|
Plagegeister aller Art und deren Bekämpfung: Google, yahoo-Suchen werden umgeleitetWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
25.01.2009, 21:19 | #1 |
| Google, yahoo-Suchen werden umgeleitet Guten Abend Board, meines Nachbarn Laptop (Win XP SP2) hat ein ähnliches Problem wie es nike64bvb und sundance gerade hatten (Google-Ergebnisse werden weitergeleitet, Seiten mit Downloads von Spybot oder MAM können nicht aufgerufen werden). etrust-Virenscanner findet nichts, Systemwiederherstellung geht nicht. Bei deaktiviertem Javascript (Firefox) findet die ungewollte Google-Weiterleitung übrigens nicht mehr statt. Morgen werd' ich mal sundance' walkthrough mit dem Paket von Chris4you probieren, zunächst hab ich zwei Fragen: - hat das Phänomen einen Namen? - und vll könnte sich aber noch jemand das HJT Logfile anschauen, ob sich da was findet: Code:
ATTFilter Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 19:36:42, on 25.01.2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLService.exe C:\Programme\CA\eTrust Antivirus\InoRpc.exe C:\Programme\CA\eTrust Antivirus\InoRT.exe C:\Programme\CA\eTrust Antivirus\InoTask.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\svchost.exe C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\Programme\Launch Manager\LaunchAp.exe C:\Programme\Launch Manager\HotkeyApp.exe C:\Programme\Launch Manager\OSD.exe C:\Programme\Launch Manager\Wbutton.exe C:\Programme\Wistron\AVManager\AVManager.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\AGRSMMSG.exe C:\Programme\Synaptics\SynTP\SynTPLpr.exe C:\Programme\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\CA\ETRUST~1\realmon.exe C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\NCLAUNCH.EXe C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe C:\WINDOWS\system32\wuauclt.exe C:\Programme\Mozilla Firefox\firefox.exe C:\Programme\CA\eTrust Antivirus\InocIT.exe C:\WINDOWS\system32\wuauclt.exe C:\Programme\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w*w.msn.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://w*w.msn.de/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://w*w.msn.de/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {9EC7888B-7A90-4FC1-B7FA-4EDC5D276991} - C:\WINDOWS\system32\dsqueryd.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar4.dll O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [LaunchAp] C:\Programme\Launch Manager\LaunchAp.exe O4 - HKLM\..\Run: [HotkeyApp] C:\Programme\Launch Manager\HotkeyApp.exe O4 - HKLM\..\Run: [LMgrOSD] C:\Programme\Launch Manager\OSD.exe O4 - HKLM\..\Run: [Wbutton] "C:\Programme\Launch Manager\Wbutton.exe" O4 - HKLM\..\Run: [CtrlVol] C:\Programme\Launch Manager\CtrlVol.exe O4 - HKLM\..\Run: [AVManager] "C:\Programme\Wistron\AVManager\AVManager.exe" O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: BTTray.lnk = ? O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra button: MedionShop - {E18B757F-2F92-410D-8CBC-405F07B0606A} - http://w*w.medionshop.de/ (file missing) (HKCU) O14 - IERESET.INF: START_PAGE_URL=http://w*w.arcor.de O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104261081168 O17 - HKLM\System\CCS\Services\Tcpip\..\{095BB3D5-8731-4C13-8463-C0D9C9FDD862}: NameServer = 192.168.2.1 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: TSMService - T-Systems Nova, Berkom - C:\Programme\T-DSL SpeedManager\tsmsvc.exe O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe O24 - Desktop Component 0: (no name) - http://w*w.spiegel.de/img/0,1020,598646,00.jpg -- End of file - 8991 bytes Danke schonmal! |
26.01.2009, 08:06 | #2 |
| Google, yahoo-Suchen werden umgeleitet Hi,
__________________Bitte folgende Files prüfen: Dateien Online überprüfen lassen:
Code:
ATTFilter C:\WINDOWS\system32\dsqueryd.dll
Dann bitte noch ein Silentrunner-Log (es schein so zu sein, das RSIT und HJ manche Sachen nicht finden, daher mal der Silentrunner); SilentRunner: Ziparchive in ein Verzeichnis auspacken, mit Doppelklick starten, "ja" auswählen. Die erstellte Datei findet sich im gleichen Verzeichnis wo das Script hinkopiert wurde, bitte in Editor laden und posten. http://www.silentrunners.org/Silent%20Runners.zip Prüfe mal hiermit, ob es folgende Treiber gibt: Arbeitsplatz->rechte Maustaste-> Eigenschaften->Hardware-> Gerätemanager->Ansicht->ausgeblendete Geräte anzeigen->Nicht PnP-Treiber suche dann nach einem Treiber "TDSSserv.sys" oder aehnlich den deaktivieren und neu starten. Dann bitte erst das Vorgehen nach sundance ausprobieren ;o) chris
__________________ |
26.01.2009, 22:09 | #3 |
| Google, yahoo-Suchen werden umgeleitet Danke für die ersten Tipps..
__________________Leider lässt sich virustotal.com nicht aufrufen, wie andere Antivirus und -malware-Seiten auch. Wenn ich über anonymisier-Seiten dorthin surfe, lassen sich diese Seiten übrigens aufrufen. Aber dann lässt sich nicht hoch- oder runterladen. btw musste ich erst das Windos Script Hosting enablen, (aber das muss ja nicht unbedingt was mit dem Fall zu tun haben, oder?) ich operier' mal weiter, Danke schonmal zwischendurch Das Silent Runner log ergibt Folgendes: Code:
ATTFilter "Silent Runners.vbs", revision 59, http://w*w.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "AOLMIcon" = "C:\Programme\Gemeinsame Dateien\AOLSHARE\AOLMIcon.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS] "LaunchAp" = "C:\Programme\Launch Manager\LaunchAp.exe" [empty string] "HotkeyApp" = "C:\Programme\Launch Manager\HotkeyApp.exe" ["Wistron"] "LMgrOSD" = "C:\Programme\Launch Manager\OSD.exe" ["Wistron"] "Wbutton" = ""C:\Programme\Launch Manager\Wbutton.exe"" [empty string] "CtrlVol" = "C:\Programme\Launch Manager\CtrlVol.exe" ["Wistron"] "AVManager" = ""C:\Programme\Wistron\AVManager\AVManager.exe"" ["Wistron Corporation"] "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"] "SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."] "SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."] "Realtime Monitor" = "C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s" ["Computer Associates International, Inc."] "IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS] "MSPY2002" = "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data] "PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS] "PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS] "ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" ["HP"] "NWEReboot" = "(empty string)" [file not found] "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" "PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string] "TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ >{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer" \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS] >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express" \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS] >{C534840A-E8D6-4BEC-A29F-5B8427F96912}\(Default) = "Browseranpassungen" \StubPath = "RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP" [MS] {2C7339CF-2B09-4501-B3F3-F3508C9228ED}\(Default) = "Themes Setup" \StubPath = "C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll" [MS] {44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6" \StubPath = ""C:\Programme\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install" [MS] {44BBA842-CC51-11CF-AAFA-00AA00B6015B}\(Default) = "NetMeeting 3.01" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT" [MS] {5945c046-1e7d-11d1-bc44-00c04fd912be}\(Default) = "Windows Messenger 4.7" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser" [MS] {6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub" [MS] {7790769C-0471-11d2-AF11-00C04FA35D02}\(Default) = "Adressbuch 6" \StubPath = ""C:\Programme\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install" [MS] {89820200-ECBD-11cf-8B85-00AA005B4340}\(Default) = "Windows Desktop-Update" \StubPath = "regsvr32.exe /s /n /i:U shell32.dll" [MS] {89820200-ECBD-11cf-8B85-00AA005B4383}\(Default) = "Internet Explorer 6" \StubPath = "C:\WINDOWS\system32\ie4uinit.exe" [MS] {89B4C1CD-B018-4511-B0A1-5476DBF70820}\(Default) = (no title provided) \StubPath = "C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install" [MS] {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax" \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided) -> {HKLM...CLSID} = "Windows Live Sign-in Helper" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS] {9EC7888B-7A90-4FC1-B7FA-4EDC5D276991}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\dsqueryd.dll" [null data] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\programme\google\googletoolbar4.dll" ["Google Germany GmbH"] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Notifier BHO" \InProcServer32\(Default) = "C:\Programme\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll" ["Google Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."] "{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell" -> {HKLM...CLSID} = "InoShell" \InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places" -> {HKLM...CLSID} = "Bluetooth-Umgebung" \InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] "{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive" -> {HKLM...CLSID} = "VirtualCloneDrive Shell Extension" \InProcServer32\(Default) = "C:\Programme\Elaborate Bytes\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"] "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders" -> {HKLM...CLSID} = "Meine freigegebenen Ordner" \InProcServer32\(Default) = "C:\Programme\MSN Messenger\fsshext.8.1.0178.00.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}" -> {HKLM...CLSID} = "InoShell" \InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}" -> {HKLM...CLSID} = "InoShell" \InProcServer32\(Default) = "C:\Programme\CA\eTrust Antivirus\InoShell.dll" ["Computer Associates International, Inc."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\Web\Wallpaper\MEDION 52.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\WINDOWS\Web\Wallpaper\MEDION 52.bmp" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ iTunesBurnCDOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.BurnCD" "InvokeVerb" = "burn" HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Computer, Inc."] iTunesImportSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ImportSongsOnCD" "InvokeVerb" = "import" HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Computer, Inc."] iTunesPlaySongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.PlaySongsOnCD" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Computer, Inc."] iTunesShowSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ShowSongsOnCD" "InvokeVerb" = "showsongs" HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Computer, Inc."] MMJBAutoplayBURNERPLUS\ "Provider" = "MUSICMATCH Burner Plus" "InvokeProgID" = "MMJB.BURN" "InvokeVerb" = "Burn" HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""C:\Programme\Musicmatch\Musicmatch Jukebox\mmfwlaunch.exe""-mmjb"" ["Musicmatch, Inc."] MMJBPlayCDAudioOnArrival\ "Provider" = "Musicmatch Jukebox" "InvokeProgID" = "MMJB.AUDIOCD" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\MMJB.AUDIOCD\shell\Play\command\(Default) = ""C:\Programme\Musicmatch\Musicmatch Jukebox\mmjblaunch.exe" /AudioCD "%1"" ["Musicmatch, Inc."] MMJBPlayMediaOnArrival\ "Provider" = "Musicmatch Jukebox" "InvokeProgID" = "MMJB.MMJB" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\MMJB.MMJB\shell\Play\command\(Default) = ""C:\Programme\Musicmatch\Musicmatch Jukebox\mmjblaunch.exe" "%1"" ["Musicmatch, Inc."] MSPictureIt10ViewOnArrival\ "Provider" = "Microsoft Foto Designer-Bibliothek - Import-Assistent" "InvokeProgID" = "Microsoft.Picture.It.10.AutoPlay" "InvokeVerb" = "AutoPlay" HKLM\SOFTWARE\Classes\Microsoft.Picture.It.10.AutoPlay\shell\AutoPlay\Command\(Default) = "C:\Programme\Picture It! Premium 10\imprtwiz.exe /invoke={D0551EC1-5A78-11cf-9DBE-00AA00A70BB5}" [MS] PCinemaDCameraArrival\ "Provider" = "PowerCinema" "InvokeProgID" = "Picture" "InvokeVerb" = "PlayWithPowerCinema" HKLM\SOFTWARE\Classes\Picture\shell\PlayWithPowerCinema\Command\(Default) = ""C:\Programme\Home Cinema\PowerCinema\PowerCinema.exe" AUTOPLAY DSC "%L"" ["CyberLink Corp."] PCinemaDVArrival\ "Provider" = "PowerCinema" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""C:\Programme\Home Cinema\PowerCinema\PowerCinema.exe" DV "%L"" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] PCinemaMusicFilesArrival\ "Provider" = "PowerCinema" "InvokeProgID" = "MusicFiles" "InvokeVerb" = "PlayWithPowerCinema" HKLM\SOFTWARE\Classes\MusicFiles\shell\PlayWithPowerCinema\Command\(Default) = ""C:\Programme\Home Cinema\PowerCinema\PowerCinema.exe" AUTOPLAY MUSIC "%L"" ["CyberLink Corp."] PCinemaPlayCDAudioOnArrival\ "Provider" = "PowerCinema" "InvokeProgID" = "AudioCD" "InvokeVerb" = "PlayWithPowerCinema" HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerCinema\Command\(Default) = ""C:\Programme\Home Cinema\PowerCinema\PowerCinema.exe" AUTOPLAY CD "%L"" ["CyberLink Corp."] PCinemaPlayDVDMovieOnArrival\ "Provider" = "PowerCinema" "InvokeProgID" = "DVD" "InvokeVerb" = "PlayWithPowerCinema" HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerCinema\Command\(Default) = ""C:\Programme\Home Cinema\PowerCinema\PowerCinema.exe" AUTOPLAY MOVIE "%L"" ["CyberLink Corp."] PCinemaVideoFilesArrival\ "Provider" = "PowerCinema" "InvokeProgID" = "VideoFiles" "InvokeVerb" = "PlayWithPowerCinema" HKLM\SOFTWARE\Classes\VideoFiles\shell\PlayWithPowerCinema\Command\(Default) = ""C:\Programme\Home Cinema\PowerCinema\PowerCinema.exe" AUTOPLAY VIDEO "%L"" ["CyberLink Corp."] PCLEVideoCameraArrival\ "Provider" = "Pinnacle Studio" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = "C:\Programme\Pinnacle\Studio 9\programs\studio.exe" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] PDirDVArrival\ "Provider" = "PowerDirector" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""C:\Programme\Home Cinema\PowerDirector\PowerDirector.exe" /DV" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] PDVDPlayCDAudioOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "AudioCD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Programme\Home Cinema\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."] PDVDPlayDVDMovieOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "DVD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Programme\Home Cinema\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."] PDVDPlayVCDMovieOnArrival\ "Provider" = "PowerDVD" "InvokeProgID" = "VCD" "InvokeVerb" = "PlayWithPowerDVD" HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Programme\Home Cinema\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."] PPCDBurningOnArrival\ "Provider" = "PowerProducer" "InvokeProgID" = "Picture" "InvokeVerb" = "OpenWithPowerProducer" HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Programme\Home Cinema\PowerProducer\Producer.exe"" ["CyberLink"] PPDCameraArrival\ "Provider" = "PowerProducer" "InvokeProgID" = "Picture" "InvokeVerb" = "OpenWithPowerProducer" HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Programme\Home Cinema\PowerProducer\Producer.exe"" ["CyberLink"] PPDVArrival\ "Provider" = "PowerProducer" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""C:\Programme\Home Cinema\PowerProducer\Producer.exe"" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] RPCDBurningOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.CDBurn.6" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."] RPDeviceOnArrival\ "Provider" = "RealPlayer" "ProgID" = "RealPlayer.HWEventHandler" HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}" -> {HKLM...CLSID} = "RealNetworks Scheduler" \LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."] RPPlayCDAudioOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.AudioCD.6" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."] RPPlayDVDMovieOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.DVD.6" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."] RPPlayMediaOnArrival\ "Provider" = "RealPlayer" "InvokeProgID" = "RealPlayer.AutoPlay.6" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."] Startup items in "Administrator" & "All Users" startup folders: --------------------------------------------------------------- C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart "BTTray" -> shortcut to: "C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 05, 08 - 27 %SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar4.dll" ["Google Germany GmbH"] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\programme\google\googletoolbar4.dll" ["Google Germany GmbH"] Extensions (Tools menu items, main toolbar menu buttons) HKCU\Software\Microsoft\Internet Explorer\Extensions\ {E18B757F-2F92-410D-8CBC-405F07B0606A}\ "ButtonText" = "MedionShop" "Exec" = "http://w*w.medionshop.de/" [file not found] HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" {B205A35E-1FC4-4CE3-818B-899DBBB3388C}\ {CCA281CA-C863-46EF-9331-5C8D4460577F}\ "ButtonText" = "@btrez.dll,-4015" "MenuText" = "@btrez.dll,-4017" "Script" = "C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://w*w.arcor.de Missing lines (compared with English-language version): [Strings]: 1 line |
26.01.2009, 22:11 | #4 |
| Google, yahoo-Suchen werden umgeleitet hier der Rest von Silent Runners... waren zu viele Zeichen für ein posting Code:
ATTFilter All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- Anwendungsverwaltung, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]} ASP.NET-Statusdienst, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS] Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] Bluetooth Service, btwdins, "C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."] Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]} CyberLink Background Capture Service (CBCS), CLCapSvc, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe"" [empty string] CyberLink Media Library Service, CyberLink Media Library Service, ""C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe"" ["Cyberlink"] CyberLink Task Scheduler (CTS), CLSched, ""C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe"" [empty string] Dienst für Seriennummern der tragbaren Medien, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]} eTrust Antivirus Job Server, InoTask, ""C:\Programme\CA\eTrust Antivirus\InoTask.exe"" ["Computer Associates International, Inc."] eTrust Antivirus Realtime Server, InoRT, ""C:\Programme\CA\eTrust Antivirus\InoRT.exe"" ["Computer Associates International, Inc."] eTrust Antivirus RPC Server, InoRPC, ""C:\Programme\CA\eTrust Antivirus\InoRpc.exe"" ["Computer Associates International, Inc."] Fax, Fax, "C:\WINDOWS\system32\fxssvc.exe" [MS] Google Updater Service, gusvc, ""C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"] InstallDriver Table Manager, IDriverT, ""C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe"" ["Macrovision Corporation"] iPodService, iPodService, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe"" [MS] Messenger USN Journal Reader-Service für freigegebene Ordner, usnjsvc, ""C:\Programme\MSN Messenger\usnsvc.exe"" [MS] TSMService, TSMService, ""C:\Programme\T-DSL SpeedManager\tsmsvc.exe"" ["T-Systems Nova, Berkom"] Verwaltungsdienst für die Verwaltung logischer Datenträger, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"] Windows Media Connect (WMC), WmcCds, "c:\programme\windows media connect\mswmccds.exe" [MS] Windows Media Connect-Hilfsprogramm, WmcCdsLs, "C:\Programme\Windows Media Connect\mswmcls.exe" [MS] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS] X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Bluetooth-Druckeranschluss\Driver = "bthcrp.dll" ["Broadcom Corporation."] hpzlnt06\Driver = "hpzlnt06.dll" ["HP"] Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS] ---------- (launch time: 2009-01-26 21:55:39) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 47 seconds, including 18 seconds for message boxes) |
26.01.2009, 22:33 | #5 |
| Google, yahoo-Suchen werden umgeleitet der nächste Schritt hat funktioniert! TDSSserv.sys war als nicht-Pnp-Treiber gelistet, hab ihn deaktiviert und es findet jetzt keine Google-Weiterleitung, Anti-Malware-Blockung statt. Das Ergebnis von virustotal.com: Code:
ATTFilter Die Datei wurde bereits analysiert: MD5: a04922d1bddc0f9671ca9924cd908d78 First received: 2009.01.26 21:29:35 (CET) Datum 2009.01.26 21:31:44 (CET) [<1D] Ergebnisse 25/39 Permalink: analisis/512f5c8b01a643dac0e613609fb01e32 Code:
ATTFilter Datei dsqueryd.dll empfangen 2009.01.26 22:25:02 (CET) Ergebnis: 25/39 (64.11%) Antivirus Version letzte aktualisierung Ergebnis a-squared 4.0.0.73 2009.01.26 Trojan.Agent!IK AhnLab-V3 5.0.0.2 2009.01.26 - AntiVir 7.9.0.60 2009.01.26 ADSPY/Stud.L Authentium 5.1.0.4 2009.01.26 - Avast 4.8.1281.0 2009.01.26 Win32:Trojano-3384 AVG 8.0.0.229 2009.01.26 BHO.BNR BitDefender 7.2 2009.01.26 Adware.Generic.9107 CAT-QuickHeal 10.00 2009.01.24 - ClamAV 0.94.1 2009.01.26 AdWare.Stud Comodo 947 2009.01.26 - DrWeb 4.44.0.09170 2009.01.26 Adware.Stud.20 eSafe 7.0.17.0 2009.01.26 Suspicious File eTrust-Vet 31.6.6328 2009.01.26 - F-Prot 4.4.4.56 2009.01.26 - F-Secure 8.0.14470.0 2009.01.26 AdWare.Win32.Stud.l Fortinet 3.117.0.0 2009.01.25 - GData 19 2009.01.26 Adware.Generic.9107 Ikarus T3.1.1.45.0 2009.01.26 Trojan.Agent K7AntiVirus 7.10.606 2009.01.26 not-a-virus:AdWare.Win32.Stud.l Kaspersky 7.0.0.125 2009.01.26 not-a-virus:AdWare.Win32.Stud.l McAfee 5507 2009.01.26 - McAfee+Artemis 5507 2009.01.26 - Microsoft 1.4205 2009.01.26 Trojan:Win32/Webprefix NOD32 3801 2009.01.26 a variant of Win32/Adware.BHO.AA Norman 5.93.01 2009.01.26 W32/Stud.AT nProtect 2009.1.8.0 2009.01.26 Trojan-Clicker/W32.Stud.18040 Panda 9.5.1.2 2009.01.26 - PCTools 4.4.2.0 2009.01.26 Adware.Stud.Gen Prevx1 V2 2009.01.26 - Rising 21.13.42.00 2009.01.23 AdWare.Win32.Stud.l SecureWeb-Gateway 6.7.6 2009.01.26 Ad-Spyware.Stud.L Sophos 4.37.0 2009.01.26 - Sunbelt 3.2.1835.2 2009.01.16 - Symantec 10 2009.01.26 Adware.Webprefix TheHacker 6.3.1.5.229 2009.01.26 Adware/Stud.l TrendMicro 8.700.0.1004 2009.01.26 PAK_Generic.001 VBA32 3.12.8.11 2009.01.25 suspected of Trojan-Downloader.Agent.48 ViRobot 2009.1.23.1577 2009.01.26 - VirusBuster 4.5.11.0 2009.01.26 Adware.Stud.Gen weitere Informationen File size: 33716 bytes MD5...: a04922d1bddc0f9671ca9924cd908d78 SHA1..: 238202364bb3bbca9d5bc36c9341627124d1eb9c SHA256: 5cbf9d54b8922a9d58965be39cbf46486957ec4f6ff34aba22dd156f11703274 SHA512: 560292a1fd8509eba949999bbbb86eae999ac6da83a64d123c69c6bdf8681b22 0d5e8ae95ba226d2ffb9dd1f003bdacd5773c9d25b10a96c12ac5f1b91b4d727 ssdeep: 384:9YV4LfkVStp/2kVStp/XV4LfkVStp/XV4LfkVStp/:xL37M7KL37KL37 PEiD..: - TrID..: File type identification UPX compressed Win32 Executable (39.5%) Win32 EXE Yoda's Crypter (34.3%) Win32 Executable Generic (11.0%) Win32 Dynamic Link Library (generic) (9.8%) Generic Win/DOS Executable (2.5%) PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x10008a90 timedatestamp.....: 0x46f65a87 (Sun Sep 23 12:22:31 2007) machinetype.......: 0x14c (I386) ( 3 sections ) name viradd virsiz rawdsiz ntrpy md5 UPX0 0x1000 0x6000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e UPX1 0x7000 0x2000 0x1e00 7.60 f10a99dc3a6903222ad6407af4a2dbdc UPX2 0x9000 0x1000 0x400 2.57 b0a2c526c0b609ab70d99e56c9f24454 ( 6 imports ) > KERNEL32.DLL: LoadLibraryA, GetProcAddress > ADVAPI32.dll: RegCloseKey > ole32.dll: CoCreateGuid > urlmon.dll: ObtainUserAgentString > USER32.dll: CharNextA > WININET.dll: InternetOpenA ( 4 exports ) DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer packers (Avast): UPX packers (Kaspersky): UPX packers (F-Prot): UPX |
26.01.2009, 23:02 | #6 |
| Google, yahoo-Suchen werden umgeleitet combofix ging auch, und war aktiv. ich poste mal das log-ergebnis Code:
ATTFilter ComboFix 09-01-21.04 - Administrator 2009-01-26 22:43:11.1 - NTFSx86 NETWORK Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.511.333 [GMT 1:00] ausgeführt von:: c:\dokumente und einstellungen\Administrator\Desktop\VTools\ComboFix.exe . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\IE4 Error Log.txt c:\windows\msacm32.drv c:\windows\rasqervy.dll c:\windows\sdfinacs.dll c:\windows\sdfixwcs.dll c:\windows\system32\c_526811.nls c:\windows\system32\Drivers\TDSSmhxt.sys c:\windows\system32\TDSScfum.dll c:\windows\system32\TDSSnrsr.dll c:\windows\system32\TDSSofxh.dll c:\windows\system32\TDSSosvd.dat c:\windows\system32\TDSSriqp.dll c:\windows\system32\TDSStkdv.log c:\windows\wuasirvy.dll . ((((((((((((((((((((((((((((((((((((((( Treiber/Dienste ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_TDSSSERV.SYS -------\Service_TDSSserv.sys ((((((((((((((((((((((( Dateien erstellt von 2008-12-26 bis 2009-01-26 )))))))))))))))))))))))))))))) . 2009-01-26 21:39 . 2004-12-28 17:10 <DIR> d--h----- c:\dokumente und einstellungen\Administrator\Vorlagen 2009-01-26 21:39 . 2004-12-28 20:11 <DIR> d---s---- c:\dokumente und einstellungen\Administrator\UserData 2009-01-26 21:39 . 2004-12-28 17:06 <DIR> dr------- c:\dokumente und einstellungen\Administrator\Startmenü 2009-01-26 21:39 . 2004-12-28 17:06 <DIR> d--h----- c:\dokumente und einstellungen\Administrator\Netzwerkumgebung 2009-01-26 21:39 . 2004-12-28 17:06 <DIR> d--h----- c:\dokumente und einstellungen\Administrator\Lokale Einstellungen 2009-01-26 21:39 . 2005-01-18 11:06 <DIR> dr------- c:\dokumente und einstellungen\Administrator\Favoriten 2009-01-26 21:39 . 2005-01-18 11:06 <DIR> dr------- c:\dokumente und einstellungen\Administrator\Eigene Dateien 2009-01-26 21:39 . 2004-12-28 17:06 <DIR> d--h----- c:\dokumente und einstellungen\Administrator\Druckumgebung 2009-01-26 21:39 . 2005-01-09 11:50 <DIR> d-------- c:\dokumente und einstellungen\Administrator\Bluetooth Software 2009-01-26 21:39 . 2005-01-02 09:17 <DIR> d-------- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\You've Got Pictures Screensaver 2009-01-26 21:39 . 2005-01-18 12:12 <DIR> d-------- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Intel 2009-01-26 21:39 . 2005-01-11 05:04 <DIR> d-------- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\CyberLink 2009-01-26 21:39 . 2005-06-17 19:14 <DIR> d-------- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\AOL 2009-01-26 21:39 . 2005-01-18 11:06 <DIR> dr-h----- c:\dokumente und einstellungen\Administrator\Anwendungsdaten 2009-01-26 21:39 . 2009-01-26 21:39 <DIR> d-------- c:\dokumente und einstellungen\Administrator 2009-01-26 21:39 . 2005-01-10 16:21 0 --a------ c:\dokumente und einstellungen\Administrator\Anwendungsdaten\wklnhst.dat 2009-01-25 19:35 . 2009-01-25 19:35 <DIR> d-------- c:\programme\Trend Micro 2009-01-25 19:28 . 2009-01-25 19:28 18 --a------ c:\windows\system32\20526861 2009-01-25 19:28 . 2009-01-25 19:28 18 --a------ c:\windows\system32\20526841 2009-01-25 19:28 . 2009-01-25 19:28 18 --a------ c:\windows\system32\20526831 2009-01-20 23:52 . 2009-01-26 21:39 2,204 --a------ c:\windows\system32\TDSSlxwp.dll . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-26 11:14 --------- d-----w c:\dokumente und einstellungen\andreas\Anwendungsdaten\AdobeUM 2009-01-26 08:40 54,610 ----a-w c:\dokumente und einstellungen\andreas\Anwendungsdaten\wklnhst.dat 2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys 2008-11-29 14:15 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\SmartSound Software Inc 2008-09-25 20:20 90,720 ----a-w c:\dokumente und einstellungen\andreas\Anwendungsdaten\GDIPFONTCACHEV1.DAT 2006-02-02 12:28 9,993,376 ----a-w c:\programme\SkypeSetup.exe 2005-01-02 10:31 8 --sh--r c:\windows\system32\571AC95229.sys 2005-01-02 10:31 4,704 --sha-w c:\windows\system32\KGyGaAvL.sys . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9EC7888B-7A90-4FC1-B7FA-4EDC5D276991}] 2007-10-09 10:42 33716 --a------ c:\windows\system32\dsqueryd.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "NCLaunch"="c:\windows\NCLAUNCH.EXe" [2006-06-03 40960] "swg"="c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LaunchAp"="c:\programme\Launch Manager\LaunchAp.exe" [2004-08-06 32768] "HotkeyApp"="c:\programme\Launch Manager\HotkeyApp.exe" [2004-11-11 49152] "LMgrOSD"="c:\programme\Launch Manager\OSD.exe" [2004-07-26 204800] "Wbutton"="c:\programme\Launch Manager\Wbutton.exe" [2004-11-23 73728] "CtrlVol"="c:\programme\Launch Manager\CtrlVol.exe" [2003-09-16 20480] "SynTPLpr"="c:\programme\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394] "SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218] "Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-06-26 504080] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "ATIPTA"="c:\programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-21 344064] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-08-03 188416] "PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016] "TkBellExe"="c:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-01 180269] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 c:\windows\system32\bthprops.cpl] "SoundMan"="SOUNDMAN.EXE" [2004-12-01 c:\windows\SOUNDMAN.EXE] "AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 c:\windows\AGRSMMSG.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\ BTTray.lnk - c:\programme\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "wave1"= c_526811.nls "mixer1"= c_526811.nls "VIDC.MJPG"= Pvmjpg21.dll "VIDC.PIM1"= pclepim1.dll "20526842"= 33364542463035332d313642352d343043332d414433422d354536384132433343363536 "20526831"= 7a5bbe42cfb658dad038cb25cdf6fe3323b9a2d911ed511dac2ef23c288709af60830e4b6fcd15c8a83499b1f9386f552c20ca945f8f0038830dae613d133ceffb4e5f3aafe250635f2df44bd08cb9ce44a4c932413f1742b7bc5310b38a477476a43080c623caf3e483de28cbbdf272a8047b39fc6b52a134dde2ad093d879adb0674381975577c32cf76c3ac6a3a3084849d02dac089a7e8a9dc9b972bfb7fefef45142f71fd0605eb87983db3b9332846eccacfdc9aa582b29a24495d199da60856fcdb8b2c6af8c6459be75aba8f849df86caa08a7cc2df72fef03412f67782d77780ebb0bce6e889cf089ff8954a60fa01af7a7f68f6b10a92ddcb845afaf47e4e987a0a918d21965fe604fdbf7d59f5dc1422c9796b53d5ec755492d5a333a9032b526d37c511b815792aaf84e8e468a6ca501e88d1ea38d06e59f4d864f707f60dbe4296da29612569efc31dd2fc0865778a0435d11e52432ea5608201f2e776efa2f8804c7e037fbbd8c81f30a90cecd73ba8d698df48c6a75346d36920c1faf45d03bdb925b5d1b73521b0e00 "aux1"= c_526811.nls "wave2"= c_526811.nls "midi2"= c_526811.nls "mixer2"= c_526811.nls "midi1"= c_526811.nls "aux2"= c_526811.nls "20526861"= 333637633234333637633234333637633234 "20526841"= 333637636136333637636136333637636136 [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk] path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk backup=c:\windows\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2005-10-18 11:58 278528 c:\programme\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --------- 2004-10-13 17:24 1694208 c:\programme\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] --a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService] --a------ 2005-01-11 18:17 118926 c:\programme\Home Cinema\PowerCinema\PCMService.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2005-12-19 16:46 155648 c:\programme\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] --a------ 2004-11-02 20:24 32768 c:\programme\Home Cinema\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] --a------ 2007-08-01 20:58 68856 c:\programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2005-01-01 19:31 180269 c:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive] --a------ 2006-04-29 14:21 94208 c:\programme\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] --a------ 2006-05-02 14:51 3334144 c:\programme\Yahoo!\Messenger\YahooMessenger.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%ProgramFiles%\\AOL 9.0\\AOL.exe"= "%ProgramFiles%\\AOL 9.0\\WAOL.exe"= "%CommonProgramFiles%\\AOL\\ACS\\AOLACSD.exe"= "%CommonProgramFiles%\\AOL\\ACS\\AOLDIAL.exe"= "%WinDir%\\system32\\fxsclnt.exe"= "%ProgramFiles%\\CA\\eTrust Antivirus\\InocIT.exe"= "%ProgramFiles%\\CA\\eTrust Antivirus\\Realmon.exe"= "%ProgramFiles%\\CA\\eTrust Antivirus\\InoRpc.exe"= "%ProgramFiles%\\WIDCOMM\\Bluetooth Software\\BTTray.exe"= "c:\\Programme\\Skype\\Phone\\Skype.exe"= "c:\\Programme\\Home Cinema\\PowerCinema\\PowerCinema.exe"= "c:\\Programme\\iTunes\\iTunes.exe"= "c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Programme\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Programme\\Messenger\\msmsgs.exe"= "c:\\Programme\\MSN Messenger\\msnmsgr.exe"= "c:\\Programme\\MSN Messenger\\livecall.exe"= R1 Hotkey;Hotkey;c:\windows\system32\drivers\HOTKEY.sys [2004-12-28 9867] S1 mailKmd;mailKmd; [x] S1 Wbutton;Wbutton;c:\windows\system32\drivers\Wbutton.sys --> c:\windows\system32\drivers\Wbutton.sys [?] S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2005-01-02 945152] S3 TNPacket;T-Systems Nova Packet Capture Driver;c:\programme\T-DSL SpeedManager\TNPACKET.SYS [2004-03-11 9696] . - - - - Entfernte verwaiste Registrierungseinträge - - - - HKLM-Run-NWEReboot - (no file) . ------- Zusätzlicher Suchlauf ------- . uStart Page = hxxp://www.msn.de/ uSearch Page = hxxp://www.google.com uSearch Bar = hxxp://www.google.com/ie mDefault_Search_URL = hxxp://www.google.com/ie mStart Page = hxxp://www.msn.de/ mWindow Title = Microsoft Internet Explorer uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mSearchAssistant = hxxp://www.google.com/ie IE: Senden an &Bluetooth - c:\programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm TCP: {095BB3D5-8731-4C13-8463-C0D9C9FDD862} = 192.168.2.1 FF - ProfilePath - c:\dokumente und einstellungen\andreas\Anwendungsdaten\Mozilla\Firefox\Profiles\ea15ieek.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.startup.homepage - hxxp://de.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:de:official FF - plugin: c:\programme\Java\j2re1.4.2_06\bin\NPJava11.dll FF - plugin: c:\programme\Java\j2re1.4.2_06\bin\NPJava12.dll FF - plugin: c:\programme\Java\j2re1.4.2_06\bin\NPJava13.dll FF - plugin: c:\programme\Java\j2re1.4.2_06\bin\NPJava14.dll FF - plugin: c:\programme\Java\j2re1.4.2_06\bin\NPJava32.dll FF - plugin: c:\programme\Java\j2re1.4.2_06\bin\NPJPI142_06.dll FF - plugin: c:\programme\Java\j2re1.4.2_06\bin\NPOJI610.dll FF - plugin: c:\programme\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-26 22:46:24 Windows 5.1.2600 Service Pack 2 NTFS Scanne versteckte Prozesse... c:\windows\explorer.exe [488] 0x82047440 Scanne versteckte Autostarteinträge... HKLM\Software\Microsoft\Windows\CurrentVersion\Run CtrlVol = c:\programme\Launch Manager\CtrlVol.exe?????P???X??????|x??|????q??|?j?wQj?w????????,??? ???????????????`??????|????????l?????@????????????????s???????s???sx??s@??????????????|h??sp??????????s?????????????????C?sc"?sx??s???????w??@?N'?s\???=5@?h?????????? Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- Gesperrte Registrierungsschluessel --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,f4,f2,92,4f,46, 5f,70,6d,e2,63,26,f1,3f,c8,ff,68,6b,5a,37,99,05,f3,02,3a,e2,63,26,f1,3f,c8,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,f8,cc,1f,58,1f, 09,25,14,6a,9c,d6,61,af,45,84,18,91,3c,e1,b6,94,64,f3,85,6a,9c,d6,61,af,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,e3,02,2b,40,83, 6f,eb,da,ff,7c,85,e0,43,d4,0e,fe,91,2c,5b,57,85,b4,72,d5,ff,7c,85,e0,43,d4,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,44,83,7e,2b,92, 78,36,2d,86,8c,21,01,be,91,eb,e7,47,39,16,c0,ff,4c,c6,b9,86,8c,21,01,be,91,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,d0,f4,14,22,d6, b3,35,7c,f5,1d,4d,73,a8,13,5c,05,be,01,10,11,31,b4,aa,d3,f5,1d,4d,73,a8,13,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,3e,f1,7f,50,de, 66,2b,a5,df,20,58,62,78,6b,cf,c8,af,73,11,11,4f,85,2c,fc,df,20,58,62,78,6b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,c8,c4,7c,83,36, 90,8c,b2,fb,a7,78,e6,12,2f,9a,ea,f8,bc,06,c6,76,87,61,26,fb,a7,78,e6,12,2f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,e8,22,2b,e3,ef, 5a,a5,c8,01,3a,48,fc,e8,04,4a,f1,c7,4f,36,c3,5e,b7,2e,06,01,3a,48,fc,e8,04,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,70,af,eb,2c,45, e3,7f,0d,f6,0f,4e,58,98,5b,89,c9,77,e0,e0,b6,a2,72,c3,a3,f6,0f,4e,58,98,5b,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,d0,c7,d6,9e,99, 3c,a4,11,3d,ce,ea,26,2d,45,aa,78,39,32,f4,97,fd,1a,a8,61,3d,ce,ea,26,2d,45,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,60,50,76,63,22, 54,ce,bc,2a,b7,cc,b5,b9,7f,41,e7,b5,d0,03,7c,fe,36,a3,e3,2a,b7,cc,b5,b9,7f,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*] "ThreadingModel"="Apartment" @="c:\\WINDOWS\\system32\\OLE32.DLL" "8a8aec57dd6508a385616fbc86791ec2"=hex:05,73,21,dd,54,d8,4a,c5,e1,b3,26,d0,35, 09,8f,b8,6c,43,2d,1e,aa,22,2f,9c,cd,a8,a6,b7,51,74,5f,f3,6c,43,2d,1e,aa,22,\ . --------------------- Durch laufende Prozesse gestartete DLLs --------------------- - - - - - - - > 'winlogon.exe'(620) c:\windows\system32\Ati2evxx.dll . ------------------------ Weitere laufende Prozesse ------------------------ . c:\windows\system32\ati2evxx.exe c:\programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe c:\programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe c:\programme\CyberLink\Shared Files\CLML_NTService\CLMLService.exe c:\programme\CA\eTrust Antivirus\InoRpc.exe c:\programme\CA\eTrust Antivirus\InoRT.exe c:\programme\CA\eTrust Antivirus\InoTask.exe c:\programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe c:\windows\system32\wdfmgr.exe c:\programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe c:\windows\system32\ati2evxx.exe c:\windows\system32\rundll32.exe c:\windows\system32\wbem\wmiadap.exe . ************************************************************************** . Zeit der Fertigstellung: 2009-01-26 22:49:58 - PC wurde neu gestartet [andreas] ComboFix-quarantined-files.txt 2009-01-26 21:49:55 Vor Suchlauf: 11 Verzeichnis(se), 13.998.067.712 Bytes frei Nach Suchlauf: 11 Verzeichnis(se), 13,672,988,672 Bytes frei WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 296 --- E O F --- 2009-01-21 10:21:23 |
27.01.2009, 00:17 | #7 |
| Google, yahoo-Suchen werden umgeleitet So, MAM hat auch was gefunden. Nachdem ich schon so fleißig poste, auch hiervon das Ergebnis: Code:
ATTFilter Malwarebytes' Anti-Malware 1.33 Datenbank Version: 1696 Windows 5.1.2600 Service Pack 2 2009-01-26 23:09:57 mbam-log-2009-01-26 (23-09-57).txt Scan-Methode: Quick-Scan Durchsuchte Objekte: 54724 Laufzeit: 3 minute(s), 58 second(s) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 1 Infizierte Registrierungsschlüssel: 3 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 2 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: C:\WINDOWS\system32\dsqueryd.dll (Trojan.Vundo.H) -> Delete on reboot. Infizierte Registrierungsschlüssel: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ec7888b-7a90-4fc1-b7fa-4edc5d276991} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{9ec7888b-7a90-4fc1-b7fa-4edc5d276991} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ec7888b-7a90-4fc1-b7fa-4edc5d276991} (Trojan.Vundo.H) -> Quarantined and deleted successfully. Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: C:\WINDOWS\system32\dsqueryd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\TDSSlxwp.dll (Trojan.Agent) -> Quarantined and deleted successfully. |
27.01.2009, 00:27 | #8 |
| Google, yahoo-Suchen werden umgeleitet Bei 2 weiteren Durchläufen mit Combofix und MAM wurde nichts mehr gefunden, sieht so aus als hätten wir gewonnen! Zum Schluss hab ich aber noch eine Frage, und zwar ob aus dem HJT bzw Silentrunners noch ablesbar ist, ob dem Laptop noch was Gutes getan werden kann (etwa in Form einer Deinstallation der Google Task Bar). Soweit schonmal vielen Dank an Chris4You, sundance und Trojan.Vundo.H. |
27.01.2009, 07:40 | #9 |
| Google, yahoo-Suchen werden umgeleitet Hi, Kann man, muss man aber nicht (Goggletoolbar deinstallieren); Was mir mehr zunehmend mehr Sorgen bereitet, ist die zunehmende "Blindheit" unserer Tools, TDSS* war ein Schuß von mir ins Blaue, Angezeigt hat ihn weder HJ noch Silentrunner noch RSIT... Die Rootkitbauer werden immer besser, bald hilft nur noch von aussen mit einer Boot-CD scannen (oder ich schmeiss meine alte Mühle wieder an und bastele mir selber einen Scanner in C++ ;o)... Du solltest von Deinem Medion-Rechner den eTrust runterwerfen, der ist nicht gerade der beste Scanner und gegen z. B. Avira austauschen, zusätzlich vielleicht noch so was wie Threadfire Free (Behaviour scanner)... und die windowseigene FW aktivieren... chris
__________________ Don't bring me down Vor dem posten beachten! Spenden (Wer spenden will, kann sich gerne melden ) |
27.01.2009, 21:42 | #10 |
| Google, yahoo-Suchen werden umgeleitet Gut geschossen . Windows FW ist aktiv, Antivir hab ich installiert. Allerdings kann ich eTrust nicht entfernen. Interessanterweise gibt es im Programm-Ordner kein uninstall, setup oder ähnliches. Sogar in der Systemsteuerung->Software Liste wird es nicht aufgeführt. Ich hab zumindest den Eintrag im Autostart entfernen können. Wenn ich die Dateien im Programm-Verzeichnis von Hand lösche, und dann CCleaner über die Registry laufen lasse, ist mir dann geholfen? Gruß aus Freiburg. |
Themen zu Google, yahoo-Suchen werden umgeleitet |
adobe, antivirus, askbar, bho, computer, desktop, explorer, firefox, frage, google, hijack, hijackthis, hkus\s-1-5-18, home, internet, internet explorer, launch, logfile, monitor, mozilla, problem, rundll, scan, seiten, senden, software, windows, windows xp |