Avira AntiVir finds Trojan a.bat (forum thread, section "Plagegeister aller Art und deren Bekämpfung")

24.11.2008, 17:27 | #1
Hello,

My AntiVir keeps finding the virus in the file a.bat. From reading up on it I learned that it is a Trojan. I can always delete it or deny access, but after a restart the error message comes right back. Now there are also 2 further alerts in My Documents (Eigene Dateien). Please help me delete the virus. I'd be grateful for programs to do that. HijackThis says the following:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:19:26, on 24.11.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\slserv.exe
c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\ICQ6\ICQ.exe
C:\WINDOWS\system32\syx.exe
C:\Programme\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Programme\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\PC Connectivity Solution\ServiceLayer.exe
C:\Programme\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programme\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Programme\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Programme\Gemeinsame Dateien\Nokia\MPAPI\MPAPI3s.exe
C:\Programme\Skype\Plugin Manager\SkypePM.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\HP\Smart Web Printing\hpswp_clipbook.exe
C:\DOKUME~1\SEBAST~1\LOKALE~1\Temp\Rar$EX00.578\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programme\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Programme\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [myspacce] C:\WINDOWS\system32:myspacce.exe
O4 - HKLM\..\Run: [System Updater Machine ] syx.exe
O4 - HKLM\..\RunServices: [System Updater Machine ] syx.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Programme\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programme\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Sammelmappe - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Intelligente Auswahl - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.schueler.cc/uploader/ImageUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?978306409921
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - http://www.schueler.cc/uploader/ImageUploader5.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9930 bytes
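The O4 lines of a HijackThis log are the autostart entries, and three of the entries in the log above stand out for purely structural reasons: `C:\WINDOWS\system32:myspacce.exe` carries a colon inside the path (an NTFS alternate data stream attached to the system32 directory, which is what Malwarebytes later reports as Rootkit.ADS), and `syx.exe` is registered under both Run and the Windows 9x-era RunServices key as a bare file name with no directory and a padded value name. The following script is an added example, not code from the thread or from HijackThis; it parses O4 lines with a regular expression of my own and applies those heuristics to a constructed sample modelled on the log. The reason strings and the rundll32 handling are my assumptions; the output is a list of entries that deserve a closer look, not a verdict.

```python
import re

# Constructed sample: O4 autostart lines modelled on the HijackThis log in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [myspacce] C:\WINDOWS\system32:myspacce.exe
O4 - HKLM\..\Run: [System Updater Machine ] syx.exe
O4 - HKLM\..\RunServices: [System Updater Machine ] syx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

# One HijackThis O4 line has the shape "O4 - <hive>\..\<key>: [<value name>] <command>".
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_o4(line):
    """Split one O4 line into hive, key, value name and command; None for other lines."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def launch_target(cmd):
    """Return the file that actually gets loaded: the first token of the command,
    or the DLL handed to rundll32 (rundll32 itself is only the host process)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32.exe", "rundll32"):
        return rest.strip().split(",", 1)[0]
    return head


def assess(entry, target):
    """Reasons an autostart entry deserves a closer look (heuristics, not verdicts)."""
    reasons = []
    # A colon after the drive letter denotes an NTFS alternate data stream,
    # e.g. C:\WINDOWS\system32:myspacce.exe is a stream attached to the system32 directory.
    if ":" in target[2:]:
        reasons.append("alternate data stream path")
    # No directory at all: Windows resolves the name through the PATH search order.
    if "\\" not in target:
        reasons.append("bare file name (no directory path)")
    # RunServices is a Windows 9x-era key; current legitimate installers rarely write it.
    if entry["key"].lower() == "runservices":
        reasons.append("legacy RunServices key")
    # Padding in the value name is a cheap way to look like a different, familiar entry.
    if entry["name"] != entry["name"].strip():
        reasons.append("leading/trailing whitespace in value name")
    return reasons


def suspicious_autostarts(log_text):
    """Return (key, value name, target, reasons) for every flagged O4 line, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        target = launch_target(entry["cmd"])
        reasons = assess(entry, target)
        if reasons:
            findings.append((entry["key"], entry["name"].strip(), target, reasons))
    return findings


if __name__ == "__main__":
    for key, name, target, reasons in suspicious_autostarts(SAMPLE_HJT):
        print(f"{key:12} [{name}] -> {target}: {', '.join(reasons)}")
```

Run against the sample, the script flags only the three entries discussed above and leaves avgnt, ctfmon and the NVIDIA rundll32 line alone. Bare names such as `nwiz.exe` in the real log will also be flagged; that is intended, since the check only says the path is unresolved, and the next step is to confirm where Windows actually finds the file.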
24.11.2008, 17:43 | #2
/// Winkelfunktion /// TB-Süch-Tiger™

Hello and

Work through these points for further analysis:

1.) Make sure that all files are shown to you, then have the following files analysed at Virustotal.com and post all results, in such a way that the results of the individual virus scanners can be seen. Please include file sizes and checksums:
Code:
C:\WINDOWS\system32\syx.exe
C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

3.) Run this MBR tool and post the output.

4.) Run Blacklight and Malwarebytes Anti-Malware and post the logfiles. Before running Malwarebytes, switch off your virus scanner's guard!!

5.) Run Silentrunners according to these instructions and post the logfile (enclosed in code tags); if it is too large you can upload it (zipped) to file-upload.net and link it here.

6.) ComboFix
A guide and tutorial on using ComboFix
ComboFix may only be run if a competent helper has explicitly recommended it!
Note: ComboFix disables the autostart function of all CD / DVD and USB drives in order to contain spreading. If this causes problems, post them in the thread.
Please post all logfiles enclosed in code tags (#-button), i.e. like this:
HTML-Code:
[code]
Paste the logfile here!
[/code]

Upload this listing.txt e.g. to File-Upload.net and link it here, since this logfile is too large for the board.

8.) Post a new HijackThis logfile; use this renamed hijackthis.exe for it. Edit out the links and private information!!
24.11.2008, 17:56 | #3

Quote: "then have the following files analysed at Virustotal.com and post all results, in such a way that the results of the individual virus scanners can be seen. Please include file sizes and checksums:"

Code:
C:\WINDOWS\system32\syx.exe

Datei syx.exe empfangen 2008.11.24 17:50:14 (CET)
Ergebnis: 6/37 (16.22%)

Antivirus   Version   letzte aktualisierung   Ergebnis
AhnLab-V3   2008.11.24.3   2008.11.24   -
AntiVir   7.9.0.35   2008.11.24   -
Authentium   5.1.0.4   2008.11.24   -
Avast   4.8.1281.0   2008.11.23   -
AVG   8.0.0.199   2008.11.24   PSW.OnlineGames.BHOQ
BitDefender   7.2   2008.11.24   -
CAT-QuickHeal   10.00   2008.11.24   -
ClamAV   0.94.1   2008.11.24   -
DrWeb   4.44.0.09170   2008.11.24   -
eSafe   7.0.17.0   2008.11.24   -
eTrust-Vet   31.6.6225   2008.11.24   -
Ewido   4.0   2008.11.24   -
F-Prot   4.4.4.56   2008.11.24   -
F-Secure   8.0.14332.0   2008.11.24   Trojan-GameThief.Win32.Steam.a
Fortinet   3.117.0.0   2008.11.24   -
GData   19   2008.11.24   -
Ikarus   T3.1.1.45.0   2008.11.24   Trojan-GameThief.Win32.Steam
K7AntiVirus   7.10.532   2008.11.24   -
Kaspersky   7.0.0.125   2008.11.24   Trojan-GameThief.Win32.Steam.a
McAfee   5443   2008.11.23   -
McAfee+Artemis   5443   2008.11.23   Generic!Artemis
Microsoft   1.4104   2008.11.24   -
NOD32   3636   2008.11.24   -
Norman   5.80.02   2008.11.22   -
Panda   9.0.0.4   2008.11.24   -
PCTools   4.4.2.0   2008.11.24   -
Prevx1   V2   2008.11.24   -
Rising   21.05.02.00   2008.11.24   -
SecureWeb-Gateway   6.7.6   2008.11.24   -
Sophos   4.35.0   2008.11.24   -
Sunbelt   3.1.1823.2   2008.11.22   -
Symantec   10   2008.11.24   -
TheHacker   6.3.1.1.161   2008.11.24   -
TrendMicro   8.700.0.1004   2008.11.24   -
VBA32   3.12.8.9   2008.11.23   -
ViRobot   2008.11.24.1483   2008.11.24   Spyware.PSW.Steam.436224
VirusBuster   4.5.11.0   2008.11.24   -

weitere Informationen
File size: 436224 bytes
MD5...: 75758e26f7e9bb7f08c17d2647106faf
SHA1..: c180a88c620805f4f028a58e53518291ae2a0863
SHA256: 97bce4a45d9ebacdb827a1b9b4d189d10105df2ab448aca446bf858e81fb060e
SHA512: 4b07cc1d4c5637f608ed9b4152f5b8629f5236fd45520a85ed5cdf8555badd4b0aa5fc402782f27a8b55e978e179e2494a798219ad7415010732f48e77360a0f
ssdeep: 12288:8tScgBUK6cSAjC063pcgBUK6cSAjC0639:5JZSAjChpJZSAjCh9
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40157d
timedatestamp.....: 0x490b872b (Fri Oct 31 22:31:07 2008)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4118 0x4200 6.56 5cf0331094d6b192740385f2e71daed1
.rdata 0x6000 0x12ee 0x1400 4.63 97ba66453be6ebfb984edd6924021678
.data 0x8000 0x858 0x400 2.14 90a9bb3cf9b1b42d9218fccf7a10887d
.rsrc 0x9000 0x32498 0x32600 8.00 151d811c0f2fe386df06f849540a992a
( 1 imports )
> KERNEL32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA, LoadResource, SizeofResource, FindResourceA, CreateMutexA, OpenMutexA, GetModuleFileNameA, ExitProcess, GetStartupInfoA, GetCommandLineA, GetVersionExA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, WriteFile, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapDestroy, HeapCreate, VirtualFree, HeapFree, RtlUnwind, InterlockedExchange, VirtualQuery, GetACP, GetOEMCP, GetCPInfo, HeapAlloc, VirtualAlloc, HeapReAlloc, HeapSize, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, VirtualProtect, GetSystemInfo
( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=75758e26f7e9bb7f08c17d2647106faf
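The PEInfo block in this report carries a detail worth reading even when only 6 of 37 engines fire: the `ntrpy` column gives each section's byte entropy, and `.rsrc` sits at 8.00 (the maximum, i.e. the bytes look random) while holding roughly 90% of the file on disk. Together with an import list limited to KERNEL32 but including FindResourceA, LoadResource, SizeofResource, VirtualAlloc and VirtualProtect, that is the usual shape of a small loader carrying a compressed or encrypted payload as a resource. High entropy alone is not proof (compressed icons and images also score high), so it is a prompt for sandboxing or unpacking rather than a verdict. The script below is an added example, not code from the thread or from VirusTotal: it parses the section table exactly as printed above (copied into an inline string) and reports which sections exceed an entropy threshold and what share of the raw file they occupy, and it includes a Shannon entropy function so the 8.00 figure can be reproduced on bytes of your own. The threshold of 7.0 is my assumption.

```python
import math

# Constructed input: the "( 4 sections )" table copied from the VirusTotal PEInfo block
# above. Columns: name, virtual address, virtual size, raw (on-disk) size, entropy, md5.
SECTION_TABLE = """\
.text  0x1000 0x4118  0x4200  6.56 5cf0331094d6b192740385f2e71daed1
.rdata 0x6000 0x12ee  0x1400  4.63 97ba66453be6ebfb984edd6924021678
.data  0x8000 0x858   0x400   2.14 90a9bb3cf9b1b42d9218fccf7a10887d
.rsrc  0x9000 0x32498 0x32600 8.00 151d811c0f2fe386df06f849540a992a
"""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 when all 256 byte values are equally
    frequent, which is what compressed or encrypted data looks like."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(table: str):
    """Turn the six-column VirusTotal section table into a list of dicts."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or header lines
        name, vaddr, vsize, rawsize, ntrpy, md5 = parts
        rows.append({
            "name": name,
            "vaddr": int(vaddr, 16),
            "vsize": int(vsize, 16),
            "rawsize": int(rawsize, 16),
            "entropy": float(ntrpy),
            "md5": md5,
        })
    return rows


def high_entropy_share(sections, threshold=7.0):
    """Fraction of the on-disk bytes that live in sections at or above the entropy
    threshold, plus the names of those sections. A large share in a non-code section
    (.rsrc here) is the pattern worth following up."""
    total = sum(s["rawsize"] for s in sections)
    hot = [s for s in sections if s["entropy"] >= threshold]
    share = sum(s["rawsize"] for s in hot) / total if total else 0.0
    return share, [s["name"] for s in hot]


if __name__ == "__main__":
    secs = parse_sections(SECTION_TABLE)
    share, names = high_entropy_share(secs)
    print(f"high-entropy sections: {names}, {share:.1%} of raw file size")
    # Reference points for the ntrpy column, computed on constructed data.
    print("uniform bytes:", shannon_entropy(bytes(range(256)) * 4))
    print("constant bytes:", shannon_entropy(b"A" * 1024))
```

For the syx.exe table this prints `.rsrc` as the only high-entropy section at about 90% of the file. The same parser applies unchanged to the five-section table in the ShoppingReport.dll report later in the thread, where no section crosses the threshold.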
24.11.2008, 17:58 | #4
/// Winkelfunktion /// TB-Süch-Tiger™

Code:
Kaspersky 7.0.0.125 2008.11.24 Trojan-GameThief.Win32.Steam.a

__________________
Always post logfiles in CODE tags
24.11.2008, 18:01 | #5

No, I don't play any games at all on this computer... far too underpowered.
24.11.2008, 18:02 | #6
/// Winkelfunktion /// TB-Süch-Tiger™

OK. Because otherwise you would have a problem: you've got malware in there that steals Steam data... Please keep working through the list.
24.11.2008, 18:02 | #7

Quote: "then have the following files analysed at Virustotal.com and post all results, in such a way that the results of the individual virus scanners can be seen. Please include file sizes and checksums:"

Code:
C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll

Datei ShoppingReport.dll empfangen 2008.11.24 17:57:49 (CET)
Ergebnis: 24/37 (64.87%)

Antivirus   Version   letzte aktualisierung   Ergebnis
AhnLab-V3   2008.11.24.3   2008.11.24   -
AntiVir   7.9.0.35   2008.11.24   ADSPY/Shopper.V.1
Authentium   5.1.0.4   2008.11.24   W32/Adware.ABWN
Avast   4.8.1281.0   2008.11.23   -
AVG   8.0.0.199   2008.11.24   -
BitDefender   7.2   2008.11.24   Adware.Generic.29279
CAT-QuickHeal   10.00   2008.11.24   -
ClamAV   0.94.1   2008.11.24   -
DrWeb   4.44.0.09170   2008.11.24   Adware.Shoper
eSafe   7.0.17.0   2008.11.24   -
eTrust-Vet   31.6.6225   2008.11.24   -
Ewido   4.0   2008.11.24   Not-A-Virus.Adware.Shopper
F-Prot   4.4.4.56   2008.11.24   W32/Adware.ABWN
F-Secure   8.0.14332.0   2008.11.24   AdWare.Win32.Shopper.v
Fortinet   3.117.0.0   2008.11.24   Adware/Shopper
GData   19   2008.11.24   Adware.Generic.29279
Ikarus   T3.1.1.45.0   2008.11.24   not-a-virus:AdWare.Win32.Shopper.v
K7AntiVirus   7.10.532   2008.11.24   not-a-virus:AdWare.Win32.Shopper.v
Kaspersky   7.0.0.125   2008.11.24   not-a-virus:AdWare.Win32.Shopper.v
McAfee   5443   2008.11.23   potentially unwanted program SmartShopper
McAfee+Artemis   5443   2008.11.23   potentially unwanted program SmartShopper
Microsoft   1.4104   2008.11.24   Adware:Win32/ZangoShoppingreports
NOD32   3636   2008.11.24   Win32/Adware.Toolbar.Shopper
Norman   5.80.02   2008.11.22   W32/Shopper.AD
Panda   9.0.0.4   2008.11.24   -
PCTools   4.4.2.0   2008.11.24   -
Prevx1   V2   2008.11.24   -
Rising   21.05.02.00   2008.11.24   -
SecureWeb-Gateway   6.7.6   2008.11.24   Ad-Spyware.Shopper.V.1
Sophos   4.35.0   2008.11.24   -
Sunbelt   3.1.1823.2   2008.11.22   Hotbar.ShopperReports
Symantec   10   2008.11.24   Adware.Hotbar
TheHacker   6.3.1.1.161   2008.11.24   Adware/Shopper.v
TrendMicro   8.700.0.1004   2008.11.24   -
VBA32   3.12.8.9   2008.11.23   AdWare.Win32.Shopper.v
ViRobot   2008.11.24.1483   2008.11.24   Adware.Shopper.1173024
VirusBuster   4.5.11.0   2008.11.24   Adware.Shopper.U

weitere Informationen
File size: 1173024 bytes
MD5...: b1a636c93c714a4aac6ff70a6d675623
SHA1..: 6eab56beb946edcd6616c60a2ad639089aa6203f
SHA256: 91937e15cc3498124ae6214311863d71ffd91110655b97f56d260b8d68707554
SHA512: 6c09e8371a87fe86d8a1265abd1b7214d8c9614c8c8a9e9efc5415ce38de248322296e4ed9244576040c96c29200db619b50f25f0bad8c30b089f3d9751db042
ssdeep: 24576:PaQykf7J/J4VkdRBg0MkUCHjF9PfFjp5kk:1DJ/J4LfMzPfFTkk
PEiD..: -
TrID..: File type identification
Windows OCX File (71.0%)
Win32 Executable MS Visual C++ (generic) (21.6%)
Win32 Executable Generic (4.9%)
Generic Win/DOS Executable (1.1%)
DOS Executable Generic (1.1%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1009817c
timedatestamp.....: 0x47a9a279 (Wed Feb 06 12:05:13 2008)
machinetype.......: 0x14c (I386)
( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xba5ca 0xbb000 6.63 a84e4f59b0a8206941d3642307121605
.rdata 0xbc000 0x323b5 0x33000 4.90 367b1088e3324ef4cd3a40fdcb8b14c2
.data 0xef000 0x7c28 0x5000 4.54 1a8b202058798a2431e7d8904f32c3d7
.rsrc 0xf7000 0x1a8b0 0x1b000 5.34 390fea099f4b5f0132a0cab82ad2b1e9
.reloc 0x112000 0xdd9c 0xe000 6.54 619e6686c3c51e41c2381b2da2f277f8
( 15 imports )
> KERNEL32.dll: CompareStringA, GetModuleHandleA, GetWindowsDirectoryA, GetSystemDirectoryA, SetLastError, GetCurrentProcessId, DeleteCriticalSection, InitializeCriticalSection, GetDriveTypeA, CreateDirectoryA, SetCurrentDirectoryA, GetCurrentDirectoryA, VirtualQuery, GetModuleFileNameA, LoadLibraryA, HeapReAlloc, lstrlenA, WaitForSingleObject, GetTickCount, LocalAlloc, LockResource, LoadResource, SizeofResource, FreeLibrary, InterlockedDecrement, InterlockedIncrement, GetLastError, SetEnvironmentVariableA, SetConsoleCtrlHandler, SetStdHandle, GetStringTypeA, IsValidLocale, EnumSystemLocalesA, GetUserDefaultLCID, IsBadCodePtr, IsBadReadPtr, GetOEMCP, GetTimeZoneInformation, GetDateFormatA, GetTimeFormatA, UnhandledExceptionFilter, GetEnvironmentStrings, FreeEnvironmentStringsA, GetStartupInfoA, RaiseException, GetCurrentThreadId, SetHandleCount, LCMapStringA, TerminateProcess, TlsGetValue, TlsSetValue, TlsFree, TlsAlloc, QueryPerformanceCounter, FatalAppExitA, VirtualFree, HeapCreate, GetLocalTime, GetCommandLineA, GetSystemInfo, VirtualAlloc, VirtualProtect, RtlUnwind, GetSystemTimeAsFileTime, ExitProcess, HeapSize, HeapDestroy, GetVersionExA, MoveFileExW, CreateFileA, DeleteFileA, GetSystemDefaultLangID, GlobalHandle, GlobalFree, PulseEvent, ReleaseSemaphore, WriteFile, ReadFile, FlushFileBuffers, SetFilePointer, GetFileSize, SetEndOfFile, CreateThread, TerminateThread, SetThreadPriority, ResumeThread, GetCurrentThread, IsBadWritePtr, SetUnhandledExceptionFilter, MulDiv, GlobalAlloc, GlobalLock, GlobalUnlock, GetFileTime, SystemTimeToFileTime, SetFileTime, Sleep, FindClose, GetSystemTime, FileTimeToSystemTime, GetExitCodeProcess, WaitForMultipleObjects, MapViewOfFile, UnmapViewOfFile, ResetEvent, SetEvent, ReleaseMutex, CloseHandle, LocalFree, HeapAlloc, GetProcessHeap, HeapFree, GetCurrentProcess, FlushInstructionCache, LeaveCriticalSection, GetStdHandle, EnterCriticalSection, GetThreadLocale, GetLocaleInfoA, GetACP, GetFileType, InterlockedExchange, GetFullPathNameA
> ADVAPI32.dll: RegCloseKey
> USER32.dll: MapWindowPoints, BringWindowToTop, GetKeyState, ReplyMessage, GetTopWindow, UpdateWindow, MsgWaitForMultipleObjects, TranslateMessage, RedrawWindow, GetDlgItem, EnumChildWindows, IsChild, SetFocus, BeginPaint, KillTimer, DestroyWindow, OffsetRect, InflateRect, ShowWindow, IsWindow, GetParent, CopyRect, MoveWindow, EqualRect, EndPaint, GetWindowRect, IsIconic, IsWindowVisible, SetTimer, GetFocus, GetSysColor, GetDesktopWindow, SetWindowRgn, UnregisterClassA, EnumWindows, SetRectEmpty, GetSysColorBrush, InvalidateRgn, InvalidateRect, ReleaseDC, GetDC, SetWindowPos, SetWindowContextHelpId, MapDialogRect, GetWindow, DestroyAcceleratorTable, ReleaseCapture, SetCapture, FillRect, GetClientRect
> GDI32.dll: DeleteObject, DeleteDC, CreateCompatibleBitmap, CreateCompatibleDC, GetStockObject, BitBlt, GetDeviceCaps, CreateSolidBrush, CreateRectRgn, CombineRgn, CreatePolygonRgn, CreateRoundRectRgn, OffsetRgn, FillRgn, SelectObject
> SensApi.dll: IsNetworkAlive
> VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeA, GetFileVersionInfoSizeW, VerQueryValueW, VerQueryValueA, GetFileVersionInfoA
> iphlpapi.dll: GetAdaptersInfo
> ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CoTaskMemRealloc, StringFromGUID2, StringFromCLSID, CoCreateGuid, CoCreateInstance, ProgIDFromCLSID, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoGetClassObject, CLSIDFromProgID, CLSIDFromString, OleRun, CoUninitialize, CoInitialize, CoMarshalInterface, CoReleaseMarshalData, CoUnmarshalInterface, OleLockRunning
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: StrToIntW, StrRChrW, PathFileExistsW, PathFindExtensionW
> urlmon.dll: CreateURLMoniker
> WS2_32.dll: WSASocketW, -, -, WSACreateEvent, WSASetEvent, WSARecv, WSAResetEvent, WSASend, WSAGetOverlappedResult, WSAConnect, -, WSAEnumNetworkEvents, WSACloseEvent, -, GetAddrInfoW, FreeAddrInfoW, WSAEventSelect
> COMCTL32.dll: ImageList_ReplaceIcon, _TrackMouseEvent, -, ImageList_GetImageCount
> CRYPT32.dll: CryptMsgGetParam, CertGetNameStringW, CryptMsgClose, CertCloseStore, CertFreeCertificateContext, CryptQueryObject, CertFindCertificateInStore
> SHELL32.dll: SHCreateDirectoryExW, SHGetSpecialFolderPathW
( 10 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllSendIdsRequestAbort, DllSendIdsRequestAlreadyInstalled, DllSendIdsRequestCancel, DllSendIdsRequestInstalledOnVista, DllSendIdsRequestOk, DllSendUninstallReport, DllUnregisterServer
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=b1a636c93c714a4aac6ff70a6d675623
CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=b1a636c93c714a4aac6ff70a6d675623
24.11.2008, 18:09 | #8

For step 3, all I got afterwards was this txt file:

Code:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
24.11.2008, 18:17 | #9

Blacklight found nothing!!!
24.11.2008, 19:10 | #10

So, Malwarebytes says this and deleted 33 files!

Code:
Malwarebytes' Anti-Malware 1.30
Datenbank Version: 1419
Windows 5.1.2600 Service Pack 3

24.11.2008 19:09:42
mbam-log-2008-11-24 (19-09-42).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 122160
Laufzeit: 47 minute(s), 43 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 1
Infizierte Registrierungsschlüssel: 32
Infizierte Registrierungswerte: 3
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 9
Infizierte Dateien: 10

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (Adware.Shopper) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\TypeLib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\myspacce (Rootkit.ADS) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
C:\Programme\ShoppingReport (Adware.Shopping.Report) -> Delete on reboot.
C:\Programme\ShoppingReport\Bin (Adware.Shopping.Report) -> Delete on reboot.
C:\Programme\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Delete on reboot.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\res2 (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (Adware.Shopper) -> Delete on reboot.
C:\Programme\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Sebastian\Anwendungsdaten\ShoppingReport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32:myspacce.exe (Rootkit.ADS) -> Delete on reboot.
24.11.2008, 19:19 | #11 |
| Avira Antivir finds Trojan a.bat |
24.11.2008, 19:20 | #12 |
| Avira Antivir finds Trojan a.bat
So here it is again in full:
Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"ICQ" = ""C:\PROGRA~1\ICQ6\ICQ.exe" silent" ["ICQ, Inc."]
"Nokia.PCSync" = ""C:\Programme\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog" ["Time Information Services Ltd."]
"PC Suite Tray" = ""C:\Programme\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray" ["Nokia"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Nero AG"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"HP Software Update" = "C:\Programme\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"NVMixerTray" = ""C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"System Updater Machine " = "syx.exe" [null data]
" Malwarebytes Anti-Malware (reboot)" = ""C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Malwarebytes' Anti-Malware" = "C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0347C33E-8762-4905-BF09-768834316C61}\(Default) = "HP Print Enhancer"
  -> {HKLM...CLSID} = "HP Print Enhancer"
                   \InProcServer32\(Default) = "C:\Programme\HP\Smart Web Printing\hpswp_printenhancer.dll" ["Hewlett-Packard Co."]
{053F9267-DC04-4294-A72C-58F732D338C0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "HP Print Clips"
                   \InProcServer32\(Default) = "C:\Programme\HP\Smart Web Printing\hpswp_framework.dll" ["Hewlett-Packard Co."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
  -> {HKLM...CLSID} = "Skype add-on (mastermind)"
                   \InProcServer32\(Default) = "C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Germany GmbH"]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
                   \InProcServer32\(Default) = "C:\Programme\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {HKLM...CLSID} = "Bluetooth-Umgebung"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\BTNEIG~1.DLL" ["WIDCOMM Inc."]
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}" = "CopyToCD shell extension"
  -> {HKLM...CLSID} = "CopyToCD shell extension"
                   \InProcServer32\(Default) = "C:\Programme\vso\copytodvd\CtcdShell.dll" ["VSO Software SARL"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
  -> {HKLM...CLSID} = "Nokia Phone Browser"
                   \InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\phonebrowser.dll" ["Nokia"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = "C:\Programme\Borland\Delphi6\Bin\bordbg60.exe -aeargs %ld %ld" ["Borland Software Corporation"]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
CopyToCD\(Default) = "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"
  -> {HKLM...CLSID} = "CopyToCD shell extension"
                   \InProcServer32\(Default) = "C:\Programme\vso\copytodvd\CtcdShell.dll" ["VSO Software SARL"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
CopyToCD\(Default) = "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"
  -> {HKLM...CLSID} = "CopyToCD shell extension"
                   \InProcServer32\(Default) = "C:\Programme\vso\copytodvd\CtcdShell.dll" ["VSO Software SARL"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
QuickFinderMenu\(Default) = "{C0E10002-0028-0002-C0E1-C0E1C0E1C0E1}"
  -> {HKLM...CLSID} = "QuickFinder Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Corel\WORDPE~1\programs\pfse90.dll" ["Novell, Inc., c/o Corel Corporation Limited"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
CopyToCD\(Default) = "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"
  -> {HKLM...CLSID} = "CopyToCD shell extension"
                   \InProcServer32\(Default) = "C:\Programme\vso\copytodvd\CtcdShell.dll" ["VSO Software SARL"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Sebastian\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CopyToDVDAutoplay_741406\
"Provider" = "CopyToDVD"
"InvokeProgID" = "CopyToDVDAutoplay"
"InvokeVerb" = "CopyToDVDAutoplay_741406"
HKLM\SOFTWARE\Classes\CopyToDVDAutoplay\shell\CopyToDVDAutoplay_741406\command\(Default) = "C:\Programme\VSO\vsostart.exe" ["VSO-Software"]

HPAutoplayPSE\
"Provider" = "HP Photosmart Essential 2.01"
"InvokeProgID" = "HpqPSApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqPSApl.Autoplay\shell\Play\DropTarget\CLSID = "{A6873065-D632-4615-A3A9-C5F05EE109C1}"
  -> {HKLM...CLSID} = (no title provided)
                   \LocalServer32\(Default) = "C:\Programme\HP\Digital Imaging\bin\HpqPsApl.exe" ["Hewlett-Packard"]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NMMPlayCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MusicManager.exe /playCD "%L"" ["Nokia"]

NMMRipCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MusicManager.exe /ripCD "%L"" ["Nokia"]

OlyMasterAutoplay1\
"Provider" = "OLYMPUS Master"
"InvokeProgID" = "OLY.OM_Autoplay1"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\OLY.OM_Autoplay1\shell\Play\DropTarget\CLSID = "{1AE163E7-0268-43ec-BB94-CDA6A2C8400A}"
  -> {HKLM...CLSID} = "OLYMPUS Master AutoPlay Class"
                   \InProcServer32\(Default) = "C:\Programme\OLYMPUS\OLYMPUS Master\AutoPlay.dll" ["OLYMPUS IMAGING CORP."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]


Startup items in "Sebastian" & "All Users" startup folders:
-----------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"HP Digital Imaging Monitor" -> shortcut to: "C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "C:\Programme\TuneUp Utilities 2008\OneClick.exe /schedulestart" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Programme\FRITZ!DSL\sarah.dll" ["AVM Berlin"]
000000000005\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Programme\FRITZ!DSL\sarah.dll ["AVM Berlin"], 01 - 03, 09
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 10 - 58
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\programme\google\googletoolbar1.dll" ["Google Germany GmbH"]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
  -> {HKLM...CLSID} = "&Links"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{0E921E80-267A-42AA-AEE4-60B9A1222A44}\
"ButtonText" = "Klicke hier um das Projekt xp-AntiSpy zu unterstützen"
"MenuText" = "Unterstützung für xp-AntiSpy"
"Exec" = "C:\Programme\xp-AntiSpy\sponsoring\sponsor.html" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{58ECB495-38F0-49CB-A538-10282ABF65E7}\
"ButtonText" = "HP Sammelmappe"
"CLSIDExtension" = "{E763472E-A716-4CD9-89BD-DBDA6122F741}"
  -> {HKLM...CLSID} = "ClipBookBtn Class"
                   \InProcServer32\(Default) = "C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll" ["Hewlett-Packard Co."]
{700259D7-1666-479A-93B1-3250410481E8}\
"ButtonText" = "HP Intelligente Auswahl"
"CLSIDExtension" = "{A93C41D8-01F8-4F8B-B14C-DE20B117E636}"
  -> {HKLM...CLSID} = "EnhSelectionBtn Class"
                   \InProcServer32\(Default) = "C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll" ["Hewlett-Packard Co."]
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
  -> {HKLM...CLSID} = "Skype add-on (button)"
                   \InProcServer32\(Default) = "C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" [file not found]
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
AVM IGD CTRL Service, AVM IGD CTRL Service, "C:\Programme\FRITZ!DSL\IGDCTRL.EXE" ["AVM Berlin"]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
GEARSecurity, GEARSecurity, "SYSTEM32\GEARSEC.EXE" ["GEAR Software"]
HP CUE DeviceDiscovery Service, hpqddsvc, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Programme\HP\Digital Imaging\bin\hpqddsvc.dll" ["Hewlett-Packard Co."]}
hpqcxs08, hpqcxs08, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"C:\Programme\HP\Digital Imaging\bin\hpqcxs08.dll" ["Hewlett-Packard Co."]}
IPv6-Hilfsdienst, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
ServiceLayer, ServiceLayer, ""C:\Programme\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]
SmartLinkService, SLService, "slserv.exe" [" "]
SQL Server (SQLEXPRESS), MSSQL$SQLEXPRESS, ""c:\Programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS" [MS]
SQL Server VSS Writer, SQLWriter, ""c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
LIDIL hpzll5ha\Driver = "hpzll5ha.dll" ["Hewlett-Packard Company"]


----------
(launch time: 2008-11-24 19:18:22)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 94 seconds, including 4 seconds for message boxes) |
24.11.2008, 19:42 | #13 |
| Avira Antivir finds Trojan a.bat
So here now is the ComboFix report:
Code:
ComboFix 08-11-23.02 - Sebastian 2008-11-24 19:26:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.172 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Sebastian\Desktop\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dokumente und einstellungen\Sebastian\Anwendungsdaten\inst.exe
c:\dokumente und einstellungen\Sebastian\Lokale Einstellungen\Temporary Internet Files\tpg.ico
c:\programme\ShoppingReport
c:\programme\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\Cfx32.lic
c:\windows\system32\cfx32.ocx

.
((((((((((((((((((((((( Dateien erstellt von 2008-10-24 bis 2008-11-24 ))))))))))))))))))))))))))))))
.

2008-11-24 19:34 . 2008-11-24 19:34 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-24 19:34 . 2008-11-24 19:34 1,409 --a------ c:\windows\QTFont.for
2008-11-24 18:20 . 2008-11-24 18:20 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2008-11-24 18:20 . 2008-11-24 18:20 <DIR> d-------- c:\dokumente und einstellungen\Sebastian\Anwendungsdaten\Malwarebytes
2008-11-24 18:20 . 2008-11-24 18:20 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-11-24 18:20 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-24 18:20 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-06 16:44 . 2008-11-06 20:06 2,793 --a------ c:\windows\system32\myspacce
2008-11-06 16:35 . 2008-11-06 16:35 72,192 --a------ c:\windows\system32\myspacce.exe
2008-11-04 17:33 . 2008-11-04 17:33 <DIR> d-------- c:\programme\Verimount
2008-10-27 16:41 . 2008-10-15 17:35 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-24 18:36 --------- d-----w c:\dokumente und einstellungen\Sebastian\Anwendungsdaten\Skype
2008-11-24 15:15 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-11-06 15:46 --------- d-----w c:\programme\SlySoft
2008-11-04 17:46 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\SlySoft
2008-11-04 16:32 --------- d-----w c:\programme\VideoLAN
2008-10-23 14:33 --------- d-----w c:\dokumente und einstellungen\Sebastian\Anwendungsdaten\PC Suite
2008-10-23 14:24 --------- d-----w c:\programme\Nokia
2008-10-23 14:24 --------- d-----w c:\programme\Gemeinsame Dateien\PCSuite
2008-10-23 14:24 --------- d-----w c:\programme\Gemeinsame Dateien\Nokia
2008-10-23 14:22 --------- d-----w c:\programme\PC Connectivity Solution
2008-10-23 14:20 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Installations
2008-10-21 17:48 --------- d-----w c:\programme\Blender Foundation
2008-10-21 17:48 --------- d-----w c:\dokumente und einstellungen\Sebastian\Anwendungsdaten\Blender Foundation
2008-10-13 06:49 --------- d-----w c:\programme\Microsoft Silverlight
2008-10-12 15:26 --------- d-----w c:\programme\Microsoft SQL Server
2008-10-12 15:23 --------- d-----w c:\programme\MSXML 6.0
2008-10-12 15:22 --------- d-----w c:\programme\Microsoft.NET
2008-10-12 15:05 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help
2008-10-12 15:02 --------- d-----w c:\programme\Microsoft Visual Studio 9.0
2008-10-12 15:00 --------- d-----w c:\programme\Gemeinsame Dateien\Merge Modules
2008-10-12 14:56 --------- d-----w c:\programme\Microsoft SDKs
2008-10-12 14:48 --------- d-----w c:\programme\Reference Assemblies
2008-10-12 14:48 --------- d-----w c:\programme\MSBuild
2008-10-11 19:24 --------- d-----w c:\dokumente und einstellungen\Sebastian\Anwendungsdaten\Vso
2008-10-11 19:24 --------- d-----w c:\dokumente und einstellungen\Sebastian\Anwendungsdaten\CopyToDvd
2008-10-07 15:27 --------- d-----w c:\programme\3GP Player
2008-10-07 15:27 --------- d-----w c:\dokumente und einstellungen\Sebastian\Anwendungsdaten\Nokia Multimedia Player
2008-10-01 18:40 --------- d-----w c:\programme\VS Revo Group
2008-09-29 18:48 --------- d-----w c:\programme\No23 Recorder
2001-01-01 03:54 102,682,793 ----a-w c:\programme\upi12_tbyb__g_.exe
2000-12-31 23:22 47,360 ----a-w c:\dokumente und einstellungen\Sebastian\Anwendungsdaten\pcouffin.sys
2000-12-31 23:07 24,192 ----a-w c:\dokumente und einstellungen\Sebastian\usbsermptxp.sys
2000-12-31 23:07 22,768 ----a-w c:\dokumente und einstellungen\Sebastian\usbsermpt.sys
2008-04-14 02:22 436,224 --sh--r c:\windows\system32\syx.exe

.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\programme\Skype\Phone\Skype.exe" [2007-09-13 22880040]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2001-01-01 68856]
"ICQ"="c:\progra~1\ICQ6\ICQ.exe" [2008-09-01 173304]
"Nokia.PCSync"="c:\programme\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 1232896]
"PC Suite Tray"="c:\programme\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 1079808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-20 266497]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2001-01-01 77824]
"HP Software Update"="c:\programme\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"NVMixerTray"="c:\programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 131072]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
"System Updater Machine "="syx.exe" [2008-04-14 c:\windows\system32\syx.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Updater Machine "="syx.exe" [2008-04-14 c:\windows\system32\syx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
HP Digital Imaging Monitor.lnk - c:\programme\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= c:\windows\system32\l3codecp.acm
"VIDC.MJPG"= pvmjpg21.dll
"vidc.XVID"= xvid.dll
"msacm.l3codec"= c:\windows\system32\l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\ICQ6\\ICQ.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\syx.exe"=

R3 uscsc108;uscsc108;c:\windows\system32\DRIVERS\uscsc108.sys [2003-03-09 102336]
S2 ousbehci;%OWC_USBEHCD.DeviceDesc%;c:\windows\system32\Drivers\ousbehci.sys [2001-01-01 30976]
S3 AVMUNET;AVM FRITZ!Box;c:\windows\system32\DRIVERS\avmunet.sys [2001-01-01 15104]
S3 bcbthub;Bluetooth Device Firmware Downloader;c:\windows\system32\DRIVERS\bcbthub.sys [2002-08-15 148794]
S3 PRISM_USB;D-Link Air DWL-122 Wireless USB Adapter Driver;c:\windows\system32\DRIVERS\PRISMUSB.sys [2001-01-01 636502]
S3 V90drv;v90drv;c:\windows\system32\DRIVERS\v90drv.sys []
S4 hpt3xx;hpt3xx; []
S4 MSSQLServerADHelper100;SQL Server Hilfsdienst für Active Directory;"c:\programme\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [2008-07-11 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server-Agent (SQLEXPRESS);"c:\programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [2008-07-11 369688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3c947dd6-df71-11d4-a9e1-0010dc517be0}]
\Shell\AutoRun\command - F:\preinst.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4db03da2-df71-11d4-a9e0-0010dc517be0}]
\Shell\AutoRun\command - F:\preinst.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{644A4322-7128-E694-771C-CF236241FED9}] c:\windows\system32:myspacce.exe . Inhalt des "geplante Tasks" Ordners 2008-10-31 c:\windows\Tasks\1-Klick-Wartung.job - c:\programme\TuneUp Utilities 2008\OneClick.exe [] . . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.google.de/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = fritz.box uSearchURL,(Default) = hxxp://www.google.com/search?q=%s LSP: c:\programme\FRITZ!DSL\sarah.dll c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx O16 -: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} hxxp://www.schueler.cc/uploader/ImageUploader5.cab c:\windows\Downloaded Program Files\ImageUploader5.inf c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx O16 -: {BA162249-F2C5-4851-8ADC-FC58CB424243} hxxp://www.schueler.cc/uploader/ImageUploader5.cab c:\windows\Downloaded Program Files\ImageUploader5.inf c:\windows\Downloaded Program Files\zylomgamesplayer.dll - O16 -: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} hxxp://game08.zylom.com/activex/zylomgamesplayer.cab c:\windows\Downloaded Program Files\ZylomGamesPlayer.inf . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-24 19:33:13 Windows 5.1.2600 Service Pack 3 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . 
--------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'winlogon.exe'(964) c:\windows\system32\WgaLogon.dll - - - - - - - > 'lsass.exe'(1020) c:\programme\FRITZ!DSL\sarah.dll c:\programme\FRITZ!DSL\block.dll c:\programme\FRITZ!DSL\avmcsock.dll c:\programme\FRITZ!DSL\avmufc.dll . ------------------------ Weitere laufende Prozesse ------------------------ . c:\programme\Lavasoft\Ad-Aware 2007\aawservice.exe c:\programme\AntiVir PersonalEdition Classic\sched.exe c:\programme\AntiVir PersonalEdition Classic\avguard.exe c:\programme\FRITZ!DSL\IGDCTRL.EXE c:\windows\system32\GEARSEC.EXE c:\programme\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe c:\windows\system32\nvsvc32.exe c:\programme\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\windows\system32\rundll32.exe c:\programme\PC Connectivity Solution\ServiceLayer.exe c:\programme\PC Connectivity Solution\Transports\NclUSBSrv.exe c:\programme\PC Connectivity Solution\Transports\NclRSSrv.exe c:\programme\PC Connectivity Solution\Transports\NclMSBTSrv.exe c:\programme\Gemeinsame Dateien\Nokia\MPAPI\MPAPI3s.exe . ************************************************************************** . Zeit der Fertigstellung: 2008-11-24 19:40:47 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2008-11-24 18:39:52 Vor Suchlauf: 22 Verzeichnis(se), 40.257.269.760 Bytes frei Nach Suchlauf: 22 Verzeichnis(se), 40,478,412,800 Bytes frei 197 --- E O F --- 2008-10-28 15:46:49 |
24.11.2008, 19:46 | #14 |
So here is the link for step 7: http://www.file-upload.net/download-1274521/listing.txt.html
24.11.2008, 19:49 | #15 |
And now the last step, the new HijackThis file. I hope that after all this time the virus is finally gone, and I hope you don't know too much about me now ^^

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:48:50, on 24.11.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\syx.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\PC Connectivity Solution\ServiceLayer.exe
C:\Programme\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Programme\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Programme\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Dokumente und Einstellungen\Sebastian\Lokale Einstellungen\Temporary Internet Files\Content.IE5\UCMHCSN4\qlketzd[1].com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = fritz.box
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Programme\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Programme\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [System Updater Machine ] syx.exe
O4 - HKLM\..\RunServices: [System Updater Machine ] syx.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Programme\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Programme\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Sammelmappe - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Intelligente Auswahl - {700259D7-1666-479a-93B1-3250410481E8} - C:\Programme\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Klicke hier um das Projekt xp-AntiSpy zu unterstützen - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O9 - Extra 'Tools' menuitem: Unterstützung für xp-AntiSpy - {0e921e80-267a-42aa-aee4-60b9a1222a44} - C:\Programme\xp-AntiSpy\sponsoring\sponsor.html (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://www.schueler.cc/uploader/ImageUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?978306409921
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - http://www.schueler.cc/uploader/ImageUploader5.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game08.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8812 bytes