| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: "Trojan-Downloader.Win32.Small.eqn"Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
| |
29.09.2008, 09:20
| #1 |
 |  "Trojan-Downloader.Win32.Small.eqn" Hallo zusammen! Es fing damit an, das ich winubg32.dll im System entdeckte un d dadurch auf diese Community gestossen bin. Mittlerweile bin ich ihn los dank killbox und diverser Tipps hier, aber irgendwas hab ich noch....dazu mal ein HJT Log: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 09:58:06, on 29.09.2008 Platform: Windows XP SP3 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Creative\Shared Files\CTAudSvc.exe C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe C:\Programme\avmclient\avmbtservice.exe C:\Programme\avmclient\AvmObexService.exe C:\Programme\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe C:\Programme\Intel\Intel Matrix Storage Manager\Iaantmon.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\programme\gemeinsame dateien\mcafee\mna\mcnasvc.exe c:\PROGRA~1\GEMEIN~1\mcafee\mcproxy\mcproxy.exe C:\Programme\McAfee\VirusScan\McShield.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE D:\Programme\Nero 8\Nero BackItUp\NBService.exe C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\nvsvc32.exe D:\Programme\Raxco\PerfectDisk\PD91Agent.exe C:\WINDOWS\system32\IoctlSvc.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Programme\Cyberlink\Shared files\RichVideo.exe d:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Wacom_Tablet.exe C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\PROGRA~1\McAfee.com\Agent\mcagent.exe C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe C:\WINDOWS\system32\Wacom_Tablet.exe C:\WINDOWS\Explorer.EXE C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\Programme\avmclient\bluefritz.exe C:\Programme\avmclient\AvmObex.exe D:\Programme\CyberLink\PowerDVD\PDVDServ.exe D:\Programme\Musicmatch Jukebox\mmtask.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe C:\Programme\avmclient\AvmObex.exe C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe C:\Programme\VistaDriveIcon\DrvIcon.exe C:\WINDOWS\C0100Mon.exe C:\Programme\Java\jre1.6.0_07\bin\jusched.exe D:\Programme\Razer\Lachesis\razerhid.exe D:\Programme\Razer\Lachesis\OSD.exe C:\WINDOWS\system32\CTHELPER.EXE D:\Programme\Razer\Tarantula\razerhid.exe C:\WINDOWS\system32\CTXFIHLP.EXE D:\Programme\Razer\Lachesis\razertra.exe D:\Programme\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe D:\Programme\Razer\Lachesis\razerofa.exe D:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe D:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe D:\Programme\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\WINDOWS\system32\ctfmon.exe D:\Programme\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe C:\Programme\VisualTaskTips\VisualTaskTips.exe D:\Programme\Razer\Tarantula\razertra.exe D:\Programme\DAEMON Tools Lite\daemon.exe D:\Programme\Lavalys\everestultimate460\everest.exe D:\Programme\Mozilla Firefox\firefox.exe D:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE D:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE C:\WINDOWS\system32\NOTEPAD.EXE E:\Downloads\TOOLS\HiJackThis_v2\HiJackThis_v2.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ***/news/index.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = ***fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = ***/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ****/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Programme\Adobe\/Adobe Contribute CS3/contributeieplugin.dll O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Programme\McAfee\VirusScan\scriptsn.dll O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Programme\Adobe\/Adobe Contribute CS3/contributeieplugin.dll O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Programme\styler\TB\StylerTB.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programme\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll" O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon O4 - HKLM\..\Run: [AVMBlueClient] C:\Programme\avmclient\bluefritz.exe O4 - HKLM\..\Run: [AVMBLUEOBEX] C:\Programme\avmclient\AvmObex.exe -pushclient -ftpclient O4 - HKLM\..\Run: [RemoteControl] d:\Programme\CyberLink\PowerDVD\PDVDServ.exe O4 - HKLM\..\Run: [LanguageShortcut] d:\Programme\CyberLink\PowerDVD\Language\Language.exe O4 - HKLM\..\Run: [mmtask] D:\Programme\Musicmatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\GEMEIN~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE O4 - HKLM\..\Run: [mcagent_exe] C:\Programme\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [IAAnotif] C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [DrvIcon] C:\Programme\VistaDriveIcon\DrvIcon.exe O4 - HKLM\..\Run: [C0100Mon.exe] C:\WINDOWS\C0100Mon.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [NBKeyScan] "D:\Programme\Nero 8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [Lachesis] d:\Programme\Razer\Lachesis\razerhid.exe O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [Tarantula] d:\Programme\Razer\Tarantula\razerhid.exe O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "D:\Programme\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Programme\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" O4 - HKLM\..\Run: [VolPanel] "d:\Programme\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Creative Live! Cam Manager] "D:\Programme\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe" O4 - HKCU\..\Run: [AlcoholAutomount] "d:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" /automount O4 - HKCU\..\Run: [VisualTaskTips] "C:\Programme\VisualTaskTips\VisualTaskTips.exe" noTrayIcon O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Programme\NVIDIA Corporation\nTune\nTuneCmd.exe" clear O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Programme\DAEMON Tools Lite\daemon.exe" -autorun O4 - HKCU\..\Run: [ALTCTRLDELETE] <NonRun> O4 - HKCU\..\Run: [EVEREST AutoStart] D:\Programme\Lavalys\everestultimate460\everest.exe O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "D:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "D:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user') O8 - Extra context menu item: An vorhandene PDF-Datei anfügen - res://C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Linkziel an vorhandene PDF-Datei anhängen - res://C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Linkziel in Adobe PDF konvertieren - res://C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - d:\Programme\ICQ6\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - d:\Programme\ICQ6\ICQ.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189217592256 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194620578188 O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2/ocx/15106/CTPID.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: acaptuser32.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe O23 - Service: Adobe Version Cue CS3 {de_DE} (Adobe Version Cue CS3) - Adobe Systems Incorporated - C:\Programme\Gemeinsame Dateien\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe O23 - Service: AVM BT Connection Service - AVM Berlin - C:\Programme\avmclient\avmbtservice.exe O23 - Service: AVM BT OBEX Service (AvmObexService) - AVM Berlin - C:\Programme\avmclient\AvmObexService.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Programme\Gemeinsame Dateien\Creative Labs Shared\Service\CTAELicensing.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Programme\Creative\Shared Files\CTAudSvc.exe O23 - Service: FinePrint Dispatcher v5 - FinePrint Software, LLC - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\programme\gemeinsame dateien\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\GEMEIN~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Programme\McAfee\VirusScan\McShield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Programme\Nero 8\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PD91Agent - Raxco Software, Inc. - D:\Programme\Raxco\PerfectDisk\PD91Agent.exe O23 - Service: PD91Engine - Raxco Software, Inc. - D:\Programme\Raxco\PerfectDisk\PD91Engine.exe O23 - Service: PD91VMDefrag - Raxco Software, Inc. - D:\Programme\Raxco\PerfectDisk\PD91VMDefrag.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\Cyberlink\Shared files\RichVideo.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Programme\WinPcap\rpcapd.exe O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - d:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe O24 - Desktop Component 0: (no name) - (no file) -- End of file - 16630 bytes So und nun noch ein escan log: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Header ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ find.bat Version 2008.03.07 Microsoft Windows XP [Version 5.1.2600] Bootmodus: Normal eScan Version: 10.0.8 Sprache: German C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\MWAV.LOG ~~~~~~~~~~~ Dateien ~~~~~~~~~~~ ~~~~ Infected files ~~~~~~~~~~~ Datei E:\System Volume Information\_restore{0EB98AED-D24D-4988-B752-96554455566A}\RP1128\A0371665.exe/wr.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX infiziert durch den Virus "Trojan-Downloader.Win32.Small.eqn"! Maßnahme ergriffen: Keine Maßnahme ergriffen. Datei C:\AUTORUN.INF infiziert durch den Virus "Fujack"! Maßnahme ergriffen: No Action Taken. ~~~~~~~~~~~ ~~~~ Tagged files ~~~~~~~~~~~ ~~~~~~~~~~~ ~~~~ Offending files ~~~~~~~~~~~ Offending file found: E:\Eigene Dateien\tomtom\home\backups\s60v3\backup02\storage\system\data\mg2\db\e\1.dat Offending file found: E:\Eigene Dateien\tomtom\home\backups\s60v3\backup02\storage\system\data\mg2\db\e\2.dat Offending file found: E:\Eigene Dateien\tomtom\home\backups\s60v3\backup02\storage\system\data\mg2\db\e\3.dat Offending file found: C:\Programme\winpcap\install.log Offending file found: C:\autorun.inf Offending file found: C:\Programme\winpcap\daemon_mgm.exe Offending file found: C:\Programme\winpcap\npf_mgm.exe ~~~~~~~~~~~ ~~~~ Spyware (Vorsicht: Oft Fehlalarm!) ~~~~~~~~~~~ eScan AntiVirus und Antispyware Toolkit. Antiviren- und Antispywaredatenbanken werden heruntergeladen... eScan AntiVirus und Antispyware Toolkit. Scannen Spyware: Aktiviert ***** Registrierungsdatenbank und Dateisystem werden auf Schnüffelprogramme (Spyware) und werbefinanzierte Software (Adware) überprüft ***** Loading Spyware Signatures from new External Database [Name: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\spydb.avs, Size: 855856]... Indexed Spyware Databases Successfully Created... Objekt "grokster Spyware/Adware" im Dateisystem gefunden! Maßnahme ergriffen: Keine Maßnahme ergriffen. Objekt "grokster Spyware/Adware" im Dateisystem gefunden! Maßnahme ergriffen: Keine Maßnahme ergriffen. Objekt "softomate toolbar Spyware/Adware" im Dateisystem gefunden! Maßnahme ergriffen: Keine Maßnahme ergriffen. System found infected with wareout Adware (1.dat)! Action taken: Keine Maßnahme ergriffen. System found infected with wareout Adware (2.dat)! Action taken: Keine Maßnahme ergriffen. System found infected with wareout Adware (3.dat)! Action taken: Keine Maßnahme ergriffen. System found infected with combo Spyware/Adware (hklm\software\starfinanz)! Action taken: Keine Maßnahme ergriffen. System found infected with spyware.tupinsight Spyware/Adware (C:\Programme\winpcap\install.log)! Action taken: Keine Maßnahme ergriffen. System found infected with combo Spyware/Adware (C:\autorun.inf)! Action taken: Keine Maßnahme ergriffen. System found infected with spyware.tupinsight Spyware/Adware (C:\Programme\winpcap\daemon_mgm.exe)! Action taken: Keine Maßnahme ergriffen. System found infected with spyware.tupinsight Spyware/Adware (C:\Programme\winpcap\npf_mgm.exe)! Action taken: Keine Maßnahme ergriffen. System found infected with backdoor (ircbot) trojans Spyware/Adware (hklm\software\microsoft\mssmgr)! Action taken: Keine Maßnahme ergriffen. ~~~~~~~~~~~ Ordner ~~~~~~~~~~~ Offending Folder found: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\winamp toolbar\ietoolbar ~~~~~~~~~~~ Registry ~~~~~~~~~~~ Offending Key found: HKLM\Software\magnet !!! Offending Key found: HKCR\magnet !!! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Diverses ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~ laufende Prozesse - commandline ~~~~~~~~~~~~~~~~~~~~~~ System Idle Process - System - smss.exe - \SystemRoot\System32\smss.exe csrss.exe - winlogon.exe - winlogon.exe services.exe - C:\WINDOWS\system32\services.exe lsass.exe - C:\WINDOWS\system32\lsass.exe svchost.exe - C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe - svchost.exe - C:\WINDOWS\system32\svchost.exe -k netsvcs svchost.exe - svchost.exe - mcmscsvc.exe - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe explorer.exe - C:\WINDOWS\Explorer.EXE mcagent.exe - C:\PROGRA~1\McAfee.com\Agent\mcagent.exe -Embedding mcuimgr.exe - "c:\PROGRA~1\mcafee\msc\mcuimgr.exe" -Embedding cmd.exe - cmd /c ""E:\Downloads\find.bat" " cscript.exe - cscript C:\escan\prclst.vbs //nologo wmiprvse.exe - ~~~~~~~~~~~~~~~~~~~~~~ Scanfehler ~~~~~~~~~~~~~~~~~~~~~~ ERROR!!! Invalid Entry System32\Drivers\Diag69xp.sys in SYSTEM\CurrentControlSet\Services\Diag69xp. Action Taken: No Action Taken. Result: ERROR!!! File C:\WINDOWS\system32\drivers\emupia2k.sys is Not Scanned ERROR!!! Invalid Entry \??\C:\WINDOWS\system32\PLCMPR5.SYS in SYSTEM\CurrentControlSet\Services\PLCMPR5. Action Taken: No Action Taken. ERROR!!! Invalid Entry System32\Drivers\sptd.sys in SYSTEM\CurrentControlSet\Services\sptd. Action Taken: No Action Taken. ERROR!!! ScanFile fails for E:\DOWNLO~1\VIDEOS~1\DVD\DICKUN~1.NRG ERROR!!! ScanFile fails for E:\EIGENE~1\ALCOHO~1\BF2DVD~1.MDF ERROR!!! ScanFile fails for E:\EIGENE~1\***\NOKIAS~1\N73\208DD2~1.NBU ERROR!!! ScanFile fails for E:\EIGENE~1\***\NOKIAS~1\N73\20CDD1~1.NBU ERROR!!! ScanFile fails for E:\EIGENE~1\***\NOKIAS~1\N73\20BD12~1.NBU ERROR!!! ScanFile fails for E:\SYSTEM~1\_RESTO~1\RP1127\A0371172.exe ERROR!!! ScanFile fails for E:\SYSTEM~1\_RESTO~1\RP1134\A0373448.exe ~~~~~~~~~~~~~~~~~~~~~~ Hosts-Datei ~~~~~~~~~~~~~~~~~~~~~~ DataBasePath: %SystemRoot%\System32\drivers\etc Zeilen die nicht dem Standard entsprechen: C:\WINDOWS\System32\drivers\etc\hosts: C:\WINDOWS\System32\drivers\etc\hosts:127.0.0.1 localhost ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Statistiken: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Zahl der gescannten Objekte: 80233 Zahl der kritischen Objekte: 11 Zahl der desinfizierten Objekte: 0 Zahl der umbenannten Dateien: 0 Zahl der gelöschten Objekte: 0 Zahl der Fehler: 26 Zeit verstrichen: 00:16:34 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan-Optionen ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Speicherüberprüfung: Aktiviert Registrierungsdatenbank-Überprüfung: Aktiviert Überprüfung des Startordners: Aktiviert Überprüfung des Systemordners: Aktiviert Überprüfung der Dienste: Aktiviert Überprüfung der Laufwerke: Aktiviert Überprüfung aller Laufwerke  eaktiviert Überprüfung der Ordner: Deaktiviert Batchstart: 17:24:55,85 Batchende: 17:24:59,20 ----- Habe es nur noch über ein laufwerk suchen lassen, da ich da im restore immer einen Fund angezeigt bekomme und das obwohl ich die Systemwiederherstellung ausgeschaltet und dann im abgesicherten Modus gebootet habe und dann mcAfee drüber laufen lies...hat nix gebracht, der Eintrag ist immernoch da und dabei handelt es sich um den im Topic genannten. Was ist zu tun? Danke im Voraus für Eure Unterstützung!!! ach ja...falls von wichtigkeit...ich habe noch ein SilentRunners log-kommt im 2ten Post da der hier sonst zu lang wird  System ist XP Prof SP3, McAfee das ganze hinter nem Router mit Firewall. Vielen Dank für Eure Hilfe! MfG Schmitzejung |
|
29.09.2008, 09:31
| #2 |
| | "Trojan-Downloader.Win32.Small.eqn" so, hier noch der Silent Runners Log in 2 Teilen da er immernoch zu lang ist
__________________Teil1: "Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "Creative Live! Cam Manager" = ""D:\Programme\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"" ["Creative Technology Ltd."] "AlcoholAutomount" = ""d:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" /automount" ["Alcohol Soft Development Team"] "VisualTaskTips" = ""C:\Programme\VisualTaskTips\VisualTaskTips.exe" noTrayIcon" "NVIDIA nTune" = ""C:\Programme\NVIDIA Corporation\nTune\nTuneCmd.exe" clear" ["NVIDIA"] "DAEMON Tools Lite" = ""D:\Programme\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"] "ALTCTRLDELETE" = "<NonRun>" [file not found] "EVEREST AutoStart" = "D:\Programme\Lavalys\everestultimate460\everest.exe" ["Lavalys, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."] "AudioDrvEmulator" = ""C:\Programme\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Programme\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"" ["Creative Technology Ltd."] "UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."] "Easy-PrintToolBox" = "C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."] "AVMBlueClient" = "C:\Programme\avmclient\bluefritz.exe" ["AVM Berlin"] "AVMBLUEOBEX" = "C:\Programme\avmclient\AvmObex.exe -pushclient -ftpclient" ["AVM Berlin"] "RemoteControl" = "d:\Programme\CyberLink\PowerDVD\PDVDServ.exe" ["Cyberlink Corp."] "LanguageShortcut" = "d:\Programme\CyberLink\PowerDVD\Language\Language.exe" [null data] "mmtask" = "D:\Programme\Musicmatch Jukebox\mmtask.exe" ["Musicmatch Inc."] "FinePrint Dispatcher v5" = ""C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM" ["FinePrint Software, LLC"] "Adobe_ID0EYTHM" = "C:\PROGRA~1\GEMEIN~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" ["Adobe Systems Incorporated"] "mcagent_exe" = "C:\Programme\McAfee.com\Agent\mcagent.exe /runkey" ["McAfee, Inc."] "IAAnotif" = "C:\Programme\Intel\Intel Matrix Storage Manager\iaanotif.exe" ["Intel Corporation"] "DrvIcon" = "C:\Programme\VistaDriveIcon\DrvIcon.exe" ["artArmin"] "C0100Mon.exe" = "C:\WINDOWS\C0100Mon.exe" ["Creative Technology Ltd."] "SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."] "NBKeyScan" = ""D:\Programme\Nero 8\Nero BackItUp\NBKeyScan.exe"" ["Nero AG"] "Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."] "Lachesis" = "d:\Programme\Razer\Lachesis\razerhid.exe" [empty string] "OSSelectorReinstall" = "C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe" [null data] "CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"] "Tarantula" = "d:\Programme\Razer\Tarantula\razerhid.exe" ["Razer USA Ltd."] "CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"] "NeroFilterCheck" = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" ["Nero AG"] "Adobe Acrobat Speed Launcher" = ""D:\Programme\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"" ["Adobe Systems Incorporated"] "(Default)" = "(empty string)" [file not found] "Acrobat Assistant 8.0" = ""D:\Programme\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"" ["Adobe Systems Inc."] "TrueImageMonitor.exe" = "D:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe" ["Acronis"] "AcronisTimounterMonitor" = "D:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe" ["Acronis"] "Acronis Scheduler2 Service" = ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"" ["Acronis"] "VolPanel" = ""d:\Programme\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r" ["Creative Technology Ltd"] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"] "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {074C1DC5-9320-4A9A-947D-C042949C6216}\(Default) = (no title provided) -> {HKLM...CLSID} = "ContributeBHO Class" \InProcServer32\(Default) = "D:\Programme\Adobe\/Adobe Contribute CS3/contributeieplugin.dll" ["Adobe Systems Incorporated."] {18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub" -> {HKLM...CLSID} = "Adobe PDF Link Helper" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"] {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\(Default) = "Winamp Toolbar BHO" -> {HKLM...CLSID} = "Winamp Toolbar BHO" \InProcServer32\(Default) = "C:\Programme\Winamp Toolbar\winamptb.dll" ["AOL LLC"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] {7DB2D5A0-7241-4E79-B68D-6309F01C5231}\(Default) = "scriptproxy" -> {HKLM...CLSID} = "scriptproxy" \InProcServer32\(Default) = "C:\Programme\McAfee\VirusScan\scriptsn.dll" ["McAfee, Inc."] {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided) -> {HKLM...CLSID} = "Windows Live Anmelde-Hilfsprogramm" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS] {AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] {F4971EE7-DAA0-4053-9964-665D8EE6A077}\(Default) = "SmartSelect" -> {HKLM...CLSID} = "SmartSelect Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Programme\WinRAR\rarext.dll" [null data] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "D:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS] "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders" -> {HKLM...CLSID} = "Meine freigegebenen Ordner" \InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS] "{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser" -> {HKLM...CLSID} = "Nokia Phone Browser" \InProcServer32\(Default) = "D:\Programme\Nokia\Nokia PC Suite 6\phonebrowser.dll" ["Nokia"] "{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler" -> {HKLM...CLSID} = "NeroDigitalIconHandler Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"] "{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler" -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons" -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class" \InProcServer32\(Default) = "D:\Programme\Nero 8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"] "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "D:\Programme\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] "{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension" -> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension" \InProcServer32\(Default) = "D:\Programme\Acronis\TrueImageHome\tishell.dll" ["Acronis"] "{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension" -> {HKLM...CLSID} = "Acronis True Image Shell Extension" \InProcServer32\(Default) = "D:\Programme\Acronis\TrueImageHome\tishell.dll" ["Acronis"] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {HKLM...CLSID} = "Desktop Explorer" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu" -> {HKLM...CLSID} = "nView Desktop Context Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -> {HKLM...CLSID} = "WPDShServiceObj Class" \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS] HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ <<!>> "Authentication Packages" = "msv1_0"|"relog_ap" HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <<!>> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler" -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "D:\Programme\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}" -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class" \InProcServer32\(Default) = "D:\Programme\Nero 8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"] McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}" -> {HKLM...CLSID} = "CtxMenu Class" \InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Programme\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Programme\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "D:\Programme\Adobe\Acrobat 9.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}" -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler" \InProcServer32\(Default) = "D:\Programme\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"] McCtxMenu\(Default) = "{01576F39-90DE-4D6E-A068-5B20C22BAAEE}" -> {HKLM...CLSID} = "CtxMenu Class" \InProcServer32\(Default) = "c:\PROGRA~1\mcafee\VIRUSS~1\mcctxmnu.dll" ["McAfee, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Programme\WinRAR\rarext.dll" [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "ClearRecentDocsOnExit" = (REG_BINARY) hex:01 00 00 00 00 00 00 00 {unrecognized setting} "NoSaveSettings" = (REG_BINARY) hex:00 00 00 00 {User Configuration|Administrative Templates|Desktop| Don't save settings at exit} "NoRecentDocsMenu" = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} "NoRecentDocsHistory" = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} "NoRecentDocsNetHood" = (REG_BINARY) hex:01 00 00 00 {unrecognized setting} "NoSMMyDocs" = (REG_BINARY) hex:01 00 00 00 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove Documents menu from Start Menu} "NoSMMyPictures" = (REG_BINARY) hex:01 00 00 00 {User Configuration|Administrative Templates|Start Menu and Taskbar| Remove My Pictures icon from Start Menu} "NoBandCustomize" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars| Disable customizing browser toolbars} "NoMovingBands" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoCloseDragDropBands" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoSetTaskbar" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|Start Menu and Taskbar| Prevent changes to Taskbar and Start Menu Settings} "NoToolbarsOnTaskbar" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "ClassicShell" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Enable Classic Shell / Turn on Classic Shell} "NoActiveDesktop" = (REG_BINARY) hex:00 00 00 00 {User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop| Disable Active Desktop} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} |
|
29.09.2008, 09:32
| #3 |
| | "Trojan-Downloader.Win32.Small.eqn" Teil2:
__________________Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Dokumente und Einstellungen\Egoist\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ ACDSee90AcquirePicturesOnArrival\ "Provider" = "ACDSee 9.0" "InvokeProgID" = "ACDSee 9.0.AutoPlayHandlerAcquire" "InvokeVerb" = "Acquire" HKLM\SOFTWARE\Classes\ACDSee 9.0.AutoPlayHandlerAcquire\shell\Acquire\command\(Default) = ""D:\Programme\ACD Systems\ACDSee\9.0\ACDSeeQV.exe" /detect:%1" ["ACD Systems Ltd."] ACDSee90AcquireVideoFilesOnArrival\ "Provider" = "ACDSee 9.0" "InvokeProgID" = "ACDSee 9.0.AutoPlayHandlerAcquire" "InvokeVerb" = "Acquire" HKLM\SOFTWARE\Classes\ACDSee 9.0.AutoPlayHandlerAcquire\shell\Acquire\command\(Default) = ""D:\Programme\ACD Systems\ACDSee\9.0\ACDSeeQV.exe" /detect:%1" ["ACD Systems Ltd."] ACDSee90PlayVideoFilesOnArrival\ "Provider" = "ACDSee 9.0" "InvokeProgID" = "ACDSee 9.0.AutoPlayHandler" "InvokeVerb" = "Open" HKLM\SOFTWARE\Classes\ACDSee 9.0.AutoPlayHandler\shell\Open\command\(Default) = ""D:\Programme\ACD Systems\ACDSee\9.0\ACDSeeQV.exe" "%1"" ["ACD Systems Ltd."] ACDSee90ShowPicturesOnArrival\ "Provider" = "ACDSee 9.0" "InvokeProgID" = "ACDSee 9.0.AutoPlayHandler" "InvokeVerb" = "Open" HKLM\SOFTWARE\Classes\ACDSee 9.0.AutoPlayHandler\shell\Open\command\(Default) = ""D:\Programme\ACD Systems\ACDSee\9.0\ACDSeeQV.exe" "%1"" ["ACD Systems Ltd."] AdobePremiereProCS3CameraArrival\ "Provider" = "Adobe Premiere Pro" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""D:\Programme\Adobe\Adobe Premiere Pro CS3\Adobe Premiere Pro.exe"" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] AlcoholAutoPlayV2.BurnDisc\ "Provider" = "Alcohol 120%" "InvokeProgID" = "AlcoholAutoPlayV2" "InvokeVerb" = "BurnDisc" HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""D:\Programme\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"] AlcoholAutoPlayV2.ReadDisc\ "Provider" = "Alcohol 120%" "InvokeProgID" = "AlcoholAutoPlayV2" "InvokeVerb" = "BurnDisc" HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""D:\Programme\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"] BridgeCS3ImportMediaOnArrival\ "Provider" = "Adobe Bridge CS3" "InvokeProgID" = "Adobe.adobebridge" "InvokeVerb" = "launch" HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "D:\Programme\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."] CTImportWizard\ "Provider" = "@d:\Programme\Creative\Photo Manager\CTImport.crl,-11" "InvokeProgID" = "CTImportWizard.1" "InvokeVerb" = "Open" HKLM\SOFTWARE\Classes\CTImportWizard.1\shell\Open\command\(Default) = "d:\Programme\Creative\Photo Manager\CTImport.exe %1" ["Creative Technology Ltd"] CTPlayAudioOnArrivalu\ "Provider" = "Creative MediaSource 5 Player" "InvokeProgID" = "CTAutoPLu.AudioCDPlayer.1" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\CTAutoPLu.AudioCDPlayer.1\shell\open\command\(Default) = ""d:\Programme\Creative\MediaSource5\CTCMSu.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"] CTPlayMusicFilesOnArrivalu\ "Provider" = "Creative MediaSource 5 Player" "InvokeProgID" = "CTAutoPLu.MusicFilesPlayer.1" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\CTAutoPLu.MusicFilesPlayer.1\shell\open\command\(Default) = ""d:\Programme\Creative\MediaSource5\CTCMSu.exe" /PlayNow "%L"" ["Creative Technology Ltd"] MMJBAutoplayBURNERPLUS\ "Provider" = "MUSICMATCH Burner Plus" "InvokeProgID" = "MMJB.BURN" "InvokeVerb" = "Burn" HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""D:\Programme\Musicmatch Jukebox\mmfwlaunch.exe""-mmjb"" ["Musicmatch, Inc."] MMJBPlayCDAudioOnArrival\ "Provider" = "Musicmatch Jukebox" "InvokeProgID" = "MMJB.AUDIOCD" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\MMJB.AUDIOCD\shell\Play\command\(Default) = ""D:\Programme\Musicmatch Jukebox\mmjblaunch.exe" /AudioCD "%1"" ["Musicmatch, Inc."] MMJBPlayMediaOnArrival\ "Provider" = "Musicmatch Jukebox" "InvokeProgID" = "MMJB.MMJB" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\MMJB.MMJB\shell\Play\command\(Default) = ""D:\Programme\Musicmatch Jukebox\mmjblaunch.exe" "%1"" ["Musicmatch, Inc."] MSWPDShellNamespaceHandler\ "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501" "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}" "InitCmdLine" = " " -> {HKLM...CLSID} = "WPDShextAutoplay" \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS] muveeNowCameraArrival\ "Provider" = "muveeNow 2.0" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""d:\Programme\muvee Technologies\muveeNow 2.0 - Creative\muveeapp.exe" /Camera" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] NeroAutoPlay7VideoCapture\ "Provider" = "Nero Vision" "ProgID" = "Shell.HWEventHandlerShellExecute" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] NeroAutoPlay8AudioToNeroDigital\ "Provider" = "Nero Burning ROM" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"] NeroAutoPlay8CDAudio\ "Provider" = "Nero Express" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "CDAudio_HandleCDBurningOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"] NeroAutoPlay8CopyCD\ "Provider" = "Nero Burning ROM" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero Burning Rom\nero.exe /Dialog iscCopy %L" ["Nero AG"]NeroAutoPlay8DataDisc_CD\ "Provider" = "Nero Express" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"] NeroAutoPlay8DataDisc_DVD\ "Provider" = "Nero Express" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media VD %L" ["Nero AG"]NeroAutoPlay8LaunchNeroStartSmart\ "Provider" = "Nero StartSmart" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"] NeroAutoPlay8PlayAudioCD\ "Provider" = "Nero ShowTime" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"] NeroAutoPlay8PlayDVD\ "Provider" = "Nero ShowTime" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"] NeroAutoPlay8RipCD\ "Provider" = "Nero Burning ROM" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "RipCD_PlayCDAudioOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"] NeroAutoPlay8TranscodeVideo\ "Provider" = "Nero Recode" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"] NeroAutoPlay8VideoCapture\ "Provider" = "Nero Vision" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""D:\Programme\Nero 8\Nero Vision\NeroVision.exe" /New:VideoCapture" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] NeroAutoPlay8ViewPhotos\ "Provider" = "Nero PhotoSnap Viewer" "InvokeProgID" = "Nero.AutoPlay8" "InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival" HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "D:\Programme\Nero 8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"] NMMPlayCDAudioOnArrival\ "Provider" = "Nokia Music Manager" "InvokeProgID" = "NokiaMusicManager" "InvokeVerb" = "NMMPlayCD" HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "D:\Programme\Nokia\Nokia PC Suite 6\MusicManager.exe /playCD "%L"" ["Nokia"] NMMRipCDAudioOnArrival\ "Provider" = "Nokia Music Manager" "InvokeProgID" = "NokiaMusicManager" "InvokeVerb" = "NMMRipCD" HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "D:\Programme\Nokia\Nokia PC Suite 6\MusicManager.exe /ripCD "%L"" ["Nokia"] PDirDVArrival\ "Provider" = "PowerDirector" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = "d:\Programme\Cyberlink\PowerDirector\PDR.exe /DV" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] PDVDPlayCDAudioOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "AudioCD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD\Command\(Default) = ""D:\Programme\CyberLink\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."] PDVDPlayDVDMovieOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "DVD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""d:\Programme\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."] PDVDPlayVCDMovieOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "VCD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD\Command\(Default) = ""d:\Programme\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."] VLCPlayCDAudioOnArrival\ "Provider" = "VideoLAN VLC media player" "InvokeProgID" = "VLC.CDAudio" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"] VLCPlayDVDMovieOnArrival\ "Provider" = "VideoLAN VLC media player" "InvokeProgID" = "VLC.DVDMovie" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"] WinampMTPHandler\ "Provider" = "Winamp" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = "d:\Programme\Winamp\winamp.exe" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] WinampPlayMediaOnArrival\ "Provider" = "Winamp" "InvokeProgID" = "Winamp.File" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""d:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"] HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}" -> {HKLM...CLSID} = (no title provided) \LocalServer32\(Default) = ""d:\Programme\Winamp\winamp.exe"" ["Nullsoft"] Enabled Scheduled Tasks: ------------------------ "McQcTask" -> launches: "c:\programme\mcafee\mqc\QcConsol.exe 4158 0" ["McAfee, Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" -> {HKLM...CLSID} = "Winamp Toolbar" \InProcServer32\(Default) = "C:\Programme\Winamp Toolbar\winamptb.dll" ["AOL LLC"] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}" = (no title provided) -> {HKLM...CLSID} = "Contribute Toolbar" \InProcServer32\(Default) = "D:\Programme\Adobe\/Adobe Contribute CS3/contributeieplugin.dll" ["Adobe Systems Incorporated."] "{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar" -> {HKLM...CLSID} = "Winamp Toolbar" \InProcServer32\(Default) = "C:\Programme\Winamp Toolbar\winamptb.dll" ["AOL LLC"] "{D2F8F919-690B-4EA2-9FA7-A203D1E04F75}" = (no title provided) -> {HKLM...CLSID} = "StylerToolBar" \InProcServer32\(Default) = "C:\Programme\styler\TB\StylerTB.dll" ["StyleFantasist"] "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided) -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07" \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Recherchieren" {E59EB121-F339-4851-A3BA-FE49C35617C2}\ "ButtonText" = "ICQ6" "MenuText" = "ICQ6" "Exec" = "d:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Computer, Inc."] Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"] Acronis Try And Decide Service, TryAndDecideService, ""C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe"" [null data] AVM BT Connection Service, AVM BT Connection Service, "C:\Programme\avmclient\avmbtservice.exe" ["AVM Berlin"] AVM BT OBEX Service, AvmObexService, "C:\Programme\avmclient\AvmObexService.exe" ["AVM Berlin"] Creative Audio Service, CTAudSvcService, "C:\Programme\Creative\Shared Files\CTAudSvc.exe" ["Creative Technology Ltd"] Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"] Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Programme\Cyberlink\Shared files\RichVideo.exe"" [empty string] FinePrint Dispatcher v5, FinePrint Dispatcher v5, ""C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /service" ["FinePrint Software, LLC"] Intel(R) Matrix Storage Event Monitor, IAANTMON, "C:\Programme\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"] Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS] McAfee Network Agent, McNASvc, ""c:\programme\gemeinsame dateien\mcafee\mna\mcnasvc.exe"" ["McAfee, Inc."] McAfee Proxy Service, McProxy, "c:\PROGRA~1\GEMEIN~1\mcafee\mcproxy\mcproxy.exe" ["McAfee, Inc."] McAfee Real-time Scanner, McShield, "C:\Programme\McAfee\VirusScan\McShield.exe" ["McAfee, Inc."] McAfee Services, mcmscsvc, "C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe" ["McAfee, Inc."] McAfee SystemGuards, McSysmon, "C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe" ["McAfee, Inc."] Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "D:\Programme\Nero 8\Nero BackItUp\NBService.exe" ["Nero AG"] nTune Service, nTuneService, "C:\Programme\NVIDIA Corporation\nTune\nTuneService.exe /StartService" ["NVIDIA"] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"] PD91Agent, PD91Agent, "D:\Programme\Raxco\PerfectDisk\PD91Agent.exe" ["Raxco Software, Inc."] PLFlash DeviceIoControl Service, PLFlash DeviceIoControl Service, "C:\WINDOWS\system32\IoctlSvc.exe" ["Prolific Technology Inc."] PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data] StarWind AE Service, StarWindServiceAE, "d:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"] TabletServiceWacom, TabletServiceWacom, "C:\WINDOWS\system32\Wacom_Tablet.exe" ["Wacom Technology, Corp."] Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]} WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Adobe PDF Port Monitor\Driver = "AdobePDF.dll" ["Adobe Systems Inc"] Canon BJ Language Monitor PIXMA iP5000\Driver = "CNMLM6d.DLL" ["CANON INC."] FPR5:\Driver = "fpmon5.dll" ["FinePrint Software, LLC"] FRITZ!fax Color Port Monitor\Driver = "FritzColorPort.dll" ["AVM Berlin GmbH"] FRITZ!fax Port Monitor\Driver = "FritzPort.dll" ["AVM Berlin GmbH"] Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] ---------- (launch time: 2008-09-29 09:42:37) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 34 seconds, including 5 seconds for message boxes) Noch zu erwähnen wäre, das ich keinerlei Probleme feststellen kann...alles läuft scheinbar reibungslos. Ich würde die gefundenen Dinge dennoch gerne los. DANKE! |
|
29.09.2008, 22:14
| #4 |
| | "Trojan-Downloader.Win32.Small.eqn" Jemand, der mir was zu meinen Logs usw sagen kann? Wäre sehr dankbar  |
|
30.09.2008, 12:00
| #5 |
| | "Trojan-Downloader.Win32.Small.eqn" Wie werde ich den im Titel genannten Trojaner los? Systemwiederherstellung ausschalten hat nichts gebracht.... Danke für Eure Hilfe! |
|
01.10.2008, 00:34
| #6 |
| /// TB-Ausbilder     | "Trojan-Downloader.Win32.Small.eqn" Hi, erstelle bitte ein log mit der aktuellen HijackThis version. Du nutzt eine Beta. Arbeite bitte auch folgendes ab: ComboFix Ein Leitfaden und Tutorium zur Nutzung von ComboFix
Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat! Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten. lg myrtille
__________________ --> "Trojan-Downloader.Win32.Small.eqn" |
|
02.10.2008, 14:04
| #7 |
| | "Trojan-Downloader.Win32.Small.eqn" So, hier der Bericht von Drweb nach einem neuen Scan: ComboFix.exe\32788R22FWJFW\C.bat;C:\Dokumente und Einstellungen\Egoist\Desktop\ComboFix.exe;Wahrscheinlich BATCH.Virus;; ComboFix.exe\32788R22FWJFW\List-C.bat;C:\Dokumente und Einstellungen\Egoist\Desktop\ComboFix.exe;Wahrscheinlich BATCH.Virus;; ComboFix.exe\32788R22FWJFW\psexec.cfexe;C:\Dokumente und Einstellungen\Egoist\Desktop\ComboFix.exe;Program.PsExec.171;; ComboFix.exe;C:\Dokumente und Einstellungen\Egoist\Desktop;Archiv enthält infizierte Objekte;Verschoben.; A0000015.bat;C:\System Volume Information\_restore{8C2A3581-F3B6-4CCE-9173-A90F7D928B25}\RP2;Wahrscheinlich BATCH.Virus;; A0000035.EXE;C:\System Volume Information\_restore{8C2A3581-F3B6-4CCE-9173-A90F7D928B25}\RP2;Program.PsExec.170;; A0000039.bat;C:\System Volume Information\_restore{8C2A3581-F3B6-4CCE-9173-A90F7D928B25}\RP2;Wahrscheinlich BATCH.Virus;; A0001810.exe\32788R22FWJFW\C.bat;C:\System Volume Information\_restore{8C2A3581-F3B6-4CCE-9173-A90F7D928B25}\RP2\A0001810.exe;Wahrscheinlich BATCH.Virus;; A0001810.exe\32788R22FWJFW\List-C.bat;C:\System Volume Information\_restore{8C2A3581-F3B6-4CCE-9173-A90F7D928B25}\RP2\A0001810.exe;Wahrscheinlich BATCH.Virus;; A0001810.exe\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{8C2A3581-F3B6-4CCE-9173-A90F7D928B25}\RP2\A0001810.exe;Program.PsExec.171;; A0001810.exe;C:\System Volume Information\_restore{8C2A3581-F3B6-4CCE-9173-A90F7D928B25}\RP2;Archiv enthält infizierte Objekte;Verschoben.; Der hat wohl Combofix als Virus erkannt Sonst wohl nichts mehr gefunden.... |
|
02.10.2008, 17:55
| #8 | |
| /// TB-Ausbilder | "Trojan-Downloader.Win32.Small.eqn" Hi, ja das ist offenscihtlich Combofix.  Mich hätte interessiert wqelche Dateien entfernt wurden, daher hätte cih den Bericht gerne gesehen. Das er jetzt nichts mehr findet, bringt mir daher nicht viel. eScan ist eine Maschine zum Fehlalarm produzieren. Eventuell diese Datei: C:\autorun.inf löschen... alles andere dürfte nicht schädlcih sein. Den Eintrag kannst du noch fixen: Zitat:
lg myrtille
__________________ Anfragen per Email, Profil- oder privater Nachricht werden ignoriert! Hilfe gibts NUR im Forum! Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM Spelling mistakes? Never, but keybaord malfunctions constantly! |
|
02.10.2008, 18:01
| #9 |
| | "Trojan-Downloader.Win32.Small.eqn" Verzeihung...da war ich zu schnell Eintrag ist gefixed. autorun.inf ist von combofix gelöscht worden... wie deinstalliere ich denn nun am besten combofix, escan und drweb? Soweit ich gesehen habe gibt es keine uninstall Einträge... und überhaupt, bin ich wieder clean? Wenn ja riesen großes DANKEEEEEE! |
|
02.10.2008, 18:46
| #10 |
| /// TB-Ausbilder | "Trojan-Downloader.Win32.Small.eqn" Hi, zumindest sieht man in deinen Logs keine bösartigen Einträge mehr. Deinstalliere bitte Combofix in dem du unter Start->Ausführen-> "%userprofile%\Desktop\Combofix.exe" /u eingibst. eScan liegt komplett im Temp-Ordner, da brauchst du nur deine temporären Dateien löschen und weg ist es. lg myrtille
__________________ Anfragen per Email, Profil- oder privater Nachricht werden ignoriert! Hilfe gibts NUR im Forum! Wer nach 24 Stunden keine weitere Antwort von mir bekommen hat, schickt bitte eine PM Spelling mistakes? Never, but keybaord malfunctions constantly! |
|
02.10.2008, 19:09
| #11 |
| | "Trojan-Downloader.Win32.Small.eqn" Dankeeeee!!!! |
|
| Themen zu "Trojan-Downloader.Win32.Small.eqn" |
| abgesicherten modus, antivirus, backdoor, banke, banken, bho, bonjour, browseui preloader, canon, computer, dateisystem, desktop, disk director, drivers, excel, fehlalarm, fehler, firefox, handel, hijack, hijackthis, hkus\s-1-5-18, hängen, internet, internet explorer, konvertieren, maßnahme, mozilla, pdf-datei, prozesse, registrierungsdatenbank, rundll, server, software, solution, sptd.sys, spyware, system, windows, windows xp, windows xp sp3, windows\system32\drivers, xp prof sp3, xp sp3, zu lang |
Hybrid-Darstellung
