Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: Rootkits oder Trojaner im Computer?

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

 
Alt 16.11.2008, 11:03   #1
hfmei
 
Rootkits oder Trojaner im Computer? - Standard

Rootkits oder Trojaner im Computer?



Hallo,
Ich brauche Hilfe. In meinem LapTop ist Windows XP prof. (software und Tastatur in englisch) mit SP3 installiert.
Nach der installieren vom SP3 bzw. kurze Zeit spaeter wurde der Rechner immer langsamer. Darauf hin habe ich mit Gmer, Icesword, Rootkit Unhooker, Silent Runners und USEC Radix den Rechner gescant. Habe diverse Hooks in der SSDT gefunden die aber von Zonealarm (vsdatant.sys) und Rising Antivirus (hookhelp.sys) erstellt wurden.
Neu sind aber in der IAT diverse Code Hooks.
Drei neue [unknown_code_page] Code Hooks und diverse Codehooks durch die Datei: ShimEng.dll
Wenn ich die zwei letztgenannten Code Hooks alle mit Fixchecked zurueck setze, laeuft der Rechner wieder etwas besser.
Benutzt Microsoft Rootkit Techniken und fuer was sind die Code Hooks gut, wenn mein Rechner ohne diese besser laeuft.
Es ist natuerlich aeusserst umstaendlich nach jedem Bootvorgang diese Code Hooks zu beseitigen.
Habe dann mit Combofix einen Scan gemacht, werde aber dieses Programm nicht mehr verwenden, da trotz uninstall das Programm mir undokumentiert mindestens 10 *.exe dateien in das Verzeichnis C:\Windows gespeichert hat.
Das Programm Viruskeeper hat dieses festgestellt und sie wieder entfernt.
Hier nun die HJT log Datei
Code:
ATTFilter
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:19 AM, on 11/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rising\Rav\CCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRAM FILES\RISING\RAV\ravmond.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRAM FILES\RISING\RAV\RavStub.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AxBx\VirusKeeper 2008 Pro\vk_service.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\RISING\RAV\RavMon.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\AxBx\VirusKeeper 2008 Pro\VirusKeeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Down\actual\New\Antispy\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 10
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [RavTask] "C:\Program Files\Rising\Rav\RavTask.exe" -system
O4 - HKLM\..\Run: [VirusKeeper] C:\Program Files\AxBx\VirusKeeper 2008 Pro\VirusKeeper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Rising Process Communication Center (RsCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCenter.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\PROGRAM FILES\RISING\RAV\Ravmond.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: VirusKeeper antivirus/antispyware (vkservice) - AxBx - C:\Program Files\AxBx\VirusKeeper 2008 Pro\vk_service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4433 bytes
         
Als Ergaenzung noch Silent Runner log Datei
Code:
ATTFilter
 
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"00THotkey" = "C:\WINDOWS\system32\00THotkey.exe" ["TOSHIBA Corp."]
"Tpwrtray" = "TPWRTRAY.EXE" ["TOSHIBA Corporation"]
"TFncKy" = "TFncKy.exe /Type 10" ["Toshiba Corporation"]
"TosHKCW.exe" = "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" ["TOSHIBA CORPORATION"]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc.                    "]
"EPSON Stylus CX6400" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0L2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"" ["SEIKO EPSON CORPORATION"]
"RavTask" = ""C:\Program Files\Rising\Rav\RavTask.exe" -system" ["Beijing Rising Information Technology Co., Ltd."]
"VirusKeeper" = "C:\Program Files\AxBx\VirusKeeper 2008 Pro\VirusKeeper.exe" ["AxBx"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\(Default) = "ZoneAlarm Spy Blocker BHO"
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker BHO"
                   \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{00000000-0001-0001-0000-000000000000}" = "shredderse"
  -> {HKLM...CLSID} = "shredderse"
                   \InProcServer32\(Default) = "c:\program files\steganos trace destructor 6.5\shredderse.dll" [null data]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\MSOffice\Office\OLKFSTUB.DLL" [MS]
"{46E22146-59C0-4136-9233-52E412E2B428}" = "EzCddax extension"
  -> {HKLM...CLSID} = "EzCddax Class"
                   \InProcServer32\(Default) = "C:\Program Files\Easy CD-DA Extractor 7\ezcddax.dll" [null data]
"{1C7593CB-C1CC-4BA7-BE52-8EEA47F9CB1D}" = "RISING"
  -> {HKLM...CLSID} = "MenuShlExt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\RavExt.dll" ["Beijing Rising Information Technology Co., Ltd."]
"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Shell Extension"
  -> {HKLM...CLSID} = "a-squared Free Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{32CD708B-60A7-4C00-9377-D73EAA495F0F}" = "Rising Execute File Exts hook"
  -> {HKLM...CLSID} = "ShlExecHack Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\RavExt.dll" ["Beijing Rising Information Technology Co., Ltd."]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"bsmain" ["Beijing Rising Information Technology Co., Ltd."]| [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
EzCddax\(Default) = "{46E22146-59C0-4136-9233-52E412E2B428}"
  -> {HKLM...CLSID} = "EzCddax Class"
                   \InProcServer32\(Default) = "C:\Program Files\Easy CD-DA Extractor 7\ezcddax.dll" [null data]
RisingRavExt\(Default) = "{1C7593CB-C1CC-4BA7-BE52-8EEA47F9CB1D}"
  -> {HKLM...CLSID} = "MenuShlExt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\RavExt.dll" ["Beijing Rising Information Technology Co., Ltd."]
shredderse\(Default) = "{00000000-0001-0001-0000-000000000000}"
  -> {HKLM...CLSID} = "shredderse"
                   \InProcServer32\(Default) = "c:\program files\steganos trace destructor 6.5\shredderse.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
RisingRavExt\(Default) = "{1C7593CB-C1CC-4BA7-BE52-8EEA47F9CB1D}"
  -> {HKLM...CLSID} = "MenuShlExt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\RavExt.dll" ["Beijing Rising Information Technology Co., Ltd."]
shredderse\(Default) = "{00000000-0001-0001-0000-000000000000}"
  -> {HKLM...CLSID} = "shredderse"
                   \InProcServer32\(Default) = "c:\program files\steganos trace destructor 6.5\shredderse.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
  -> {HKLM...CLSID} = "a-squared Free Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
RisingRavExt\(Default) = "{1C7593CB-C1CC-4BA7-BE52-8EEA47F9CB1D}"
  -> {HKLM...CLSID} = "MenuShlExt Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\RavExt.dll" ["Beijing Rising Information Technology Co., Ltd."]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Free Shell Extension\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"
  -> {HKLM...CLSID} = "a-squared Free Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\a-squared Free\a2freecontmenu.dll" ["Emsi Software GmbH"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.scr\(Default) = "AutoCADScriptFile"
<<!>> HKLM\SOFTWARE\Classes\AutoCADScriptFile\shell\open\command\(Default) = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"disableregistrytools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"disablecmd" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\hfmei\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

EZCDDAXAutoPlayAudioCD\
"Provider" = "Easy CD-DA Extractor 7"
"InvokeProgID" = "ezcddax.AutoPlay"
"InvokeVerb" = "AudioCD"
HKLM\SOFTWARE\Classes\ezcddax.AutoPlay\shell\AudioCD\command\(Default) = ""C:\Program Files\Easy CD-DA Extractor 7\ezcddax.exe" -nn" ["Jukka Poikolainen"]

EZCDDAXAutoPlayBlankCD\
"Provider" = "Easy CD-DA Extractor 7"
"InvokeProgID" = "ezcddax.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\ezcddax.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Program Files\Easy CD-DA Extractor 7\ezcddax.exe" -nn" ["Jukka Poikolainen"]

NeroAutoPlay2CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CopyCD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]

Rising.Rav.20\
"Provider" = "Rising Antivirus"
"InvokeProgID" = "Rising.Rav.20"
"InvokeVerb" = "Ravopen"
HKLM\SOFTWARE\Classes\Rising.Rav.20\shell\Ravopen\command\(Default) = "C:\Program Files\Rising\Rav\Rav.exe %1" ["Beijing Rising Information Technology Co., Ltd."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 12
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker"
                   \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker"
                   \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{916C1EF1-CA89-4F1B-AFDA-3CA85BD0F831}\(Default) = "ZoneAlarm PopBlocker"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Rising Process Communication Center, RsCCenter, ""C:\Program Files\Rising\Rav\CCenter.exe"" ["Beijing Rising Information Technology Co., Ltd."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
VirusKeeper antivirus/antispyware, vkservice, "C:\Program Files\AxBx\VirusKeeper 2008 Pro\vk_service.exe" ["AxBx"]


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "Lkbdflt2" ["Logitech"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
PDF-XChange\Driver = "pxc25pm.dll" ["Tracker Software"]


---------- (launch time: 2008-11-16 09:21:45)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 446 seconds, including 7 seconds for message boxes)
         
Gruesse
hfmei

Geändert von hfmei (16.11.2008 um 11:31 Uhr)

 

Themen zu Rootkits oder Trojaner im Computer?
7-zip, adobe, antivirus, application, bho, bootvorgang, browser, combofix, computer, desktop, down, finds, gpedit.msc, helper, hijack, hijackthis, internet, internet explorer, launch, log datei, malware, monitor, nero.exe, nodrives, notepad.exe, programm, registry, rootkit, saver, shortcut, shut down, software, system, tastatur, tracker, trojaner, usb, windows, windows xp, windows xp sp3, xp sp3




Ähnliche Themen: Rootkits oder Trojaner im Computer?


  1. Computer wird immer langsamer - Viren/Malware oder Trojaner?
    Plagegeister aller Art und deren Bekämpfung - 03.05.2015 (16)
  2. Befinden sich noch Trojaner (dropper.gen; win32.downloader.gen)auf meinem Computer oder nicht?
    Log-Analyse und Auswertung - 02.06.2014 (7)
  3. Trojaner - Achtung! Ihr Computer ist aus einem oder mehreren der unten aufgeführten Gründe gesperrt.
    Log-Analyse und Auswertung - 07.12.2013 (13)
  4. GVU Trojaner: Achtung! Ihr Computer ist aus einem oder mehreren der unten ausgeführten Gründen gesperrt.
    Log-Analyse und Auswertung - 17.08.2013 (7)
  5. Trojaner oder Virus blockiert Computer – und will Geld überweisen
    Plagegeister aller Art und deren Bekämpfung - 19.12.2012 (13)
  6. Virus oder Trojaner auf dem Computer führt zu Problemen, evtl. Conficker
    Plagegeister aller Art und deren Bekämpfung - 29.11.2012 (25)
  7. Laptop voller Trojaner! ATRAPS, Rootkits...
    Log-Analyse und Auswertung - 19.09.2012 (3)
  8. GVU Trojaner mit 100€ Zahlungsaufforderung "Ihr computer ist aus einem oder mehreren der unten aufgeführten Gründe gesperrt."
    Log-Analyse und Auswertung - 10.09.2012 (12)
  9. GVU-Trojaner: Ihr Computer wurde aus einem oder mehreren ... WIN XP
    Plagegeister aller Art und deren Bekämpfung - 06.09.2012 (10)
  10. (2x) GVU Trojaner mit 100€ Zahlungsaufforderung "Ihr computer ist aus einem oder mehreren der unten aufgeführten Gründe gesperrt."
    Mülltonne - 01.09.2012 (1)
  11. GVU Trojaner mit 100€ Zahlungsaufforderung "Ihr computer ist aus einem oder mehreren der unten aufgeführten Gründe gesperrt."
    Log-Analyse und Auswertung - 20.08.2012 (13)
  12. Trojaner TR/Atraps.gen2/TR, Crypt.ULPM.Gen, TR/Nedsym.G.400 und Rootkits
    Plagegeister aller Art und deren Bekämpfung - 06.08.2012 (44)
  13. Kann man Trojaner und Rootkits erst nach Wochen entdecken
    Alles rund um Windows - 05.07.2011 (4)
  14. Total verseucht: Rootkits, Trojaner und Viren auf Laptop, PC und ext. Festplatten
    Log-Analyse und Auswertung - 30.03.2009 (8)
  15. Downloader trojaner und rootkits!!!
    Plagegeister aller Art und deren Bekämpfung - 15.02.2009 (4)
  16. Trojaner, Rootkits,...bitte um Hilfe
    Log-Analyse und Auswertung - 02.02.2009 (2)
  17. Wieder Trojaner, Rootkits und anderes?
    Plagegeister aller Art und deren Bekämpfung - 16.09.2008 (6)

Zum Thema Rootkits oder Trojaner im Computer? - Hallo, Ich brauche Hilfe. In meinem LapTop ist Windows XP prof. (software und Tastatur in englisch) mit SP3 installiert. Nach der installieren vom SP3 bzw. kurze Zeit spaeter wurde der - Rootkits oder Trojaner im Computer?...
Archiv
Du betrachtest: Rootkits oder Trojaner im Computer? auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.