Pests of all kinds and how to fight them: Trojan.Agent
25.08.2008, 18:23 | #1 | Pulpit

Trojan.Agent

Hello Trojan experts,

I used a USB stick which, as it later turned out, came from a user whose PC is infested with Trojans. The owner of the USB stick is fighting a Vundo.Gen, an Agent.VB.H.1 and a Crypt.XPack.Gen. After using the stick I had my PC (Windows XP Service Pack 3 + Windows Firewall) scanned with Avira AntiVir and Malwarebytes' Anti-Malware. Only the latter program found something:

Code:
Infizierte Dateien:
C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

In another thread I read that an AVZ report might be useful. I have uploaded such a report file (created following the instructions from "undoreal") at the following link: http://rapidshare.com/files/140035589/avz_sysinfo.zip

For further evaluation I also attach a HijackThis report:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:00:14, on 25.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Acer\eManager\anbmServ.exe
C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\ePM\EPM-DM.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Launch Manager\QtZgAcer.EXE
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
C:\Programme\Microsoft IntelliPoint\point32.exe
C:\Programme\MozyHome\mozybackup.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\LVComSX.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\GMX\GMX Upload-Manager\DAVSRV.EXE
C:\Programme\MSI\ArcSoft\TotalMedia\TMMonitor.exe
C:\Programme\MozyHome\mozystat.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Opera\opera.exe
C:\Programme\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uni-greifswald.de:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Asz.Citavi.IEPicker.IEPickerButton - {609D670F-B735-4da7-AC6D-F3BD358E325E} - C:\WINDOWS\system32\mscoree.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Programme\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GMX_GMX Upload-Manager] "C:\Programme\GMX\GMX Upload-Manager\DAVSRV.EXE" /hide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: TMMonitor.lnk = C:\Programme\MSI\ArcSoft\TotalMedia\TMMonitor.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Programme\MozyHome\mozystat.exe
O8 - Extra context menu item: &Citavi Picker... - file://C:\Programme\Internet Explorer\PLUGINS\Citavi Picker\ShowContextMenu.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Citavi Picker - {619D670F-B735-4da7-AC6D-F3BD358E325E} - C:\WINDOWS\system32\mscoree.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167490157540
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - h**p://www.arcor.de/vod/dmd/WMDownload.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - h**p://game12.zylom.com/activex/zylomgamesplayer.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LVSrvLauncher - Labtec Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Programme\MozyHome\mozybackup.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

--
End of file - 10624 bytes
26.08.2008, 18:01 | #2 | /// Winkelfunktion /// TB-Süch-Tiger™

Trojan.Agent

Hello and

Were there executable files on the stick, i.e. any programs or setups that you also ran? The HijackThis logfile looks okay; for the AVZ one, though, I would need longer to say anything.
27.08.2008, 08:36 | #3

Only .jpg files

Hello root24,

no, the USB stick contained only .jpg files, which I copied into my pictures folder. My AntiVir did not raise an alarm while doing so. Only after I learned that the owner of the USB stick has problems with Trojans did I have the aforementioned antivirus software scan. Many thanks for your help. I'm curious whether you find anything remarkable in the AVZ report file...

Best regards,
Pulpit
27.08.2008, 16:25 | #4 | /// Winkelfunktion /// TB-Süch-Tiger™

Trojan.Agent

The files found by MBAM do not necessarily have to come from the USB stick; perhaps you already had them before. Work through these points for further analysis:

A.) Run this MBR tool and post the output
B.) Run Blacklight and post the logfiles
C.) ComboFix: A guide and tutorial on using ComboFix

ComboFix may only be run if a competent helper has expressly recommended it! Note: ComboFix disables the autostart function of all CD/DVD and USB drives in order to contain any spreading. If this causes problems, post them in the thread.

Please post the logfiles enclosed in code tags (#-button), i.e. like this:

HTML-Code:
[code] Put the logfile here! [/code]

Upload this listing.txt e.g. to File-Upload.net and link it here, since this logfile is too big for the board.

__________________
Please always post logfiles in CODE tags
27.08.2008, 17:26 | #5

Trojan.Agent

Hello root24, below is all the requested information.

MBR tool:

Code:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Code:
08/27/08 17:54:15 [Info]: BlackLight Engine 1.0.70 initialized
08/27/08 17:54:15 [Info]: OS: 5.1 build 2600 (Service Pack 3)
08/27/08 17:54:15 [Note]: 7019 4
08/27/08 17:54:15 [Note]: 7005 0
08/27/08 17:54:18 [Note]: 7006 0
08/27/08 17:54:18 [Note]: 7011 3212
08/27/08 17:54:18 [Note]: 7035 0
08/27/08 17:54:18 [Note]: 7026 0
08/27/08 17:54:18 [Note]: 7026 0
08/27/08 17:54:20 [Note]: FSRAW library version 1.7.1024
08/27/08 17:55:03 [Note]: 2000 1012
08/27/08 17:55:03 [Note]: 2000 1012
08/27/08 17:55:36 [Note]: 7007 0

ComboFix:

Code:
ComboFix 08-08-26.03 - Mustermann 2008-08-27 18:09:38.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.605 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Mustermann\Desktop\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\rtl60.bpl

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IPRIP
-------\Service_6to4
-------\Service_Iprip


((((((((((((((((((((((( Dateien erstellt von 2008-07-27 bis 2008-08-27 ))))))))))))))))))))))))))))))
.

2008-11-05 18:11 . 2008-11-05 18:11 <DIR> d-------- C:\Programme\Avira
2008-08-27 13:34 . 2008-08-27 13:34 <DIR> d-------- C:\Dokumente und Einstellungen\Mustermann\Anwendungsdaten\UpdateStar
2008-08-27 13:22 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-27 13:21 . 2008-08-27 13:21 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Java
2008-08-27 12:22 . 2008-08-27 12:22 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-08-27 12:22 . 2008-08-27 12:22 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-08-25 18:59 . 2008-08-25 19:00 <DIR> d-------- C:\Programme\Trend Micro
2008-08-25 17:52 . 2008-08-25 17:52 <DIR> d-------- C:\Programme\CCleaner
2008-08-25 12:32 . 2008-08-25 12:32 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-08-25 12:32 . 2008-08-25 12:32 <DIR> d-------- C:\Dokumente und Einstellungen\Mustermann\Anwendungsdaten\Malwarebytes
2008-08-25 12:32 . 2008-08-25 12:32 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-25 12:32 . 2008-04-11 21:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-25 12:32 . 2008-05-01 16:34 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-25 12:32 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-25 12:32 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-29 08:43 7,680 ----a-w C:\WINDOWS\system32\uigxnp.dll
2008-07-29 08:43 149,120 ----a-w C:\WINDOWS\system32\drivers\uigxrdr.SYS
2008-07-14 15:25 53,752 ----a-w C:\WINDOWS\system32\drivers\mozy.sys
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-07-05 17:49 --------- d-----w C:\Programme\Diablo II Shareware
2008-06-24 16:42 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:42 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 08:14 3,592,192 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:46 247,296 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46 247,296 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 17:32 273,024 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 16:23 720,896 ----a-w C:\WINDOWS\iun6002.exe
2008-04-28 07:43 0 ----a-w C:\Programme\Citavi.txt
2007-12-18 14:51 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2006-03-30 09:10 42,928 ----a-w C:\Dokumente und Einstellungen\Mustermann\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-04-29 17:06 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008042920080430\index.dat

.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4A9D-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2008-07-14 17:26 2405680 --a------ C:\Programme\MozyHome\mozyshell1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2008-07-14 17:26 2405680 --a------ C:\Programme\MozyHome\mozyshell1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 07:52 15360]
"GMX_GMX Upload-Manager"="C:\Programme\GMX\GMX Upload-Manager\DAVSRV.EXE" [2008-07-29 10:44 909312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2004-05-20 19:57 98304]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2004-05-20 19:57 532480]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 05:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 05:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 05:00 455168]
"EPM-DM"="C:\Acer\ePM\EPM-DM.exe" [2004-11-03 18:11 163840]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2004-11-03 17:45 2883584]
"LManager"="C:\Programme\Launch Manager\QtZgAcer.EXE" [2004-07-30 04:30 319488]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2004-08-06 16:48 385024]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2004-08-06 16:52 356352]
"IntelliPoint"="C:\Programme\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50 204800]
"LVCOMSX"="C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\LVComSX.exe" [2007-03-06 17:51 252704]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 19:45 266497]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-06-26 20:27 312320]
"ISUSPM"="C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" [2006-03-20 17:34 213936]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 20:42 116040]
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 07:53 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 07:52 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-08-06 16:48 110592 C:\Programme\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\World of Warcraft\\Launcher.exe"=
"C:\\Programme\\Zattoo\\zattood.exe"=
"C:\\Programme\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Programme\\Zattoo\\Zattoo.exe"=
"D:\\SpieleZeugs\\Civilization 4\\GameDateien\\Civilization4.exe"=
"D:\\SpieleZeugs\\Civilization 4\\GameDateien\\Warlords\\Civ4Warlords.exe"=
"D:\\SpieleZeugs\\Civilization 4\\GameDateien\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Programme\\Teamspeak\\TeamSpeak.exe"=
"C:\\Programme\\MozyHome\\mozystat.exe"=
"C:\\Programme\\MozyHome\\mozyconf.exe"=
"C:\\Programme\\Zattoo\\Zattoo1.exe"=
"C:\\Programme\\Zattoo\\Zattoo2.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows-Peer-zu-Peer-Gruppierung
"3540:UDP"= 3540:UDP:Peer Name Resolution-Protokoll (PNRP)
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 mozyFilter;mozyFilter;C:\WINDOWS\system32\DRIVERS\mozy.sys [2008-07-14 17:25]
R1 SMBHC;Microsoft SM Bus-Hostcontrollertreiber;C:\WINDOWS\system32\DRIVERS\SMBHC.sys [2001-08-17 13:57]
R1 SSHDRV76;SSHDRV76;C:\WINDOWS\system32\drivers\SSHDRV76.sys [2007-05-04 18:23]
R1 uigxrdr;uigxrdr;C:\WINDOWS\system32\DRIVERS\uigxrdr.sys [2008-07-29 10:43]
R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2004-09-02 17:27]
R2 NMSAccessU;NMSAccessU;C:\Programme\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2004-06-01 11:50]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2004-06-01 11:50]
R3 SMBBATT;Microsoft Smart Battery-Treiber;C:\WINDOWS\system32\DRIVERS\SMBBATT.sys [2008-04-14 00:06]
S3 AF15BDA;AF9015 BDA Filter;C:\WINDOWS\system32\Drivers\AF15BDA.sys [2006-09-28 11:47]
S3 DMSKSSRh;DMSKSSRh;C:\DOKUME~1\SEBAST~1\LOKALE~1\Temp\DMSKSSRh.sys []
S3 MACNDIS5;MACNDIS5 NDIS Protocol Driver;C:\PROGRA~1\GEMEIN~1\MARMIK~1\MACNDIS5.SYS []
S3 p2pgasvc;Peernetzwerk-Gruppenauthentifizierung;C:\WINDOWS\system32\svchost.exe [2008-04-14 07:53]
S3 p2pimsvc;Peernetzwerkidentitäts-Manager;C:\WINDOWS\system32\svchost.exe [2008-04-14 07:53]
S3 p2psvc;Peernetzwerk;C:\WINDOWS\system32\svchost.exe [2008-04-14 07:53]
S3 PLCMPR5;PLCMPR5 NDIS Protocol Driver;C:\WINDOWS\system32\PLCMPR5.SYS []
S3 PNRPSvc;Peer Name Resolution-Protokoll;C:\WINDOWS\system32\svchost.exe [2008-04-14 07:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33bc64e0-70e6-11dd-b6bd-000e3582b57f}]
\Shell\AutoRun\command - F:\2.cmd
\Shell\explore\Command - F:\2.cmd
\Shell\open\Command - F:\2.cmd

.
Inhalt des "geplante Tasks" Ordners

2008-08-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Mustermann\Anwendungsdaten\Mozilla\Firefox\Profiles\7nln0oxh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\np_gp.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npExentCtl.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\NPinfotl.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - C:\Programme\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 18:15:35
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere, laufende Prozesse ------------------------
.
C:\PROGRAMME\INTEL\WIRELESS\BIN\EVTENG.EXE
C:\PROGRAMME\INTEL\WIRELESS\BIN\S24EVMON.EXE
C:\PROGRAMME\LAVASOFT\AD-AWARE 2007\AAWSERVICE.EXE
C:\PROGRAMME\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE
C:\PROGRAMME\INTEL\WIRELESS\BIN\ZCFGSVC.EXE
C:\PROGRAMME\INTEL\WIRELESS\BIN\1XCONFIG.EXE
C:\ACER\EMANAGER\ANBMSERV.EXE
C:\PROGRAMME\AVIRA\ANTIVIR PERSONALEDITION CLASSIC\SCHED.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
C:\PROGRAMME\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAMME\MOZYHOME\MOZYBACKUP.EXE
C:\PROGRAMME\INTEL\WIRELESS\BIN\OPROTSVC.EXE
C:\PROGRAMME\INTEL\WIRELESS\BIN\REGSRVC.EXE
C:\WINDOWS\SYSTEM32\TCPSVCS.EXE
C:\WINDOWS\SYSTEM32\SNMP.EXE
C:\WINDOWS\SYSTEM32\USTORSRV.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\PROGRAMME\MSI\ARCSOFT\TOTALMEDIA\TMMONITOR.EXE
C:\PROGRAMME\MOZYHOME\MOZYSTAT.EXE
C:\Programme\iPod\bin\iPodService.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-08-27 18:17:21 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-08-27 16:17:20

Pre-Run: 4,440,031,232 Bytes frei
Post-Run: 4,423,008,256 Bytes frei

219 --- E O F --- 2008-08-25 10:42:08

listing.txt: http://rapidshare.com/files/140565110/listing.txt

So, that should be everything for now.

Thanks again for your help, root24! I'm curious whether you find anything...

Best regards,
Pulpit
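Near the end of the ComboFix log above, the MountPoints2 key for volume {33bc64e0-70e6-11dd-b6bd-000e3582b57f} records AutoRun, explore and open handlers that all point at F:\2.cmd, a script in the root of a removable drive. Explorer writes these keys when it sees an autorun.inf on a volume, so they remain a useful trace of what a stick offered to run even after it has been unplugged. As an added example, not from the thread and not part of ComboFix, the following Python script pulls those entries out of a ComboFix log and flags the ones a helper would want to look at. The log excerpt embedded in it is constructed: the first key mirrors the entry above, the second is an invented, innocuous-looking entry for contrast.

```python
import re
from typing import Dict, List

# Constructed ComboFix excerpt: the first key mirrors the MountPoints2 entry in the
# log above, the second is an invented, innocuous-looking entry for contrast.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{33bc64e0-70e6-11dd-b6bd-000e3582b57f}]
\Shell\AutoRun\command - F:\2.cmd
\Shell\explore\Command - F:\2.cmd
\Shell\open\Command - F:\2.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-1111-2222-3333-444444444444}]
\Shell\open\Command - E:\Tools\Viewer\viewer.exe
"""

# A MountPoints2 key line as ComboFix prints it; group 1 is the volume GUID.
KEY_RE = re.compile(r"^\[HKEY_[^\]]*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
# A "\Shell\<verb>\command - <target>" value line underneath such a key.
CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+?)$", re.I)
# Extensions that execute as code but look harmless in an autorun.inf handler.
SCRIPT_EXT = {".cmd", ".bat", ".vbs", ".vbe", ".js", ".pif", ".scr", ".com"}


def parse_mountpoints(log_text: str) -> Dict[str, Dict[str, str]]:
    """Map each MountPoints2 volume GUID to its {verb: command target} handlers."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            entries[current] = {}
            continue
        if line.startswith("["):        # some other registry key: stop collecting
            current = None
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            entries[current][cmd.group(1).lower()] = cmd.group(2)
    return entries


def assess_entries(entries: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return the entries a reviewer should look at, each with the reasons why."""
    findings = []
    for guid, handlers in entries.items():
        reasons: List[str] = []
        if "autorun" in handlers:
            reasons.append("AutoRun verb registered for this volume")
        for verb, target in handlers.items():
            path = target.strip('"')
            ext = path[path.rfind("."):].lower() if "." in path else ""
            # A handler whose target sits directly in the drive root is the
            # typical layout of a stick carrying its own autorun.inf payload.
            if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
                reasons.append(f"{verb}: target sits in the drive root ({path})")
            if ext in SCRIPT_EXT:
                reasons.append(f"{verb}: script/legacy executable extension {ext}")
        if reasons:
            findings.append({"guid": guid, "handlers": handlers, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess_entries(parse_mountpoints(SAMPLE_LOG)):
        print(finding["guid"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the constructed excerpt, only the first key is reported; the second has no AutoRun verb, its target is not in a drive root and it is a plain .exe, so it produces no reasons. A finding is a pointer, not a verdict: the next step is to look at the file the handler names on the stick itself, which is what the helper does in this thread by asking for file hashes and VirusTotal results.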
27.08.2008, 17:48 | #6 | /// Winkelfunktion /// TB-Süch-Tiger™

Trojan.Agent

I'm already evaluating a few files. Make sure that all files are actually displayed to you, then have the following files evaluated at Virustotal.com and post all the results, in a way that the results of the individual virus scanners can be seen. Please include file sizes and checksums:

Code:
C:\WINDOWS\system32\drivers\uigxrdr.SYS
C:\WINDOWS\system32\drivers\mozy.sys
C:\Programme\Zattoo\zattood.exe
C:\Programme\Zattoo\zattoo.exe
C:\Programme\Zattoo\zattoo1.exe
C:\Programme\Zattoo\zattoo2.exe
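The request above asks for file sizes and checksums alongside the VirusTotal results. Computing them locally before uploading lets you confirm that the summary VirusTotal shows ("weitere Informationen" with File size, MD5, SHA1 and SHA256) really describes the file on your disk and not an earlier sample with the same name, and it gives the helper a fingerprint that works even when no scanner flags anything. As an added example, not from the thread and not from VirusTotal, the following Python script hashes a file the way the VirusTotal summary reports it and compares the two. The sample file contents and the summary text it checks against are constructed for the example.

```python
import hashlib
import io
import os
import re
import tempfile
from typing import Dict, List

HASHES = ("md5", "sha1", "sha256")


def fingerprint_stream(stream, chunk_size: int = 1 << 16) -> Dict[str, object]:
    """Size and MD5/SHA1/SHA256 of a binary stream, read in chunks so that a
    large driver or installer is never loaded into memory at once."""
    digests = {name: hashlib.new(name) for name in HASHES}
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for digest in digests.values():
            digest.update(chunk)
    result: Dict[str, object] = {name: d.hexdigest() for name, d in digests.items()}
    result["size"] = size
    return result


def fingerprint_bytes(data: bytes) -> Dict[str, object]:
    return fingerprint_stream(io.BytesIO(data))


def fingerprint_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        result = fingerprint_stream(fh)
    result["path"] = path
    return result


def format_report(fp: Dict[str, object]) -> str:
    """Render a fingerprint in the layout of the VirusTotal summary block."""
    return "\n".join([
        f"File: {fp.get('path', '<bytes>')}",
        f"File size: {fp['size']} bytes",
        f"MD5...: {fp['md5']}",
        f"SHA1..: {fp['sha1']}",
        f"SHA256: {fp['sha256']}",
    ])


# Fields as they appear in the summary block of a VirusTotal result page.
VT_FIELDS = {
    "size": re.compile(r"File size:\s*(\d+)\s*bytes", re.I),
    "md5": re.compile(r"MD5\.*:\s*([0-9a-f]{32})", re.I),
    "sha1": re.compile(r"SHA1\.*:\s*([0-9a-f]{40})", re.I),
    "sha256": re.compile(r"SHA256:\s*([0-9a-f]{64})", re.I),
}


def parse_vt_summary(text: str) -> Dict[str, object]:
    """Pull size and hashes out of a pasted VirusTotal summary block."""
    found: Dict[str, object] = {}
    for name, rx in VT_FIELDS.items():
        m = rx.search(text)
        if m:
            found[name] = int(m.group(1)) if name == "size" else m.group(1).lower()
    return found


def mismatches(local: Dict[str, object], remote: Dict[str, object]) -> List[str]:
    """Names of the fields the VirusTotal summary reports differently from the local file."""
    return [k for k in ("size",) + HASHES if k in remote and remote[k] != local[k]]


# Constructed: what the summary block would say for a file containing the bytes b"abc".
CONSTRUCTED_VT_SUMMARY = """weitere Informationen
File size: 3 bytes
MD5...: 900150983cd24fb0d6963f7d28e17f72
SHA1..: a9993e364706816aba3e25717850c26c9cd0d89d
SHA256: ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""


def demo() -> List[str]:
    """Write a constructed sample file, fingerprint it from disk and check it
    against the constructed summary; returns the field names that disagree."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.sys")   # constructed, not a real driver
        with open(sample, "wb") as fh:
            fh.write(b"abc")
        local = fingerprint_file(sample)
        print(format_report(local))
        return mismatches(local, parse_vt_summary(CONSTRUCTED_VT_SUMMARY))


if __name__ == "__main__":
    print("mismatched fields:", demo() or "none")
```

Paste the "weitere Informationen" block of a result page into `parse_vt_summary` and hand `fingerprint_file` the path that was uploaded; an empty list from `mismatches` means the verdicts belong to that exact file. A size match with differing hashes is the case worth noticing, since it is what a patched or repacked copy of a legitimate binary looks like.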
27.08.2008, 18:38 | #7

Trojan.Agent

Hello root24, I have uploaded all the files to Virustotal. The results follow:

uigxrdr.sys

Code:
Antivirus          Version          letzte aktualisierung  Ergebnis
AhnLab-V3          2008.8.27.1      2008.08.27             -
AntiVir            7.8.1.23         2008.08.27             -
Authentium         5.1.0.4          2008.08.27             -
Avast              4.8.1195.0       2008.08.27             -
AVG                8.0.0.161        2008.08.27             -
BitDefender        7.2              2008.08.27             -
CAT-QuickHeal      9.50             2008.08.26             -
ClamAV             0.93.1           2008.08.27             -
DrWeb              4.44.0.09170     2008.08.27             -
eSafe              7.0.17.0         2008.08.26             -
eTrust-Vet         31.6.6052        2008.08.27             -
Ewido              4.0              2008.08.27             -
F-Prot             4.4.4.56         2008.08.27             -
F-Secure           7.60.13501.0     2008.08.27             -
Fortinet           3.14.0.0         2008.08.26             -
GData              19               2008.08.27             -
Ikarus             T3.1.1.34.0      2008.08.27             -
K7AntiVirus        7.10.428         2008.08.25             -
Kaspersky          7.0.0.125        2008.08.27             -
McAfee             5370             2008.08.26             -
Microsoft          1.3807           2008.08.25             -
NOD32v2            3393             2008.08.27             -
Norman             5.80.02          2008.08.27             -
Panda              9.0.0.4          2008.08.26             -
PCTools            4.4.2.0          2008.08.27             -
Prevx1             V2               2008.08.27             -
Rising             20.59.21.00      2008.08.27             -
Sophos             4.33.0           2008.08.27             -
Sunbelt            3.1.1582.1       2008.08.26             -
Symantec           10               2008.08.27             -
TheHacker          6.3.0.6.060      2008.08.23             -
TrendMicro         8.700.0.1004     2008.08.27             -
VBA32              3.12.8.4         2008.08.27             -
ViRobot            2008.8.27.1352   2008.08.27             -
VirusBuster        4.5.11.0         2008.08.27             -
Webwasher-Gateway  6.6.2            2008.08.27             -

weitere Informationen
File size: 149120 bytes
MD5...: 94bacec4da5e3df44d9ba9c29da5f45e
SHA1..: 300479dc5fbbcebd6fdeabb2111b746242ba9f6a
SHA256: 514660ce6cc20f500736fab40177dbca49bee169e95883108fc23f8101ce624e
SHA512: 30015aee9e7da3bfc2c293568909dfc19b32ec1c52296fc06f87ba7ae3b08102
        09ca4ba224b65940874b76437ca70df560a62897bc4fb6ccd16ea48e8abc4c49
PEiD..: -
TrID..: File type identification
        Win32 Executable Generic (58.4%)
        Clipper DOS Executable (13.8%)
        Generic Win/DOS Executable (13.7%)
        DOS Executable Generic (13.7%)
        VXD Driver (0.2%)

Code:
Antivirus          Version          letzte aktualisierung  Ergebnis
AhnLab-V3          2008.8.27.1      2008.08.27             -
AntiVir            7.8.1.23         2008.08.27             -
Authentium         5.1.0.4          2008.08.27             -
Avast              4.8.1195.0       2008.08.27             -
AVG                8.0.0.161        2008.08.27             -
BitDefender        7.2              2008.08.27             -
CAT-QuickHeal      9.50             2008.08.26             AdWare.WSearch.cf (Not a Virus)
ClamAV             0.93.1           2008.08.27             -
DrWeb              4.44.0.09170     2008.08.27             -
eSafe              7.0.17.0         2008.08.26             -
eTrust-Vet         31.6.6050        2008.08.26             -
Ewido              4.0              2008.08.27             -
F-Prot             4.4.4.56         2008.08.27             -
F-Secure           7.60.13501.0     2008.08.27             -
Fortinet           3.14.0.0         2008.08.26             -
GData              2.0.7306.1023    2008.08.27             -
Ikarus             T3.1.1.34.0      2008.08.27             -
K7AntiVirus        7.10.428         2008.08.25             not-a-virus:AdWare.Win32.WSearch.cn
Kaspersky          7.0.0.125        2008.08.27             -
McAfee             5370             2008.08.26             -
Microsoft          1.3807           2008.08.25             -
NOD32v2            3393             2008.08.27             -
Norman             5.80.02          2008.08.27             -
Panda              9.0.0.4          2008.08.26             -
PCTools            4.4.2.0          2008.08.27             -
Prevx1             V2               2008.08.27             -
Rising             20.59.21.00      2008.08.27             -
Sophos             4.33.0           2008.08.27             -
Sunbelt            3.1.1582.1       2008.08.26             -
Symantec           10               2008.08.27             -
TheHacker          6.3.0.6.060      2008.08.23             -
TrendMicro         8.700.0.1004     2008.08.27             -
ViRobot            2008.8.27.1352   2008.08.27             -
VirusBuster        4.5.11.0         2008.08.27             -
Webwasher-Gateway  6.6.2            2008.08.27             -

weitere Informationen
File size: 53752 bytes
MD5...: e7c89c1a714cc146bcbeccc41c902553
SHA1..: 45f0521452ddf75d1dd7bafea0d82578639cafab
SHA256: 30f58195612e43c8a6ef864ba2836c04906ebca0274090e671b7067c6e6e6aa9
SHA512: 1c82ff97057df27e54ea646e9f26c66f3a4b603ab22bb311859b34f48315a69b
        cfbbc7d6740ab37b102f2bf7cf642e7c32c96605a5a1c794e6c1a3c814c670ba
PEiD..: -
TrID..: File type identification
        Win64 Executable Generic (95.5%)
        Generic Win/DOS Executable (2.2%)
        DOS Executable Generic (2.2%)
        Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

Code:
Antivirus          Version          letzte aktualisierung  Ergebnis
AhnLab-V3          2008.8.27.1      2008.08.27             -
AntiVir            7.8.1.23         2008.08.27             -
Authentium         5.1.0.4          2008.08.27             -
Avast              4.8.1195.0       2008.08.27             -
AVG                8.0.0.161        2008.08.27             -
BitDefender        7.2              2008.08.27             -
CAT-QuickHeal      9.50             2008.08.26             -
ClamAV             0.93.1           2008.08.27             -
DrWeb              4.44.0.09170     2008.08.27             -
eSafe              7.0.17.0         2008.08.26             -
eTrust-Vet         31.6.6052        2008.08.27             -
Ewido              4.0              2008.08.27             -
F-Prot             4.4.4.56         2008.08.27             -
Fortinet           3.14.0.0         2008.08.26             -
GData              19               2008.08.27             -
Ikarus             T3.1.1.34.0      2008.08.27             -
K7AntiVirus        7.10.428         2008.08.25             -
Kaspersky          7.0.0.125        2008.08.27             -
McAfee             5370             2008.08.26             -
Microsoft          1.3807           2008.08.25             -
NOD32v2            3393             2008.08.27             -
Norman             5.80.02          2008.08.27             -
Panda              9.0.0.4          2008.08.26             -
PCTools            4.4.2.0          2008.08.27             -
Prevx1             V2               2008.08.27             Suspicious
Rising             20.59.21.00      2008.08.27             -
Sophos             4.33.0           2008.08.27             -
Sunbelt            3.1.1582.1       2008.08.26             -
Symantec           10               2008.08.27             -
TheHacker          6.3.0.6.060      2008.08.23             -
TrendMicro         8.700.0.1004     2008.08.27             -
ViRobot            2008.8.27.1352   2008.08.27             -
VirusBuster        4.5.11.0         2008.08.27             -
Webwasher-Gateway  6.6.2            2008.08.27             -

weitere Informationen
File size: 933888 bytes
MD5...: 37a7ae466a73120b459e22ba45de4a56
SHA1..: e874c4badb97a7f6ee9d4781be1d06024a0c1cf4
SHA256: ce6dfee60a74f9e9355d937aa500b3ce6baa05d8a670db71237c754c8126608e
SHA512: fdf521127591d61b2c00474144b3f9c713d8aa3a188463eed91b3ac5438d92ce
        4da952d7d4ab533dc845257645a68d44530ca73ff105cbd6710fc6f200c488be
PEiD..: -
TrID..: File type identification
        Win64 Executable Generic (59.6%)
        Win32 Executable MS Visual C++ (generic) (26.2%)
        Win32 Executable Generic (5.9%)
        Win32 Dynamic Link Library (generic) (5.2%)
        Generic Win/DOS Executable (1.3%)

Code:
Antivirus          Version          letzte aktualisierung  Ergebnis
AhnLab-V3          2008.8.27.1      2008.08.27             -
AntiVir            7.8.1.23         2008.08.27             -
Authentium         5.1.0.4          2008.08.27             -
Avast              4.8.1195.0       2008.08.27             -
AVG                8.0.0.161        2008.08.27             -
BitDefender        7.2              2008.08.27             -
CAT-QuickHeal      9.50             2008.08.26             -
ClamAV             0.93.1           2008.08.27             -
DrWeb              4.44.0.09170     2008.08.27             -
eSafe              7.0.17.0         2008.08.26             -
eTrust-Vet         31.6.6052        2008.08.27             -
Ewido              4.0              2008.08.27             -
F-Prot             4.4.4.56         2008.08.27             -
F-Secure           7.60.13501.0     2008.08.27             -
Fortinet           3.14.0.0         2008.08.26             -
GData              19               2008.08.27             -
Ikarus             T3.1.1.34.0      2008.08.27             -
K7AntiVirus        7.10.428         2008.08.25             -
Kaspersky          7.0.0.125        2008.08.27             -
McAfee             5370             2008.08.26             -
Microsoft          1.3807           2008.08.25             -
NOD32v2            3393             2008.08.27             -
Norman             5.80.02          2008.08.27             -
Panda              9.0.0.4          2008.08.26             -
PCTools            4.4.2.0          2008.08.27             -
Prevx1             V2               2008.08.27             -
Rising             20.59.21.00      2008.08.27             -
Sophos             4.33.0           2008.08.27             -
Sunbelt            3.1.1582.1       2008.08.26             -
Symantec           10               2008.08.27             -
TheHacker          6.3.0.6.060      2008.08.23             -
TrendMicro         8.700.0.1004     2008.08.27             -
VBA32              3.12.8.4         2008.08.27             -
ViRobot            2008.8.27.1352   2008.08.27             -
VirusBuster        4.5.11.0         2008.08.27             -
Webwasher-Gateway  6.6.2            2008.08.27             -

weitere Informationen
File size: 53248 bytes
MD5...: d079aadecab98ba6371e6f68615254c5
SHA1..: 68552cf3b0fb5c5de98a95fc1f590ce57634bb34
SHA256: 41ca2a22796f82a896d1182224aef753bae1b7efa058a27e375f98894e24061c
SHA512: d746a5cfac1d1948cec46eab20da8fdd6e23a4bb0bbe88ea732ca18ed0fa41bb
        0c980a57cba95d139f67eae426501744db15e37767ff83db62ecc9c5e1666085
PEiD..: -
TrID..: File type identification
        Win32 Executable MS Visual C++ (generic) (65.2%)
        Win32 Executable Generic (14.7%)
        Win32 Dynamic Link Library (generic) (13.1%)
        Generic Win/DOS Executable (3.4%)
        DOS Executable Generic (3.4%)

Code:
ATTFilter Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.8.27.1 2008.08.27 - AntiVir 7.8.1.23 2008.08.27 - Authentium 5.1.0.4 2008.08.27 - Avast 4.8.1195.0 2008.08.27 - AVG 8.0.0.161 2008.08.27 - BitDefender 7.2 2008.08.27 - CAT-QuickHeal 9.50 2008.08.26 - ClamAV 0.93.1 2008.08.27 - DrWeb 4.44.0.09170 2008.08.27 - eSafe 7.0.17.0 2008.08.26 - eTrust-Vet 31.6.6052 2008.08.27 - Ewido 4.0 2008.08.27 - F-Prot 4.4.4.56 2008.08.27 - F-Secure 7.60.13501.0 2008.08.27 Suspicious:W32/Malware!Gemini Fortinet 3.14.0.0 2008.08.26 - GData 19 2008.08.27 - Ikarus T3.1.1.34.0 2008.08.27 - K7AntiVirus 7.10.428 2008.08.25 - Kaspersky 7.0.0.125 2008.08.27 - McAfee 5370 2008.08.26 - Microsoft 1.3807 2008.08.25 - NOD32v2 3393 2008.08.27 - Norman 5.80.02 2008.08.27 - Panda 9.0.0.4 2008.08.26 - PCTools 4.4.2.0 2008.08.27 - Prevx1 V2 2008.08.27 - Rising 20.59.21.00 2008.08.27 - Sophos 4.33.0 2008.08.27 - Sunbelt 3.1.1582.1 2008.08.26 - Symantec 10 2008.08.27 - TheHacker 6.3.0.6.060 2008.08.23 - TrendMicro 8.700.0.1004 2008.08.27 - VBA32 3.12.8.4 2008.08.27 - ViRobot 2008.8.27.1352 2008.08.27 - VirusBuster 4.5.11.0 2008.08.27 - Webwasher-Gateway 6.6.2 2008.08.27 Virus.Win32.FileInfector.gen!80 (suspicious) weitere Informationen File size: 13873152 bytes MD5...: 20704fb55a5b6f934e4e36a9487424a7 SHA1..: 24547f7e3db1c4c51f743ee81e92fa918c242968 SHA256: 88544f8734a58038fc2bd71805b7ed842bfe82585c16f3fca0d75c98c852dd7e SHA512: 713a671e87adfc1c2381c8e48d632d02c7d156796617a606222f8dc467cf2ba2 8b3212b6604a946d1842893d07aa3112e9523342c34883048011973d4530fbec PEiD..: - TrID..: File type identification Win32 Executable MS Visual C++ (generic) (65.1%) Win32 Executable Generic (14.7%) Win32 Dynamic Link Library (generic) (13.1%) Generic Win/DOS Executable (3.4%) DOS Executable Generic (3.4%) Code:
ATTFilter Antivirus Version letzte aktualisierung Ergebnis AhnLab-V3 2008.8.27.1 2008.08.27 - AntiVir 7.8.1.23 2008.08.27 - Authentium 5.1.0.4 2008.08.27 - Avast 4.8.1195.0 2008.08.27 - AVG 8.0.0.161 2008.08.27 - BitDefender 7.2 2008.08.27 - CAT-QuickHeal 9.50 2008.08.26 - ClamAV 0.93.1 2008.08.27 - DrWeb 4.44.0.09170 2008.08.27 - eSafe 7.0.17.0 2008.08.26 - eTrust-Vet 31.6.6052 2008.08.27 - Ewido 4.0 2008.08.27 - F-Prot 4.4.4.56 2008.08.27 - Fortinet 3.14.0.0 2008.08.26 - GData 19 2008.08.27 - Ikarus T3.1.1.34.0 2008.08.27 - K7AntiVirus 7.10.428 2008.08.25 - Kaspersky 7.0.0.125 2008.08.27 - McAfee 5370 2008.08.26 - Microsoft 1.3807 2008.08.25 - NOD32v2 3393 2008.08.27 - Norman 5.80.02 2008.08.27 - Panda 9.0.0.4 2008.08.26 - PCTools 4.4.2.0 2008.08.27 - Prevx1 V2 2008.08.27 - Rising 20.59.21.00 2008.08.27 - Sophos 4.33.0 2008.08.27 - Sunbelt 3.1.1582.1 2008.08.26 - Symantec 10 2008.08.27 - TheHacker 6.3.0.6.060 2008.08.23 - TrendMicro 8.700.0.1004 2008.08.27 - VBA32 3.12.8.4 2008.08.27 - ViRobot 2008.8.27.1352 2008.08.27 - VirusBuster 4.5.11.0 2008.08.27 - Webwasher-Gateway 6.6.2 2008.08.27 - weitere Informationen File size: 5095424 bytes MD5...: 6da78b1e350b633d83d4459b6d9987ce SHA1..: 728a8af04fff69c9b297b4228b45a2dcb61578d1 SHA256: d1f3f26d978ea98fca82bf5fe0cf05cec80f1170b194fabed54509ab8b46188b SHA512: c26dc5fae0b6f3832254f2f5b03c1289cabb99f97fafa93956ea449565c13f36 30122d05a6f29cf1852821bec955fdfb471178ee49189b6eb54e70c719300f9d PEiD..: - TrID..: File type identification Win32 Executable Generic (38.4%) Win32 Dynamic Link Library (generic) (34.1%) Win16/32 Executable Delphi generic (9.3%) Generic Win/DOS Executable (9.0%) DOS Executable Generic (9.0%)
What do you make of the VirusTotal findings listed above? Are they to be taken seriously? Zattoo and Mozy are actually reputable programs (or so I thought until now)... Kind regards, Pulpit |
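The six reports above are multi-engine scans in which at most one or two of roughly 36 engines say anything, and what they say ranges from "not-a-virus:AdWare" to a bare "Suspicious". Reading such a report is a matter of sorting the verdicts by kind and checking how fresh each engine's signatures were, not of counting whether any engine fired. The following Python is an added example for this thread, not a VirusTotal tool and not from the forum: it parses rows in the layout VirusTotal produced in 2008 (engine, version, signature date, result), buckets each result as clean, adware/PUA, heuristic or named signature detection, and lists engines whose signatures lag the newest in the report. The sample report is a constructed excerpt that reuses result strings from the posted reports with a shortened engine list, so its ratios are illustrative only; the keyword lists in `classify` are assumptions.

```python
"""Reading a multi-engine VirusTotal report: added example, not a VirusTotal tool."""
import re
from collections import Counter
from datetime import date

# Constructed excerpt in the 2008 VirusTotal text layout: one engine per line
# with name, engine version, signature date and result.  The result strings
# are the ones that appear in the posted reports; the engine list is cut
# down, so the detection ratio is illustrative only.
SAMPLE_REPORT = """\
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.27.1 2008.08.27 -
AntiVir 7.8.1.23 2008.08.27 -
CAT-QuickHeal 9.50 2008.08.26 AdWare.WSearch.cf (Not a Virus)
F-Secure 7.60.13501.0 2008.08.27 Suspicious:W32/Malware!Gemini
K7AntiVirus 7.10.428 2008.08.25 not-a-virus:AdWare.Win32.WSearch.cn
Kaspersky 7.0.0.125 2008.08.27 -
Prevx1 V2 2008.08.27 Suspicious
Symantec 10 2008.08.27 -
Webwasher-Gateway 6.6.2 2008.08.27 Virus.Win32.FileInfector.gen!80 (suspicious)
"""

# engine  version  YYYY.MM.DD  result (result may contain spaces)
ROW = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
                 r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$")


def classify(result: str) -> str:
    """Bucket one engine's verdict.  The keyword lists are assumptions."""
    r = result.strip().lower()
    if r == "-":
        return "clean"
    if "not-a-virus" in r or "not a virus" in r or "adware" in r:
        return "pua"
    if "suspicious" in r or "heuristic" in r or ".gen" in r:
        return "heuristic"
    return "signature"          # a named family, e.g. Trojan.Agent


def parse_report(text: str):
    """Return (engine, signature date, result) per parsed row; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            y, mo, d = (int(x) for x in m.group("updated").split("."))
            rows.append((m.group("engine"), date(y, mo, d), m.group("result").strip()))
    return rows


def stale_engines(rows, max_age_days: int = 1):
    """Engines whose signatures are older than the newest in the report."""
    if not rows:
        return []
    newest = max(d for _, d, _ in rows)
    return [e for e, d, _ in rows if (newest - d).days > max_age_days]


def summarize(text: str) -> dict:
    rows = parse_report(text)
    kinds = Counter(classify(r) for _, _, r in rows)
    hits = len(rows) - kinds["clean"]
    if hits == 0:
        assessment = "no engine flags the file"
    elif kinds["signature"] == 0:
        assessment = ("only heuristic or adware/PUA verdicts: check the file's "
                      "origin and publisher before acting")
    elif kinds["signature"] >= 3:
        assessment = "several engines name a family: treat as malicious"
    else:
        assessment = ("one or two named detections: compare the family names "
                      "and re-scan after the next signature update")
    return {"engines": len(rows), "detections": hits, "by_kind": dict(kinds),
            "stale": stale_engines(rows), "assessment": assessment}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The point of the three-way split is that an adware label from a single engine and a heuristic "Suspicious" from another are different evidence from a named family reported by several engines with current signatures; the summary keeps those apart instead of collapsing them into one "2/36" number.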
28.08.2008, 14:27 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojan.Agent Regarding 2.cmd, I found a suspicious autostart entry; have a look on your USB stick to see whether it exists there. If the two programs are legitimate, then it's okay. I was not familiar with either of them.
__________________ Please always post logfiles in CODE tags |
29.08.2008, 08:30 | #9 |
| Trojan.Agent Hello root24, 2.cmd is not on my USB stick either, since I have since formatted it. So how can I delete this autostart entry? Are there any other anomalies? Or can I now assume that my PC is "cleaned"? Many thanks & best regards, Pulpit |
29.08.2008, 15:26 | #10 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojan.Agent Your PC is "cleaned", but guaranteed freedom from malware only comes with formatting and reinstalling. Please make a new HijackThis logfile and one from Silent Runners (see signature). For HijackThis, use this renamed hijackthis.exe
29.08.2008, 15:56 | #11 |
| Trojan.Agent Hello root24, below are the requested logfiles: HijackThis: Code:
ATTFilter Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:45:37, on 29.08.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Intel\Wireless\Bin\EvtEng.exe C:\Programme\Intel\Wireless\Bin\S24EvMon.exe C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Programme\Intel\Wireless\Bin\ZcfgSvc.exe C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe C:\WINDOWS\Explorer.EXE C:\Acer\eManager\anbmServ.exe C:\Programme\Synaptics\SynTP\SynTPLpr.exe C:\Programme\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\rundll32.exe C:\Acer\ePM\EPM-DM.exe C:\Programme\Launch Manager\QtZgAcer.EXE C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe C:\Programme\Intel\Wireless\Bin\EOUWiz.exe C:\Programme\Microsoft IntelliPoint\point32.exe C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\LVComSX.exe C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Programme\FreePDF_XP\fpassist.exe C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe C:\Programme\iTunes\iTunesHelper.exe C:\Programme\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\GMX\GMX Upload-Manager\DAVSRV.EXE C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Programme\MSI\ArcSoft\TotalMedia\TMMonitor.exe C:\Programme\MozyHome\mozystat.exe C:\Programme\Cisco Systems\VPN Client\cvpnd.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Programme\MozyHome\mozybackup.exe C:\Programme\CDBurnerXP\NMSAccessU.exe C:\Programme\Intel\Wireless\Bin\OProtSvc.exe 
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\UStorSrv.exe C:\Programme\iPod\bin\iPodService.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\Programme\Opera\opera.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE C:\Programme\Adobe\Reader 8.0\Reader\AcroRd32.exe C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\agent.exe C:\Dokumente und Einstellungen\Mustermann\Desktop\qlketzd.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uni-greifswald.de:8080 O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Asz.Citavi.IEPicker.IEPickerButton - {609D670F-B735-4da7-AC6D-F3BD358E325E} - C:\WINDOWS\system32\mscoree.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O4 - HKLM\..\Run: [LaunchApp] Alaunch O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] 
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [EPM-DM] C:\Acer\ePM\EPM-DM.exe O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot O4 - HKLM\..\Run: [LManager] C:\Programme\Launch Manager\QtZgAcer.EXE O4 - HKLM\..\Run: [IntelWireless] C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [EOUApp] C:\Programme\Intel\Wireless\Bin\EOUWiz.exe O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [LVCOMSX] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\LVComSX.exe" O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe O4 - HKLM\..\Run: [ISUSPM] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" -scheduler O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [GMX_GMX Upload-Manager] "C:\Programme\GMX\GMX Upload-Manager\DAVSRV.EXE" /hide O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] 
C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: AutorunsDisabled O4 - Global Startup: VPN Client.lnk = ? O4 - Global Startup: TMMonitor.lnk = C:\Programme\MSI\ArcSoft\TotalMedia\TMMonitor.exe O4 - Global Startup: MozyHome Status.lnk = C:\Programme\MozyHome\mozystat.exe O8 - Extra context menu item: &Citavi Picker... - file://C:\Programme\Internet Explorer\PLUGINS\Citavi Picker\ShowContextMenu.html O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Citavi Picker - {619D670F-B735-4da7-AC6D-F3BD358E325E} - C:\WINDOWS\system32\mscoree.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - h**p://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - h**p://www.bitdefender.de/scan_de/scan8/oscan8.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - 
h**p://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167490157540 O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - h**p://www.arcor.de/vod/dmd/WMDownload.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - h**p://game12.zylom.com/activex/zylomgamesplayer.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: EvtEng - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: LVSrvLauncher - Labtec Inc. 
- C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Programme\MozyHome\mozybackup.exe O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe O23 - Service: OwnershipProtocol - Intel Corporation - C:\Programme\Intel\Wireless\Bin\OProtSvc.exe O23 - Service: RegSrvc - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe -- End of file - 10446 bytes |
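The HijackThis log above lists running processes, autostart entries (O4) and services (O23), and the review root24 is doing is essentially a pass over those lines with a few rules of thumb: does the target run from a user-writable folder, is it a script rather than a program, does the service carry vendor information. The following Python is an added example for this thread, not part of the forum post and not a HijackThis tool: it parses those three sections and returns a list of entries that deserve a second look. The sample log is constructed in the posted format; its Avira, Intel, ctfmon and Mozy lines mirror the log above, while the "updater" entry pointing at a 2.cmd in a Temp folder is invented to exercise the checks (the thread says only that a 2.cmd autostart entry looked suspicious, not where it pointed). The rule lists are assumptions, and the output is a review list rather than a verdict: the `qlketzd.com` process on the Desktop is flagged too, and it is presumably the renamed hijackthis.exe root24 asked for.

```python
"""Triage pass over a HijackThis v2 log: added example, not a HijackThis tool."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format of the posted log (see lead-in for which
# lines mirror the thread and which are invented).
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\system32\\svchost.exe
C:\\Programme\\Avira\\AntiVir PersonalEdition Classic\\avguard.exe
C:\\Dokumente und Einstellungen\\Mustermann\\Desktop\\qlketzd.com

O4 - HKLM\\..\\Run: [avgnt] "C:\\Programme\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O4 - HKLM\\..\\Run: [IntelWireless] C:\\Programme\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKCU\\..\\Run: [CTFMON.EXE] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [updater] C:\\Dokumente und Einstellungen\\Mustermann\\Lokale Einstellungen\\Temp\\2.cmd
O4 - Global Startup: MozyHome Status.lnk = C:\\Programme\\MozyHome\\mozystat.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\\Programme\\MozyHome\\mozybackup.exe
O23 - Service: EvtEng - Intel Corporation - C:\\Programme\\Intel\\Wireless\\Bin\\EvtEng.exe
"""

# "O4 - HKLM\..\Run: [Name] command" and "O4 - Global Startup: Name.lnk = command"
RUN_KEY = re.compile(r"^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_FOLDER = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# first executable/script extension followed by end, whitespace, quote or comma
EXE_END = re.compile(r"\.(?:exe|com|cmd|bat|vbs|js|scr|pif|dll)(?=$|[\s\",])", re.IGNORECASE)
SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".scr", ".pif")
WRITABLE_DIRS = ("\\dokumente und einstellungen\\", "\\documents and settings\\",
                 "\\users\\", "\\temp\\", "\\tmp\\", "\\appdata\\")   # assumption
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")     # e.g. c:\something.exe


@dataclass
class Finding:
    kind: str                  # "process", "autostart" or "service"
    name: str                  # run-key value name, service name or file name
    path: str                  # executable the entry launches
    reasons: List[str] = field(default_factory=list)


def image_path(command: str) -> str:
    """Executable part of a run-key command line.  HijackThis prints some paths
    quoted and some not, and unquoted paths may contain spaces, so the cut is
    made after the first executable extension rather than at the first space."""
    command = command.strip().lstrip('"')
    m = EXE_END.search(command)
    if m:
        return command[:m.end()]
    return command.split('"')[0].strip()


def suspicious_reasons(path: str, vendor: Optional[str] = None) -> List[str]:
    lower = path.lower()
    reasons = []
    if lower.endswith(SCRIPT_EXT):
        reasons.append("script or non-PE extension")
    if any(d in lower for d in WRITABLE_DIRS) or DRIVE_ROOT.match(lower):
        reasons.append("runs from a user-writable location")
    if vendor is not None and vendor.lower() == "unknown owner":
        reasons.append("no vendor information")
    return reasons


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and len(line) > 2 and line[1:3] == ":\\":
            reasons = suspicious_reasons(line)
            if reasons:
                findings.append(Finding("process", line.rsplit("\\", 1)[-1], line, reasons))
            continue
        in_processes = False        # the process list ends at the first non-path line
        m = RUN_KEY.match(line) or STARTUP_FOLDER.match(line)
        if m:
            path = image_path(m.group("cmd"))
            reasons = suspicious_reasons(path)
            if reasons:
                findings.append(Finding("autostart", m.group("name"), path, reasons))
            continue
        if line.startswith("O23 - Service: "):
            parts = line[len("O23 - Service: "):].split(" - ", 2)
            if len(parts) == 3:       # name - vendor - path
                name, vendor, path = parts
                path = image_path(path)
                reasons = suspicious_reasons(path, vendor)
                if reasons:
                    findings.append(Finding("service", name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.path} ({'; '.join(f.reasons)})")
```

The cut at the first executable extension instead of the first space matters for logs like this one, where HijackThis prints unquoted targets with spaces (for instance `C:\Programme\Launch Manager\QtZgAcer.EXE`) and commands such as `rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent`, which should resolve to `rundll32.exe` rather than the whole line.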
29.08.2008, 15:57 | #12 |
| Trojan.Agent And finally Silent Runners: Code:
ATTFilter "Silent Runners.vbs", revision 58, h**p://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "GMX_GMX Upload-Manager" = ""C:\Programme\GMX\GMX Upload-Manager\DAVSRV.EXE" /hide" ["GMX GmbH"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "LaunchApp" = "Alaunch" ["Acer Inc."] "SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."] "SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."] "BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS] "IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS] "MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data] "PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS] "PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS] "EPM-DM" = "C:\Acer\ePM\EPM-DM.exe" ["Acer Inc"] "ePowerManagement" = "C:\Acer\ePM\ePM.exe boot" ["Acer Value Labs, Taiwan"] "LManager" = "C:\Programme\Launch Manager\QtZgAcer.EXE" ["Dritek System Inc."] "IntelWireless" = "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless" ["Intel Corporation"] "EOUApp" = "C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" ["Intel Corporation"] "IntelliPoint" = ""C:\Programme\Microsoft IntelliPoint\point32.exe"" [MS] "LVCOMSX" = ""C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\LVComSX.exe"" ["Labtec Inc."] "avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] "FreePDF Assistant" = "C:\Programme\FreePDF_XP\fpassist.exe" [null data] "ISUSPM" = ""C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" -scheduler" ["Macrovision Corporation"] "Adobe Reader Speed 
Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "AppleSyncNotifier" = "C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" ["Apple Inc."] "QuickTime Task" = ""C:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."] "iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."] "SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {609D670F-B735-4da7-AC6D-F3BD358E325E}\(Default) = (no title provided) -> {HKLM...CLSID} = "Asz.Citavi.IEPicker.IEPickerButton" \InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."] "{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page" -> 
{HKLM...CLSID} = "Schnurlose Eigenschaften" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS] "{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page" -> {HKLM...CLSID} = "Scrollrad-Eigenschaftenseite" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS] "{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page" -> {HKLM...CLSID} = "Aktivitäten-Eigenschaftenseite" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS] "{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page" -> {HKLM...CLSID} = "Tasten-Eigenschaftenseite" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS] "{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu" -> {HKLM...CLSID} = "IZArc DragDrop Menu" \InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data] "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu" -> {HKLM...CLSID} = "IZArc Shell Context Menu" \InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data] "{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension" -> {HKLM...CLSID} = "EPM-PO Shell Extensions" \InProcServer32\(Default) = "epm-po.dll" ["Acer Labs USA"] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universelle Plug & Play-Geräte" -> {HKLM...CLSID} = "Universelle Plug & Play-Geräte" \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = 
"C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{D6613619-EDAA-451e-AA0C-671737CF6022}" = "ShellContextMenuHandler extension" -> {HKLM...CLSID} = "ShellContextMenuHandler Class" \InProcServer32\(Default) = "C:\Programme\GMX\GMX Upload-Manager\SHNDLERS.DLL" ["GMX GmbH"] "{B32A6748-F273-4546-B60A-3C5ADC239DE5}" = "MozyHome Remote Backup Shell Extensions" -> {HKLM...CLSID} = "MozyHome Remote Backup Shell Extensions" \InProcServer32\(Default) = "C:\Programme\MozyHome\mozyshell1.dll" ["Mozy, Inc."] "{747E722C-CB46-4A9D-BDFE-192AAD5099B1}" = "MozyHome Remote Backup Shell Extensions Icon Overlay 2" -> {HKLM...CLSID} = "MozyHome Remote Backup Shell Extensions Icon Overlay 2" \InProcServer32\(Default) = "C:\Programme\MozyHome\mozyshell1.dll" ["Mozy, Inc."] "{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}" = "MozyHome Remote Backup Shell Extensions Icon Overlay 3" -> {HKLM...CLSID} = "MozyHome Remote Backup Shell Extensions Icon Overlay 3" \InProcServer32\(Default) = "C:\Programme\MozyHome\mozyshell1.dll" ["Mozy, Inc."] "{B6B69199-ACA1-4CC4-A7E3-3DC9AEC7B947}" = "MozyHome Remote Backup Shell Extensions NSE" -> {HKLM...CLSID} = 
"MozyHome Remote Backup" \InProcServer32\(Default) = "C:\Programme\MozyHome\mozyshell1.dll" ["Mozy, Inc."] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\ <<!>> ("msapsspc.dllschannel.dlldigest.dllmsnsspc.dll" [file not found]) "SecurityProviders" = "msapsspc.dllschannel.dlldigest.dllmsnsspc.dll" HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS] <<!>> IntelWireless\DLLName = "C:\Programme\Intel\Wireless\Bin\LgNotify.dll" ["Intel Corporation"] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" -> {HKLM...CLSID} = "IZArc Shell Context Menu" \InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware 
scanning"
    \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
    \InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
mozy\(Default) = "{B32A6748-F273-4546-B60A-3C5ADC239DE5}"
  -> {HKLM...CLSID} = "MozyHome Remote Backup Shell Extensions"
    \InProcServer32\(Default) = "C:\Programme\MozyHome\mozyshell1.dll" ["Mozy, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
mozy\(Default) = "{B32A6748-F273-4546-B60A-3C5ADC239DE5}"
  -> {HKLM...CLSID} = "MozyHome Remote Backup Shell Extensions"
    \InProcServer32\(Default) = "C:\Programme\MozyHome\mozyshell1.dll" ["Mozy, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
    \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
GMX MediaCenter\(Default) = "{D6613619-EDAA-451e-AA0C-671737CF6022}"
  -> {HKLM...CLSID} = "ShellContextMenuHandler Class"
    \InProcServer32\(Default) = "C:\Programme\GMX\GMX Upload-Manager\SHNDLERS.DLL" ["GMX GmbH"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
    \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
mozy\(Default) = "{B32A6748-F273-4546-B60A-3C5ADC239DE5}"
  -> {HKLM...CLSID} = "MozyHome Remote Backup Shell Extensions"
    \InProcServer32\(Default) = "C:\Programme\MozyHome\mozyshell1.dll" ["Mozy, Inc."]

Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000 {unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000 {unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ArcSoftTMPictureArrival\
"Provider" = "ArcSoft TotalMedia 3"
"InvokeProgID" = "TotalMediaOpen"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\TotalMediaOpen\shell\open\command\(Default) = "C:\Programme\MSI\ArcSoft\TotalMedia\TotalMedia.exe -r %L" ["ArcSoft, Inc."]

ArcSoftTMVideoArrival\
"Provider" = "ArcSoft TotalMedia 3"
"InvokeProgID" = "TotalMediaOpenVideo"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\TotalMediaOpenVideo\shell\open\command\(Default) = "C:\Programme\MSI\ArcSoft\TotalMedia\TotalMedia.exe -v %L" ["ArcSoft, Inc."]

ArcSoftTMVideoCameraArrival\
"Provider" = "ArcSoft TotalMedia 3"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\PROGRA~1\MSI\ArcSoft\TOTALM~1\TOTALM~1.EXE -c"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
    \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

CDBurnerXP\
"Provider" = "CDBurnerXP"
"InvokeProgID" = "CDBurnerXPOpen"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CDBurnerXPOpen\shell\open\command\(Default) = ""C:\Programme\CDBurnerXP\cdbxpp.exe"" [null data]

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
    \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Programme\CyberLink\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]

Startup items in "Mustermann" & "All Users" startup folders:
-----------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"VPN Client" -> shortcut to: "C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico -user_logon" [null data]
"TMMonitor" -> shortcut to: "C:\Programme\MSI\ArcSoft\TotalMedia\TMMonitor.exe" ["ArcSoft, Inc."]
"MozyHome Status" -> shortcut to: "C:\Programme\MozyHome\mozystat.exe" ["Mozy, Inc."]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "C:\WINDOWS\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 42
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{9455301C-CF6B-11D3-A266-00C04F689C50}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Encarta &Recherche-Assistent"
    \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
    \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
    \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{619D670F-B735-4DA7-AC6D-F3BD358E325E}\
"ButtonText" = "Citavi Picker"
"CLSIDExtension" = "{609D670F-B735-4da7-AC6D-F3BD358E325E}"
  -> {HKLM...CLSID} = "Asz.Citavi.IEPicker.IEPickerButton"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.dll" [MS]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{9455301C-CF6B-11D3-A266-00C04F689C50}\
"ButtonText" = "Recherche-Assistent"

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft"]
AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Programme\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
Einfache TCP/IP-Dienste, SimpTcp, "C:\WINDOWS\system32\tcpsvcs.exe" [MS]
EvtEng, EvtEng, "C:\Programme\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
iPod-Dienst, iPod Service, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Inc."]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
MozyHome Backup Service, mozybackup, ""C:\Programme\MozyHome\mozybackup.exe"" ["Mozy, Inc."]
NMSAccessU, NMSAccessU, "C:\Programme\CDBurnerXP\NMSAccessU.exe" [null data]
Notebook Manager Service, anbmService, "C:\Acer\eManager\anbmServ.exe" ["OSA Technologies Inc."]
OwnershipProtocol, OwnershipProtocol, "C:\Programme\Intel\Wireless\Bin\OProtSvc.exe" ["Intel Corporation"]
RegSrvc, RegSrvc, "C:\Programme\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\Programme\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
UStorage Server Service, UStorage Server Service, "C:\WINDOWS\system32\UStorSrv.exe /Service" ["OTi"]
WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor PIXMA iP1500\Driver = "CNMLM5y.DLL" ["CANON INC."]
EPSON Stylus D68 Series 2KMonitor5E\Driver = "E_FLMAAE.DLL" ["SEIKO EPSON CORPORATION"]
LPR Port\Driver = "lprmon.dll" [MS]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
Redirected Port\Driver = "redmonnt.dll" [null data]

---------- (launch time: 2008-08-29 16:47:39)

<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points,
  use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box.

---------- (total run time: 41 seconds)

Pulpit
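Working through a Silent Runners report like the one above by hand comes down to three questions per entry: did the tool itself mark it (<<!>>), does the launched file carry a publisher tag at all ([null data] or [file not found] instead of [MS] or ["Company"]), and, in a thread where the actual finding was two DLLs dropped into system32, is anything under system32 not tagged [MS]. The script below is an added example for this thread, not code from the poster, the forum helpers or the Silent Runners author: it parses lines in the report format shown above and returns the entries worth a second look. The sample lines are constructed in that format (modeled on entries in the report above), and the three triage rules are heuristics chosen here, not rules the tool applies. In particular [null data] only means the file has no CompanyName version resource, which in this report is true of IZArc, CDBurnerXP and redmon as well as of anything malicious, so the output is a reading order, not a verdict.

```python
import re
from typing import List, Tuple

# Silent Runners appends a trust tag to every file it resolves (report format, not an assumption):
#   [MS]               Microsoft file
#   ["Company Name"]   CompanyName from the file's version resource
#   [null data]        file has no CompanyName resource
#   [file not found]   launch point points at a missing file
TAG_RE = re.compile(r'\[(MS|null data|file not found|"[^"]*")\]')

# A quoted target is introduced by one of these in the report:
#   key = "path"   "name" -> launches: "path"   display, svc, ""path""   {"svcdll" [MS]}
TARGET_DELIMS = ('= "', ': "', ', "', '{"')

SUSPICIOUS_MARK = "<<!>>"                 # the tool's own "look here" marker
UNVERIFIED = {"null data", "file not found"}

# Constructed sample lines in the report's format (modeled on the entries above).
SAMPLE_REPORT = r'''
<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"
\InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"VPN Client" -> shortcut to: "C:\WINDOWS\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico -user_logon" [null data]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Ad-Aware 2007 Service, aawservice, ""C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft"]
UStorage Server Service, UStorage Server Service, "C:\WINDOWS\system32\UStorSrv.exe /Service" ["OTi"]
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 42
Redirected Port\Driver = "redmonnt.dll" [null data]
'''


def parse_targets(line: str) -> List[Tuple[str, str]]:
    """Return (target, publisher) pairs for every trust tag on one report line.

    For each tag, walk back to the delimiter that introduced the quoted target
    so that a service line's ""path"" and a {"svcdll" [MS]} suffix both resolve
    to the file the tag actually describes. Command lines with embedded quotes
    (iTunes-style ""exe" /switch "%L"") come back with their inner quotes intact.
    """
    targets = []
    start = 0
    for tag in TAG_RE.finditer(line):
        before = line[start:tag.start()]
        cut = max(before.rfind(d) for d in TARGET_DELIMS)
        if cut >= 0:
            raw = before[cut + 2:]
        else:
            # Unquoted form, e.g. the Winsock transport provider summary lines.
            tokens = before.split()
            raw = tokens[-1] if tokens else ""
        targets.append((raw.strip().strip('"'), tag.group(1).strip('"')))
        start = tag.end()
    return targets


def classify_line(line: str) -> List[str]:
    """Triage reasons for one line; an empty list means nothing to look at.

    These are heuristics chosen for this example, not Silent Runners rules:
    [null data] is common for small freeware, and third-party services do
    legitimately live in system32, so every hit still needs a human look.
    """
    reasons = []
    if SUSPICIOUS_MARK in line:
        reasons.append("marked by tool")
    for target, publisher in parse_targets(line):
        if publisher in UNVERIFIED:
            reasons.append(f"{target}: no publisher ({publisher})")
        elif "system32\\" in target.lower() and publisher != "MS":
            # The pattern behind the serauth1.dll / serauth2.dll finding in this thread:
            # a non-Microsoft file sitting in system32.
            reasons.append(f"{target}: third-party file in system32 ({publisher})")
    return reasons


def triage(report: str) -> List[Tuple[str, List[str]]]:
    """Run classify_line over a whole report and keep only the lines with reasons."""
    hits = []
    for line in report.splitlines():
        reasons = classify_line(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_REPORT):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

On the sample input this leaves five of the nine lines to read: the <<!>> ComFile entry, the three [null data] files and the OTi service in system32; the Microsoft, Apple and Lavasoft entries drop out. Feed it the whole report text instead of SAMPLE_REPORT and the same five-minute read shrinks to the entries a helper would actually ask about.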