[Windows XP] Virus again
27.07.2008, 17:23 | #1
Hello everyone, once again someone who has managed to fill his PC with viruses. It happened to me today. I had the free AntiVir Guard running; it detected them, and I kept telling it to delete them. Nevertheless my desktop background changed, it now says that I have a virus, and I cannot change it back. I am using Windows XP. I just had the system scanned (with AntiVir Guard) and it found a few viruses, but somehow the PC crashed; after restarting I ran the scan again and this time it completed, but it found no virus. I still cannot change my background, though. So now I don't know whether I have a virus or not, which is why I am asking here to be on the safe side. Please help, and thanks in advance.

Ararat Calisir
27.07.2008, 17:25 | #2
/// Winkelfunktion /// TB-Süch-Tiger™: We need more information. Click on DSS in my signature and follow the instructions.
27.07.2008, 19:06 | #3
main.txt:

Code:
Deckard's System Scanner v20071014.68
Run by *** on 2008-07-27 19:56:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).

Backed up registry hives.
Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-27 19:58:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\lphcgtmj0ep1r.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\***\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [lphcgtmj0ep1r] C:\WINDOWS\system32\lphcgtmj0ep1r.exe
O4 - HKLM\..\Run: [SMrhcltmj0ep1r] C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.3897453704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Unknown owner - C:\Programme\Nero\Nero8\Nero
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\system32\TuneUpDefragService.exe

--
End of file - 5791 bytes


-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ssmdrv - c:\windows\system32\drivers\ssmdrv.sys <Not Verified; AVIRA GmbH; >
R2 ACEDRV07 - c:\windows\system32\drivers\acedrv07.sys <Not Verified; Protect Software GmbH; >
R3 CEUSBAUD (Lexicon USB MIDI Driver1) - c:\windows\system32\drivers\ceusbaud.sys <Not Verified; CEntrance, Inc.; USB MIDI device>

S3 catchme - c:\combofix\catchme.sys (file missing)
S3 EVOLUSB (%EVOL_USB_SvcDesc%) - c:\windows\system32\drivers\evolusb.sys (file missing)
S3 SynasUSB - c:\windows\system32\drivers\synasusb.sys (file missing)
S3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - c:\windows\system32\drivers\w810bus.sys <Not Verified; MCCI; Sony Ericsson W810 Driver>
S3 w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - c:\windows\system32\drivers\w810mdfl.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Modem Filter Driver>
S3 w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - c:\windows\system32\drivers\w810mdm.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Data Modem>
S3 w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\w810mgmt.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Device Management>
S3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - c:\windows\system32\drivers\w810obex.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC OBEX Interface>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Planer) - "c:\programme\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 LogWatch (Ereignisprotokoll-Überwachung) - c:\programme\ca\sharedcomponents\ca_lic\logwatnt.exe <Not Verified; Computer Associates; Computer Associates LogWatNT>
R2 Nero BackItUp Scheduler 3 - c:\programme\nero\nero8\nero backitup\nbservice.exe
R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>

S3 CA_LIC_CLNT (CA-Lizenz-Client) - c:\programme\ca\sharedcomponents\ca_lic\lic98rmt.exe <Not Verified; Computer Associates; Computer Associates lic98rmt>
S3 CA_LIC_SRVR (CA-Lizenzserver) - c:\programme\ca\sharedcomponents\ca_lic\lic98rmtd.exe <Not Verified; Computer Associates; Computer Associates lic98rmtd>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: PRISM 802.11g Wireless Adapter (3890)
Device ID: PCI\VEN_1260&DEV_3890&SUBSYS_001417CF&REV_01\4&1F7DBC9F&0&00F0
Manufacturer: Intersil Americas Inc.
Name: PRISM 802.11g Wireless Adapter (3890)
PNP Device ID: PCI\VEN_1260&DEV_3890&SUBSYS_001417CF&REV_01\4&1F7DBC9F&0&00F0
Service: PRISM_A00

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA VT6105 Rhine III Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3106&SUBSYS_52504D4F&REV_8B\4&1F7DBC9F&0&48F0
Manufacturer: VIA Technologies, Inc.
Name: VIA VT6105 Rhine III Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1106&DEV_3106&SUBSYS_52504D4F&REV_8B\4&1F7DBC9F&0&48F0
Service: FETNDISB


-- Scheduled Tasks -------------------------------------------------------------

2008-07-18 17:16:36 378 --a------ C:\WINDOWS\Tasks\1-Klick-Wartung.job


-- Files created between 2008-06-27 and 2008-07-27 -----------------------------

2008-07-27 16:54:01 0 d-------- C:\Programme\rhcltmj0ep1r
2008-07-27 16:47:40 60928 --a------ C:\WINDOWS\system32\blphcgtmj0ep1r.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-27 16:47:30 110080 --a------ C:\WINDOWS\system32\lphcgtmj0ep1r.exe
2008-07-27 13:49:01 0 d-------- C:\Programme\Outsim
2008-07-11 11:34:26 0 d-------- C:\Programme\Bla
2008-07-11 00:19:44 0 d-------- C:\Programme\TuneUp Utilities 2008
2008-07-11 00:19:10 0 d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-07-09 18:02:32 0 d-------- C:\Programme\MagicISO
2008-07-09 17:25:11 0 --a------ C:\WINDOWS\PowerReg.dat
2008-07-09 17:23:03 0 d-------- C:\Programme\Infogrames Interactive
2008-07-09 16:40:49 85408 -ra------ C:\WINDOWS\system32\drivers\w810mgmt.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Device Management>
2008-07-09 16:40:45 83344 -ra------ C:\WINDOWS\system32\drivers\w810obex.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC OBEX Interface>
2008-07-09 16:40:35 94064 -ra------ C:\WINDOWS\system32\drivers\w810mdm.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Data Modem>
2008-07-09 16:40:35 8336 -ra------ C:\WINDOWS\system32\drivers\w810mdfl.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC Modem Filter Driver>
2008-07-09 16:40:35 6176 -ra------ C:\WINDOWS\system32\drivers\w810cmnt.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC OBEX Interface>
2008-07-09 16:40:35 6176 -ra------ C:\WINDOWS\system32\drivers\w810cm.sys <Not Verified; MCCI; Sony Ericsson W810 USB WMC OBEX Interface>
2008-07-09 16:26:46 0 d-------- C:\WINDOWS\Downloaded Installations
2008-07-09 16:24:30 0 d-------- C:\Programme\DAEMON Tools
2008-07-09 16:05:20 0 d-------- C:\Programme\MyPhoneExplorer
2008-07-06 13:44:38 0 d-------- C:\Programme\Miranda IM
2008-07-03 18:42:51 0 d-------- C:\Programme\uTorrent
2008-07-03 12:09:15 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-07-03 00:14:28 0 d-------- C:\Programme\Monkey Island 2
2008-07-01 12:37:35 0 d-------- C:\Programme\ScummVM
2008-07-01 12:29:52 0 d-------- C:\Programme\Monkey Island 1


-- Find3M Report ---------------------------------------------------------------

2008-07-27 16:47:53 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\foobar2000
2008-07-27 16:46:20 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\uTorrent
2008-07-27 16:16:50 0 d-------- C:\Programme\Warcraft III
2008-07-27 16:15:54 124082 --a------ C:\WINDOWS\War3Unin.dat
2008-07-27 13:49:46 0 d-------- C:\Programme\Image-Line
2008-07-25 10:14:42 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\OpenOffice.org2
2008-07-25 10:12:18 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\AdobeUM
2008-07-22 22:49:24 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\dvdcss
2008-07-11 11:33:40 0 d-------- C:\Programme\OpenOffice.org 2.3
2008-07-11 00:20:06 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\TuneUp Software
2008-07-11 00:19:10 0 d-------- C:\Programme\Gemeinsame Dateien
2008-07-09 17:23:02 0 d--h----- C:\Programme\InstallShield Installation Information
2008-07-09 17:15:10 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\MyPhoneExplorer
2008-07-09 16:40:02 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Teleca
2008-07-09 16:33:28 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Sony Ericsson
2008-07-06 23:23:41 0 d-------- C:\Programme\Paint.NET
2008-07-06 23:21:47 0 d-------- C:\Programme\Gemeinsame Dateien\InstallShield
2008-07-06 21:49:12 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Miranda
2008-07-03 22:14:45 0 d-------- C:\Programme\Native Instruments
2008-07-03 12:12:42 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Atari
2008-07-03 12:08:22 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Leadertech
2008-07-03 11:57:23 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\DAEMON Tools Pro
2008-07-03 11:29:19 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\DAEMON Tools
2008-07-02 13:30:12 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\ICQ
2008-07-01 12:37:39 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\ScummVM
2008-06-30 14:21:47 410808 --a------ C:\WINDOWS\system32\perfh007.dat
2008-06-30 14:21:47 73994 --a------ C:\WINDOWS\system32\perfc007.dat
2008-06-23 18:11:22 0 d-------- C:\Programme\Mobiola Video Studio
2008-06-23 13:20:54 0 d-------- C:\Programme\Cucusoft
2008-06-22 15:24:35 801 --a------ C:\WINDOWS\mozver.dat
2008-06-22 15:23:41 0 d-------- C:\Programme\DivX
2008-06-22 12:48:05 0 d--hs--c- C:\Programme\Gemeinsame Dateien\WindowsLiveInstaller
2008-06-20 23:27:47 0 d-------- C:\Programme\Gemeinsame Dateien\AVSMedia
2008-06-20 23:27:45 0 d-------- C:\Programme\AVS4YOU
2008-06-19 16:29:45 0 d-------- C:\Programme\GK3neu
2008-06-19 10:05:28 0 d-------- C:\Programme\Messenger
2008-06-18 22:27:01 0 d-------- C:\Programme\MSXML 4.0
2008-06-18 18:12:46 0 d-------- C:\Dokumente und Einstellungen\Ara\Anwendungsdaten\Malwarebytes
2008-06-18 14:14:25 0 d-------- C:\Programme\Avira
2008-05-28 22:36:18 0 d-------- C:\Programme\PokerStars.NET
2008-05-22 16:35:25 16 --a------ C:\WINDOWS\msocreg32.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [19.07.2008 00:53]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" [28.02.2008 10:59]
"lphcgtmj0ep1r"="C:\WINDOWS\system32\lphcgtmj0ep1r.exe" [27.07.2008 16:47]
"SMrhcltmj0ep1r"="C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 00:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Programme\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"C:\Programme\ICQLite\ICQLite.exe" -minimize

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Programme\iTunes\iTunesHelper.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"DAEMON Tools"="C:\Programme\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NBKeyScan"="C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" -atboottime

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


-- End of Deckard's System Scanner: finished at 2008-07-27 19:59:59 ------------
27.07.2008, 19:07 | #4
| [Windows XP] mal wieder Virus extra.txt : Code:
ATTFilter Deckard's System Scanner v20071014.68 Extra logfile - please post this as an attachment with your post. -------------------------------------------------------------------------------- -- System Information ---------------------------------------------------------- Microsoft Windows XP Home Edition (build 2600) SP 2.0 Architecture: X86; Language: German CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz Percentage of Memory in Use: 28% Physical Memory (total/avail): 1279.48 MiB / 914.79 MiB Pagefile Memory (total/avail): 3054.1 MiB / 2795.4 MiB Virtual Memory (total/avail): 2047.88 MiB / 1926.95 MiB C: is Fixed (NTFS) - 37.31 GiB total, 20.62 GiB free. D: is CDROM (No Media) G: is CDROM (Unformatted) H: is CDROM (CDFS) I: is Removable (No Media) J: is Removable (No Media) K: is Removable (No Media) L: is Removable (No Media) \\.\PHYSICALDRIVE0 - SAMSUNG SV0411N - 37.31 GiB - 1 partition \PARTITION0 (bootable) - Installierbares Dateisystem - 37.31 GiB - C: \\.\PHYSICALDRIVE3 - Medion Flash XL MMC/SD USB Device \\.\PHYSICALDRIVE1 - Medion Flash XL CF USB Device \\.\PHYSICALDRIVE2 - Medion Flash XL MS USB Device \\.\PHYSICALDRIVE4 - Medion Flash XL SM USB Device -- Security Center ------------------------------------------------------------- AUOptions is scheduled to auto-install. Windows Internal Firewall is enabled. 
AV: Avira AntiVir PersonalEdition v8.0.1.26 (Avira GmbH) [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger" "C:\\Programme\\Windows Live\\Messenger\\livecall.exe"="C:\\Programme\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)" [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Programme\\iTunes\\iTunes.exe"="C:\\Programme\\iTunes\\iTunes.exe:*:Enabled:iTunes" "C:\\Programme\\uTorrent\\uTorrent.exe"="C:\\Programme\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent" "C:\\Programme\\Miranda IM\\miranda32.exe"="C:\\Programme\\Miranda IM\\miranda32.exe:*:Enabled:Miranda IM" -- Environment Variables ------------------------------------------------------- ALLUSERSPROFILE=C:\Dokumente und Einstellungen\All Users APPDATA=C:\Dokumente und Einstellungen\***\Anwendungsdaten CLASSPATH=.;C:\Programme\QuickTime\QTSystem\QTJava.zip CLIENTNAME=Console CommonProgramFiles=C:\Programme\Gemeinsame Dateien COMPUTERNAME=*** ComSpec=C:\WINDOWS\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=C: HOMEPATH=\Dokumente und Einstellungen\*** LOGONSERVER=\\*** NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Programme\QuickTime\QTSystem PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel PROCESSOR_LEVEL=15 PROCESSOR_REVISION=0209 ProgramFiles=C:\Programme PROMPT=$P$G QTJAVA=C:\Programme\QuickTime\QTSystem\QTJava.zip SESSIONNAME=Console 
SystemDrive=C: SystemRoot=C:\WINDOWS TEMP=C:\DOKUME~1\Ara\LOKALE~1\Temp TMP=C:\DOKUME~1\Ara\LOKALE~1\Temp USERDOMAIN=*** USERNAME=*** USERPROFILE=C:\Dokumente und Einstellungen\*** windir=C:\WINDOWS -- User Profiles --------------------------------------------------------------- *** (admin) -- Add/Remove Programs --------------------------------------------------------- --> C:\Programme\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL --> C:\WINDOWS\IsUn0407.exe -fC:\WINDOWS\orun32.isu --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL --> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL --> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL --> C:\WINDOWS\UNRecode.exe /UNINSTALL --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe Adobe Reader 6.0 - Deutsch --> MsiExec.exe /I{AC76BA86-7AD7-1031-7646-000000000001} AntivirXP08 --> "C:\Programme\rhcltmj0ep1r\uninstall.exe" ASIO4ALL --> C:\Programme\ASIO4ALL v2\uninstall.exe ATI - Dienstprogramm zur Deinstallation der Software --> C:\Programme\ATI Technologies\UninstallAll\AtiCimUn.exe ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean ATI Parental Control & Encoder --> MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7} µTorrent --> "C:\Programme\uTorrent\uTorrent.exe" /UNINSTALL Avira AntiVir Personal - Free Antivirus --> C:\Programme\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE C-Media 3D Audio --> C:\WINDOWS\CMIUnInstall.exe C-Media WDM Audio Driver --> C:\WINDOWS\system32\cmirmdrv.exe DivX Web Player --> C:\Programme\DivX\DivXWebPlayerUninstall.exe /PLUGIN FL Studio 7 --> C:\Programme\Image-Line\FL Studio 7\uninstall.exe FL Studio 8 --> F:\Fruity 
Loops\uninstall.exe FLV Player --> "C:\WINDOWS\FLV Player\uninstall.exe" "/U:C:\Programme\FLV Player\Uninstall\uninstall.xml" foobar2000 v0.9.5.1 --> "M:\foobar2000\uninstall.exe" Icy Tower v1.3 --> "c:\Icy Tower\icytower1.3\unins000.exe" IL Download Manager --> C:\Programme\Image-Line\Downloader\uninstall.exe iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306} Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030} Lexicon Omega Studio(remove only) --> F:\Musik machen\Cubase LE\OmegaStudioUninstaller.exe Magic ISO Maker v5.5 (build 0261) --> C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG Mediscript-CD GK3 --> C:\PROGRA~1\GK3neu\UNWISE.EXE C:\PROGRA~1\GK3neu\INSTALL.LOG Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d} Microsoft Windows-Journal-Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7} Miranda IM 0.7.7 --> C:\Programme\Miranda IM\Uninstall.exe Mozilla Firefox (2.0.0.16) --> C:\Programme\Mozilla Firefox\uninstall\helper.exe MyPhoneExplorer --> C:\Programme\MyPhoneExplorer\uninstall.exe Native Instruments Guitar Rig 3 --> F:\MUSIKM~1\GUITAR~2\UNWISE.EXE F:\MUSIKM~1\GUITAR~2\INSTALL.LOG Nero 8 Trial --> MsiExec.exe /X{BE282C23-5484-47FF-B2C1-EBEA5C891031} neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B} OpenOffice.org 2.3 --> MsiExec.exe /I{A625D45F-1DC4-47FB-ABCF-6B27684AA717} PoiZone --> C:\Programme\Image-Line\PoiZone\uninstall.exe QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC} RollerCoaster Tycoon 2 --> RunDll32 C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programme\InstallShield Installation Information\{72DF62BD-FF36-424E-AA5F-D89BAFF2C249}\Setup.exe" -l0x9 ScummVM 0.11.1 --> "C:\Programme\ScummVM\unins000.exe" Sicherheitsupdate für Step by Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB890046) 
--> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB918118) --> 
"C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB928843) --> 
"C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB944338) --> "C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB944653) --> 
"C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB950749) --> "C:\WINDOWS\$NtUninstallKB950749$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB950760) --> "C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB950762) --> "C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB951376-v2) --> "C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB951376) --> "C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB951698) --> "C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe" Sicherheitsupdate für Windows XP (KB951748) --> "C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe" Steinberg Cubase LE --> "F:\Musik machen\Cubase LE\Steinberg\Cubase LE\Uninstall.exe" "F:\Musik machen\Cubase LE\Steinberg\Cubase LE\Install.log" Toxic Biohazard --> C:\Programme\Image-Line\Toxic Biohazard\uninstall.exe TuneUp Utilities 2008 --> MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA} Update für Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe" Update für Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe" Update für Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe" Update für Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe" Update für Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe" Update für Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe" Update für Windows XP 
(KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Update für Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Update für Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Update für Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Update für Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Update für Windows XP (KB932823-v3) --> "C:\WINDOWS\$NtUninstallKB932823-v3$\spuninst\spuninst.exe"
Update für Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Update für Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Update für Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
VideoLAN VLC media player 0.8.6d --> C:\Programme\VideoLAN\VLC\uninstall.exe
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Windows-Sicherungsprogramm --> MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows XP-Hotfix - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP-Hotfix - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP-Hotfix - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP-Hotfix - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP-Hotfix - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP-Hotfix - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP-Hotfix - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
WinRAR archiver --> C:\Programme\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4899 / Warning
Event Submitted/Written: 07/27/2008 04:54:02 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
PHISH/FraudTool.XPAntivirus.MP
C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe

Event Record #/Type4898 / Warning
Event Submitted/Written: 07/27/2008 04:54:02 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
PHISH/FraudTool.XPAntivirus.MP
C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe

Event Record #/Type4897 / Warning
Event Submitted/Written: 07/27/2008 04:54:02 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
PHISH/FraudTool.XPAntivirus.MP
C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe

Event Record #/Type4890 / Warning
Event Submitted/Written: 07/27/2008 04:48:08 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Dldr.Agent.xkg
C:\Dokumente und Einstellungen\Ara\Lokale Einstellungen\Temp\smchk.exe

Event Record #/Type4889 / Warning
Event Submitted/Written: 07/27/2008 04:48:08 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
TR/Dldr.Agent.xkg
C:\Dokumente und Einstellungen\Ara\Lokale Einstellungen\Temporary Internet Files\Content.IE5\D9ODWGXL\d226[1].exe


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type62906 / Error
Event Submitted/Written: 07/27/2008 06:04:49 PM
Event ID/Source: 10005 / DCOM
Event Description:
Bei DCOM ist der Fehler "%%1058" aufgetreten, als der Dienst "upnphost" mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Event Record #/Type62903 / Error
Event Submitted/Written: 07/27/2008 06:04:48 PM
Event ID/Source: 10005 / DCOM
Event Description:
Bei DCOM ist der Fehler "%%1058" aufgetreten, als der Dienst "upnphost" mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Event Record #/Type62882 / Error
Event Submitted/Written: 07/27/2008 05:16:44 PM
Event ID/Source: 10005 / DCOM
Event Description:
Bei DCOM ist der Fehler "%%1058" aufgetreten, als der Dienst "upnphost" mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Event Record #/Type62876 / Error
Event Submitted/Written: 07/27/2008 05:16:43 PM
Event ID/Source: 10005 / DCOM
Event Description:
Bei DCOM ist der Fehler "%%1058" aufgetreten, als der Dienst "upnphost" mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {204810B9-73B2-11D4-BF42-00B0D0118B56}

Event Record #/Type62852 / Error
Event Submitted/Written: 07/27/2008 04:52:53 PM
Event ID/Source: 10005 / DCOM
Event Description:
Bei DCOM ist der Fehler "%%1058" aufgetreten, als der Dienst "upnphost" mit den Argumenten "" gestartet wurde, um den folgenden Server zu verwenden: {204810B9-73B2-11D4-BF42-00B0D0118B56}


-- End of Deckard's System Scanner: finished at 2008-07-27 19:59:59 ------------ |
27.07.2008, 20:47 | #5 |
/// Winkelfunktion /// TB-Süch-Tiger™ | [Windows XP] Virus once again
Code:
C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe
C:\WINDOWS\system32\blphcgtmj0ep1r.scr
C:\WINDOWS\system32\lphcgtmj0ep1r.exe
__________________ Please always post logfiles in CODE tags |
27.07.2008, 21:44 | #6 |
| [Windows XP] Virus once again

C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe
Code:
0 bytes size received / Se ha recibido un archivo vacio

C:\WINDOWS\system32\blphcgtmj0ep1r.scr :
Code:
MD5: 538f9ead95eba12134d95b4fe7082331
First received: 2008.06.11 23:35:27 (CET)
Datum 2008.07.27 02:27:32 (CET) [<1D]
Ergebnisse 6/35
Permalink: analisis/3b4e666cf740cd20e45a5bb464cf3b8a

Antivirus          Version         letzte aktualisierung  Ergebnis
AhnLab-V3          2008.7.26.0     2008.07.27  Win-AppCare/Xema.716800
AntiVir            7.8.1.12        2008.07.26  -
Authentium         5.1.0.4         2008.07.27  -
Avast              4.8.1195.0      2008.07.26  -
AVG                8.0.0.130       2008.07.27  -
BitDefender        7.2             2008.07.27  -
CAT-QuickHeal      9.50            2008.07.25  -
ClamAV             0.93.1          2008.07.27  -
DrWeb              4.44.0.09170    2008.07.27  -
eSafe              7.0.17.0        2008.07.27  Suspicious File
eTrust-Vet         31.6.5983       2008.07.26  -
Ewido              4.0             2008.07.27  -
F-Prot             4.4.4.56        2008.07.27  -
F-Secure           7.60.13501.0    2008.07.27  -
Fortinet           3.14.0.0        2008.07.26  Joke/Bluescreen
GData              2.0.7306.1023   2008.07.27  -
Ikarus             T3.1.1.34.0     2008.07.27  -
Kaspersky          7.0.0.125       2008.07.27  -
McAfee             5347            2008.07.25  potentially unwanted program Joke-Bluescreen
Microsoft          1.3704          2008.07.27  -
NOD32v2            3301            2008.07.27  -
Norman             5.80.02         2008.07.25  -
Panda              9.0.0.4         2008.07.27  -
PCTools            4.4.2.0         2008.07.27  Application.BluSOD
Prevx1             V2              2008.07.27  Malicious Software
Rising             20.54.62.00     2008.07.27  -
Sophos             4.31.0          2008.07.27  -
Sunbelt            3.1.1536.1      2008.07.25  -
Symantec           10              2008.07.27  Joke.Blusod
TheHacker          6.2.96.389      2008.07.25  -
TrendMicro         8.700.0.1004    2008.07.26  -
VBA32              3.12.8.1        2008.07.27  -
ViRobot            2008.7.26.1311  2008.07.26  Joke.Bluescreen.60928
VirusBuster        4.5.11.0        2008.07.27  -
Webwasher-Gateway  6.6.2           2008.07.27  -

weitere Informationen
File size: 60928 bytes
MD5...: 538f9ead95eba12134d95b4fe7082331
SHA1..: 527c50b92b5cededdd5b7e3edda71cb13d108dac
SHA256: a416bab39037854c14540edaaf80cff7b5f2e9db31eee235527574e8dedd54e6
SHA512: 4631ff7cf868348585ee0e26591b95be3ee8b232c7980f5013f4464f285b0fbd
ef41794c44cb8653d6fb6dc815c0c0a9f4af780bfeb9b23d2f4c3bdc62bf4581
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4b2b20
timedatestamp.....: 0x452e6fe8 (Thu Oct 12 16:40:08 2006)
machinetype.......: 0x14c (I386)

( 3 sections )
name   viradd    virsiz    rawdsiz  ntrpy  md5
UPX0   0x1000    0xa4000   0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
UPX1   0xa5000   0xe000    0xde00   7.90   b6d22c9552fb5d20b4877ea36d1dff4f
.rsrc  0xb3000   0x1000    0xc00    3.91   af2222062a7a7f5fda0a2fd3ed07591d

( 8 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: InitCommonControlsEx
> comdlg32.dll: PrintDlgA
> DDRAW.dll: DirectDrawCreate
> GDI32.dll: EndDoc
> USER32.dll: GetDC
> WINMM.dll: timeSetEvent

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=3FB3E960006D9112EEE7009A960AC800008EA791
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=538f9ead95eba12134d95b4fe7082331
packers (F-Prot): UPX

C:\WINDOWS\system32\lphcgtmj0ep1r.exe
Code:
MD5: 453e5e7037c952afa05a0cfa2d1f155d
First received: 2008.07.27 15:37:41 (CET)
Datum 2008.07.27 17:37:01 (CET) [<1D]
Ergebnisse 10/35
Permalink: analisis/38ecc9fc108f29868188717868927a96

Antivirus          Version         letzte aktualisierung  Ergebnis
AhnLab-V3          2008.7.26.0     2008.07.27  -
AntiVir            7.8.1.12        2008.07.26  HEUR/Crypted
Authentium         5.1.0.4         2008.07.27  -
Avast              4.8.1195.0      2008.07.26  -
AVG                8.0.0.130       2008.07.27  Downloader.FraudLoad.A
BitDefender        7.2             2008.07.27  Trojan.Peed.JPX
CAT-QuickHeal      9.50            2008.07.25  (Suspicious) - DNAScan
ClamAV             0.93.1          2008.07.27  -
DrWeb              4.44.0.09170    2008.07.27  -
eSafe              7.0.17.0        2008.07.27  Suspicious File
eTrust-Vet         31.6.5983       2008.07.26  -
Ewido              4.0             2008.07.27  -
F-Prot             4.4.4.56        2008.07.27  -
F-Secure           7.60.13501.0    2008.07.27  -
Fortinet           3.14.0.0        2008.07.26  W32/Tibs.JC!tr
GData              2.0.7306.1023   2008.07.27  -
Ikarus             T3.1.1.34.0     2008.07.27  Trojan.Peed.JPX
Kaspersky          7.0.0.125       2008.07.27  -
McAfee             5347            2008.07.25  -
Microsoft          1.3704          2008.07.27  Worm:Win32/Nuwar.KE
NOD32v2            3301            2008.07.27  -
Norman             5.80.02         2008.07.25  -
Panda              9.0.0.4         2008.07.27  -
PCTools            4.4.2.0         2008.07.27  -
Prevx1             V2              2008.07.27  Malicious Software
Rising             20.54.62.00     2008.07.27  -
Sophos             4.31.0          2008.07.27  -
Sunbelt            3.1.1536.1      2008.07.25  -
Symantec           10              2008.07.27  Packed.Generic.174
TheHacker          6.2.96.389      2008.07.25  -
TrendMicro         8.700.0.1004    2008.07.26  -
VBA32              3.12.8.1        2008.07.27  -
ViRobot            2008.7.26.1311  2008.07.26  -
VirusBuster        4.5.11.0        2008.07.27  -
Webwasher-Gateway  6.6.2           2008.07.27  Heuristic.Crypted

weitere Informationen
File size: 110080 bytes
MD5...: 453e5e7037c952afa05a0cfa2d1f155d
SHA1..: a28d28d3da055d1b13eddeda12d4f2d07173a7d1
SHA256: 04d3bb7d272d8542c0c986579c5cc7422f6c6c76d5b0642222cfb7c1a7b7765e
SHA512: 04401d4937d2d5f265f46598e62e201dde6b2a2d97c4fb5f695ff047e45142f0
d81b4fcf1bf3e0e9ca9648ea5c7e901555a57a9814cdfb6a5bd92ca580ff962e
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403811
timedatestamp.....: 0x48776b9b (Fri Jul 11 14:18:03 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x8f3b   0x6200   7.99   8a5e57ffefbd0f64e9644da2d66da8e0
.rdata  0xa000   0x38ad   0x1600   7.97   a12ba4e6286f830e973fb06a3c6fc722
.data   0xe000   0x25f60  0x11200  8.00   9fc31b11dd8fea75728f9daf48fb43bc
.rsrc   0x34000  0x2000   0x2000   5.31   3b2e0792fe9da580674d305ab7e5ef1a

( 3 imports )
> urlmon.dll: URLOpenStreamA, IsLoggingEnabledA, CoInstall, GetClassFileOrMime, AsyncInstallDistributionUnit, IsValidURL
> gdi32.dll: SetICMMode, SetRelAbs, ResetDCW, StretchBlt, SetDIBColorTable, UpdateColors, SaveDC, TextOutW
> shell32.dll: StrCmpNA, SHFormatDrive, SHAppBarMessage

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=266BA71A006AFBF3AE3401A4CD395A00C0E6BC18
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=453e5e7037c952afa05a0cfa2d1f155d |
27.07.2008, 22:33 | #7 |
| [Windows XP] Virus once again
Code:
Malwarebytes' Anti-Malware 1.23
Datenbank Version: 999
Windows 5.1.2600 Service Pack 2

23:32:25 27.07.2008
mbam-log-7-27-2008 (23-32-25).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 88109
Laufzeit: 43 minute(s), 14 second(s)

Infizierte Speicherprozesse: 2
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 3
Infizierte Registrierungswerte: 6
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 1
Infizierte Dateien: 14

Infizierte Speicherprozesse:
C:\WINDOWS\system32\blphcgtmj0ep1r.scr (Trojan.FakeAlert) -> Unloaded process successfully.
C:\WINDOWS\system32\lphcgtmj0ep1r.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcltmj0ep1r (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcltmj0ep1r (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcgtmj0ep1r (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcltmj0ep1r (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Programme\rhcltmj0ep1r (Rogue.Multiple) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Programme\rhcltmj0ep1r\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\rhcltmj0ep1r.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhcltmj0ep1r\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Ara\Lokale Einstellungen\Temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Ara\Lokale Einstellungen\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Ara\Lokale Einstellungen\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcgtmj0ep1r.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcgtmj0ep1r.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcgtmj0ep1r.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully. |
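The Malwarebytes log above explains the original symptom: the rogue set the NoDispBackgroundPage and NoDispScrSavPage policies to 1 (hiding the Desktop and Screen Saver tabs), rewrote the wallpaper values under HKCU\Control Panel\Desktop, and persisted through Run entries pointing at random-named files in system32. The following PowerShell audit is an added example and is not code from the thread or from any tool discussed in it; it assumes PowerShell 3.0 or later on the affected machine, takes the key and value names from the log, and the "unsigned binary started from system32" heuristic is this example's own assumption.

```powershell
# Added example (not from the thread): audit the registry artifacts the
# Malwarebytes log attributes to this FakeAlert / wallpaper hijack.
# Assumes PowerShell 3.0+ on the affected machine. Key and value names come
# from the log; the "unsigned in system32" heuristic is this example's own.

$PolicyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$DesktopKey = 'HKCU:\Control Panel\Desktop'
$RunKeys    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Policies MBAM flagged as Hijack.DisplayProperties (Bad: 1, Good: 0).
# Set to 1 they hide the Desktop / Screen Saver tabs, which is why the
# wallpaper could not be changed from the Display control panel.
$LockdownValues = 'NoDispBackgroundPage', 'NoDispScrSavPage'

function Get-DisplayLockdown {
    if (-not (Test-Path $PolicyKey)) { return }
    $props = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $LockdownValues) {
        if ($props.$name -eq 1) {
            [pscustomobject]@{ Key = $PolicyKey; Name = $name; Value = $props.$name }
        }
    }
}

# Values MBAM flagged as Hijack.Wallpaper. Compare the paths with the files
# it removed (phcgtmj0ep1r.bmp and blphcgtmj0ep1r.scr in system32).
function Get-DesktopValues {
    $desktop = Get-ItemProperty -Path $DesktopKey
    foreach ($name in 'Wallpaper', 'OriginalWallpaper', 'ConvertedWallpaper', 'SCRNSAVE.EXE') {
        [pscustomobject]@{ Name = $name; Value = $desktop.$name }
    }
}

# Run entries like lphcgtmj0ep1r in the log: a binary launched from system32
# that carries no valid Authenticode signature.
function Get-SuspiciousRunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not a Run value
            $cmd = [string]$p.Value
            # The executable is either the quoted prefix or the first token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (Test-Path -LiteralPath $exe) {
                $status = (Get-AuthenticodeSignature -FilePath $exe).Status
            } else {
                $status = 'FileMissing'
            }
            $inSystem32 = $exe -like (Join-Path $env:SystemRoot 'system32\*')
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Signature  = $status
                Suspicious = ($inSystem32 -and $status -ne 'Valid')
            }
        }
    }
}

# Remediation matching what MBAM did: reset the lockdown policies to 0.
function Reset-DisplayLockdown {
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $LockdownValues) {
        if ($props.$name -eq 1) {
            Set-ItemProperty -Path $PolicyKey -Name $name -Value 0 -Type DWord
        }
    }
}

Get-DisplayLockdown      | Format-Table -AutoSize
Get-DesktopValues        | Format-Table -AutoSize
Get-SuspiciousRunEntries | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Run the three Get-* functions first and keep their output with the other logs; call Reset-DisplayLockdown only after the files behind the flagged Run entries have been dealt with, otherwise the rogue re-applies the policies at the next start.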
27.07.2008, 22:50 | #8 |
| [Windows XP] Virus once again
Blacklight (nothing found):
Code:
07/27/08 23:38:15 [Info]: BlackLight Engine 1.0.70 initialized
07/27/08 23:38:15 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/27/08 23:38:15 [Note]: 7019 4
07/27/08 23:38:15 [Note]: 7005 0
07/27/08 23:38:20 [Note]: 7006 0
07/27/08 23:38:20 [Note]: 7011 1308
07/27/08 23:38:20 [Note]: 7035 0
07/27/08 23:38:20 [Note]: 7026 0
07/27/08 23:38:20 [Note]: 7026 0
07/27/08 23:38:23 [Note]: FSRAW library version 1.7.1024
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:46:55 [Note]: 2000 1012
07/27/08 23:48:31 [Note]: 7007 0

MBR-Tool:
Code:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK |
28.07.2008, 08:14 | #9 |
/// Winkelfunktion /// TB-Süch-Tiger™ | [Windows XP] Virus once again
That already looks pretty much OK again. Anti-Malware removed quite a bit there. Please also create a logfile with silentrunners.
__________________ Please always post logfiles in CODE tags |
28.07.2008, 13:28 | #10 |
| [Windows XP] Virus once again
Um, I don't know. I started the program at about ten past eleven, and it said that after the scan a text box and a logfile would open, but it also stressed that this scan takes a very long time. Well, on my machine it has now been running for 3 hours and nothing has come up yet? There is already a text file, though: Startup Programs (***) 2008-07-28 11.13.12.txt:
Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"NeroFilterCheck" = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" ["Nero AG"]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
  \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
  \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
  \StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte"
  -> {HKLM...CLSID} = "Universelle Plug & Play-Geräte"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\upnpui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
     \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
     \InProcServer32\(Default) = "C:\Programme\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{BEFAC8C8-2100-4315-AE9A-2A9127AF02D8}" = "MobiolaShlExt extension"
  -> {HKLM...CLSID} = "MobiolaShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Mobiola Video Studio\MobiolaExt.dll" [null data]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
     \InProcServer32\(Default) = "C:\Programme\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
     \InProcServer32\(Default) = "C:\Programme\MagicISO\misosh.dll" ["MagicISO, Inc."]
MyPhoneExplorer\(Default) = "{A372C6DF-7A85-41B1-B3B0-D1E24073DCBF}"
  -> {HKLM...CLSID} = "MyPhoneExplorer_ShellEx.ShellExt"
     \InProcServer32\(Default) = "C:\Programme\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
SMobiolaShlExt\(Default) = "{BEFAC8C8-2100-4315-AE9A-2A9127AF02D8}"
  -> {HKLM...CLSID} = "MobiolaShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Mobiola Video Studio\MobiolaExt.dll" [null data]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
     \InProcServer32\(Default) = "C:\Programme\MagicISO\misosh.dll" ["MagicISO, Inc."]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
     \InProcServer32\(Default) = "C:\Programme\MagicISO\misosh.dll" ["MagicISO, Inc."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"NoDispBackgroundPage" = (REG_DWORD) dword:0x00000000
{Hide Desktop tab}
"NoDispScrSavPage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Windows\System\
"DisableCMD" = (REG_DWORD) dword:0x00000000
{Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

MSVideoCameraArrival\
"Provider" = "@C:\Programme\Movie Maker\1031\wmm2res.dll,-100"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Programme\Movie Maker\moviemk.exe" /RECORD"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay8AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

NeroAutoPlay8CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

NeroAutoPlay8DataDisc_CD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

NeroAutoPlay8DataDisc_DVD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

NeroAutoPlay8LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

NeroAutoPlay8PlayAudioCD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8PlayDVD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay8RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay8TranscodeVideo\
"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

NeroAutoPlay8VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Programme\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay8ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Programme\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"] Enabled Scheduled Tasks: ------------------------ "1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2008\OneClick.exe /schedulestart" ["TuneUp Software GmbH"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKCU\Software\Microsoft\Internet Explorer\Extensions\ {8DC086C2-5C5E-4B71-8413-18139AC3D9CF}\ "ButtonText" = "MedionShop" "Exec" = "http://www.medionshop.de/" [file not found] HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."] {85D1F590-48F4-11D9-9669-0800200C9A66}\ "MenuText" = "Uninstall BitDefender Online Scanner v8" "Exec" = "%windir%\bdoscandel.exe" [null data] {B863453A-26C3-4E1F-A54D-A2CD196348E9}\ 
"ButtonText" = "ICQ Lite" "MenuText" = "ICQ Lite" "Exec" = "C:\Programme\ICQLite\ICQLite.exe" [file not found] {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."] Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"] Avira AntiVir Personal – Free Antivirus Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"] Ereignisprotokoll-Überwachung, LogWatch, "C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe" ["Computer Associates"] Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"] PLFlash DeviceIoControl Service, PLFlash DeviceIoControl Service, "C:\WINDOWS\System32\IoctlSvc.exe" ["Prolific Technology Inc."] TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]} Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Canon BJ Language Monitor MP750\Driver = "CNMLM6z.DLL" ["CANON INC."] LPR Port\Driver = "lprmon.dll" [MS] ---------- (launch time: 2008-07-28 11:13:12) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 70 seconds. ---------- (total run time: 203 seconds) |
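The footer of the log above explains the tool's marker conventions: `<<!>>` flags suspicious data at a launch point, and every file reference ends in a bracketed tag (`[MS]`, `["Company"]`, `[null data]`, `[file not found]`). The following Python script is an added example, not part of the thread and not Silent Runners' own code: it triages lines in that format and sorts them by how much attention they deserve, which is what a helper reading such a log does by hand. The sample lines are taken from the log above except the last one, which is a constructed `<<!>>` entry with a placeholder file name; the severity labels are my own choice.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of the Silent Runners log posted above.
# The final <<!>> line is invented for illustration; its file name is a placeholder.
SAMPLE_LOG = r'''{8DC086C2-5C5E-4B71-8413-18139AC3D9CF}\ "ButtonText" = "MedionShop" "Exec" = "http://www.medionshop.de/" [file not found]
{85D1F590-48F4-11D9-9669-0800200C9A66}\ "MenuText" = "Uninstall BitDefender Online Scanner v8" "Exec" = "%windir%\bdoscandel.exe" [null data]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Canon BJ Language Monitor MP750\Driver = "CNMLM6z.DLL" ["CANON INC."]
LPR Port\Driver = "lprmon.dll" [MS]
<<!>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "example" = "C:\WINDOWS\system32\EXAMPLE_PLACEHOLDER.exe" [null data]
'''


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    reason: str
    line: str


# The bracketed tag the tool appends after each file reference:
#   [MS]              -> version info names Microsoft
#   ["Company Name"]  -> version info names that company
#   [null data]       -> file exists but carries no version/company info
#   [file not found]  -> the launch point points at a missing file
TAG_RE = re.compile(r'\[([^\]]*)\]\s*$')


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a file-reference or <<!>> line, None otherwise."""
    line = line.rstrip()
    if not line:
        return None
    if line.startswith('<<!>>'):
        # The tool itself flagged this launch point; always look at it first.
        return Finding('high', 'tool flagged suspicious data at a launch point', line)
    m = TAG_RE.search(line)
    if not m:
        return None  # section header, ruler line, or a key path without a file
    tag = m.group(1)
    if tag == 'file not found':
        # Dangling entries are usually leftovers of uninstalled software,
        # but they can also be what remains after a removal tool deleted a file.
        return Finding('medium', 'launch point references a missing file', line)
    if tag == 'null data':
        # No publisher at all: worth checking the file's hash and location.
        return Finding('medium', 'referenced file has no version/company info', line)
    if tag == 'MS' or tag.startswith('"'):
        return Finding('info', f'publisher recorded: {tag}', line)
    return Finding('medium', f'unrecognised tag: {tag}', line)


def triage(log_text: str) -> List[Finding]:
    """Classify every line of a Silent Runners-style log, dropping non-file lines."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> dict:
    counts = {'high': 0, 'medium': 0, 'info': 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == '__main__':
    findings = triage(SAMPLE_LOG)
    for f in findings:
        if f.severity != 'info':
            print(f'{f.severity.upper():6} {f.reason}: {f.line[:80]}')
    print(summarize(findings))
```

A "medium" hit is a prompt to look, not a verdict: the two `[file not found]` entries in the real log above are stale IE extension entries for MedionShop and ICQ Lite, and the `[null data]` one is BitDefender's uninstall stub, all of which the helper in the next post rightly passed over.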
29.07.2008, 12:33 | #11 |
/// Winkelfunktion /// TB-Süch-Tiger™ | [Windows XP] virus again
Hm, yes, Silent Runners doesn't always run through 100% cleanly, but in your case it produced the logfile completely.
Code:
"C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
"C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
Otherwise I don't see anything conspicuous in the logfile. If there are still further "crooked" files in the system, we may be able to track them down like this: via a file listing with this script:
Upload that listing.txt e.g. at file-upload.net and link it here, since that logfile is too big for the board.
__________________ Please always post logfiles in CODE tags |