|
Plagegeister aller Art und deren Bekämpfung: diverse plagegeister, in combofix und silentrunnersWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
22.07.2008, 23:39 | #1 |
| diverse plagegeister, in combofix und silentrunners hallo zusammen, antivir hat vor einigen tagen die dateien combofix.exe, silent runners red.vbs und uvjoiner-trial.exe als infiziert gemeldet. uvjoiner hatte ich noch nicht installiert, combofix auf anraten des forums mal heruntergeladen, aber bisher noch nicht genutzt. combofix und silentrunners habe ich erst für eine falschmeldung gehalten, aber da antivir die dateien immer noch als maleware einstuft, mache ich mir nun gedanken. vor längerem hat es auch in einer zip.datei einer alten vista-dateisicherung, in der u.a. emails sind, einen verdächtigen schädling gefunden: heur/html-maleware. die datei ist in quarantäne. da sie ziemlich gross ist, konnte ich sie nicht zu virus-total bringen. und da sie eh eine alte "archivdatei" war mit mails, die ich schon längst gelöscht habe, ist sie mir auch nicht so wichtig. jedenfalls: könnt ihr mal wieder über meine logs und virus-total-scans schauen? wie gesagt, das zip-archiv konnte ich nicht zu virustotal laden, aber alle anderen kommen jetzt: |
22.07.2008, 23:40 | #2 |
| diverse plagegeister, in combofix und silentrunners uvjoiner-trial.exe:
__________________Datei uvjoiner-trial.exe empfangen 2008.07.22 21:22:26 (CET) Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.7.22.2 2008.07.22 - AntiVir 7.8.1.11 2008.07.22 PHISH/FraudTool.SpyNoMore.G.69 Authentium 5.1.0.4 2008.07.22 - Avast 4.8.1195.0 2008.07.22 - AVG 8.0.0.130 2008.07.22 - BitDefender 7.2 2008.07.22 - CAT-QuickHeal 9.50 2008.07.22 - ClamAV 0.93.1 2008.07.22 - DrWeb 4.44.0.09170 2008.07.22 - eSafe 7.0.17.0 2008.07.22 - eTrust-Vet 31.6.5974 2008.07.22 - Ewido 4.0 2008.07.22 Not-A-Virus.Adware.EShoper F-Prot 4.4.4.56 2008.07.22 - F-Secure 7.60.13501.0 2008.07.22 FraudTool.Win32.SpyNoMore.g Fortinet 3.14.0.0 2008.07.22 - GData 2.0.7306.1023 2008.07.22 - Ikarus T3.1.1.34.0 2008.07.22 - Kaspersky 7.0.0.125 2008.07.22 not-a-virus:FraudTool.Win32.SpyNoMore.g McAfee 5344 2008.07.22 - Microsoft 1.3704 2008.07.22 - NOD32v2 3288 2008.07.22 - Norman 5.80.02 2008.07.22 - Panda 9.0.0.4 2008.07.22 - PCTools 4.4.2.0 2008.07.22 - Prevx1 V2 2008.07.22 - Rising 20.54.12.00 2008.07.22 - Sophos 4.31.0 2008.07.22 - Sunbelt 3.1.1536.1 2008.07.18 - Symantec 10 2008.07.22 - TheHacker 6.2.96.385 2008.07.20 - TrendMicro 8.700.0.1004 2008.07.22 - VBA32 3.12.8.1 2008.07.22 - VirusBuster 4.5.11.0 2008.07.22 - Webwasher-Gateway 6.6.2 2008.07.22 - weitere Informationen File size: 9258799 bytes MD5...: 900cef06635654bbffbddfbd52e4b4e4 SHA1..: 2dc491d9205f7d7f80a3bef59d47313f08012b4e SHA256: 90cc11f22c03389b5bfb71484581c63001a0a723e798907fe4178d8a90244fd6 SHA512: 6aa1806f5bb9930edc454f3ce9c0ccf3cf35a227cfb3cb894cfa6873b212ef6b<br>4974916ae68ef9c15c75cdf991041427d8aa323d0c3430cb67643b9760ba7b10 PEiD..: Armadillo v1.71 PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x401eb7<br>timedatestamp.....: 0x45490351 (Wed Nov 01 20:28:01 2006)<br>machinetype.......: 0x14c (I386)<br><br>( 4 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>.text 0x1000 0x4b0d 0x5000 6.37 b7cbdbd5aa647deebccff0e6ae0492a1<br>.rdata 0x6000 0xa5e 0x1000 3.91 1bacdc57569f04810430aead81206017<br>.data 0x7000 0x1f5c 0x1000 1.82 9abd55ff520c7a1eec6b8d998c6b2261<br>.rsrc 0x9000 0x21c0 0x3000 3.23 c785006660d8bd2133f779afab35541d<br><br>( 4 imports ) <br>> KERNEL32.dll: ReadFile, SetFilePointer, CloseHandle, WriteFile, GetTempPathA, GetSystemTime, lstrlenA, GetTempFileNameA, GetModuleFileNameA, CreateProcessA, GetStartupInfoA, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, MultiByteToWideChar, SetStdHandle, CreateFileA, GetFileSize, GetLastError, GetModuleHandleA, WaitForSingleObject, DeleteFileA, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, HeapDestroy, HeapCreate, VirtualFree, HeapFree, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, HeapAlloc, VirtualAlloc, HeapReAlloc, GetProcAddress, LoadLibraryA, FlushFileBuffers<br>> USER32.dll: CreateDialogParamA, GetDlgItem, SendMessageA, UpdateWindow, DestroyWindow<br>> ADVAPI32.dll: RegCreateKeyExA, RegSetValueExA, RegCloseKey<br>> COMCTL32.dll: -<br><br>( 0 exports ) <br> |
22.07.2008, 23:41 | #3 |
| diverse plagegeister, in combofix und silentrunners combofix.exe
__________________Datei combofix.exe empfangen 2008.07.22 21:30:08 (CET) Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.7.22.2 2008.07.22 - AntiVir 7.8.1.11 2008.07.22 BDS/VB.ZW Authentium 5.1.0.4 2008.07.22 W32/KillProc.C Avast 4.8.1195.0 2008.07.22 - AVG 8.0.0.130 2008.07.22 - BitDefender 7.2 2008.07.22 Application.Generic.9407 CAT-QuickHeal 9.50 2008.07.22 - ClamAV 0.93.1 2008.07.22 - DrWeb 4.44.0.09170 2008.07.22 SCRIPT.Virus eSafe 7.0.17.0 2008.07.22 - eTrust-Vet 31.6.5974 2008.07.22 - Ewido 4.0 2008.07.22 - F-Prot 4.4.4.56 2008.07.22 W32/KillProc.C F-Secure 7.60.13501.0 2008.07.22 - Fortinet 3.14.0.0 2008.07.22 RAT/ProcLaunch GData 2.0.7306.1023 2008.07.22 - Ikarus T3.1.1.34.0 2008.07.22 Backdoor.Win32.VB.awx Kaspersky 7.0.0.125 2008.07.22 - McAfee 5344 2008.07.22 potentially unwanted program RemAdm-ProcLaunch!171 Microsoft 1.3704 2008.07.22 - NOD32v2 3288 2008.07.22 - Norman 5.80.02 2008.07.22 - Panda 9.0.0.4 2008.07.22 Bck/VB.XB PCTools 4.4.2.0 2008.07.22 - Prevx1 V2 2008.07.22 Malicious Software Rising 20.54.12.00 2008.07.22 Backdoor.Win32.VB.xb Sophos 4.31.0 2008.07.22 NirCmd Sunbelt 3.1.1536.1 2008.07.18 - Symantec 10 2008.07.22 - TheHacker 6.2.96.385 2008.07.20 - TrendMicro 8.700.0.1004 2008.07.22 - VBA32 3.12.8.1 2008.07.22 BackDoor.TerraBit VirusBuster 4.5.11.0 2008.07.22 - Webwasher-Gateway 6.6.2 2008.07.22 Trojan.Backdoor.VB.ZW weitere Informationen File size: 1916951 bytes MD5...: c77770ec489b785fedcf6a48b211b817 SHA1..: 5209b84ccccc9206d7149cc2a311c2940f16ccd2 SHA256: 2da620d23b1002c956915d2bacbc3901549a82ff61c97146942710c94b36e6db SHA512: 916b5f92348e326d5a0d99cccb1bc777415a0101b9520d475da860334e1248c7<br>c1da2f492196f1163cf3e3aa124e67fc9491d117737569fc568e657e742305a6 PEiD..: - PEInfo: PE Structure information<br><br>( base data )<br>entrypointaddress.: 0x41f6f0<br>timedatestamp.....: 0x424aee7a (Wed Mar 30 18:22:50 2005)<br>machinetype.......: 0x14c (I386)<br><br>( 3 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>UPX0 0x1000 0x14000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>UPX1 0x15000 0xb000 0xaa00 7.89 3f2bb6e268adae031cba65ad761caf1e<br>.rsrc 0x20000 0x2000 0x1200 5.39 77688e0a2db142425dad6015e01abf55<br><br>( 8 imports ) <br>> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess<br>> ADVAPI32.DLL: RegCloseKey<br>> COMCTL32.DLL: -<br>> COMDLG32.DLL: GetOpenFileNameA<br>> GDI32.DLL: DeleteObject<br>> OLE32.DLL: OleInitialize<br>> SHELL32.DLL: SHGetMalloc<br>> USER32.DLL: SetMenu<br><br>( 0 exports ) <br> Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=C70240591716C23140DF1DE00DBF93005A315042 packers (Kaspersky): PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, UPX, UPX, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, UPX, PE_Patch.UPX, UPX, UPX, UPX packers (F-Prot): RAR, UPX packers (Authentium): RAR |
22.07.2008, 23:42 | #4 |
| diverse plagegeister, in combofix und silentrunners silent-runners: Datei silent_runners_red.vbs empfangen 2008.07.22 21:34:15 (CET) Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.7.22.2 2008.07.22 - AntiVir 7.8.1.11 2008.07.22 HEUR/HTML.Malware Authentium 5.1.0.4 2008.07.22 - Avast 4.8.1195.0 2008.07.22 - AVG 8.0.0.130 2008.07.22 - BitDefender 7.2 2008.07.22 - CAT-QuickHeal 9.50 2008.07.22 - ClamAV 0.93.1 2008.07.22 - DrWeb 4.44.0.09170 2008.07.22 BATCH.Virus eSafe 7.0.17.0 2008.07.22 VBS.Vote.b1. eTrust-Vet 31.6.5974 2008.07.22 - Ewido 4.0 2008.07.22 - F-Prot 4.4.4.56 2008.07.22 - F-Secure 7.60.13501.0 2008.07.22 - Fortinet 3.14.0.0 2008.07.22 - GData 2.0.7306.1023 2008.07.22 - Ikarus T3.1.1.34.0 2008.07.22 - Kaspersky 7.0.0.125 2008.07.22 - McAfee 5344 2008.07.22 - Microsoft 1.3704 2008.07.22 - NOD32v2 3288 2008.07.22 - Norman 5.80.02 2008.07.22 - Panda 9.0.0.4 2008.07.22 Suspicious file Prevx1 V2 2008.07.22 - Rising 20.54.12.00 2008.07.22 Unknown Script Virus Sophos 4.31.0 2008.07.22 - Sunbelt 3.1.1536.1 2008.07.18 - Symantec 10 2008.07.22 - TheHacker 6.2.96.385 2008.07.20 - TrendMicro 8.700.0.1004 2008.07.22 - VBA32 3.12.8.1 2008.07.22 - VirusBuster 4.5.11.0 2008.07.22 - Webwasher-Gateway 6.6.2 2008.07.22 Heuristic.HTML.Malware weitere Informationen File size: 97256 bytes MD5...: c0570fb7ec6478646e6fd957e9e2794f SHA1..: d8a69359a1dcbd7186d3f339516d334c2a4c0526 SHA256: 97721487cf340520c93207895e5c79dae431447e407921922ef64d3730b45b50 SHA512: a74b5862410781dc1ceb09e0bc3f600dfc2e62c6e231f317180e566e2f6310ed<br>43527bc954a5baaaf232a0ecc023bd32c0168968cf5e61de08ac24a4f541eddd PEiD..: - PEInfo: - |
22.07.2008, 23:44 | #5 |
| diverse plagegeister, in combofix und silentrunners Deckard's System Scanner v20071014.68 Run by xxx on 2008-07-23 00:07:36 Computer is in Normal Mode. -------------------------------------------------------------------------------- System Drive C: has 0.72 GiB (less than 15%) free. -- HijackThis (run as xxx.exe) --------------------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 00:07:45, on 23.07.2008 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16681) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\RtHDVCpl.exe C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe C:\Windows\System32\rundll32.exe C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe C:\Program Files\Apoint2K\Apoint.exe C:\Acer\Empowering Technology\eAudio\eAudio.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Launch Manager\LManager.exe C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Apoint2K\ApMsgFwd.exe C:\Windows\system32\wuauclt.exe C:\Users\xxx\AppData\Local\Temp\RtkBtMnt.exe C:\Program Files\Apoint2K\Apntex.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\xxx\Downloads\dss.exe C:\Windows\system32\conime.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\xxx.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = xxx://de.rd.yahoo.com/customize/ycomp/defaults/sp/*xxx://de.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = xxx://de.intl.acer.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = xxx://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = xxx://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = xxx://de.intl.acer.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = xxx://de.rd.yahoo.com/customize/ycomp/defaults/su/*xxx://de.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O1 - Hosts: ::1 localhost O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - D:\Programme\Orbitdownloader\orbitcth.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Programme\Free Download Manager\iefdm2.dll O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - D:\Programme\Orbitdownloader\GrabPro.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe O4 - HKLM\..\Run: [QuickTime Task] "D:\Programme\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O4 - .DEFAULT User Startup: DSL-Manager.lnk = C:\Program Files\T-Online\DSL-Manager\DslMgr.exe (User 'Default user') O4 - Global Startup: AutoStart IR.lnk = D:\Programme\WinTV\Ir.exe O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office XP\Office10\OSA.EXE O8 - Extra context menu item: &Download by Orbit - res://D:\Programme\Orbitdownloader\orbitmxt.dll/201 O8 - Extra context menu item: &Grab video by Orbit - res://D:\Programme\Orbitdownloader\orbitmxt.dll/204 O8 - Extra context menu item: Alles mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlall.htm O8 - Extra context menu item: Auswahl mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlselected.htm O8 - Extra context menu item: Datei mit FDM herunterladen - file://D:\Programme\Free Download Manager\dllink.htm O8 - Extra context menu item: Do&wnload selected by Orbit - res://D:\Programme\Orbitdownloader\orbitmxt.dll/203 O8 - Extra context menu item: Down&load all by Orbit - res://D:\Programme\Orbitdownloader\orbitmxt.dll/202 O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Videos mit FDM herunterladen - file://D:\Programme\Free Download Manager\dlfvideo.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O13 - Gopher Prefix: O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Automatisches LiveUpdate - Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: eDSService.exe (eDataSecurity Service) - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe O23 - Service: EPGService - Hauppauge Computer Works - D:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: Symantec IS Kennwortprüfung (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe -- End of file - 12773 bytes -- Files created between 2008-06-23 and 2008-07-23 ----------------------------- 2008-07-05 21:04:58 0 d-------- C:\Program Files\WinTV 2008-07-05 21:04:54 0 d-------- C:\Program Files\vtplus 2008-07-05 21:04:08 36921 -----n--- C:\Windows\system32\hcwutl32_priv.dll <Not Verified; Hauppauge Computer Works; WinTV> 2008-07-05 21:04:03 149504 --a------ C:\Windows\system32\UNWISE.EXE 2008-07-05 21:04:03 274488 -----n--- C:\Windows\system32\hcwpnp32_priv.dll <Not Verified; Hauppauge Computer Works; WinTV> 2008-07-05 21:03:50 0 d-------- C:\Program Files\Common Files\IviSDK 2008-07-05 21:02:50 28672 --a------ C:\Windows\system32\hcwsched.dll <Not Verified; Hauppauge Computer Works; HCW Scheduler> 2008-07-05 21:02:50 69632 --a------ C:\Windows\system32\3DES.dll <Not Verified; Hauppauge Computer Works; 3DES> 2008-07-05 21:02:49 65536 --a------ C:\Windows\system32\dmcrypto.dll 2008-07-05 21:02:42 0 d-------- C:\Windows\system32\hauppauge 2008-07-05 21:01:52 0 d-------- C:\MyVideos 2008-07-05 21:01:49 36921 --a------ C:\Windows\system32\hcwutl32.dll <Not Verified; Hauppauge Computer Works; WinTV> 2008-07-05 21:01:49 770121 -----n--- C:\Windows\system32\hcwtvwnd.dll <Not Verified; Hauppauge Computer Works; HCWTVWND> 2008-07-05 21:01:49 163840 --a------ C:\Windows\system32\hcwChDB.dll <Not Verified; ; HcwChDB Dynamic Link Library> 2008-07-05 21:01:49 90190 --a------ C:\Windows\system32\Bt848WST.DLL <Not Verified; Hauppauge Computer Works; WinTV> 2008-07-05 21:01:44 106559 --a------ C:\Windows\system32\hcwTVDlg.dll <Not Verified; Hauppauge Computer Works; WinTV> 2008-07-05 21:01:44 278584 -----n--- C:\Windows\system32\hcwpnp32.dll <Not Verified; Hauppauge Computer Works; WinTV> 2008-07-05 21:01:44 213050 --a------ C:\Windows\system32\hcwChan.dll <Not Verified; Hauppauge Computer Works; WinTV> 2008-07-05 21:01:36 393216 --a------ C:\Windows\system32\hcwsnbd9.dll <Not Verified; Snowbound Software Corporation (xxx.Snowbnd.com); SnowBound RasterMaster for NT/W2000> 2008-07-05 21:01:32 106552 --a------ C:\Windows\system32\hcwi2c32.dll <Not Verified; Hauppauge Computer Works, Inc.; WinTV> 2008-07-05 21:01:32 11264 --a------ C:\Windows\system32\hcwhook.dll <Not Verified; Hauppauge Computer Works; HCW hcwhook> 2008-06-24 17:49:54 0 d-------- C:\Program Files\Common Files\SWF Studio -- Find3M Report --------------------------------------------------------------- 2008-07-23 00:06:46 641344 --a------ C:\Windows\system32\perfh007.dat 2008-07-23 00:06:46 116706 --a------ C:\Windows\system32\perfc007.dat 2008-07-22 22:39:04 27525 --a------ C:\Users\xxx\AppData\Roaming\nvModes.001 2008-07-22 22:03:43 0 d-------- C:\Program Files\Elaborate Bytes 2008-07-15 18:19:01 0 d-------- C:\Users\xxx\AppData\Roaming\dvdcss 2008-07-14 22:28:56 0 d-------- C:\Users\xxx\AppData\Roaming\foobar2000 2008-07-14 21:53:07 0 d-------- C:\Users\xxx\AppData\Roaming\Power Sound Editor Free 2008-07-12 00:03:19 0 d-------- C:\Users\xxx\AppData\Roaming\Winff 2008-07-07 21:48:21 0 d-------- C:\Users\xxx\AppData\Roaming\Orbit 2008-07-06 23:41:36 0 d-------- C:\Users\xxx\AppData\Roaming\Free Download Manager 2008-07-05 21:03:50 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-07-05 21:03:50 0 d-------- C:\Program Files\Common Files 2008-06-28 20:28:40 0 d-------- C:\Users\xxx\AppData\Roaming\GrabPro 2008-06-24 18:19:42 0 d-------- C:\Program Files\a-squared Free 2008-06-12 00:16:04 0 d-------- C:\Users\xxx\AppData\Roaming\CyberLink -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] "{C55BBCD6-41AD-48AD-9953-3609C48EACC7}"= D:\Programme\Orbitdownloader\GrabPro.dll [10.06.2008 03:47 457848] [-HKEY_CLASSES_ROOT\CLSID\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}] [HKEY_CLASSES_ROOT\GrabPro.FindBar.1] [HKEY_CLASSES_ROOT\TypeLib\{8091D09E-B01D-4D32-AC66-BBF8916BB1CF}] [HKEY_CLASSES_ROOT\GrabPro.FindBar] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [14.08.2007 15:54] "RtHDVCpl"="RtHDVCpl.exe" [06.07.2007 05:06 C:\Windows\RtHDVCpl.exe] "eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [25.04.2007 16:33] "Acer Tour"="" [] "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [25.07.2007 17:39] "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [25.07.2007 17:39] "PLFSetL"="C:\Windows\PLFSetL.exe" [05.07.2007 12:35] "PlayMovie"="C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [24.05.2007 13:38] "IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [21.03.2007 13:00] "Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [06.06.2007 10:06] "eRecoveryService"="" [] "WarReg_PopUp"="C:\Acer\WR_PopUp\WarReg_PopUp.exe" [05.11.2006 22:48] "SetPanel"="C:\Acer\APanel\APanel.cmd" [] "eAudio"="C:\Acer\Empowering Technology\eAudio\eAudio.exe" [11.06.2007 15:54] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22.02.2008 05:25] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 23:16] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12.04.2008 22:20] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [21.11.2006 06:39] "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [21.11.2006 06:36] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [30.01.2008 03:38] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [19.07.2008 19:32] "LManager"="C:\PROGRA~1\LAUNCH~1\LManager.exe" [27.06.2007 11:15] "QuickTime Task"="D:\Programme\QuickTime\QTTask.exe" [28.03.2008 23:37] "VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [29.04.2006 15:21] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Acer Tour Reminder"="" [] "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [02.11.2006 14:35] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28.01.2008 12:43] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ AutoStart IR.lnk - D:\Programme\WinTV\Ir.exe [05.07.2008 21:02:57] Microsoft Office.lnk - D:\Programme\Microsoft Office XP\Office10\OSA.EXE [13.02.2001 10:01:04] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "ConsentPromptBehaviorAdmin"=2 (0x2) [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}] @="IEEE 1394 Bus host controllers" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}] @="SBP2 IEEE 1394 Devices" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}] @="SecurityDevices" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "EPGServiceTool"=D:\PROGRA~1\WinTV\EPG Services\System\EPGClient.exe "Acer Tour Reminder"=C:\Acer\AcerTour\Reminder.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9f138528-4d24-11dd-9059-001cbf1bbb7a}] AutoRun\command- G:\SetupAssistant.exe *Newly Created Service* - COMHOST [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] C:\Windows\system32\unregmp2.exe /ShowWMP [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}] %SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI -- End of Deckard's System Scanner: finished at 2008-07-23 00:08:08 ------------ |
22.07.2008, 23:47 | #6 |
| diverse plagegeister, in combofix und silentrunners "Silent Runners.vbs", revision 58, xxx://xxx.silentrunners.org/ Operating System: Windows Vista Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Acer Tour Reminder" = "(empty string)" [file not found] "ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS] "SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide" "RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"] "eDataSecurity Loader" = "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" ["HiTRUST"] "Acer Tour" = "(empty string)" [file not found] "NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS] "NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS] "PLFSetL" = "C:\Windows\PLFSetL.exe" ["sonix"] "PlayMovie" = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"" ["CyberLink Corp."] "IAAnotif" = ""C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"" ["Intel Corporation"] "Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."] "eRecoveryService" = "(empty string)" [file not found] "WarReg_PopUp" = "C:\Acer\WR_PopUp\WarReg_PopUp.exe" [null data] "SetPanel" = "C:\Acer\APanel\APanel.cmd" [file not found] "eAudio" = ""C:\Acer\Empowering Technology\eAudio\eAudio.exe"" ["CyberLink"] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."] "Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "osCheck" = ""C:\Program Files\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"] "Symantec PIF AlertEng" = ""C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"" ["Symantec Corporation"] "avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] "LManager" = "C:\PROGRA~1\LAUNCH~1\LManager.exe" ["Dritek System Inc."] "QuickTime Task" = ""D:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."] "VirtualCloneDrive" = ""C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s" ["Elaborate Bytes AG"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {000123B4-9B42-4900-B3F7-F4B073EFC214}\(Default) = "btorbit.com" -> {HKLM...CLSID} = "Octh Class" \InProcServer32\(Default) = "D:\Programme\Orbitdownloader\orbitcth.dll" ["Orbitdownloader.com"] {02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar Helper" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"] {3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided) -> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer" \InProcServer32\(Default) = "D:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"] {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided) -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided) -> {HKLM...CLSID} = "FDMIECookiesBHO Class" \InProcServer32\(Default) = "D:\Programme\Free Download Manager\iefdm2.dll" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension" -> {HKLM...CLSID} = "EPM-PO Shell Extensions" \InProcServer32\(Default) = "epm-po.dll" [file not found] "{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "D:\Programme\Microsoft Office XP\Office10\msohev.dll" [MS] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] "{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "D:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] "{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "D:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"] "{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive" -> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "D:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"] EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}" -> {HKLM...CLSID} = "eDSshlExt Class" \InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}" -> {HKLM...CLSID} = "IEContextMenu Class" \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32\(Default) = "D:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"] EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}" -> {HKLM...CLSID} = "eDSshlExt Class" \InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}" -> {HKLM...CLSID} = "IEContextMenu Class" \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}" -> {HKLM...CLSID} = "a-squared Free Shell Extension" \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data] |
22.07.2008, 23:49 | #7 |
| diverse plagegeister, in combofix und silentrunners Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode} "ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Standard Users} "EnableInstallerDetection" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Detect Application Installations And Prompt For Elevation} "EnableLUA" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} "EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Only elevate UIAccess applications that are installed in secure locations} "EnableVirtualization" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Virtualize file and registry write failures to per-user locations} "PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Switch to the secure desktop when prompting for elevation} "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "FilterAdministratorToken" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Admin Approval Mode for the Built-in Administrator Account} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Desert Landscape.jpg" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\Windows\system32\Aurora.scr" [MS] Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ LightScribeOnArrivalAP\ "Provider" = "LightScribe Direct Disc Labeling" "InvokeProgID" = "LightScribe.AutoPlayHandler" "InvokeVerb" = "LabelLightScribeDisc" HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "C:\Program Files\Common Files\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"] MDCBlankCDArrival\ "Provider" = "DVDivine" "InvokeProgID" = "BlankCD" "InvokeVerb" = "OpenWithMakeDisc" HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"] MDCDVDBurningOnArrival\ "Provider" = "DVDivine" "InvokeProgID" = "BlankDVD" "InvokeVerb" = "OpenWithMakeDisc" HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"] MMJBAutoplayBURNERPLUS\ "Provider" = "MUSICMATCH Burner Plus" "InvokeProgID" = "MMJB.BURN" "InvokeVerb" = "Burn" HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""C:\Program Files\Musicmatch\Musicmatch Jukebox\mmfwlaunch.exe""-mmjb"" [file not found] NTIBurner\ "Provider" = "NTI CD-Maker" "InvokeProgID" = "NTIBurnerOpen" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\NTIBurnerOpen\shell\open\command\(Default) = ""C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\Cdmkr32.exe"" ["NewTech Infosystems, Inc."] PlayMoviePlayDVDMovieOnArrival\ "Provider" = "Play Movie" "InvokeProgID" = "DVD" "InvokeVerb" = "PlayWithPlayMovie" HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPlayMovie\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe" "%L"" ["CyberLink Corp."] PPCDBurningOnArrival\ "Provider" = "PowerProducer" "InvokeProgID" = "Picture" "InvokeVerb" = "OpenWithPowerProducer" HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"] PPDCameraArrival\ "Provider" = "PowerProducer" "InvokeProgID" = "Picture" "InvokeVerb" = "OpenWithPowerProducer" HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"] PPDVArrival\ "Provider" = "PowerProducer" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "Shell Execute Hardware Event Handler" \LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] RPCDBurningOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.CDBurn.6" "InvokeVerb" = "open" HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."] RPDeviceOnArrival\ "Provider" = "RealPlayer" "ProgID" = "RealPlayer.HWEventHandler" HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}" -> {HKLM...CLSID} = "RealNetworks Scheduler" \LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."] RPPlayCDAudioOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.AudioCD.6" "InvokeVerb" = "play" HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."] RPPlayDVDMovieOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.DVD.6" "InvokeVerb" = "play" HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."] RPPlayMediaOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.AutoPlay.6" "InvokeVerb" = "open" HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "D:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."] VLCPlayCDAudioOnArrival\ "Provider" = "VideoLAN VLC media player" "InvokeProgID" = "VLC.CDAudio" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"] VLCPlayDVDMovieOnArrival\ "Provider" = "VideoLAN VLC media player" "InvokeProgID" = "VLC.DVDMovie" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"] Startup items in "xxx" & "All Users" startup folders: --------------------------------------------------------- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup <<!>> "AutoStart IR.lnk.disabled" [null data] "Microsoft Office" -> shortcut to: "D:\Programme\Microsoft Office XP\Office10\OSA.EXE -b -l" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS] 000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 22 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" -> {HKLM...CLSID} = "Acer eDataSecurity Management" \InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{F2CF5485-4E02-4F68-819C-B92DE9277049}" -> {HKLM...CLSID} = "&Links" \InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS] "{C55BBCD6-41AD-48AD-9953-3609C48EACC7}" -> {HKLM...CLSID} = "Grab Pro" \InProcServer32\(Default) = "D:\Programme\Orbitdownloader\GrabPro.dll" [null data] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" = (no title provided) -> {HKLM...CLSID} = "Acer eDataSecurity Management" \InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"] "{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar" -> {HKLM...CLSID} = "Show Norton Toolbar" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"] "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] "{C55BBCD6-41AD-48AD-9953-3609C48EACC7}" = (no title provided) -> {HKLM...CLSID} = "Grab Pro" \InProcServer32\(Default) = "D:\Programme\Orbitdownloader\GrabPro.dll" [null data] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."] {2670000A-7350-4F3C-8081-5663EE0C6C49}\ "ButtonText" = "An OneNote senden" "MenuText" = "An OneNote s&enden" "CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}" -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" {DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ "MenuText" = "Spybot - Search & Destroy Configuration" "CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}" -> {HKLM...CLSID} = "Spybot-S&D IE Protection" \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ a-squared Free Service, a2free, ""C:\Program Files\a-squared Free\a2service.exe"" ["Emsi Software GmbH"] ALaunch Service, ALaunchService, "C:\Acer\ALaunch\ALaunchSvc.exe" [null data] Automatische WLAN-Konfiguration, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]} Automatisches LiveUpdate - Scheduler, Automatisches LiveUpdate - Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"] Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"] Avira AntiVir Personal – Free Antivirus Planer, AntiVirScheduler, ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"] CNG-Schlüsselisolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS] Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string] eDSService.exe, eDataSecurity Service, ""C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe"" ["HiTRSUT"] eLock Service, eLockService, "C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe" [null data] eNet Service, eNet Service, "C:\Acer\Empowering Technology\eNet\eNet Service.exe" ["Acer Inc."] EPGService, EPGService, "D:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe" ["Hauppauge Computer Works"] ePower Service, WMIService, "C:\Acer\Empowering Technology\ePower\ePowerSvc.exe" ["acer"] eRecovery Service, eRecoveryService, "C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe" [null data] eSettings Service, eSettingsService, "C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe" [null data] Extensible Authentication-Protokoll, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]} Intel(R) Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"] LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"] LiveUpdate Notice Service Ex, LiveUpdate Notice Ex, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] MobilityService, MobilityService, "C:\Acer\Mobility Center\MobilityService.exe -p" [null data] SBSD Security Center Service, SBSDWSCService, "C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe" ["Safer Networking Ltd."] Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Windows Driver Foundation - Benutzermodus-Treiberframework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]} Windows-Bilderfassung, stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]} XAudioService, XAudioService, "C:\Windows\system32\DRIVERS\xaudio.exe" ["Conexant Systems, Inc."] Zugriff auf Eingabegeräte, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]} Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS] ---------- (launch time: 2008-07-23 00:22:18) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 76 seconds, including 13 seconds for message boxes) |
23.07.2008, 00:12 | #8 |
/// TB-Ausbilder | diverse plagegeister, in combofix und silentrunners Hi, die Dateien von Combofix und Silentrunners werden häufig als bösartig erkannt. Das sind "False Positive", Fehlerkennungen. Du kannst die Dateien aber auch einfach löschen, dann gibt es keine Erkennungen mehr. lg myrtille
__________________ Anfragen per Email, Profil- oder privater Nachricht werden ignoriert! Hilfe gibts NUR im Forum! Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM Spelling mistakes? Never, but keybaord malfunctions constantly! |
23.07.2008, 18:11 | #9 |
| diverse plagegeister, in combofix und silentrunners hi, heißt dass, ich bin "clean"? ich frage nur noch mal nach wg. uvjoiner und dem zip-archiv aus dem backup, die antivir auch identifiziert hatte. danke s. |
23.07.2008, 21:49 | #10 |
/// TB-Ausbilder | diverse plagegeister, in combofix und silentrunners Hi, Wenn du die uvjoiner nie ausgeführt hast, sollte eigentlich kein Befall möglich sein. Die zweite Meldung ist schwer zu beurteilen. Heuristische Treffer sind jedcoh sehr anfällig für Fehlerkennungen. Es könnte also sein, dass sich Antivir nur an einer Email oder einem Anhang einer Email stößt. lg myrtille
__________________ Anfragen per Email, Profil- oder privater Nachricht werden ignoriert! Hilfe gibts NUR im Forum! Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM Spelling mistakes? Never, but keybaord malfunctions constantly! |
26.07.2008, 15:50 | #11 |
| diverse plagegeister, in combofix und silentrunners hi, das beruhigt mich wieder. und die logfiles, die ich eingestellt hatte, sind soweit unauffällig? danke lg. s |
28.07.2008, 12:19 | #12 |
/// TB-Ausbilder | diverse plagegeister, in combofix und silentrunners Hi, die Logs sind sauber, ABER du hast immernoch 2 Antivirenprogramme installiert... Warum deinstallierst du nicht endlich eins? Musst du dir dafür erst Windows komplett zerstören? lg myrtille
__________________ Anfragen per Email, Profil- oder privater Nachricht werden ignoriert! Hilfe gibts NUR im Forum! Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM Spelling mistakes? Never, but keybaord malfunctions constantly! |
Themen zu diverse plagegeister, in combofix und silentrunners |
andere, anderen, combofix, dateien, diverse, emails, falschmeldung, forums, gefunde, gelöscht, hallo zusammen, infiziert, installier, installiert, konnte, längst, maleware, nicht installiert, plagegeister, quara, runner, schädling, silent, silentrunner, tagen, verdächtige, virustotal, zusammen |