Log analysis and evaluation: Evaluation of the log file
03.05.2009, 14:47 | #1 |
Evaluation of the log file

Hello,

a few days ago AntiVir reported several trojans to me, so I would like to ask you to look over my log file and tell me whether I have anything to fear. The individual trojans were:

'TR/Crypt.CFI.Gen'
'TR/Crypt.MWPM.Gen'
'TR/Vundo.Gen'
'TR/Downloader.Gen'
'TR/Dropper.Gen'

Since I did not know what one does in such a situation, I deleted them all. My PC still runs without problems, only AntiVir is always switched off at startup, so I have to switch it on manually. Nevertheless, I would like to have someone who knows about this look over the file:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:48, on 03.05.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
c:\programme\lenovo\system update\suservice.exe
C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe
C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Logger\logmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lenovo\NPDIRECT\TPFNF7SP.exe
C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Programme\Apoint2K\Apoint.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\Lenovo\AwayTask\AwaySch.EXE
C:\Programme\Lenovo\HOTKEY\TPONSCR.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\Programme\ThinkVantage\AMSG\Amsg.exe
C:\Programme\Lenovo\Zoom\TpScrex.exe
C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Programme\Apoint2K\ApMsgFwd.exe
C:\Programme\Lenovo\Client Security Solution\cssauth.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Programme\ThinkPad\Bluetooth Software\BTTray.exe
C:\Programme\Apoint2K\Apntex.exe
C:\Programme\Digital Line Detect\DLG.exe
C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe
C:\Programme\Lenovo\Client Security Solution\tvtpwm_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Winamp\winamp.exe
C:\Dokumente und Einstellungen\***\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://lenovo.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: ThinkVantage Password Manager - {F040E541-A427-4CF7-85D8-75E3E0F476C5} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [TPFNF7] C:\Programme\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [TPHOTKEY] C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AwaySch] C:\Programme\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [AMSG] C:\Programme\ThinkVantage\AMSG\Amsg.exe /startup
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ACTray] C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [cssauth] "C:\Programme\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Programme\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth-Gerät... - C:\Programme\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: ThinkVantage Password Manager... - {0045D4BC-5189-4b67-969C-83BB1906C421} - C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IPS-Basisservice (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\programme\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 11592 bytes

Thank you very much in advance!
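The log above is reviewed section by section (O2 browser helper objects, O4 autostarts, O20 Winlogon hooks, O23 services). The script below is an added example, not part of the original post and not HijackThis code: it parses entries in that format and flags the ones a reviewer checks first (references to files no longer on disk, Winlogon Notify DLLs, services with no company name in their version info, autostarts from user-writable directories). The sample log is constructed for the example, a few lines in the shape of the poster's log plus one made-up Temp-directory autostart to exercise the last rule; the heuristics are this example's assumptions, not a verdict on the machine in the thread.

```python
"""Triage of a HijackThis 2.0 log.

Added example (not part of the original post, not HijackThis code): parse the
"Oxx - ..." entries and flag those a reviewer looks at first. Heuristics and
sample data are assumptions of this example, not a verdict on the thread's PC.
"""
import re
from dataclasses import dataclass

# Constructed sample in the format of the log above. The "updater" O4 entry is
# made up for the example to exercise the user-writable-path rule.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:48, on 03.05.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [updater] C:\Dokumente und Einstellungen\user\Lokale Einstellungen\Temp\svch0st.exe
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
-- End of file - 1234 bytes
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First Windows path ending in a loadable/executable extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|scr|cpl|ocx|sys)', re.IGNORECASE)
# Directories a limited user can write to; an autostart from here deserves a look.
USER_WRITABLE = (
    r"\\Temp\\", r"\\Dokumente und Einstellungen\\", r"\\Documents and Settings\\",
    r"\\Anwendungsdaten\\", r"\\Application Data\\", r"\\Lokale Einstellungen\\",
    r"\\Local Settings\\", r"\\Users\\", r"\\ProgramData\\",
)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O4", "O20", "O23"
    reason: str
    line: str


def first_path(body: str):
    """Return the first file path in an entry body, or None."""
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def in_user_writable_dir(path: str) -> bool:
    return any(re.search(p, path, re.IGNORECASE) for p in USER_WRITABLE)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (entry, reason); clean entries produce none."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                      # header, process list, end marker
        section, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            reasons.append("registry entry points at a file that is not on disk")
        if section == "O20":
            reasons.append("Winlogon Notify DLL: loaded into winlogon.exe with SYSTEM rights")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service binary has no company name in its version info")
        path = first_path(body)
        if path and in_user_writable_dir(path):
            reasons.append(f"autostart from a user-writable directory: {path}")
        findings.extend(Finding(section, r, m.group(0)) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

A hit is a reason to look, not a verdict: the O20 "ACNotify.dll (file missing)" entry in the poster's log is a leftover of a removed Lenovo component as far as the log shows, and "Unknown owner" only means the binary carries no company string. The script's value is that it separates the handful of entries worth checking by hand from the long tail of vendor-signed autostarts.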
03.05.2009, 19:55 | #2 |
Evaluation of the log file

Hi,

please run MAM once.. Malwarebytes Antimalware (MAM). Instructions & download here: http://www.trojaner-board.de/51187-malwarebytes-anti-malware.html
Full scan and let it clean everything! Post the log.
Alternative download: http://filepony.de/download-malwarebytes_anti_malware/, http://www.gt500.org/malwarebytes/mbam.jsp

Additionally: SilentRunner: unpack the zip archive into a directory, start it with a double-click, select "yes". The created file is found in the same directory the script was copied to; please load it in an editor and post it. http://www.silentrunners.org/Silent%20Runners.zip

chris
04.05.2009, 20:27 | #3 |
Evaluation of the log file

Hi chris,

thank you very much for the quick reply, I ran both things, here are the files:

From Malwarebytes' Anti-Malware:

Code:
Malwarebytes' Anti-Malware 1.36
Datenbank Version: 2074
Windows 5.1.2600 Service Pack 2

04.05.2009 20:52:34
mbam-log-2009-05-04 (20-52-34).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 169054
Laufzeit: 33 minute(s), 20 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
04.05.2009, 20:31 | #4 |
Evaluation of the log file

Here is the first part of Silent Runners (it is too large to post in one piece):

Code:
"Silent Runners.vbs", revision 59, h**p://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PWRMGRTR" = "rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor" [MS]
"BLOG" = "rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog" [MS]
"TPFNF7" = "C:\Programme\Lenovo\NPDIRECT\TPFNF7SP.exe /r" ["Lenovo Group Limited"]
"TPHOTKEY" = "C:\Programme\Lenovo\HOTKEY\TPOSDSVC.exe" ["Lenovo Group Limited"]
"Apoint" = "C:\Programme\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"(Default)" = "(empty string)" [file not found]
"TpShocks" = "TpShocks.exe" ["Lenovo."]
"EZEJMNAP" = "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" ["Lenovo Group Ltd."]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"TVT Scheduler Proxy" = "C:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\scheduler_proxy.exe" ["Lenovo Group Limited"]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"DLA" = "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" ["Sonic Solutions"]
"ISUSPM Startup" = "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"AwaySch" = "C:\Programme\Lenovo\AwayTask\AwaySch.EXE" ["Lenovo Group Limited"]
"LPManager" = "C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe" ["Lenovo Group Limited"]
"AMSG" = "C:\Programme\ThinkVantage\AMSG\Amsg.exe /startup" ["LENOVO"]
"DiskeeperSystray" = ""C:\Programme\Diskeeper Corporation\Diskeeper\DkIcon.exe"" ["Diskeeper Corporation"]
"ACTray" = "C:\Programme\ThinkPad\ConnectUtilities\ACTray.exe" ["Lenovo "]
"ACWLIcon" = "C:\Programme\ThinkPad\ConnectUtilities\ACWLIcon.exe" ["Lenovo "]
"cssauth" = ""C:\Programme\Lenovo\Client Security Solution\cssauth.exe" silent" ["Lenovo Group Limited"]
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Malwarebytes' Anti-Malware" = "C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "DriveLetterAccess"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar Helper"
     \InProcServer32\(Default) = "C:\Programme\Windows Live Toolbar\msntb.dll" [MS]
{C451C08A-EC37-45DF-AAAD-18B51AB5E837}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "PDFCreator Toolbar Helper"
     \InProcServer32\(Default) = "C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll" [null data]
{F040E541-A427-4CF7-85D8-75E3E0F476C5}\(Default) = "ThinkVantage Password Manager"
  -> {HKLM...CLSID} = "CPwmIEBrowserHelper Object"
     \InProcServer32\(Default) = "C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll" ["Lenovo Group Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {HKLM...CLSID} = "Bluetooth-Umgebung"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
"{7842554E-6BED-11D2-8CDB-B05550C10000}" = "Monitor"
  -> {HKLM...CLSID} = "Monitor Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\btncopy.dll" ["Broadcom Corporation."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\ThinkVantage\SMA\7z\7-zip.dll" ["Igor Pavlov"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Notification Packages" = "scecli"|"ACGina"|"psqlpwd"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> ACNotify\DLLName = "ACNotify.dll" [file not found]
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<<!>> psfus\DLLName = "C:\WINDOWS\system32\psqlpwd.dll" ["UPEK Inc."]
<<!>> tpfnf2\DLLName = "C:\Programme\Lenovo\HOTKEY\notifyf2.dll" [null data]
<<!>> tphotkey\DLLName = "C:\Programme\Lenovo\HOTKEY\tphklock.dll" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
     \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
TzShell\(Default) = "{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}"
  -> {HKLM...CLSID} = "TzShell"
     \InProcServer32\(Default) = "C:\Programme\TUGZip\TzShell.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
TzShell\(Default) = "{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}"
  -> {HKLM...CLSID} = "TzShell"
     \InProcServer32\(Default) = "C:\Programme\TUGZip\TzShell.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\xxx\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

IviCDBurningOnArrival\
"Provider" = "@C:\Programme\InterVideo\WCreator3\WCreator.exe,-57344"
"InvokeProgID" = "InterVideo WinDVD Creator .wcp"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\InterVideo WinDVD Creator .wcp\shell\open\command\(Default) = "C:\Programme\InterVideo\WCreator3\WCreator.exe "%L"" ["InterVideo Inc."]

IviDVDEventHandler\
"Provider" = "InterVideo WinDVD"
"InvokeProgID" = "Ivi.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = "C:\Programme\InterVideo\WinDVD\WinDVD.exe %1" ["InterVideo Inc."]

IviVideoCameraArrival\
"Provider" = "@C:\Programme\InterVideo\WCreator3\WCreator.exe,-57344"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Programme\InterVideo\WCreator3\WCreator.exe" --capture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

IviVideoCDHandler\
"Provider" = "InterVideo WinDVD"
"InvokeProgID" = "Ivi.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = "C:\Programme\InterVideo\WinDVD\WinDVD.exe %1" ["InterVideo Inc."]

Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa3"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "C:\Programme\Google\Picasa3\Picasa3.exe "%1"" ["Google Inc."]

SonicSCAudioCDTask\
"Provider" = "RecordNow Audio"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\AudioCDTask\Command\(Default) = ""C:\Programme\Gemeinsame Dateien\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {EBD22732-1CC3-4CD7-9A45-B8D98DA0E784}" [null data]

SonicSCCopyCD\
"Provider" = "RecordNow Copy"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Programme\Gemeinsame Dateien\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCCopyDisc\
"Provider" = "RecordNow Copy"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Programme\Gemeinsame Dateien\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCDataProject\
"Provider" = "RecordNow Data"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataGuide\Command\(Default) = ""C:\Programme\Gemeinsame Dateien\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch Data" [null data]
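Silent Runners annotates every loaded module with what it could read from the file's version information: a vendor name in quotes, `[MS]`, `[null data]` for a file with no version resource, or `[file not found]`. Lines it prefixes with `<<!>>` (the Lsa notification packages and the Winlogon Notify hooks above) are the ones it wants reviewed. The script below is an added example, not part of the original post and not Silent Runners code: it walks a dump in that format and pulls out the modules that cannot be attributed to a vendor, together with the registry key they load from, plus the `<<!>>` lines. The sample is a constructed excerpt in the shape of the output above; the rules are this example's assumptions, not findings about the poster's machine.

```python
"""Review of Silent Runners output.

Added example (not part of the original post, not Silent Runners code): walk
the key/value dump and pull out (a) modules whose signer field is
[null data] or [file not found], i.e. no version info to attribute them to
a vendor, and (b) lines Silent Runners itself marks with <<!>>. The sample is
constructed from the format of the output above; rules are this example's
assumptions.
"""
import re

# Constructed excerpt in Silent Runners format (a few keys from the output above).
SAMPLE = r"""Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"(Default)" = "(empty string)" [file not found]
"TPFNF7" = "C:\Programme\Lenovo\NPDIRECT\TPFNF7SP.exe /r" ["Lenovo Group Limited"]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Notification Packages" = "scecli"|"ACGina"|"psqlpwd"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> ACNotify\DLLName = "ACNotify.dll" [file not found]
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<<!>> tpfnf2\DLLName = "C:\Programme\Lenovo\HOTKEY\notifyf2.dll" [null data]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
TzShell\(Default) = "{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}"
  -> {HKLM...CLSID} = "TzShell"
     \InProcServer32\(Default) = "C:\Programme\TUGZip\TzShell.dll" [null data]
"""

# A registry key header: hive path ending in a backslash, optionally "{++}".
KEY_RE = re.compile(r"^(HK(?:LM|CU|U|CR)\\.*\\)(?:\s*\{\+\+\})?$")
# Trailing signer tag: [MS], [null data], [file not found] or ["Vendor"].
TAG_RE = re.compile(r'\[(MS|null data|file not found|"[^"]*")\]$')
UNVERIFIABLE = {"null data", "file not found"}


def parse(text):
    """Yield (key, line, signer_tag, marked) for each value line under a key."""
    key = None
    for raw in text.splitlines():
        body = raw.strip()
        marked = body.startswith("<<!>>")
        if marked:
            body = body[len("<<!>>"):].strip()
        if not body:
            continue
        km = KEY_RE.match(body)
        if km and "=" not in body:        # registry key header, remember it
            key = km.group(1)
            continue
        tm = TAG_RE.search(body)
        if tm or marked:
            yield key, body, (tm.group(1) if tm else None), marked


def review(text):
    """Split the dump into modules without vendor attribution and <<!>> lines."""
    unverifiable = []  # (key, tag, line): no version info to tie the file to a vendor
    marked = []        # (key, line): Silent Runners printed <<!>> in front of it
    for key, line, tag, is_marked in parse(text):
        if is_marked:
            marked.append((key, line))
        # "(empty string)" is a value with no data, not a missing module.
        if tag in UNVERIFIABLE and "(empty string)" not in line:
            unverifiable.append((key, tag, line))
    return {"unverifiable": unverifiable, "marked": marked}


if __name__ == "__main__":
    result = review(SAMPLE)
    for key, tag, line in result["unverifiable"]:
        print(f"[{tag}] under {key}\n    {line}")
    for key, line in result["marked"]:
        print(f"<<!>> under {key}\n    {line}")
```

In the poster's output this yields the Lenovo hotkey DLLs, the PDFCreator toolbar, TUGZip's shell extension and the missing ACNotify.dll; none of those is a finding by itself, but they are the entries a reviewer cannot clear from the dump alone and has to check on disk (hash, signature, install date).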
04.05.2009, 20:33 | #5 |
Evaluation of the log file

Code:
SonicSCDataTask\
"Provider" = "RecordNow Data"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataTask\Command\(Default) = ""C:\Programme\Gemeinsame Dateien\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {0BAC5C34-DF45-4C0F-8D64-8E92DCCF007D}" [null data]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda://%1" ["the VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd://%1" ["the VideoLAN Team"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = ""C:\Programme\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "xxx" & "All Users" startup folders:
-----------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"BTTray" -> shortcut to: "C:\Programme\ThinkPad\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."]
"Digital Line Detect" -> shortcut to: "C:\Programme\Digital Line Detect\DLG.exe" ["Avanquest Software "]


Enabled Scheduled Tasks:
------------------------

"Auf Updates für Windows Live Toolbar prüfen" -> launches: "C:\Programme\Windows Live Toolbar\MSNTBUP.EXE" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
  -> {HKLM...CLSID} = "Windows Live Toolbar"
     \InProcServer32\(Default) = "C:\Programme\Windows Live Toolbar\msntb.dll" [MS]
"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}"
  -> {HKLM...CLSID} = "PDFCreator Toolbar"
     \InProcServer32\(Default) = "C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Toolbar"
     \InProcServer32\(Default) = "C:\Programme\Windows Live Toolbar\msntb.dll" [MS]
"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}" = "PDFCreator Toolbar"
  -> {HKLM...CLSID} = "PDFCreator Toolbar"
     \InProcServer32\(Default) = "C:\Programme\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{0045D4BC-5189-4B67-969C-83BB1906C421}\
"MenuText" = "ThinkVantage Password Manager..."
"CLSIDExtension" = "{0FE81B52-73FA-425F-8F06-3F32451AC73F}"
  -> {HKLM...CLSID} = "CPwmIEToolsMenuItem Object"
     \InProcServer32\(Default) = "C:\Programme\Lenovo\Client Security Solution\tvtpwm_ie_com.dll" ["Lenovo Group Limited"]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ac Profile Manager Service, AcPrfMgrSvc, "C:\Programme\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe" ["Lenovo "]
Access Connections Main Service, AcSvc, "C:\Programme\ThinkPad\ConnectUtilities\AcSvc.exe" ["Lenovo "]
Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal - Free Antivirus Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
Bluetooth Service, btwdins, "C:\Programme\ThinkPad\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
Diskeeper, Diskeeper, ""C:\Programme\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]
Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Programme\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Programme\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Programme\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
IPS-Basisservice, IPSSVC, "C:\WINDOWS\system32\IPSSVC.EXE" ["Lenovo Group Limited"]
IviRegMgr, IviRegMgr, "C:\Programme\Gemeinsame Dateien\InterVideo\RegMgr\iviRegMgr.exe" ["InterVideo"]
SQL Server (MSSMLBIZ), MSSQL$MSSMLBIZ, ""c:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ" [MS]
System Update, SUService, "c:\programme\lenovo\system update\suservice.exe" [null data]
ThinkPad HDD APS Logging Service, TPHDEXLGSVC, "System32\TPHDEXLG.exe" ["Lenovo."]
ThinkPad PM Service, IBMPMSVC, "C:\WINDOWS\system32\ibmpmsvc.exe" ["Lenovo"]
ThinkVantage Registry Monitor Service, ThinkVantage Registry Monitor Service, ""C:\Programme\Gemeinsame Dateien\Lenovo\tvt_reg_monitor_svc.exe"" ["Lenovo Group Limited"]
TSS Core Service, TSSCoreService, ""C:\Programme\Lenovo\Client Security Solution\tvttcsd.exe"" ["IBM"]
TVT Backup Protection Service, TVT Backup Protection Service, ""C:\Programme\Lenovo\Rescue and Recovery\rrpservice.exe"" [null data]
TVT Backup Service, TVT Backup Service, ""C:\Programme\Lenovo\Rescue and Recovery\rrservice.exe"" ["Lenovo Group Limited"]
TVT Scheduler, TVT Scheduler, ""c:\Programme\Gemeinsame Dateien\Lenovo\Scheduler\tvtsched.exe"" ["Lenovo Group Limited"]
tvtnetwk, tvtnetwk, "C:\Programme\Lenovo\Rescue and
Recovery\ADM\IUService.exe" [null data] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Bluetooth-Druckeranschluss\Driver = "bthcrp.dll" ["Broadcom Corporation."] PDFCreator\Driver = "pdfcmnnt.dll" [null data] ---------- (launch time: 2009-05-04 21:10:40) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 37 seconds, including 18 seconds for message boxes) |
05.05.2009, 06:33 | #6 |
| Log file evaluation Hi, Java is totally outdated (jre1.5.0_06), update it! Otherwise it looks good! To be safe, one more rootkit scan: Gmer: http://www.trojaner-board.de/74908-anleitung-gmer-rootkit-scanner.html You will find the download link at the top left (www.gmer.net/files); there click the button "Download EXE", which generates a random file name (please note it down, together with the path where you saved it). Start GMER and check whether it already reports something. If it does, please answer all questions with "no", go to the "Rootkit" tab, again answer the question with "no", and paste the report into the thread using Copy. If it reports nothing, go to the Rootkit tab and run a scan. When it has finished, choose Copy and paste the report. chris
05.05.2009, 22:47 | #7 |
| Log file evaluation Hi, I will do the Java update later; for now here is part of the scan output: The rest is also all these RRbackup entries, in total it was over 127000 characters, and I did not want to write 6 posts just for that.... Code:
ATTFilter GMER 1.0.15.14972 - http://www.gmer.net Rootkit scan 2009-05-05 23:38:26 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.15 ---- SSDT A334EB64 ZwCreateThread SSDT A334EB50 ZwOpenProcess SSDT A334EB55 ZwOpenThread SSDT A334EB5F ZwTerminateProcess SSDT A334EB5A ZwWriteVirtualMemory ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs tvtfilter.sys (Rescue and Recovery filter driver/Lenovo) Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Fastfat \Fat 991FFC8A Device \FileSystem\Fastfat \Fat 99203958 AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Files - GMER 1.0.15 ---- File C:\RRbackups\C 0 bytes File C:\RRbackups\C\0 0 bytes File C:\RRbackups\C\0\Data0 50003968 bytes File C:\RRbackups\C\0\Data1 50003968 bytes File C:\RRbackups\C\0\Data10 50003968 bytes File C:\RRbackups\C\0\Data100 50003968 bytes File C:\RRbackups\C\0\Data101 |
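Since the thread turns on reading this GMER output, here is an added triage parser (my example, not GMER's or the board's code): it splits the log into its sections, pulls out the SSDT hooks and the device objects GMER listed with only an address and no driver name, and counts the file entries. The sample lines are copied from the log posted above; which entries to look at first is my assumption, not a verdict on this machine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the header, "System" and "Devices" sections copied from
# the GMER log posted in this thread, plus one line of its "Files" section.
SAMPLE_LOG = r"""GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-05 23:38:26
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT A334EB64 ZwCreateThread
SSDT A334EB50 ZwOpenProcess
SSDT A334EB55 ZwOpenThread
SSDT A334EB5F ZwTerminateProcess
SSDT A334EB5A ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tvtfilter.sys (Rescue and Recovery filter driver/Lenovo)
Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fastfat \Fat 991FFC8A
Device \FileSystem\Fastfat \Fat 99203958
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\RRbackups\C\0\Data0 50003968 bytes
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT ([0-9A-Fa-f]{8}) (\w+)$")
DEVICE_RE = re.compile(r"^(AttachedDevice|Device) (\S+) (\S+)(?: (.*))?$")
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes$")
MODULE_RE = re.compile(r"^(\S+\.(?:sys|SYS|dll|DLL|exe|EXE))(?: \((.*)\))?$")
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Entry:
    section: str
    kind: str                        # "SSDT", "Device", "AttachedDevice" or "File"
    target: str                      # hooked function, device object path, or file path
    address: Optional[str] = None    # raw address GMER printed, when it printed one
    module: Optional[str] = None     # driver or DLL GMER attributed the entry to
    description: Optional[str] = None
    size: Optional[int] = None


def parse_gmer(text: str) -> List[Entry]:
    """Turn the flat GMER text into structured entries, keyed by section."""
    entries: List[Entry] = []
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = SSDT_RE.match(line)
        if m:
            entries.append(Entry(section, "SSDT", m.group(2), address=m.group(1).upper()))
            continue
        m = DEVICE_RE.match(line)
        if m:
            kind, driver_obj, device_obj, rest = m.groups()
            entry = Entry(section, kind, f"{driver_obj} {device_obj}")
            rest = rest or ""
            if ADDR_RE.match(rest):
                # GMER gave only an address: it could not name a driver image.
                entry.address = rest.upper()
            else:
                mm = MODULE_RE.match(rest)
                if mm:
                    entry.module, entry.description = mm.group(1), mm.group(2)
                elif rest:
                    entry.description = rest
            entries.append(entry)
            continue
        m = FILE_RE.match(line)
        if m:
            entries.append(Entry(section, "File", m.group(1), size=int(m.group(2))))
    return entries


def triage(entries: List[Entry]) -> Dict[str, object]:
    """Summarise what an analyst reads first: hooked SSDT functions, device
    objects without a driver name, the drivers that were named, file count."""
    return {
        "ssdt_hooks": [e.target for e in entries if e.kind == "SSDT"],
        "unattributed_devices": [
            f"{e.target} @ {e.address or 'no address'}"
            for e in entries
            if e.kind in ("Device", "AttachedDevice") and e.module is None
        ],
        "attributed_modules": sorted({e.module for e in entries if e.module}),
        "file_count": sum(1 for e in entries if e.kind == "File"),
    }


if __name__ == "__main__":
    for key, value in triage(parse_gmer(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```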
06.05.2009, 06:43 | #8 |
| Log file evaluation Hi, please send the complete GMER log, it does not seem to be complete! Please also take a look at the XP Event Viewer ("Start" - "Run" - eventvwr.msc) under "Application log" to see whether, and which, errors AntiVir reports there; give us the details including the error code (double-click)... Otherwise please proceed as follows: -> http://forum.avira.com/wbb/index.php?page=Thread&postid=71313#post71313 chris
07.05.2009, 21:54 | #9 |
| Log file evaluation OK, then here is the complete file from Gmer: Code:
ATTFilter GMER 1.0.15.14972 - http://www.gmer.net Rootkit scan 2009-05-05 23:38:26 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.15 ---- SSDT A334EB64 ZwCreateThread SSDT A334EB50 ZwOpenProcess SSDT A334EB55 ZwOpenThread SSDT A334EB5F ZwTerminateProcess SSDT A334EB5A ZwWriteVirtualMemory ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs tvtfilter.sys (Rescue and Recovery filter driver/Lenovo) Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions) Device \FileSystem\Fastfat \Fat 991FFC8A Device \FileSystem\Fastfat \Fat 99203958 AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Files - GMER 1.0.15 ---- File C:\RRbackups\C 0 bytes File C:\RRbackups\C\0 0 bytes File C:\RRbackups\C\0\Data0 50003968 bytes File C:\RRbackups\C\0\Data1 50003968 bytes File C:\RRbackups\C\0\Data10 50003968 bytes File C:\RRbackups\C\0\Data100 50003968 bytes File C:\RRbackups\C\0\Data101 50003968 bytes File C:\RRbackups\C\0\Data102 50003968 bytes File C:\RRbackups\C\0\Data103 50003968 bytes File C:\RRbackups\C\0\Data104 50003968 bytes File C:\RRbackups\C\0\Data105 50003968 bytes File C:\RRbackups\C\0\Data106 50003968 bytes File C:\RRbackups\C\0\Data107 50003968 bytes File C:\RRbackups\C\0\Data108 50003968 bytes File C:\RRbackups\C\0\Data109 50003968 bytes File C:\RRbackups\C\0\Data11 50003968 bytes File C:\RRbackups\C\0\Data110 50003968 bytes File C:\RRbackups\C\0\Data111 50003968 bytes File C:\RRbackups\C\0\Data112 50003968 bytes File C:\RRbackups\C\0\Data113 50003968 bytes File C:\RRbackups\C\0\Data114 50003968 bytes File C:\RRbackups\C\0\Data115 50003968 bytes File C:\RRbackups\C\0\Data270 50003968 bytes File C:\RRbackups\C\0\Data271 50003968 bytes File C:\RRbackups\C\0\Data272 50003968 bytes File C:\RRbackups\C\0\Data273 50003968 bytes File 
07.05.2009, 21:56 | #10 |
| Log file evaluation Part 2: Code:
07.05.2009, 21:57 | #11 |
| Log file evaluation Part 3: Code:
07.05.2009, 21:59 | #12 |
| Log file evaluation Part 4: Code:
07.05.2009, 22:00 | #13 |
| Log file evaluation Part 5: Code:
07.05.2009, 22:01 | #14 |
| Log-file analysis, part 6: Code:
ATTFilter File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Lenovo\Client Security Solution 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Lenovo\Client Security Solution\config.ini 61 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Lenovo\Client Security Solution\cspContainer.dat 332 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Lenovo\Client Security Solution\cssversion.dat 1908 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Lenovo\Client Security Solution\encobject.dat 14472 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Lenovo\Client Security Solution\hibernation.dat 4 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Lenovo\Client Security Solution\hwkeys.dat 8496 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Lenovo\Client Security Solution\symkeys.dat 1968 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-42765336-578794157-4130597129-1008 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-42765336-578794157-4130597129-1008\49ac1cf87687c5a4c794042acbff288e_f7f317a6-2ce2-447f-bca4-10f1c7585b0b 2099 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-42765336-578794157-4130597129-1008\533145ef011ddf5ca3983e2545a902b4_f7f317a6-2ce2-447f-bca4-10f1c7585b0b 2099 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-42765336-578794157-4130597129-1008\5550e7cb640347345a345c63aa7a6848_f7f317a6-2ce2-447f-bca4-10f1c7585b0b 59 bytes File C:\RRbackups\Documents and 
Settings\Flo\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-42765336-578794157-4130597129-1008\8f71098770f72c7a67cd8f1151619865_f7f317a6-2ce2-447f-bca4-10f1c7585b0b 54 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-42765336-578794157-4130597129-1008\e11c1fbc72fe79f605957d9debecfd04_f7f317a6-2ce2-447f-bca4-10f1c7585b0b 44 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\CREDHIST 160 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-1934161205-1546336866-4239196731-500 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-1934161205-1546336866-4239196731-500\56067a3b-e720-46c5-8101-704a1ec96aa5 388 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-1934161205-1546336866-4239196731-500\Preferred 24 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3709008723-3291747824-738936254-500 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3709008723-3291747824-738936254-500\b8b416c9-066f-4d37-adff-62aeae3358dc 388 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-3709008723-3291747824-738936254-500\Preferred 24 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-398270163-1554303617-2424811709-500 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-398270163-1554303617-2424811709-500\f57de697-8b2f-4d36-8462-c0be222f1a7d 388 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-398270163-1554303617-2424811709-500\Preferred 24 bytes File C:\RRbackups\Documents and 
Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-42765336-578794157-4130597129-1008 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-42765336-578794157-4130597129-1008\0d82d83f-df60-4c8c-9ff6-1be13edddf06 388 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-42765336-578794157-4130597129-1008\94f3782a-82b9-4052-84da-587e77d1b318 388 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-42765336-578794157-4130597129-1008\97a979da-0a1c-4039-b7bd-f03c6138b159 388 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\Protect\S-1-5-21-42765336-578794157-4130597129-1008\Preferred 24 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and Settings\Flo\Anwendungsdaten\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\Documents and Settings\LocalService 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Anwendungsdaten\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and 
Settings\LocalService\Anwendungsdaten\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\Documents and Settings\NetworkService 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-20 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-20\94498385663a229a93d423c6d144ae0b_f7f317a6-2ce2-447f-bca4-10f1c7585b0b 2567 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\CREDHIST 24 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20\042c990c-9e7a-4251-b52c-aa4b8edb571e 388 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20\7ae6752b-2b70-43c7-ac9b-aa0bc838d920 388 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20\83f33d6e-33c1-4886-847d-9eb3c37bba8f 388 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20\eaa99c1b-cd9a-4f92-ba25-a7ebf9a40d49 388 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\Protect\S-1-5-20\Preferred 24 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and 
Settings\NetworkService\Anwendungsdaten\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and Settings\NetworkService\Anwendungsdaten\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\SIS 0 bytes File C:\RRbackups\SIS\C 0 bytes File C:\RRbackups\SIS\C\0 0 bytes File C:\RRbackups\SIS\C\0\Data0 27241 bytes File C:\RRbackups\SIS\C\0\HashFile 6 bytes File C:\RRbackups\SIS\C\0\TOCFile 610 bytes ---- EOF - GMER 1.0.15 ---- |
07.05.2009, 22:11 | #15 |
| Log-file analysis Now briefly back to my AntiVir problem: the program does start at boot, i.e. the logo is shown briefly on screen as usual and afterwards the icon also appears at the bottom right in the taskbar, but the umbrella is closed. So I have to go into the program and activate it first so that the umbrella opens and it runs. The check via eventvwr.msc gave the following for AntiVir:
29.04.09 12:10 AntiVir erkannte in der Datei C:\WINDOWS\system32\drivers\nsvxtcrvbrnfyxmd.sys verdächtigen Code mit der Bezeichnung 'TR/Dropper.Gen'!
29.04.09 12:09 AntiVir erkannte in der Datei C:\WINDOWS\system32\drivers\nsvxtcrvbrnfyxmd.sys verdächtigen Code mit der Bezeichnung 'TR/Dropper.Gen'!
From here on: 25.04. 15:48
AntiVir erkannte in der Datei C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Temp\wavvsnet.tmp verdächtigen Code mit der Bezeichnung 'TR/Downloader.Gen'!
AntiVir erkannte in der Datei C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Temp\rasesnet.tmp verdächtigen Code mit der Bezeichnung 'TR/Vundo.Gen'!
AntiVir erkannte in der Datei C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Temp\rasesnet.tmp verdächtigen Code mit der Bezeichnung 'TR/Vundo.Gen'!
AntiVir erkannte in der Datei C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Temp\xpre.tmp verdächtigen Code mit der Bezeichnung 'TR/Crypt.CFI.Gen'!
As I said, I then had all of these "files" deleted. Thanks again for your effort, td |
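One way to triage the AntiVir event-log entries quoted in the post above, as an added example that is not part of the original thread and not Avira's own tooling: it parses the German message format exactly as quoted (the regular expression is derived from those lines and is an assumption about the wording, not Avira's documented format), groups repeated hits by path, ranks a hit under system32\drivers above one in a Temp folder, and flags file names that look machine-generated. The sample input is constructed from the post.

```python
"""Parse Avira AntiVir event messages (German wording as quoted in the thread)
and rank the hits for follow-up. Added example, not part of the original post."""
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the six messages quoted in the post, one per line.
SAMPLE_EVENTS = r"""
29.04.09 12:10 AntiVir erkannte in der Datei C:\WINDOWS\system32\drivers\nsvxtcrvbrnfyxmd.sys verdächtigen Code mit der Bezeichnung 'TR/Dropper.Gen'!
29.04.09 12:09 AntiVir erkannte in der Datei C:\WINDOWS\system32\drivers\nsvxtcrvbrnfyxmd.sys verdächtigen Code mit der Bezeichnung 'TR/Dropper.Gen'!
AntiVir erkannte in der Datei C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Temp\wavvsnet.tmp verdächtigen Code mit der Bezeichnung 'TR/Downloader.Gen'!
AntiVir erkannte in der Datei C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Temp\rasesnet.tmp verdächtigen Code mit der Bezeichnung 'TR/Vundo.Gen'!
AntiVir erkannte in der Datei C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Temp\rasesnet.tmp verdächtigen Code mit der Bezeichnung 'TR/Vundo.Gen'!
AntiVir erkannte in der Datei C:\Dokumente und Einstellungen\Flo\Lokale Einstellungen\Temp\xpre.tmp verdächtigen Code mit der Bezeichnung 'TR/Crypt.CFI.Gen'!
"""

# Assumed message shape: optional "dd.mm.yy hh:mm " prefix, then the fixed
# German sentence with the path and the detection name. Paths may contain
# spaces, so the path group is non-greedy and anchored on the next phrase.
EVENT_RE = re.compile(
    r"^(?:(?P<ts>\d{2}\.\d{2}\.\d{2} \d{2}:\d{2}) )?"
    r"AntiVir erkannte in der Datei (?P<path>.+?) "
    r"verdächtigen Code mit der Bezeichnung '(?P<name>[^']+)'!\s*$"
)


@dataclass
class Detection:
    timestamp: Optional[str]   # None when the quoted line carried no stamp
    path: str
    name: str                  # e.g. TR/Dropper.Gen


def parse_antivir_events(text: str) -> List[Detection]:
    """Return one Detection per line that matches the assumed message format."""
    hits = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            hits.append(Detection(m.group("ts"), m.group("path"), m.group("name")))
    return hits


VOWELS = set("aeiou")


def looks_random_name(stem: str) -> bool:
    """Crude heuristic for generated names: a long all-letter stem with almost
    no vowels or a long consonant run. Heuristic only; expect false positives."""
    s = stem.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    run = longest = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.2 or longest >= 6


@dataclass
class Finding:
    path: str
    names: List[str]
    count: int
    tier: str
    reason: str


def triage(hits: List[Detection]) -> List[Finding]:
    """Group hits by path, assign a tier from the location, and sort high first."""
    by_path: "OrderedDict[str, Finding]" = OrderedDict()
    for h in hits:
        key = h.path.lower()
        if key not in by_path:
            by_path[key] = Finding(h.path, [], 0, "low", "no location rule matched")
        f = by_path[key]
        f.count += 1
        if h.name not in f.names:
            f.names.append(h.name)
    for f in by_path.values():
        low = f.path.lower()
        stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\system32\\drivers\\" in low and low.endswith(".sys"):
            f.tier = "high"
            f.reason = ("kernel driver: loads at boot and can hide files from user-mode tools; "
                        "deleting the file alone may leave its service registration behind")
        elif "\\temp\\" in low:
            f.tier = "medium"
            f.reason = "dropped in a Temp folder: staged payload; find out what wrote it"
        if looks_random_name(stem):
            f.reason += "; random-looking file name"
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(by_path.values(), key=lambda f: order[f.tier])


if __name__ == "__main__":
    for f in triage(parse_antivir_events(SAMPLE_EVENTS)):
        print(f"[{f.tier:6}] x{f.count} {f.path}\n         {', '.join(f.names)}: {f.reason}")
```

The ranking encodes a general point rather than a verdict on this particular machine: a detection inside system32\drivers is a kernel-mode component, and a scanner removing the file from disk does not by itself undo whatever registered it, so that is the entry to chase first with a rootkit-aware tool, which is what the GMER log in this thread is for.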