| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: TR/Dropper.Gen in system32/tdlwsp.dll gefundenWindows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
07.11.2009, 10:10
| #1 |
| |  TR/Dropper.Gen in system32/tdlwsp.dll gefunden Hallo bin neu hier und hoffe ihr könnt mir hier weiterhelfen. Antivir hat folgendes gebracht: In der Datei 'C:\WINDOWS\system32\tdlwsp.dll' wurde ein Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan] gefunden. Abgesicherter Modus ist nicht mehr ausführbar.. hiermal die logs von den ganzen Programmen: Code:
ATTFilter Malwarebytes' Anti-Malware 1.41
Datenbank Version: 3012
Windows 5.1.2600 Service Pack 2
06.11.2009 23:55:21
mbam-log-2009-11-06 (23-55-21).txt
Scan-Methode: Vollständiger Scan (C:\|F:\|)
Durchsuchte Objekte: 247790
Laufzeit: 48 minute(s), 36 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 5
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 9
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe oqrk.pso dkhsx) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
C:\Dokumente und Einstellungen\pc\Anwendungsdaten\Macromedia\Common\feb000401.dll (Hijack.Sound) -> Quarantined and deleted successfully.
C:\WINDOWS\msacm32.drv (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\wuasirvy.dll (Trojan.Banker) -> Quarantined and deleted successfully.
Code:
ATTFilter Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: file "C:\Dokumente und Einstellungen\pc\Anwendungsdaten\Macromedia\Common\feb000401.dll" not found!
Deletion of file "C:\Dokumente und Einstellungen\pc\Anwendungsdaten\Macromedia\Common\feb000401.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
File "C:\WINDOWS\msacm32.drv" deleted successfully.
File "C:\WINDOWS\wuasirvy.dll" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
|
|
07.11.2009, 10:13
| #2 |
| | TR/Dropper.Gen in system32/tdlwsp.dll gefundenCode:
ATTFilter ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Header
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
find.bat Version 2008.03.07
Microsoft Windows XP [Version 5.1.2600]
Bootmodus: Normal
eScan Version: 11.0.86
Sprache: German
C:\DOKUME~1\pc\LOKALE~1\Temp\MWAV.LOG
~~~~~~~~~~~
Dateien
~~~~~~~~~~~
~~~~ Infected files
~~~~~~~~~~~
Datei C:\WINDOWS\HKNTDLL.dll ist durch den Virus "Application.Generic.15152 (DB)" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\WINDOWS\HKNTDLL.dll ist durch den Virus "Application.Generic.15152 (DB)" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\MPAC3UAX\dotnetfx35setup[1].exe ist durch den Virus "NULL.Corrupted" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\Firefox_Setup_3.0.4-de.exe ist durch den Virus "Trojan.Generic.IS.519634 (DB)" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
Datei C:\WINDOWS\HKNTDLL.dll ist durch den Virus "Application.Generic.15152 (DB)" infiziert! Maßnahme ergriffen: Keine Maßnahme ergriffen.
~~~~~~~~~~~
~~~~ Tagged files
~~~~~~~~~~~
~~~~~~~~~~~
~~~~ Offending files
~~~~~~~~~~~
Offending file found: C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\TrendMicro_Downloader\Agent\sqlite3.dll
~~~~~~~~~~~
~~~~ Spyware (Vorsicht: Oft Fehlalarm!)
~~~~~~~~~~~
eScan-Antiviren- und Antispyware-Werkzeugsatz.
Antiviren- und Antispywaredatenbanken werden heruntergeladen...
Indexed Spyware Databases Successfully Created...
eScan-Antiviren- und Antispyware-Werkzeugsatz.
Scannen Spyware: Aktiviert
***** Registrierungsdatenbank und Dateisystem werden auf Schnüffelprogramme (Spyware) und werbefinanzierte Software (Adware) geprüft *****
Indexed Spyware Databases Successfully Created...
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{03C4C5F4-1893-444C-B8D8-002F0034DA92})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{11E2BC0C-5D4F-4E0C-B438-501FFE05A382})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{37587889-FC28-4507-B6D3-8557305F7511})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{4A5E947E-C407-4DCC-A0B5-5658E457153B})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{4FD5C4D3-6C15-4EA0-9EB9-EEE8FC74A91B})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{620D55B0-F2FB-464E-A278-B4308DB1DB2B})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{741BEEFD-AEC0-4AFF-84AF-4F61D15F5526})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{7A41359E-0407-470F-B3F7-7C6A0F7C449A})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{7C4A630A-DE98-4E3E-8093-E8F5E159BB72})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{7ED1E9B1-CB57-4FA0-84E8-FAE653FE8E6B})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{A6931B16-90FA-4D69-A49F-3ABFA2C04060})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{C5AA36A1-8BD1-47E0-90F8-47E7239C6EA1})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{CA3EB689-8F09-4026-AA10-B9534C691CE0})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{FA2CBAFB-F7B1-4F41-9B7A-73329A6C1CB7})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\typelib\{4509D3CC-B642-4745-B030-645B79522C6D})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{0A95BE2D-1543-46BE-AD6D-18653034BF87})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{0B8EDB8D-4575-4942-9C34-55591E415909})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{278EAD7A-2A45-4D4E-ACB4-A1A4AD9BB54B})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{2B539D9C-127A-4F10-855F-EF31C83D2007})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{2D91877A-468C-4802-8CD7-21F6BF776790})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{3120A5E4-552D-4EDF-8C48-70C5D5FF22D2})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{31CE2164-4D5C-4508-BCA7-B10E11D08E6B})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{359A062F-CDA8-4A9C-9B28-588446D35098})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{35EFAD55-134A-47BF-912A-44A9D9FD556F})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{38F95B22-32BF-4378-B3EC-47B2C09DE1F5})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{3D177BA8-BF8C-45E2-8CA2-20ACA6269A68})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{3E1392BB-3B66-4A39-BBD0-259FC2BDC979})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{45128C11-A7E5-46D2-A164-3D1273E92C44})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{47146231-B550-4B13-B9E7-4257F740F39D})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{4897BBA6-48D9-468C-8EFA-846275D7701B})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{5C61669E-F0CE-4126-B365-316588E6228F})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{60E5F55E-236F-422D-A5F9-560F1778CCD4})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{62B6A513-3764-42CD-8410-9B81E8DFF135})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{6A5D680A-8F9F-4752-A056-2C0273F60B4E})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{6CCD925E-E833-4BE3-A62E-D3C8838C5D6D})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{6CDD1F89-FC3B-401C-B1F1-932C48F45EB5})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{78412EB9-E06B-4484-BC85-0B1594F6E23A})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{7EE495F3-345B-4CC1-AAB7-A255ED85EED2})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{82B58FCB-73F3-46DC-A52D-74D3FE359702})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{86797248-1A4E-41D0-A0C3-2175A36B3D0E})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{919DF860-D321-4D02-AC3D-1C25EFAE551A})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{AA6CCB5D-0F97-4A37-A077-8B49FB5BC60D})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{C18D120C-B7AB-4499-8BDC-0CD2BD0861FD})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{C1DFD382-E253-434D-B22D-2E47233B6147})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{C52D8C84-C5DD-457B-993B-04E997B330E5})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{CACB61E0-AEEA-404D-88E1-7F3BCA8B8726})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{CD5B9523-6EAF-4D63-8FE8-C081C51D1673})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{D45B0772-5801-4E61-9CBA-84120557A4D7})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{D7E6FB7C-A22F-4A9D-A89D-653D1AA37324})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{D80AC53D-E102-4A55-A265-529A626515E5})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{DBCAD616-BFD4-4C72-8D87-C5926921D378})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{E16F1874-C5B1-4400-A9F0-08E7FD4D3F8C})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{E3EC74BB-5522-462D-A00F-2728C53FCA04})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{EBB4EBA9-D546-4C85-A05A-167BF875FB83})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{F71D2854-2609-4A63-B4BF-BF2BA61A61CF})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{F7919641-3978-4668-8388-7310329C800E})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{F961CE9D-AE2B-4CFB-887C-3A055FF685C9})! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{FFBBDECE-4363-4B4D-B35E-39EFF228C723})! Action taken: Keine Maßnahme ergriffen.
System found infected with Lsas.Trojan-Spy.DOS.Keycopy Corrupted Adware/Spyware (sqlite3.dll)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.AddressLists)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.MAPIFolder)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.MAPITable)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.MAPIUtils)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeAppointmentItem)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeContactItem)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeCurrentUser)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeDistList)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeJournalItem)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeMailItem)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeMeetingItem)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.SafePostItem)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeTaskItem)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\ToolBand.XTTBPos00.1)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\ToolBand.XTTBPos00)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\URLSearchHook.ToolbarURLSearchHook.1)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\URLSearchHook.ToolbarURLSearchHook)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\XTTB00001.IEToolbar.1)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\XTTB00001.IEToolbar)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\XTTB00001.XTTB00001.1)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCR\XTTB00001.XTTB00001)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKCU\SOFTWARE\XTTB00001)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\XTTB00001.XTTB00001Toolbar)! Action taken: Keine Maßnahme ergriffen.
System found infected with combo Spyware/Adware (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run/Alcmtr)! Action taken: Keine Maßnahme ergriffen.
System found infected with PersonalAntispy Corrupted Adware/Spyware (HKCU\Software\Mirabilis)! Action taken: Keine Maßnahme ergriffen.
~~~~~~~~~~~
Ordner
~~~~~~~~~~~
Offending Registry Entry found: HKCR\Redemption.MAPIFolder
~~~~~~~~~~~
Registry
~~~~~~~~~~~
Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{65e3a19d-1c31-11dd-8a6e-001e8c82a29d} !!!
Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fe86e552-534f-11de-8cae-001e8c82a29d} !!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Diverses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
laufende Prozesse - commandline
~~~~~~~~~~~~~~~~~~~~~~
System Idle Process -
System -
smss.exe - \SystemRoot\System32\smss.exe
csrss.exe -
winlogon.exe - winlogon.exe
services.exe - C:\WINDOWS\system32\services.exe
lsass.exe - C:\WINDOWS\system32\lsass.exe
svchost.exe - C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe -
svchost.exe - C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe -
svchost.exe -
brsvc01a.exe - C:\WINDOWS\System32\brsvc01a.exe
brss01a.exe - brss01a.exe
spoolsv.exe - C:\WINDOWS\system32\spoolsv.exe
sched.exe - "C:\Programme\Avira\AntiVir Desktop\sched.exe"
explorer.exe - C:\WINDOWS\Explorer.EXE
svchost.exe -
mHotkey.exe - "C:\WINDOWS\mHotkey.exe"
RTHDCPL.exe - "C:\WINDOWS\RTHDCPL.EXE"
avgnt.exe - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
rundll32.exe - "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
jusched.exe - "C:\Programme\Java\jre6\bin\jusched.exe"
ctfmon.exe - "C:\WINDOWS\system32\ctfmon.exe"
wcescomm.exe - "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
TeaTimer.exe - "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe"
StCenter.exe - "C:\Programme\FRITZ!DSL\StCenter.exe"
GoogleCrashHandler.exe - "C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.2.183.13\GoogleCrashHandler.exe" /crashhandler
rapimgr.exe - C:\PROGRA~1\MICROS~4\rapimgr.exe -Embedding
avguard.exe - "C:\Programme\Avira\AntiVir Desktop\avguard.exe"
AppleMobileDeviceService.exe - "C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
IGDCTRL.EXE - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
tbmux32.exe - C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
svchost.exe - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
jqs.exe - "C:\Programme\Java\jre6\bin\jqs.exe" -service -config "C:\Programme\Java\jre6\lib\deploy\jqs\jqs.conf"
NBService.exe - "C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe"
nvsvc32.exe - C:\WINDOWS\system32\nvsvc32.exe
svchost.exe - C:\WINDOWS\System32\svchost.exe -k imgsvc
spnsrvnt.exe - C:\WINDOWS\system32\spnsrvnt.exe
ApchT2kW.exe - C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
ApchT2kW.exe - "TIS 2000 Apache Web Server" -Z ap2904_C1
java.exe - C:\PROGRA~1\COSIDS\JRE\bin\java.exe -Xmx512m org.apache.jserv.JServ "C:\PROGRA~1\COSIDS\APACHE~1\APACHE~1\conf\jserv.properties"
VideoAcceleratorService.exe - C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe -start -scm
[verify-U]-Service.exe - "C:\Programme\[verify-U] AVS\[verify-U]-Service.exe"
VideoAcceleratorEngine.exe - "C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe"
wscntfy.exe - C:\WINDOWS\system32\wscntfy.exe
alg.exe -
wuauclt.exe - "C:\WINDOWS\system32\wuauclt.exe"
cmd.exe - cmd /c ""C:\Dokumente und Einstellungen\pc\Desktop\Virus\find.bat" "
cscript.exe - cscript C:\escan\prclst.vbs //nologo
wmiprvse.exe -
~~~~~~~~~~~~~~~~~~~~~~
Scanfehler
~~~~~~~~~~~~~~~~~~~~~~
ERROR!!! Invalid Entry {73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll (in key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved). No Action Taken.
ERROR!!! Invalid Entry %SystemRoot%\System32\appmgmts.dll in HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters. Action Taken: No Action Taken.
ERROR!!! Invalid Entry %SystemRoot%\System32\hidserv.dll in HKLM\SYSTEM\CurrentControlSet\Services\HidServ\Parameters. Action Taken: No Action Taken.
ERROR(3)!!! ScanFile fails for C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\Jdownloader\downloads\OTIS0808.part01.rar
~~~~~~~~~~~~~~~~~~~~~~
Hosts-Datei
~~~~~~~~~~~~~~~~~~~~~~
DataBasePath: %SystemRoot%\System32\drivers\etc
Zeilen die nicht dem Standard entsprechen:
C:\WINDOWS\System32\drivers\etc\hosts:
C:\WINDOWS\System32\drivers\etc\hosts:127.0.0.1 localhost
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple Computer\Installer Cache\iTunes 7.6.2.9\iTunes.msi!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\163.75_forceware_winxp_32bit_international_whql.exe!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\169.21_forceware_winxp_32bit_international_whql.exe!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\182.50_geforce_winxp_32bit_international_whql.exe!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\8final.rar!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\Crysis_Patch_1_2.exe!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\HTC_Mega_Packet.zip!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\iTunesSetup.exe!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\Jdownloader\downloads\Opel TIS 08.2008\IO940A_1.mdf!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\Nero-9.4.12.3_free.exe!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\OOo_2.3.1_Win32Intel_install_de.exe!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\OOo_2.4.1_Win32Intel_install_de.exe!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\TrendMicro_TIS_17.00_en-US_32-bit.exe!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Identities\{B8DE085B-50B6-4F2B-BEA2-2BFAE476B51B}\Microsoft\Outlook Express\Gelöschte Objekte.dbx!!!
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Identities\{B8DE085B-50B6-4F2B-BEA2-2BFAE476B51B}\Microsoft\Outlook Express\Gesendete Objekte.dbx!!!
Zeit überschritten beim Scannen von C:\MSOCache\All Users\{90120000-006E-0407-0000-0000000FF1CE}-C\OfficeLR.cab!!!
Zeit überschritten beim Scannen von C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\HomeSrWW.cab!!!
Zeit überschritten beim Scannen von !!!
Zeit überschritten beim Scannen von C:\Programme\OpenOffice\openofficeorg3.cab!!!
Zeit überschritten beim Scannen von C:\WINDOWS\Driver Cache\i386\driver.cab!!!
Zeit überschritten beim Scannen von C:\WINDOWS\Installer\29608f6.msp!!!
Zeit überschritten beim Scannen von C:\WINDOWS\Installer\36963f6.msp!!!
Zeit überschritten beim Scannen von C:\WINDOWS\SoftwareDistribution\Download\ecd3943fb91c82f3266d39b3ea7ddb7e519f0c69!!!
Zeit überschritten beim Scannen von F:\Packard Bell\Packard Bell\CD\Partners\GoogleSuite\GoogleSuite.exe!!!
Zeit überschritten beim Scannen von F:\Packard Bell\Packard Bell\CD\Partners\Norton Internet Security\NIS\SV\NIS.exe!!!
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Bin32\Crysis_Patch_1_2.exe!!!
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Crysis_Patch_1_2.exe!!!
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Localized\german.pak!!!
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Localized\russian.pak!!!
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Localized\Turkish.pak!!!
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\LowSpec\LowSpec.pak!!!
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Objects.pak!!!
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\ShaderCache.pak!!!
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Sounds.pak!!!
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Textures.pak!!!
Zahl der gescannten Objekte: 282965
Zahl der kritischen Objekte: 6
Zahl der desinfizierten Objekte: 0
Zahl der umbenannten Objekte: 0
Zahl der gelöschten Objekte: 0
Zeit verstrichen: 01:26:14
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan-Optionen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Speicherüberprüfung: Aktiviert
Überprüfung der Registrierungsdatenbank: Aktiviert
Überprüfung des Startordners: Aktiviert
Überprüfung des Systemordners: Aktiviert
Überprüfung der Dienste: Aktiviert
Überprüfung der Laufwerke: Deaktiviert
Überprüfung aller Laufwerke:Aktiviert
Überprüfung der Ordner: Deaktiviert
Batchstart: 9:30:58,14
Batchende: 9:31:15,07
|
|
07.11.2009, 10:15
| #3 |
| | TR/Dropper.Gen in system32/tdlwsp.dll gefundenCode:
ATTFilter Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 09:39:23, on 07.11.2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\brsvc01a.exe C:\WINDOWS\System32\brss01a.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Avira\AntiVir Desktop\sched.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\mHotkey.exe C:\WINDOWS\RTHDCPL.EXE C:\Programme\Avira\AntiVir Desktop\avgnt.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Programme\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Programme\Microsoft ActiveSync\wcescomm.exe C:\Programme\Spybot - Search & Destroy\TeaTimer.exe C:\Programme\FRITZ!DSL\StCenter.exe C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.2.183.13\GoogleCrashHandler.exe C:\PROGRA~1\MICROS~4\rapimgr.exe C:\Programme\Avira\AntiVir Desktop\avguard.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Programme\FRITZ!DSL\IGDCTRL.EXE C:\PROGRA~1\COSIDS\BIN\TbMux32.exe C:\WINDOWS\System32\svchost.exe C:\Programme\Java\jre6\bin\jqs.exe C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spnsrvnt.exe C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe C:\PROGRA~1\COSIDS\JRE\bin\java.exe C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe C:\Programme\[verify-U] AVS\[verify-U]-Service.exe C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Programme\Trend Micro\HijackThis\HijackThis.exe C:\Programme\Avira\AntiVir Desktop\avwsc.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: (no name) - - (no file) O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: SBCONVERT - {31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B} - C:\Programme\SpeedBit Video Downloader\Toolbar\tbcore3.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Programme\SpeedBit Video Downloader\Toolbar\tbcore3.dll O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\Brmfl05a\BrStDvPt.exe O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun O4 - HKLM\..\Run: [CHotkey] mHotkey.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe" O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [WAB] C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Macromedia\Common\feb0004019.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Programme\FRITZ!DSL\StCenter.exe O4 - Global Startup: Status Monitor.lnk = C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204917686280 O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - C:\PROGRA~1\COSIDS\BIN\TbMux32.exe O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SentinelSuperProNet Server (SuperProServer) - Rainbow Technologies - C:\WINDOWS\system32\spnsrvnt.exe O23 - Service: TIS 2000 Apache Web Server - Unknown owner - C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe O23 - Service: [verify-U]-Service ([verify-U]) - Cybit AG - C:\Programme\[verify-U] AVS\[verify-U]-Service.exe -- End of file - 9569 bytes |
|
07.11.2009, 10:17
| #4 |
| | TR/Dropper.Gen in system32/tdlwsp.dll gefundenCode:
ATTFilter "Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Google Update" = ""C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c" ["Google Inc."]
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\wcescomm.exe"" [MS]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer-Networking Ltd."]
"WAB" = "C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Macromedia\Common\feb0004019.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SetDefPrt" = "C:\Programme\Brother\Brmfl05a\BrStDvPt.exe" ["Brother Industories, Ltd."]
"ControlCenter2.0" = "C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun" ["Brother Industries, Ltd."]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"avgnt" = ""C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
" Malwarebytes Anti-Malware (reboot)" = ""C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript" ["Malwarebytes Corporation"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B}\(Default) = "SBCONVERT"
-> {HKLM...CLSID} = "SBCONVERT Class"
\InProcServer32\(Default) = "C:\Programme\SpeedBit Video Downloader\Toolbar\tbcore3.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\Programme\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Anmelde-Hilfsprogramm"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Programme\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]
{FF7C3CF0-4B15-11D1-ABED-709549C10000}\(Default) = "GrabberObj Class"
-> {HKLM...CLSID} = "GrabberObj Class"
\InProcServer32\(Default) = "C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll" ["Speedbit Ltd."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "Meine freigegebenen Ordner"
\InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{94586423-855F-4EB2-9F6A-D9DA5658DBE3}" = "SxContextMenu1stConv"
-> {HKLM...CLSID} = "Context menu"
\InProcServer32\(Default) = "C:\PROGRA~1\FREEM4~1\m4a_menu.dll" [null data]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobiles Gerät"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Wcesview.dll" [MS]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {HKLM...CLSID} = "MCLiteShellExt Class"
\InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
|
|
07.11.2009, 10:19
| #5 |
| | TR/Dropper.Gen in system32/tdlwsp.dll gefundenCode:
ATTFilter Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
ImgBurnBluRayBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleBluRayBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BuildImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnBluRayBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleBluRayBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BurnImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnCDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnCDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnDVDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnDVDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnHDDVDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleHDDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnHDDVDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleHDDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnPlayBluRayOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayBluRayOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayBluRayOnArrival_ReadDisc\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]
ImgBurnPlayCDAudioOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayCDAudioOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayCDAudioOnArrival_ReadDisc\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]
ImgBurnPlayDVDMovieOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayDVDMovieOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayDVDMovieOnArrival_ReadDisc\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]
ImgBurnPlayHDDVDOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayHDDVDOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayHDDVDOnArrival_ReadDisc\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]
iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]
iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]
iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]
iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]
MSWMEncVCArrival\
"Provider" = "Codeur Windows Media Série 9"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Windows Media Components\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]
NeroAutoPlay9LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "LaunchNeroStartSmart_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 9\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]
RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]
RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]
RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /play %1 " ["RealNetworks, Inc."]
RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /dvd %1 " ["RealNetworks, Inc."]
RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]
VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]
VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]
WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""C:\Programme\Winamp\winamp.exe"" ["Nullsoft"]
Startup items in "pc" & "All Users" startup folders:
----------------------------------------------------
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"FRITZ!DSL Startcenter" -> shortcut to: "C:\Programme\FRITZ!DSL\StCenter.exe" ["AVM Berlin"]
"Status Monitor" -> shortcut to: "C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe Brother MFC-215C /STARTUP" ["Brother Industries, Ltd."]
Enabled Scheduled Tasks:
------------------------
"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"GoogleUpdateTaskUserS-1-5-21-448539723-162531612-725345543-1004Core" -> launches: "C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]
"GoogleUpdateTaskUserS-1-5-21-448539723-162531612-725345543-1004UA" -> launches: "C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" ["Google Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\PROGRA~1\SPEEDB~2\sblsp.dll ["Speedbit Ltd."], 01 - 02, 16
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0329E7D6-6F54-462D-93F6-F5C3118BADF2}"
-> {HKLM...CLSID} = "SpeedBit Video Downloader"
\InProcServer32\(Default) = "C:\Programme\SpeedBit Video Downloader\Toolbar\tbcore3.dll" [null data]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{0329E7D6-6F54-462D-93F6-F5C3118BADF2}" = (no title provided)
-> {HKLM...CLSID} = "SpeedBit Video Downloader"
\InProcServer32\(Default) = "C:\Programme\SpeedBit Video Downloader\Toolbar\tbcore3.dll" [null data]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\INetRepl.dll" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\INetRepl.dll" [MS]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search && Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\Programme\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6.5\ICQ.exe" ["ICQ, LLC."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
Missing lines (compared with English-language version):
[Strings]: 2 lines
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
[verify-U]-Service, [verify-U], ""C:\Programme\[verify-U] AVS\[verify-U]-Service.exe"" ["Cybit AG"]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Avira AntiVir Guard, AntiVirService, ""C:\Programme\Avira\AntiVir Desktop\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Planer, AntiVirSchedulerService, ""C:\Programme\Avira\AntiVir Desktop\sched.exe"" ["Avira GmbH"]
AVM IGD CTRL Service, AVM IGD CTRL Service, "C:\Programme\FRITZ!DSL\IGDCTRL.EXE" ["AVM Berlin"]
BrSplService, Brother XP spl Service, "C:\WINDOWS\System32\brsvc01a.exe" ["brother Industries Ltd"]
COSIDS_TB, COSIDS_TB, "C:\PROGRA~1\COSIDS\BIN\TbMux32.exe" ["TransAction Software, D 81737 Munich"]
Java Quick Starter, JavaQuickStarterService, ""C:\Programme\Java\jre6\bin\jqs.exe" -service -config "C:\Programme\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Nero BackItUp Scheduler 4.0, Nero BackItUp Scheduler 4.0, "C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe" ["Nero AG"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SentinelSuperProNet Server, SuperProServer, "C:\WINDOWS\system32\spnsrvnt.exe" ["Rainbow Technologies"]
TIS 2000 Apache Web Server, TIS 2000 Apache Web Server, "C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe" [null data]
VideoAcceleratorService, VideoAcceleratorService, "C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe -start -scm" ["Speedbit Ltd."]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]
---------- (launch time: 2009-11-07 09:33:52)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 33 seconds, including 18 seconds for message boxes)
|
|
07.11.2009, 10:31
| #6 |
  | TR/Dropper.Gen in system32/tdlwsp.dll gefunden Bitte starte noch eine GMER Rootkit suche, du bist überhaupt nicht sauber  Das was ich seh verleitet mich eher dazu dir zu sagen, dass du dein System Neuaufsetzen solltest. Aber versuchen wir mal unser Glück, wie gesagt erstmal mit Gmer 
__________________ --> TR/Dropper.Gen in system32/tdlwsp.dll gefunden |
|
07.11.2009, 13:33
| #7 |
| | TR/Dropper.Gen in system32/tdlwsp.dll gefunden hi, also ich hab mir gerade jetzt Windows 7 gekauft. und das auf meinen pc gespielt aber nicht als upgrade sondern benutzerdefinert installiert. Formatieren hab ich auch ausgewählt aber das ging so schnell das ich glaube das war nur eine art quickformat.. Naja jetzt müssten doch eigentlich alle Viren weg sein oder nicht? |
|
07.11.2009, 13:41
| #8 |
| | TR/Dropper.Gen in system32/tdlwsp.dll gefunden mache mal ein HijackThis log, und nochmal ein Malwarebytes scan. wenn die beide sagen sauber entlasse ich dich 
__________________ Avira Upgrade 10 ist auf dem Markt! Agressive Einstellung von Avira What goes around comes around! |
|
07.11.2009, 14:13
| #9 |
| | TR/Dropper.Gen in system32/tdlwsp.dll gefundenCode:
ATTFilter Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:12:16, on 07.11.2009 Platform: Unknown Windows (WinNT 6.01.3504) MSIE: Internet Explorer v8.00 (8.00.7600.16385) Boot mode: Normal Running processes: C:\Windows\system32\taskhost.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\AVG\AVG9\avgtray.exe C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST') O13 - Gopher Prefix: O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll O20 - AppInit_DLLs: avgrsstx.dll O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe -- End of file - 2703 bytes |
|
07.11.2009, 16:25
| #10 |
| | TR/Dropper.Gen in system32/tdlwsp.dll gefundenCode:
ATTFilter Malwarebytes' Anti-Malware 1.41
Datenbank Version: 3115
Windows 6.1.7600
07.11.2009 16:24:32
mbam-log-2009-11-07 (16-24-31).txt
Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 140888
Laufzeit: 18 minute(s), 52 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
|
|
07.11.2009, 16:36
| #11 |
| | TR/Dropper.Gen in system32/tdlwsp.dll gefunden Okeh, ich denke mal beim Neuaufsetzen haste nicht versehntlich infizierte Datein mit rübergezogen. Viel Spaß mit sauberem Rechner
__________________ Avira Upgrade 10 ist auf dem Markt! Agressive Einstellung von Avira What goes around comes around! |
|
09.11.2009, 17:28
| #12 | |
| | TR/Dropper.Gen in system32/tdlwsp.dll gefunden Hallo, mein Win XP scheint ebenfalls mit dem gleichen Trojaner infiziert, da die gleiche Datei (system32/tdlwsp.dll) (trotz mehrmaligem Löschen) gefunden wird. Habe mal wie oben genannt mit GMER nen Scan gemacht: Zitat:
|
|
| Themen zu TR/Dropper.Gen in system32/tdlwsp.dll gefunden |
| 'tr/dropper.gen', 0xc0000034, datei, dateien, einstellungen, explorer.exe, failed, file, hijack.shell, logfile, malwarebytes, malwarebytes' anti-malware, microsoft, neu, object, opera.exe, programm, programme, registrierungsschlüssel, rootkits, rundll, rundll32.exe, security.hijack, software, system, system32, tdlwsp.dll, tr/dropper.gen, trojan, trojan.agent, userinit.exe, virus, windows, winlogon |
Linear-Darstellung
