| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Upload nahezu nicht vorhanden, Surfen eine PlageWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
02.08.2008, 14:14
| #1 |
 |  Upload nahezu nicht vorhanden, Surfen eine Plage Hallo! Seit ein paar Tagen ist das Surfen im Internet teilweise extrem langsam und laut Speedtests der Upload völlig im Keller. Ich dachte erst es liegt an der Hitze, aber hab dann mal Spybot laufen lassen und der hat ein paar kleine Sachen sowie einen Win32.Shark.af hinweis entdeckt, die Probleme wurden alle gelöscht und nach Neustart wuerde auch nichtsmehr gefunden, das Problem besteht aber weiterhin. Hier mal ein LOG vom Deckard Scanner: Deckard Scanner: Code:
ATTFilter Deckard's System Scanner v20071014.68 Run by Ryan on 2008-08-02 14:40:27 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as Ryan.exe) ------------------------------------------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:40:31, on 02.08.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\WINDOWS\system32\Rundll32.exe C:\Programme\FreePDF_XP\fpassist.exe D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe D:\TuneUp Utilities 2007\MemOptimizer.exe C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Programme\Logitech\SetPoint\SetPoint.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Programme\Gemeinsame Dateien\InterVideo\DeviceService\DevSvc.exe C:\WINDOWS\system32\oodag.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Viewpoint\Common\ViewpointService.exe C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe C:\WINDOWS\System32\svchost.exe C:\Dokumente und Einstellungen\a\Desktop\dss.exe D:\Trend Micro\HijackThis\Ryan.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.de/webhp?hl=de R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favoriten R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE" O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [AWMON] "D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" O4 - HKCU\..\Run: [TuneUp MemOptimizer] "D:\TuneUp Utilities 2007\MemOptimizer.exe" autostart O4 - HKCU\..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2004\MemOptimizer.exe" autostart (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Logitech SetPoint.lnk = ? O8 - Extra context menu item: An vorhandenes PDF anfügen - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyGaming\PartyPoker\RunApp.exe O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyGaming\PartyPoker\RunApp.exe O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing) O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing) O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programme\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programme\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing) O15 - Trusted Zone: http://www.gmx.de O15 - Trusted Zone: http://www.gmx.net O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/DE-DE/a-UNO1/GAME_UNO1.cab O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{1D59F153-870D-4C80-A021-649D09D0A132}: NameServer = 192.168.0.1 O17 - HKLM\System\CS1\Services\Tcpip\..\{1D59F153-870D-4C80-A021-649D09D0A132}: NameServer = 192.168.0.1 O17 - HKLM\System\CS2\Services\Tcpip\..\{1D59F153-870D-4C80-A021-649D09D0A132}: NameServer = 192.168.0.1 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Capture Device Service - InterVideo Inc. - C:\Programme\Gemeinsame Dateien\InterVideo\DeviceService\DevSvc.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - D:\iPod\bin\iPodService.exe O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programme\Viewpoint\Common\ViewpointService.exe -- End of file - 11800 bytes -- Files created between 2008-07-02 and 2008-08-02 ----------------------------- 2008-07-02 11:24:12 0 d-------- C:\Programme\TiffSplitter 2008-07-02 11:21:24 0 d-------- C:\Programme\MainMedia -- Find3M Report --------------------------------------------------------------- 2008-08-02 04:56:57 0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\Malwarebytes 2008-08-02 04:06:50 0 d-------- C:\Programme\DivX 2008-08-02 04:06:50 0 d-------- C:\Programme\bfgclient 2008-08-02 04:06:50 0 d-------- C:\Programme\Avanquest update 2008-08-02 03:22:49 0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\Skype 2008-07-26 16:35:29 0 d-------- C:\Programme\Wisdom-soft AutoScreenRecorder Free 2008-07-26 11:39:11 0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\uTorrent 2008-07-24 19:32:06 0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\Adobe 2008-07-06 16:33:47 0 d--h----- C:\Programme\InstallShield Installation Information 2008-07-01 18:56:29 0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\Mozilla 2008-07-01 18:47:36 0 d-------- C:\Programme\ICQ6 2008-07-01 18:47:30 0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\ICQ 2008-06-21 02:08:13 0 d-------- C:\Programme\AIM6 2008-06-06 22:00:24 0 d-------- C:\Programme\Gemeinsame Dateien 2008-06-06 22:00:24 0 d-------- C:\Programme\Gemeinsame Dateien\PlayOnline 2008-06-06 21:45:50 0 d-------- C:\Programme\PlayOnline 2008-06-06 18:45:36 0 d-------- C:\Programme\Gemeinsame Dateien\buhl data service 2008-06-06 17:18:52 0 d-------- C:\Programme\Gemeinsame Dateien\BioWare 2008-06-05 20:43:50 0 d-------- C:\Programme\Viewpoint -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [19.07.2005 18:32] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [19.07.2006 13:03 C:\WINDOWS\KHALMNPR.Exe] "Logitech Hardware Abstraction Layer"="C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE" [19.07.2006 13:03] "P17Helper"="P17.dll" [03.05.2005 19:38 C:\WINDOWS\system32\P17.dll] "UpdReg"="C:\WINDOWS\UpdReg.EXE" [11.05.2000 01:00] "AtiPTA"="atiptaxx.exe" [22.02.2006 03:05 C:\WINDOWS\system32\atiptaxx.exe] "NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [12.01.2006 15:40] "FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [25.04.2007 21:05] "Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 23:16] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [31.12.2002 14:00] "AWMON"="D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [25.05.2005 12:12] "TuneUp MemOptimizer"="D:\TuneUp Utilities 2007\MemOptimizer.exe" [26.04.2007 20:08] "StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [15.01.2007 16:14] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce] "ICQ Lite"=C:\Programme\ICQLite\ICQLite.exe -trayboot [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "TuneUp MemOptimizer"="C:\Programme\TuneUp Utilities 2004\MemOptimizer.exe" autostart C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\ Logitech SetPoint.lnk - C:\Programme\Logitech\SetPoint\SetPoint.exe [06.01.2007 19:10:51] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoSMBalloonTip"=0 (0x0) "ForceClassicControlPanel"=1 (0x1) "NoRecentDocsHistory"=1 (0x1) "NoRecentDocsMenu"=1 (0x1) [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSMBalloonTip"=0 (0x0) "ForceClassicControlPanel"=1 (0x1) "NoRecentDocsHistory"=1 (0x1) "NoRecentDocsMenu"=1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=avgrsstx.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk] path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^a^Startmenü^Programme^Autostart^Adobe Gamma.lnk] path=C:\Dokumente und Einstellungen\a\Startmenü\Programme\Autostart\Adobe Gamma.lnk backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA] atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools] "C:\Programme\DAEMON Tools\daemon.exe" -lang 1033 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate] C:\Programme\Logitech\Video\ManifestEngine.exe boot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair] C:\Programme\Logitech\Video\ISStart.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray] C:\Programme\Logitech\Video\LogiTray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan] SOUNDMAN.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "HostManager"=C:\Programme\Gemeinsame Dateien\AOL\1159212728\ee\AOLSoftware.exe "IPHSend"=C:\Programme\Gemeinsame Dateien\AOL\IPHSend\IPHSend.exe "MessengerPlus3"="C:\Programme\MessengerPlus! 3\MsgPlus.exe" "iTunesHelper"="D:\iTunes\iTunesHelper.exe" "QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime "BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent "NeroFilterCheck"=C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe "FreePDF Assistant"=C:\Programme\FreePDF_XP\fpassist.exe "AtiPTA"=atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] bthsvcs BthServ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs UxTuneUp [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bdb6542-a1ab-11da-b414-806d6172696f}] AutoRun\command- E:\ASUSACPI.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98ce8efa-c862-11da-b1ec-0015f23c72ef}] AutoRun\command- F:\BSAutoRun.exe *Newly Created Service* - GMER *Newly Created Service* - RKREVEAL150 [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F90F0706-E0C0-EF53-B7E4-CD62C00106D0}] C:\WINDOWS\system32\winupdt.exe -- End of Deckard's System Scanner: finished at 2008-08-02 14:40:50 ------------ Oder hilft da nur eine Formatierung? An der Hardware vom Router usw. kann es eigentlich nicht liegen denke ich, da der Download auch voll funktioniert. MfG |
|
02.08.2008, 14:51
| #2 |
| /// Winkelfunktion /// TB-Süch-Tiger™   |  Upload nahezu nicht vorhanden, Surfen eine Plage Hallo
__________________Wo wurde der shark gefunden? Der shark ist ein Backdoor, d.h. wenn tatsächtlich ein solcher Befall vorliegt ist ein Neuaufsetzen angesagt. Code:
ATTFilter [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F90F0706-E0C0-EF53-B7E4-CD62C00106D0}]
C:\WINDOWS\system32\winupdt.exe
Laß bitte auch mal zusätzlich dieses MBR-Tool durchlaufen und poste die Ausgabe.
__________________ |
|
02.08.2008, 15:08
| #3 |
| | Upload nahezu nicht vorhanden, Surfen eine Plage Hallo root24
__________________Leider hat Spybot das nicht angezeigt wo er den gefunden hat. Daher keine Ahnung. Hab die Datei gesucht, gibts aber nicht mehr im system32 Ordner. Und das Tool liefert dies: Code:
ATTFilter Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
Das hab ich im Spybot Bericht gefunden: Code:
ATTFilter Win32.Shark.af: [SBI $C9E79D2E] Benutzereinstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_USERS\S-1-5-21-507921405-1644491937-725345543-1003\Software\VB and VBA Program Settings\Windows Update
Geändert von habla2k (02.08.2008 um 15:15 Uhr) |
|
02.08.2008, 15:14
| #4 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Upload nahezu nicht vorhanden, Surfen eine Plage Ok. Da müssen wir weiter in Deinem System stöbern. Dein MBR ist anscheinend ok. Mach mal bitte Durchläufe mit 1.) Blacklight 2.) Silentrunners 3.) Combofix (Anleitung unten, genau beachten!!!) 4.) Malwarebytes Und poste die Logfile wieder mit Codetags umschlossen. Anleitung ComboFix Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
02.08.2008, 15:21
| #5 |
| | Upload nahezu nicht vorhanden, Surfen eine Plage Blacklight habe ich schon benutzt, hat nichts gefunden. Silentrunners hab ich nicht zum Laufen bekommen weil das nur ne .vbs Datei war. Malwarebytes hab ich auch schon gemacht hat 2 Sachen gefunden aber nicht den Shark. Die 2 anderen kleineren Sachen wurden auch behoben. Combofix mach ich dann jetzt mal. |
|
02.08.2008, 15:26
| #6 | |
| /// Winkelfunktion /// TB-Süch-Tiger™ |  Upload nahezu nicht vorhanden, Surfen eine PlageZitat:
 Wenn das nicht funktioniert solltest Du zumindest die Fehlermeldung posten, sonst kann ich Dir nicht helfen.
__________________ --> Upload nahezu nicht vorhanden, Surfen eine Plage |
|
02.08.2008, 15:43
| #7 |
| | Upload nahezu nicht vorhanden, Surfen eine Plage Ja lief jetzt auch, Problem vorher war, dass Firefox die vbs Datei geöffnet hat anstatt runterzuladen. Hier also die Ergebnisse: Silentrunner: Code:
ATTFilter "Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AWMON" = ""D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"" ["Lavasoft Sweden"]
"TuneUp MemOptimizer" = ""D:\TuneUp Utilities 2007\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]
"StartCCC" = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [file not found]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"Logitech Hardware Abstraction Layer" = ""C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE"" ["Logitech Inc."]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"NeroFilterCheck" = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"FreePDF Assistant" = "C:\Programme\FreePDF_XP\fpassist.exe" [null data]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
-> {HKLM...CLSID} = "AVG Safe Search"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Anmelde-Hilfsprogramm"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "Eigene Logitech-Bilder"
-> {HKLM...CLSID} = "Eigene Logitech-Bilder"
\InProcServer32\(Default) = "C:\Programme\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "KbLogiExt Class"
\InProcServer32\(Default) = "C:\Programme\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
-> {HKLM...CLSID} = "LogiExt Class"
\InProcServer32\(Default) = "C:\Programme\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "D:\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "C:\Programme\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Meine freigegebenen Ordner"
\InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "D:\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "C:\Programme\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
DaemonShellExtImage\(Default) = "{40966797-8FFE-46C8-9EF8-7003F33CCF0F}"
-> {HKLM...CLSID} = "DaemonShellExtImage Class"
\InProcServer32\(Default) = "D:\DAEMON Tools Pro\imgshl32.dll" ["DT Soft Ltd."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "D:\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "D:\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG8 Shell Extension Class"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "D:\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "D:\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Default executables:
--------------------
HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoCDBurning" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoSMBalloonTip" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\a\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
ImgBurnCDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOBUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnCDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOWRITE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnDVDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOBUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnDVDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOWRITE /DEST "%1"" ["LIGHTNING UK!"]
iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""D:\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]
iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""D:\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]
iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""D:\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]
iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""D:\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]
LogitechQuickSync\
"Provider" = "Logitech QuickSync"
"InvokeProgID" = "Applications\QSync.exe"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Applications\QSync.exe\shell\open\command\(Default) = "C:\Programme\Logitech\Video\QSync.exe" ["Logitech Inc."]
MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]
NeroAutoPlay7AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]
NeroAutoPlay7CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe -w /New:AudioCD" ["Nero AG"]
NeroAutoPlay7CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]
NeroAutoPlay7DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "DataDisc_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\DataDisc_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe -w /New:ISODisc" ["Nero AG"]
NeroAutoPlay7LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "LaunchNeroStartSmart_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]
NeroAutoPlay7PlayAudioCD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]
NeroAutoPlay7PlayDVD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]
NeroAutoPlay7RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]
NeroAutoPlay7TranscodeVideo\
"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]
NeroAutoPlay7VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Programme\Nero\Nero 7\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
NeroAutoPlay7ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]
RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]
RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]
RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."]
RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."]
RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]
VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]
VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]
WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "D:\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
Startup items in "Ryan" & "All Users" startup folders:
------------------------------------------------------
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Logitech SetPoint" -> shortcut to: "C:\Programme\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
Enabled Scheduled Tasks:
------------------------
"1-Klick-Wartung" -> launches: "D:\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
|
|
02.08.2008, 15:45
| #8 |
| | Upload nahezu nicht vorhanden, Surfen eine Plage Sorry wegen Doppelpost aber die Logs sind zu groß und passen nicht in einen Beitrag: Teil 2: Code:
ATTFilter Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\
"ButtonText" = "PartyPoker.com"
"MenuText" = "PartyPoker.com"
"Exec" = "D:\PartyGaming\PartyPoker\RunApp.exe" [empty string]
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" [file not found]
{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]
{F4430FE8-2638-42E5-B849-800749B94EED}\
"ButtonText" = "PartyPoker.net"
"MenuText" = "PartyPoker.net"
"Exec" = "D:\PartyGaming.Net\PartyPokerNet\RunPF.exe" [file not found]
Miscellaneous IE Hijack Points
------------------------------
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Capture Device Service, Capture Device Service, ""C:\Programme\Gemeinsame Dateien\InterVideo\DeviceService\DevSvc.exe"" ["InterVideo Inc."]
Messenger USN Journal Reader-Service für freigegebene Ordner, usnjsvc, ""C:\Programme\Windows Live\Messenger\usnsvc.exe"" [MS]
NMIndexingService, NMIndexingService, ""C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]
O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Programme\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Redirected Port\Driver = "redmonnt.dll" [null data]
---------- (launch time: 2008-08-02 16:24:19)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 35 seconds, including 11 seconds for message boxes)
Code:
ATTFilter ComboFix 08-08-01.04 - Ryan 2008-08-02 16:32:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.1356 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\a\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Dokumente und Einstellungen\a\new.txt
.
((((((((((((((((((((((( Dateien erstellt von 2008-07-02 bis 2008-08-02 ))))))))))))))))))))))))))))))
.
2008-08-02 14:08 . 2008-08-02 14:08 250 --a------ C:\WINDOWS\gmer.ini
2008-08-02 04:56 . 2008-08-02 04:56 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-02 04:56 . 2008-08-02 04:56 <DIR> d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\Malwarebytes
2008-08-02 04:56 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 04:56 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 04:47 . 2008-08-02 04:47 <DIR> d-------- C:\Deckard
2008-08-01 11:31 . 2008-08-02 02:12 23,552 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-07-21 20:20 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-07-21 20:20 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-07-21 20:20 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-07-21 20:20 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-07-21 20:20 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-07-21 20:20 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-07-21 20:20 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-07-21 20:20 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-07-21 20:20 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-07-21 20:20 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-07-02 11:24 . 2008-07-02 11:24 <DIR> d-------- C:\Programme\TiffSplitter
2008-07-02 11:21 . 2008-07-02 11:21 <DIR> d-------- C:\Programme\MainMedia
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 14:29 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-08-02 02:06 --------- d-----w C:\Programme\DivX
2008-08-02 02:06 --------- d-----w C:\Programme\bfgclient
2008-08-02 02:06 --------- d-----w C:\Programme\Avanquest update
2008-08-02 01:22 --------- d-----w C:\Dokumente und Einstellungen\a\Anwendungsdaten\Skype
2008-07-26 14:35 --------- d-----w C:\Programme\Wisdom-soft AutoScreenRecorder Free
2008-07-26 09:39 --------- d-----w C:\Dokumente und Einstellungen\a\Anwendungsdaten\uTorrent
2008-07-18 17:20 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help
2008-07-06 14:33 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-07-04 07:09 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 07:09 10,520 ----a-w C:\WINDOWS\system32\avgrsstx.dll
2008-07-01 16:47 --------- d-----w C:\Programme\ICQ6
2008-07-01 16:47 --------- d-----w C:\Dokumente und Einstellungen\a\Anwendungsdaten\ICQ
2008-06-21 00:08 --------- d-----w C:\Programme\AIM6
2008-06-20 17:39 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:57 273,024 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 20:00 --------- d-----w C:\Programme\Gemeinsame Dateien\PlayOnline
2008-06-06 19:45 --------- d-----w C:\Programme\PlayOnline
2008-06-06 16:45 --------- d-----w C:\Programme\Gemeinsame Dateien\buhl data service
2008-06-06 15:44 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-06 15:18 --------- d-----w C:\Programme\Gemeinsame Dateien\BioWare
2008-06-05 18:45 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL OCP
2008-06-05 18:43 --------- d-----w C:\Programme\Viewpoint
2008-06-05 18:43 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Viewpoint
2008-05-07 05:14 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00 15360]
"AWMON"="D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 12:12 517632]
"TuneUp MemOptimizer"="D:\TuneUp Utilities 2007\MemOptimizer.exe" [2007-04-26 20:08 313352]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14 147456]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"Logitech Hardware Abstraction Layer"="C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 13:03 94208]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-04-25 21:05 311296]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 13:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 14:00 15360]
C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
Logitech SetPoint.lnk - C:\Programme\Logitech\SetPoint\SetPoint.exe [2007-01-06 19:10:51 671744]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll
[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup
[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^a^Startmenü^Programme^Autostart^Adobe Gamma.lnk]
path=C:\Dokumente und Einstellungen\a\Startmenü\Programme\Autostart\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 15:44 196608 C:\Programme\Logitech\Video\ManifestEngine.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 16:24 458752 C:\Programme\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 16:14 217088 C:\Programme\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Programme\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 14:03 36975 C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-11-15 12:20 77824 C:\WINDOWS\SOUNDMAN.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"=C:\Programme\Gemeinsame Dateien\AOL\1159212728\ee\AOLSoftware.exe
"IPHSend"=C:\Programme\Gemeinsame Dateien\AOL\IPHSend\IPHSend.exe
"MessengerPlus3"="C:\Programme\MessengerPlus! 3\MsgPlus.exe"
"iTunesHelper"="D:\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"NeroFilterCheck"=C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
"FreePDF Assistant"=C:\Programme\FreePDF_XP\fpassist.exe
"AtiPTA"=atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\NetMeeting\\conf.exe"=
"D:\\Steam\\SteamApps\\son-goku@cs-maddogs.de\\counter-strike\\hl.exe"=
"D:\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Programme\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Programme\\Gemeinsame Dateien\\AOL\\Loader\\aolload.exe"=
"C:\\Programme\\Gemeinsame Dateien\\AOL\\1159212728\\ee\\aolsoftware.exe"=
"C:\\Programme\\Gemeinsame Dateien\\AOL\\1159212728\\ee\\aim6.exe"=
"D:\\mIRC\\mirc.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Programme\\Gemeinsame Dateien\\Ahead\\Nero Web\\SetupX.exe"=
"D:\\downloads\\utorrent.exe"=
"D:\\iTunes\\iTunes.exe"=
"C:\\Programme\\Motorola\\Software Update\\msu.exe"=
"D:\\eMule\\emule.exe"=
"D:\\Codemasters\\Der Herr der Ringe Online\\lotroclient.exe"=
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programme\\AVG\\AVG8\\avgupd.exe"=
"D:\\Mass Effect\\Binaries\\MassEffect.exe"=
"D:\\Mass Effect\\MassEffectLauncher.exe"=
"C:\\Programme\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"D:\\Skype\\Phone\\Skype.exe"=
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 09:09]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 09:09]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 13:32]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-03-11 13:58]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2002-12-31 14:00]
R2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [2004-11-14 13:01]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Programme\Viewpoint\Common\ViewpointService.exe [2007-01-04 23:38]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys []
S3 npkycryp;npkycryp;D:\RO\npkycryp.sys []
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [2006-03-20 18:34]
S3 scramby_out;Scramby Output;C:\WINDOWS\system32\drivers\scramby_out.sys [2007-08-08 09:31]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys []
S3 xlink;XLINK Driver (xlink.sys);C:\WINDOWS\system32\Drivers\xlink.sys [2003-01-31 19:41]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bdb6542-a1ab-11da-b414-806d6172696f}]
\Shell\AutoRun\command - E:\ASUSACPI.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98ce8efa-c862-11da-b1ec-0015f23c72ef}]
\Shell\AutoRun\command - F:\BSAutoRun.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
*Newly Created Service* - MBR
*Newly Created Service* - PROCEXP90
*Newly Created Service* - RKREVEAL150
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F90F0706-E0C0-EF53-B7E4-CD62C00106D0}]
C:\WINDOWS\system32\winupdt.exe
.
Inhalt des "geplante Tasks" Ordners
2008-08-01 C:\WINDOWS\Tasks\1-Klick-Wartung.job
- D:\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-26 20:08]
2008-05-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2007-07-25 13:15]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
HKCU-Run-StartCCC - C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
HKLM-Run-AVG7_CC - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
HKU-Default-Run-TuneUp MemOptimizer - C:\Programme\TuneUp Utilities 2004\MemOptimizer.exe
MSConfigStartUp-DAEMON Tools - C:\Programme\DAEMON Tools\daemon.exe
MSConfigStartUp-ICQ Lite - C:\Programme\ICQLite\ICQLite.exe
MSConfigStartUp-iTunesHelper - C:\Programme\iTunes\iTunesHelper.exe
.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\a\Anwendungsdaten\Mozilla\Firefox\Profiles\0by4rerz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.de/ig?hl=de
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Programme\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Programme\Yahoo!\Shared\npYState.dll
FF -: plugin - D:\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - D:\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - D:\DivX\DivX Web Player\npdivx32.dll
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 16:34:00
Windows 5.1.2600 Service Pack 2 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
Zeit der Fertigstellung: 2008-08-02 16:34:45
ComboFix-quarantined-files.txt 2008-08-02 14:34:30
Pre-Run: 5,237,829,632 Bytes frei
Post-Run: 5,225,406,464 Bytes frei
234 --- E O F --- 2008-07-18 17:20:31
|
|
02.08.2008, 18:10
| #9 | |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Upload nahezu nicht vorhanden, Surfen eine PlageCode:
ATTFilter C:\WINDOWS\system32\SVKP.sys
D:\RO\npkycryp.sys
C:\WINDOWS\system32\drivers\scramby_out.sys
C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
Zitat:
__________________ Logfiles bitte immer in CODE-Tags posten |
|
02.08.2008, 19:23
| #10 |
| | Upload nahezu nicht vorhanden, Surfen eine Plage ok also hier die dateien: SVKP.sys: Code:
ATTFilter AhnLab-V3 2008.7.29.1 2008.08.02 -
AntiVir 7.8.1.15 2008.08.01 -
Authentium 5.1.0.4 2008.08.01 -
Avast 4.8.1195.0 2008.08.02 -
AVG 8.0.0.156 2008.08.01 -
BitDefender 7.2 2008.08.02 -
CAT-QuickHeal 9.50 2008.08.02 TrojanSpy.Joiner.av
ClamAV 0.93.1 2008.08.02 -
DrWeb 4.44.0.09170 2008.08.02 -
eSafe 7.0.17.0 2008.07.29 -
eTrust-Vet 31.6.6002 2008.08.02 -
Ewido 4.0 2008.08.02 -
F-Prot 4.4.4.56 2008.08.01 -
F-Secure 7.60.13501.0 2008.08.02 -
Fortinet 3.14.0.0 2008.08.02 -
GData 2.0.7306.1023 2008.08.02 -
Ikarus T3.1.1.34.0 2008.08.02 -
K7AntiVirus 7.10.402 2008.08.02 Backdoor.Win32.Hupigon.cvky
Kaspersky 7.0.0.125 2008.08.02 -
McAfee 5352 2008.08.01 -
Microsoft 1.3807 2008.08.02 -
NOD32v2 3318 2008.08.01 -
Norman 5.80.02 2008.08.01 -
Panda 9.0.0.4 2008.08.02 -
PCTools 4.4.2.0 2008.08.02 -
Prevx1 V2 2008.08.02 -
Rising 20.55.42.00 2008.08.02 -
Sophos 4.31.0 2008.08.02 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.02 -
TheHacker 6.2.96.391 2008.07.31 -
TrendMicro 8.700.0.1004 2008.08.01 -
VBA32 3.12.8.2 2008.08.02 -
ViRobot 2008.8.1.1321 2008.08.01 Trojan.Win32.Joiner.2368
VirusBuster 4.5.11.0 2008.08.02 -
Webwasher-Gateway 6.6.2 2008.08.02 -
weitere Informationen
File size: 2368 bytes
MD5...: f05028b163b92c302a74409d683ac9b0
SHA1..: 74a943b9f3bf63f8de5c3175f96366b24a661067
SHA256: c43a744c18d12b8214e75f67c557974564f24ec318807bbe796b26619fce7154
SHA512: 6b03105a7ea5ae7ddd88ec83a4fbd12e495bbc21ab90484cfadf178583771ee9
a059823500b3d2c485600d0bc3b2455144ef5ffc651b44566c7f1b737a5d2cb5
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1043c
timedatestamp.....: 0x3e6cafde (Mon Mar 10 15:31:42 2003)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2a0 0x110 0x120 5.12 7dad7d6ca221d6725388d90f719d0c20
.data 0x3c0 0x28 0x40 1.74 e741cf2e01e1bea59fcfd4a89d4358ad
INIT 0x400 0x18a 0x1a0 5.03 7b36305b5ff4cad3eeaca307bbb0fd60
.rsrc 0x5a0 0x350 0x360 3.18 46fab0e7c9b34889fdfead1c6e17eae8
.reloc 0x900 0x34 0x40 3.39 a963ac053cb6e23a9fbf797befe868bb
( 1 imports )
> ntoskrnl.exe: IoCreateDevice, IoCreateSymbolicLink, IoDeleteDevice, IoDeleteSymbolicLink, RtlInitUnicodeString, IoCompleteRequest
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=f05028b163b92c302a74409d683ac9b0
gibts nicht oder nichtmehr scramby_out.sys: nichts gefunden File size: 23840 bytes MD5...: ccb29acf557f7172367647b30fd21dbe SHA1..: 854494bfdef1e64fd9182a0cf71e561d91f147b8 SHA256: af06d24a6908f9933597f436b743bbccce63618e2c715a4df4c054039f1c0341 SHA512: cfde7bf5cff79b04a4973c2b947058f3bc283e8510737ec75ca41b26e0ca67e1 a3c75da81399da9f00b5abbe791a45a84057928c97baa9a34e7afdc0d9c093f1 PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x137c7 timedatestamp.....: 0x46b87f8f (Tue Aug 07 14:19:59 2007) machinetype.......: 0x14c (I386) ( 7 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x480 0xd98 0xe00 5.79 8b5a25e9311cf8ed17e99c89812b5367 .rdata 0x1280 0x627 0x680 5.59 a1369f461d679fdacf7001a2bdeeea39 .data 0x1900 0x670 0x680 2.64 cf11092ac8b0651f9af4ed4d17b8d53e PAGE 0x1f80 0x17d6 0x1800 6.24 8ae4b2ef80a88a88b674626578980c3c INIT 0x3780 0x3ea 0x400 5.37 7d646d5a3301861fbee0a90c94660690 .rsrc 0x3b80 0x440 0x480 3.16 11831da9775e0c0756548e339c96f4d9 .reloc 0x4000 0x2dc 0x300 5.79 35bd7704bcb40b3f98225fe69d5002a7 ( 2 imports ) > ntoskrnl.exe: ExFreePool, IofCompleteRequest, ExAllocatePoolWithTag, KeQueryInterruptTime, KeInitializeMutex, _purecall, KeCancelTimer, _alldiv, _allmul, KeSetTimerEx, KeInitializeTimerEx, KeInitializeDpc, KeReleaseMutex, KeWaitForSingleObject, IoDeleteSymbolicLink, IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, IoDeleteDevice, KeTickCount, RtlAssert, InterlockedIncrement, InterlockedDecrement > portcls.sys: PcRegisterPhysicalConnection, PcRegisterAdapterPowerManagement, PcDispatchIrp, PcAddAdapterDevice, PcInitializeAdapterDriver, PcNewServiceGroup, PcNewMiniport, PcRegisterSubdevice, PcNewPort ( 0 exports ) ScreamingBAudio.sys: gibts nicht oder nichtmehr das mit der JRE wird erledigt |
|
02.08.2008, 19:29
| #11 |
| /// Winkelfunktion /// TB-Süch-Tiger™ |  Upload nahezu nicht vorhanden, Surfen eine Plage Löschen wir die beiden Objekte mit dem Avenger. Sind die wirklich nicht vorhanden wird der Avenger das protokollieren: Anleitung Avenger (by swandog46) Lade dir das Tool Avenger und speichere es auf dem Desktop:
Code:
ATTFilter files to delete:
C:\WINDOWS\system32\SVKP.sys
D:\RO\npkycryp.sys
folders to delete:
D:\RO
__________________ Logfiles bitte immer in CODE-Tags posten |
|
02.08.2008, 19:48
| #12 |
| | Upload nahezu nicht vorhanden, Surfen eine Plage ok ergebnis: Code:
ATTFilter Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\SVKP.sys" deleted successfully.
Error: file "D:\RO\npkycryp.sys" not found!
Deletion of file "D:\RO\npkycryp.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Folder "D:\RO" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Bei speedtests, kein oder nahezu kein Upload. Mir ist eben nach dem Reboot aufgefallen dass kurz das Auto-Update von Windows an war zumindest das Symbol da war aber direkt wieder weg und hat nichts getan. Ist das Normal? Und eben hat der Rechner angefangen zu rattern da hab ich mir dir Prozesse angesehen und eine cmd.exe sowie einezip.exe gesehen. Diese Prozesse sind nun aber auch schonwieder weg und scheinbar auch nirgends zu finden. |
|
02.08.2008, 19:57
| #13 | |||
| /// Winkelfunktion /// TB-Süch-Tiger™ | Upload nahezu nicht vorhanden, Surfen eine PlageZitat:
Zitat:
Zitat:
__________________ Logfiles bitte immer in CODE-Tags posten |
|
03.08.2008, 01:30
| #14 |
| | Upload nahezu nicht vorhanden, Surfen eine Plage Nein wenn ich nichts tue, werden weder Pakete gesendet im Verbindungsstatus, noch blinkt der Router oder das Modem. Alles sehr seltsam, vielleicht doch ein Verbdinungsporblem? Ich werde morgen die Upload speedtests mal vom anderen Rechner aus versuchen und mal sehen ob das Rechner abhängig ist das Problem. |
|
03.08.2008, 09:32
| #15 |
| | Upload nahezu nicht vorhanden, Surfen eine Plage So neue Erkenntnisse, scheinbar liegt es am Router, habe nämlich eben mal den Rechner direkt am Modem angeschlossen und da läuft alles super. |
|
| Themen zu Upload nahezu nicht vorhanden, Surfen eine Plage |
| ad-aware, adobe, avg, bho, components, desktop, dll, einstellungen, excel, explorer, extrem langsam, hijack, hijackthis, hkus\s-1-5-18, installation, internet, internet explorer, konvertieren, langsam, neustart, nicht vorhanden, pdf-datei, programme, registry, rundll, scan, schannel.dll, software, surfen, system, urlsearchhook, windows, windows xp, winupd |
Linear-Darstellung
