspicious file
Prevx1 V2 2008.07.22 -
Rising 20.54.12.00 2008.07.22 Unknown Script Virus
Sophos 4.31.0 2008.07.22 -
Sunbelt 3.1.1536.1 2008.07.18 -
Symantec 10 2008.07.22 -
TheHacker 6.2.96.385 2008.07.20 -
TrendMicro 8.700.0.1004 2008.07.22 -
VBA32 3.12.8.1 2008.07.22 -
VirusBuster 4.5.11.0 2008.07.22 -
Webwasher-Gateway 6.6.2 2008.07.22 Heuristic.HTML.Malware
weitere Informationen
File size: 97256 bytes
MD5...: c0570fb7ec6478646e6fd957e9e2794f
SHA1..: d8a69359a1dcbd7186d3f339516d334c2a4c0526
SHA256: 97721487cf340520c93207895e5c79dae431447e407921922ef64d3730b45b50
SHA512: a74b5862410781dc1ceb09e0bc3f600dfc2e62c6e231f317180e566e2f6310ed<br>43527bc954a5baaaf232a0ecc023bd32c0168968cf5e61de08ac24a4f541eddd
PEiD..: -
PEInfo: -

Alt 22.07.2008, 23:44   #5
sunamo
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


Deckard's System Scanner v20071014.68
Run by xxx on 2008-07-23 00:07:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.72 GiB (less than 15%) free.


-- HijackThis (run as xxx.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:07:45, on 23.07.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Acer\Empowering Technology\eAudio\eAudio.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\system32\wuauclt.exe
C:\Users\xxx\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\xxx\Downloads\dss.exe
C:\Windows\system32\conime.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\xxx.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = xxx://de.rd.yahoo.com/customize/ycomp/defaults/sp/*xxx://de.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = xxx://de.intl.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = xxx://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = xxx://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = xxx://de.intl.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = xxx://de.rd.yahoo.com/customize/ycomp/defaults/su/*xxx://de.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Programme\Orbitdownloader\orbitcth.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programme\Free Download Manager\iefdm2.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - D:\Programme\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - .DEFAULT User Startup: DSL-Manager.lnk = C:\Program Files\T-Online\DSL-Manager\DslMgr.exe (User 'Default user')
O4 - Global Startup: AutoStart IR.lnk = D:\Programme\WinTV\Ir.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office XP\Office10\OSA.EXE
O8 - Extra context menu item: &Download by Orbit - res://D:\Programme\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://D:\Programme\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Alles mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlall.htm
O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Datei mit FDM herunterladen - file://D:\Programme\Free Download Manager\dllink.htm
O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Programme\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://D:\Programme\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Videos mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlfvideo.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: EPGService - Hauppauge Computer Works - D:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12773 bytes

-- Files created between 2008-06-23 and 2008-07-23 -----------------------------

2008-07-05 21:04:58 0 d-------- C:\Program Files\WinTV
2008-07-05 21:04:54 0 d-------- C:\Program Files\vtplus
2008-07-05 21:04:08 36921 -----n--- C:\Windows\system32\hcwutl32_priv.dll <Not Verified; Hauppauge Computer Works; WinTV>
2008-07-05 21:04:03 149504 --a------ C:\Windows\system32\UNWISE.EXE
2008-07-05 21:04:03 274488 -----n--- C:\Windows\system32\hcwpnp32_priv.dll <Not Verified; Hauppauge Computer Works; WinTV>
2008-07-05 21:03:50 0 d-------- C:\Program Files\Common Files\IviSDK
2008-07-05 21:02:50 28672 --a------ C:\Windows\system32\hcwsched.dll <Not Verified; Hauppauge Computer Works; HCW Scheduler>
2008-07-05 21:02:50 69632 --a------ C:\Windows\system32\3DES.dll <Not Verified; Hauppauge Computer Works; 3DES>
2008-07-05 21:02:49 65536 --a------ C:\Windows\system32\dmcrypto.dll
2008-07-05 21:02:42 0 d-------- C:\Windows\system32\hauppauge
2008-07-05 21:01:52 0 d-------- C:\MyVideos
2008-07-05 21:01:49 36921 --a------ C:\Windows\system32\hcwutl32.dll <Not Verified; Hauppauge Computer Works; WinTV>
2008-07-05 21:01:49 770121 -----n--- C:\Windows\system32\hcwtvwnd.dll <Not Verified; Hauppauge Computer Works; HCWTVWND>
2008-07-05 21:01:49 163840 --a------ C:\Windows\system32\hcwChDB.dll <Not Verified; ; HcwChDB Dynamic Link Library>
2008-07-05 21:01:49 90190 --a------ C:\Windows\system32\Bt848WST.DLL <Not Verified; Hauppauge Computer Works; WinTV>
2008-07-05 21:01:44 106559 --a------ C:\Windows\system32\hcwTVDlg.dll <Not Verified; Hauppauge Computer Works; WinTV>
2008-07-05 21:01:44 278584 -----n--- C:\Windows\system32\hcwpnp32.dll <Not Verified; Hauppauge Computer Works; WinTV>
2008-07-05 21:01:44 213050 --a------ C:\Windows\system32\hcwChan.dll <Not Verified; Hauppauge Computer Works; WinTV>
2008-07-05 21:01:36 393216 --a------ C:\Windows\system32\hcwsnbd9.dll <Not Verified; Snowbound Software Corporation (xxx.Snowbnd.com); SnowBound RasterMaster for NT/W2000>
2008-07-05 21:01:32 106552 --a------ C:\Windows\system32\hcwi2c32.dll <Not Verified; Hauppauge Computer Works, Inc.; WinTV>
2008-07-05 21:01:32 11264 --a------ C:\Windows\system32\hcwhook.dll <Not Verified; Hauppauge Computer Works; HCW hcwhook>
2008-06-24 17:49:54 0 d-------- C:\Program Files\Common Files\SWF Studio


-- Find3M Report ---------------------------------------------------------------

2008-07-23 00:06:46 641344 --a------ C:\Windows\system32\perfh007.dat
2008-07-23 00:06:46 116706 --a------ C:\Windows\system32\perfc007.dat
2008-07-22 22:39:04 27525 --a------ C:\Users\xxx\AppData\Roaming\nvModes.001
2008-07-22 22:03:43 0 d-------- C:\Program Files\Elaborate Bytes
2008-07-15 18:19:01 0 d-------- C:\Users\xxx\AppData\Roaming\dvdcss
2008-07-14 22:28:56 0 d-------- C:\Users\xxx\AppData\Roaming\foobar2000
2008-07-14 21:53:07 0 d-------- C:\Users\xxx\AppData\Roaming\Power Sound Editor Free
2008-07-12 00:03:19 0 d-------- C:\Users\xxx\AppData\Roaming\Winff
2008-07-07 21:48:21 0 d-------- C:\Users\xxx\AppData\Roaming\Orbit
2008-07-06 23:41:36 0 d-------- C:\Users\xxx\AppData\Roaming\Free Download Manager
2008-07-05 21:03:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-05 21:03:50 0 d-------- C:\Program Files\Common Files
2008-06-28 20:28:40 0 d-------- C:\Users\xxx\AppData\Roaming\GrabPro
2008-06-24 18:19:42 0 d-------- C:\Program Files\a-squared Free
2008-06-12 00:16:04 0 d-------- C:\Users\xxx\AppData\Roaming\CyberLink


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{C55BBCD6-41AD-48AD-9953-3609C48EACC7}"= D:\Programme\Orbitdownloader\GrabPro.dll [10.06.2008 03:47 457848]

[-HKEY_CLASSES_ROOT\CLSID\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}]
[HKEY_CLASSES_ROOT\GrabPro.FindBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{8091D09E-B01D-4D32-AC66-BBF8916BB1CF}]
[HKEY_CLASSES_ROOT\GrabPro.FindBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [14.08.2007 15:54]
"RtHDVCpl"="RtHDVCpl.exe" [06.07.2007 05:06 C:\Windows\RtHDVCpl.exe]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [25.04.2007 16:33]
"Acer Tour"="" []
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [25.07.2007 17:39]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [25.07.2007 17:39]
"PLFSetL"="C:\Windows\PLFSetL.exe" [05.07.2007 12:35]
"PlayMovie"="C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [24.05.2007 13:38]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21.03.2007 13:00]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [06.06.2007 10:06]
"eRecoveryService"="" []
"WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [05.11.2006 22:48]
"SetPanel"="C:\Acer\APanel\APanel.cmd" []
"eAudio"="C:\Acer\Empowering Technology\eAudio\eAudio.exe" [11.06.2007 15:54]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22.02.2008 05:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 23:16]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12.04.2008 22:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [21.11.2006 06:39]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [21.11.2006 06:36]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [30.01.2008 03:38]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [19.07.2008 19:32]
"LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [27.06.2007 11:15]
"QuickTime Task"="D:\Programme\QuickTime\QTTask.exe" [28.03.2008 23:37]
"VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [29.04.2006 15:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="" []
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02.11.2006 14:35]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28.01.2008 12:43]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AutoStart IR.lnk - D:\Programme\WinTV\Ir.exe [05.07.2008 21:02:57]
Microsoft Office.lnk - D:\Programme\Microsoft Office XP\Office10\OSA.EXE [13.02.2001 10:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"EPGServiceTool"=D:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe
"Acer Tour Reminder"=C:\Acer\AcerTour\Reminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f138528-4d24-11dd-9059-001cbf1bbb7a}]
AutoRun\command- G:\SetupAssistant.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-07-23 00:08:08 ------------


Alt 22.07.2008, 23:47   #6
sunamo
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


"Silent Runners.vbs", revision 58, xxx://xxx.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Acer Tour Reminder" = "(empty string)" [file not found]
"ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"eDataSecurity Loader" = "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" ["HiTRUST"]
"Acer Tour" = "(empty string)" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"PLFSetL" = "C:\Windows\PLFSetL.exe" ["sonix"]
"PlayMovie" = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"" ["CyberLink Corp."]
"IAAnotif" = ""C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"" ["Intel Corporation"]
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"eRecoveryService" = "(empty string)" [file not found]
"WarReg_PopUp" = "C:\Acer\WR_PopUp\WarReg_PopUp.exe" [null data]
"SetPanel" = "C:\Acer\APanel\APanel.cmd" [file not found]
"eAudio" = ""C:\Acer\Empowering Technology\eAudio\eAudio.exe"" ["CyberLink"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"osCheck" = ""C:\Program Files\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"]
"Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"]
"avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"LManager" = "C:\PROGRA~1\LAUNCH~1\LManager.exe" ["Dritek System Inc."]
"QuickTime Task" = ""D:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"VirtualCloneDrive" = ""C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{000123B4-9B42-4900-B3F7-F4B073EFC214}\(Default) = "btorbit.com"
-> {HKLM...CLSID} = "Octh Class"
\InProcServer32\(Default) = "D:\Programme\Orbitdownloader\orbitcth.dll" ["Orbitdownloader.com"]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
\InProcServer32\(Default) = "D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FDMIECookiesBHO Class"
\InProcServer32\(Default) = "D:\Programme\Free Download Manager\iefdm2.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension"
-> {HKLM...CLSID} = "EPM-PO Shell Extensions"
\InProcServer32\(Default) = "epm-po.dll" [file not found]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Programme\Microsoft Office XP\Office10\msohev.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "D:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "D:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"
-> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "D:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"]
EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"
-> {HKLM...CLSID} = "eDSshlExt Class"
\InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "D:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"]
EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"
-> {HKLM...CLSID} = "eDSshlExt Class"
\InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
-> {HKLM...CLSID} = "a-squared Free Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

Alt 22.07.2008, 23:49   #7
sunamo
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\Aurora.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

LightScribeOnArrivalAP\
"Provider" = "LightScribe Direct Disc Labeling"
"InvokeProgID" = "LightScribe.AutoPlayHandler"
"InvokeVerb" = "LabelLightScribeDisc"
HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "C:\Program Files\Common Files\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"]

MDCBlankCDArrival\
"Provider" = "DVDivine"
"InvokeProgID" = "BlankCD"
"InvokeVerb" = "OpenWithMakeDisc"
HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"]

MDCDVDBurningOnArrival\
"Provider" = "DVDivine"
"InvokeProgID" = "BlankDVD"
"InvokeVerb" = "OpenWithMakeDisc"
HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"]

MMJBAutoplayBURNERPLUS\
"Provider" = "MUSICMATCH Burner Plus"
"InvokeProgID" = "MMJB.BURN"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmfwlaunch.exe""-mmjb"" [file not found]

NTIBurner\
"Provider" = "NTI CD-Maker"
"InvokeProgID" = "NTIBurnerOpen"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\NTIBurnerOpen\shell\open\command\(Default) = ""C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\Cdmkr32.exe"" ["NewTech Infosystems, Inc."]

PlayMoviePlayDVDMovieOnArrival\
"Provider" = "Play Movie"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPlayMovie"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPlayMovie\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe" "%L"" ["CyberLink Corp."]

PPCDBurningOnArrival\
"Provider" = "PowerProducer"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithPowerProducer"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"]

PPDCameraArrival\
"Provider" = "PowerProducer"
"InvokeProgID" = "Picture"
"InvokeVerb" = "OpenWithPowerProducer"
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"]

PPDVArrival\
"Provider" = "PowerProducer"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]


Startup items in "xxx" & "All Users" startup folders:
---------------------------------------------------------

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
<<!>> "AutoStart IR.lnk.disabled" [null data]
"Microsoft Office" -> shortcut to: "D:\Programme\Microsoft Office XP\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 22


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}"
-> {HKLM...CLSID} = "Acer eDataSecurity Management"
\InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS]
"{C55BBCD6-41AD-48AD-9953-3609C48EACC7}"
-> {HKLM...CLSID} = "Grab Pro"
\InProcServer32\(Default) = "D:\Programme\Orbitdownloader\GrabPro.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" = (no title provided)
-> {HKLM...CLSID} = "Acer eDataSecurity Management"
\InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"]
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{C55BBCD6-41AD-48AD-9953-3609C48EACC7}" = (no title provided)
-> {HKLM...CLSID} = "Grab Pro"
\InProcServer32\(Default) = "D:\Programme\Orbitdownloader\GrabPro.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

a-squared Free Service, a2free, ""C:\Program Files\a-squared Free\a2service.exe"" ["Emsi Software GmbH"]
ALaunch Service, ALaunchService, "C:\Acer\ALaunch\ALaunchSvc.exe" [null data]
Automatische WLAN-Konfiguration, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}
Automatisches LiveUpdate - Scheduler, Automatisches LiveUpdate - Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal – Free Antivirus Planer, AntiVirScheduler, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
CNG-Schlüsselisolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string]
eDSService.exe, eDataSecurity Service, ""C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe"" ["HiTRSUT"]
eLock Service, eLockService, "C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe" [null data]
eNet Service, eNet Service, "C:\Acer\Empowering Technology\eNet\eNet Service.exe" ["Acer Inc."]
EPGService, EPGService, "D:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe" ["Hauppauge Computer Works"]
ePower Service, WMIService, "C:\Acer\Empowering Technology\ePower\ePowerSvc.exe" ["acer"]
eRecovery Service, eRecoveryService, "C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe" [null data]
eSettings Service, eSettingsService, "C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe" [null data]
Extensible Authentication-Protokoll, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
Intel(R) Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
MobilityService, MobilityService, "C:\Acer\Mobility Center\MobilityService.exe -p" [null data]
SBSD Security Center Service, SBSDWSCService, "C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe" ["Safer Networking Ltd."]
Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Windows Driver Foundation - Benutzermodus-Treiberframework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows-Bilderfassung, stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
XAudioService, XAudioService, "C:\Windows\system32\DRIVERS\xaudio.exe" ["Conexant Systems, Inc."]
Zugriff auf Eingabegeräte, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2008-07-23 00:22:18)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 76 seconds, including 13 seconds for message boxes)

Alt 23.07.2008, 00:12   #8
myrtille
/// TB-Ausbilder
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


Hi,

die Dateien von Combofix und Silentrunners werden häufig als bösartig erkannt. Das sind "False Positive", Fehlerkennungen.

Du kannst die Dateien aber auch einfach löschen, dann gibt es keine Erkennungen mehr.

lg myrtille
__________________
Anfragen per Email, Profil- oder privater Nachricht werden ignoriert!
Hilfe gibts NUR im Forum!

Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM

Spelling mistakes? Never, but keybaord malfunctions constantly!
Alt 23.07.2008, 18:11   #9
sunamo
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


hi,

heißt dass, ich bin "clean"? ich frage nur noch mal nach wg. uvjoiner und dem zip-archiv aus dem backup, die antivir auch identifiziert hatte.

danke

s.

Alt 23.07.2008, 21:49   #10
myrtille
/// TB-Ausbilder
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


Hi,

Wenn du die uvjoiner nie ausgeführt hast, sollte eigentlich kein Befall möglich sein.
Die zweite Meldung ist schwer zu beurteilen. Heuristische Treffer sind jedcoh sehr anfällig für Fehlerkennungen.
Es könnte also sein, dass sich Antivir nur an einer Email oder einem Anhang einer Email stößt.

lg myrtille
__________________
Anfragen per Email, Profil- oder privater Nachricht werden ignoriert!
Hilfe gibts NUR im Forum!

Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM

Spelling mistakes? Never, but keybaord malfunctions constantly!
Alt 26.07.2008, 15:50   #11
sunamo
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


hi,

das beruhigt mich wieder. und die logfiles, die ich eingestellt hatte, sind soweit unauffällig?

danke

lg. s

Alt 28.07.2008, 12:19   #12
myrtille
/// TB-Ausbilder
 
diverse plagegeister, in combofix und silentrunners - Standard

diverse plagegeister, in combofix und silentrunners


Hi,

die Logs sind sauber, ABER du hast immernoch 2 Antivirenprogramme installiert...

Warum deinstallierst du nicht endlich eins? Musst du dir dafür erst Windows komplett zerstören?

lg myrtille
__________________
Anfragen per Email, Profil- oder privater Nachricht werden ignoriert!
Hilfe gibts NUR im Forum!

Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM

Spelling mistakes? Never, but keybaord malfunctions constantly!
Antwort

Themen zu diverse plagegeister, in combofix und silentrunners
andere, anderen, combofix, dateien, diverse, emails, falschmeldung, forums, gefunde, gelöscht, hallo zusammen, infiziert, installier, installiert, konnte, längst, maleware, nicht installiert, plagegeister, quara, runner, schädling, silent, silentrunner, tagen, verdächtige, virustotal, zusammen


« Excel Addin Multiprint kann nicht vollständig entfernt werden | Rootkit Revealer Log - Unbenannte Ordner »


Ähnliche Themen: diverse plagegeister, in combofix und silentrunners


  1. Windows RT und Plagegeister
    Diskussionsforum - 14.02.2015 (7)
  2. Mehrere Plagegeister gefunden
    Plagegeister aller Art und deren Bekämpfung - 07.02.2014 (15)
  3. Vermutliche Plagegeister
    Log-Analyse und Auswertung - 07.01.2014 (8)
  4. PUP und sonstige Plagegeister
    Plagegeister aller Art und deren Bekämpfung - 06.01.2014 (6)
  5. unbekannte Plagegeister
    Plagegeister aller Art und deren Bekämpfung - 13.11.2013 (9)
  6. Plagegeister nach Neuinstallation
    Plagegeister aller Art und deren Bekämpfung - 07.07.2013 (28)
  7. Plagegeister
    Log-Analyse und Auswertung - 03.07.2013 (19)
  8. große pc probleme. mal log checken :) (silentrunners)
    Log-Analyse und Auswertung - 27.10.2011 (44)
  9. Plagegeister wie Tr.Lop.com & Tr.Dldr.Swizzor.Gen!!
    Plagegeister aller Art und deren Bekämpfung - 05.11.2008 (5)
  10. Habe irgendwelche Plagegeister und auch schon diverse gelöscht trotzdem bekomme ich
    Plagegeister aller Art und deren Bekämpfung - 21.03.2008 (3)
  11. win*.tmp Plagegeister und andere?
    Log-Analyse und Auswertung - 10.01.2008 (4)
  12. Plagegeister in ZIP-Archiven
    Plagegeister aller Art und deren Bekämpfung - 11.08.2007 (3)
  13. Plagegeister und wie man sie sich fängt
    Plagegeister aller Art und deren Bekämpfung - 11.02.2006 (0)
  14. Plagegeister gefunden ;-(
    Plagegeister aller Art und deren Bekämpfung - 16.01.2006 (2)
  15. W32.Sinnaka.A@mm und andere Plagegeister Was tun?
    Plagegeister aller Art und deren Bekämpfung - 01.01.2006 (3)
  16. Unbekannte Plagegeister?
    Plagegeister aller Art und deren Bekämpfung - 26.12.2005 (10)
  17. diverse Plagegeister gefunden, wie kann ich sie entfernen??
    Plagegeister aller Art und deren Bekämpfung - 16.01.2005 (1)
Anleitungen und Tipps

- Für alle Hilfesuchenden! Was beachten?

- Anleitung: MyStartSearch.com entfernen

- Anleitung: WebSearches löschen

- Hilfe: iStartSurf entfernen – so gehts!

- Anleitung: Omiga Plus richtig entfernen

- Browser Viren entfernen


Zum Thema diverse plagegeister, in combofix und silentrunners - hallo zusammen, antivir hat vor einigen tagen die dateien combofix.exe, silent runners red.vbs und uvjoiner-trial.exe als infiziert gemeldet. uvjoiner hatte ich noch nicht installiert, combofix auf anraten des forums mal - diverse plagegeister, in combofix und silentrunners...
Archiv
Du betrachtest: diverse plagegeister, in combofix und silentrunners auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130