Pests of all kinds and their removal: Trojan "TR/Agent.ruo" (Windows 7)

If you are not sure whether you have picked up malware or a Trojan, create a thread here. An expert will get back to you with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a Trojan or virus problem, an expert will help you remove the infection.
29.03.2010, 21:27 | #1
Trojan "TR/Agent.ruo"

Hello,

For a few days now Antivir has been telling me that I have 2 Trojans:

1. TR/Agent.ruo in 'C:\System Volume Information\_restore{0A82D01C-C56E-4F7E-A5A4-6C096F46042B}\RP25\A0024520.dll' and
2. TR/Agent.ruo in 'C:\System Volume Information\_restore{0A82D01C-C56E-4F7E-A5A4-6C096F46042B}\RP26\A0026526.dll'

Operating system: Windows XP Home with SP 3
Antivirus software: Avira Antivir 10

I have already run a scan with Malwarebytes:

Malwarebytes' Anti-Malware 1.44
Datenbank Version: 3927
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

29.03.2010 21:46:37
mbam-log-2010-03-29 (21-46-24).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 184405
Laufzeit: 3 hour(s), 12 minute(s), 2 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

and a log file:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Marvin at 2010-03-29 22:03:37
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 127 GB (84%) free of 152 GB
Total RAM: 1012 MB (36% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:04:10, on 29.03.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Option\GlobeTrotter Connect\GtDetectSc.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Programme\Gemeinsame Dateien\AOL\1267638333\ee\AOLSoftware.exe
C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Live\Messenger\msnmsgr.exe
c:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\ViStart\ViStart.exe
C:\Programme\OpenOffice.org 3\program\soffice.exe
C:\Programme\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\ViGlance\ViGlance.exe
C:\PROGRA~1\ViSplore\ViSplore.exe
C:\PROGRA~1\TRUETR~1\TRUETR~1.EXE
C:\PROGRA~1\WinFlip\WinFlip.exe
C:\DOKUME~1\Marvin\LOKALE~1\Temp\RtkBtMnt.exe
C:\Programme\iPod\bin\iPodService.exe
C:\PROGRA~1\VISTAR~1\Rainbar.exe
C:\Programme\Windows Live\Contacts\wlcomm.exe
C:\Programme\Lavasoft\Ad-Aware\AAWTray.exe
C:\Programme\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Avira\AntiVir Desktop\avscan.exe
C:\Programme\Avira\AntiVir Desktop\avscan.exe
C:\Programme\Avira\AntiVir Desktop\avscan.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\Marvin\Eigene Dateien\Downloads\RSIT.exe
C:\Programme\trend micro\Marvin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Mediaplayer - {1536BA74-8625-4240-99B0-BE65883689C8} - C:\Programme\Mediapiraten\Mediapiraten\IEButtonMPInterface.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Programme\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Programme\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programme\Realtek\Audio\Drivers\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [M3000Mnt] Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LanTalk.NET] C:\Programme\CEZEO software\LanTalk NET\LanTalk.exe
O4 - HKLM\..\Run: [HostManager] C:\Programme\Gemeinsame Dateien\AOL\1267638333\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [DrvIcon] C:\Programme\Vista Drive Icon\DrvIcon.exe
O4 - HKLM\..\Run: [vilaunch] C:\WINDOWS\system32\vilaunch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [viwc] C:\WINDOWS\system32\viwc.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: In Blog veröffentlichen - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: In Windows Live Writer in Blog veröffentliche&n - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Programme/Monopoly/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Programme/Monopoly/Images/armhelper.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: GtDetectSc - OptionNV - C:\Programme\Option\GlobeTrotter Connect\GtDetectSc.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\AAWService.exe

--
End of file - 9235 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton Security Scan for Marvin.job
C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-879983540-725345543-1004.job
C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-879983540-725345543-1004.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1536BA74-8625-4240-99B0-BE65883689C8}]
Mediaplayer - C:\Programme\Mediapiraten\Mediapiraten\IEButtonMPInterface.dll [2006-11-08 663040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll [2010-03-28 341600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2009-05-19 137600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Anmelde-Hilfsprogramm - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Programme\Java\jre6\bin\jp2ssv.dll [2010-02-02 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Programme\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-02-02 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Programme\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avgnt"=C:\Programme\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2009-12-22 18789920]
"AzMixerSel"=C:\Programme\Realtek\Audio\Drivers\AzMixerSel.exe [2009-12-11 59936]
"SynTPEnh"=C:\Programme\Synaptics\SynTP\SynTPEnh.exe [2008-04-25 1044480]
"M3000Mnt"=M3000Rmv.dll ,WinMainRmv /StartStillMnt []
"SunJavaUpdateSched"=C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe [2010-01-11 246504]
"Adobe Reader Speed Launcher"=C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2008-02-28 141848]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2008-02-28 166424]
"Persistence"=C:\WINDOWS\system32\igfxpers.exe [2008-02-28 137752]
"LanTalk.NET"=C:\Programme\CEZEO software\LanTalk NET\LanTalk.exe [2009-11-26 364224]
"HostManager"=C:\Programme\Gemeinsame Dateien\AOL\1267638333\ee\AOLSoftware.exe [2006-04-27 50760]
"QuickTime Task"=C:\Programme\QuickTime\qttask.exe [2009-11-11 417792]
"iTunesHelper"=C:\Programme\iTunes\iTunesHelper.exe [2010-01-22 141608]
"Share-to-Web Namespace Daemon"=c:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-17 69632]
"DrvIcon"=C:\Programme\Vista Drive Icon\DrvIcon.exe [2008-04-13 49152]
"vilaunch"=C:\WINDOWS\system32\vilaunch.exe [2009-09-09 146412]
"TkBellExe"=C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe [2010-03-28 202256]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe [2010-01-07 429392]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Skype"=C:\Programme\Skype\Phone\Skype.exe [2009-10-09 25623336]
"msnmsgr"=C:\Programme\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883840]
"viwc"=C:\WINDOWS\system32\viwc.exe [2009-11-30 360499]

C:\Dokumente und Einstellungen\Marvin\Startmenü\Programme\Autostart
OpenOffice.org 3.2.lnk - C:\Programme\OpenOffice.org 3\program\quickstart.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Programme\Skype\Plugin Manager\skypePM.exe"="C:\Programme\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"
"C:\Programme\Windows Live\Messenger\wlcsdk.exe"="C:\Programme\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Programme\Windows Live\Messenger\msnmsgr.exe"="C:\Programme\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Programme\Windows Live\Sync\WindowsLiveSync.exe"="C:\Programme\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Programme\Chilirec\chilirec.exe"="C:\Programme\Chilirec\chilirec.exe:*:Enabled:Chilirec"
"C:\Programme\CEZEO software\LanTalk NET\LanTalk.exe"="C:\Programme\CEZEO software\LanTalk NET\LanTalk.exe:*:Enabled:LanTalk NET Messenger"
"C:\Programme\Bonjour\mDNSResponder.exe"="C:\Programme\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Programme\iTunes\iTunes.exe"="C:\Programme\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Programme\Speak-A-Message\bin\SpeakAMessage.exe"="C:\Programme\Speak-A-Message\bin\SpeakAMessage.exe:*:Enabled:Speak-A-Message"
"C:\Programme\Speak-A-Message\updater.exe"="C:\Programme\Speak-A-Message\updater.exe:*:Enabled:Speak-A-Message Updater"
"C:\Programme\Skype\Phone\Skype.exe"="C:\Programme\Skype\Phone\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Programme\Windows Live\Messenger\wlcsdk.exe"="C:\Programme\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Programme\Windows Live\Messenger\msnmsgr.exe"="C:\Programme\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Programme\Windows Live\Sync\WindowsLiveSync.exe"="C:\Programme\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2031246a-21e8-11df-b641-00234da5b197}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d1d1f32-0e89-11df-b5f9-00234da5b197}]
shell\AutoRun\command - D:\LaunchU3.exe -a

======List of files/folders created in the last 1 months======

2010-03-29 22:03:42 ----D---- C:\Programme\trend micro
2010-03-29 22:03:37 ----D---- C:\rsit
2010-03-29 18:30:11 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Malwarebytes
2010-03-29 18:29:51 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-03-29 18:29:50 ----D---- C:\Programme\Malwarebytes' Anti-Malware
2010-03-29 18:26:54 ----D---- C:\Programme\CCleaner
2010-03-28 20:09:17 ----A---- C:\WINDOWS\system32\unrar.dll
2010-03-28 20:09:15 ----A---- C:\WINDOWS\avisplitter.ini
2010-03-28 20:09:10 ----A---- C:\WINDOWS\system32\yv12vfw.dll
2010-03-28 20:09:10 ----A---- C:\WINDOWS\system32\xvidvfw.dll
2010-03-28 20:09:10 ----A---- C:\WINDOWS\system32\xvidcore.dll
2010-03-28 20:09:03 ----A---- C:\WINDOWS\system32\ff_vfw.dll.manifest
2010-03-28 20:09:03 ----A---- C:\WINDOWS\system32\ff_vfw.dll
2010-03-28 20:08:57 ----D---- C:\Programme\K-Lite Codec Pack
2010-03-28 20:03:21 ----A---- C:\WINDOWS\WatchTVProEx.ini
2010-03-28 20:03:18 ----A---- C:\WINDOWS\MSBDA.INI
2010-03-28 20:00:01 ----D---- C:\Programme\WatchTVPro Essential
2010-03-28 18:47:30 ----HDC---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-28 18:46:48 ----D---- C:\Programme\Lavasoft
2010-03-28 18:46:48 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2010-03-28 18:25:17 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2010-03-28 18:25:02 ----A---- C:\WINDOWS\system32\pndx5032.dll
2010-03-28 18:25:02 ----A---- C:\WINDOWS\system32\pndx5016.dll
2010-03-28 18:24:46 ----D---- C:\Programme\Gemeinsame Dateien\xing shared
2010-03-28 18:24:00 ----A---- C:\WINDOWS\system32\pncrt.dll
2010-03-28 18:23:54 ----D---- C:\Programme\Gemeinsame Dateien\Real
2010-03-28 18:23:52 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real
2010-03-28 18:23:50 ----D---- C:\Programme\Real
2010-03-28 18:23:14 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Real
2010-03-28 18:12:23 ----A---- C:\WINDOWS\system32\wmpns.dll
2010-03-28 18:11:11 ----D---- C:\WINDOWS\Prefetch
2010-03-28 18:01:38 ----D---- C:\Programme\Mediapiraten
2010-03-28 17:54:55 ----D---- C:\WINDOWS\Driver Cache
2010-03-28 17:47:50 ----D---- C:\WINDOWS\ServicePackFiles
2010-03-28 17:45:38 ----A---- C:\WINDOWS\000001_.tmp
2010-03-25 19:39:32 ----D---- C:\Programme\Pinnacle
2010-03-25 19:37:16 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Pinnacle
2010-03-25 19:10:44 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Speak-A-Message
2010-03-25 19:10:05 ----D---- C:\Programme\Speak-A-Message
2010-03-25 19:09:10 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Inventivio
2010-03-21 20:58:33 ----D---- C:\WINDOWS\system32\VIRepair
2010-03-21 20:58:32 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\ViStart
2010-03-21 20:58:32 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\ViSplore
2010-03-21 20:58:16 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\ViGlance
2010-03-21 20:55:22 ----A---- C:\WINDOWS\system32\viwc.exe
2010-03-21 20:55:22 ----A---- C:\WINDOWS\system32\vilaunch.exe
2010-03-21 20:55:21 ----D---- C:\Programme\ViSplore
2010-03-21 20:55:21 ----D---- C:\Programme\TrueTransparency
2010-03-21 20:55:19 ----D---- C:\Programme\WinFlip
2010-03-21 20:55:18 ----D---- C:\Programme\ViStart
2010-03-21 20:55:18 ----D---- C:\Programme\Vista Rainbar
2010-03-21 20:55:18 ----D---- C:\Programme\ViGlance
2010-03-21 20:55:16 ----D---- C:\Programme\Vista Drive Icon
2010-03-21 20:47:27 ----D---- C:\WINDOWS\system32\VITrans
2010-03-21 20:47:25 ----D---- C:\VTPFiles
2010-03-21 20:47:25 ----A---- C:\WINDOWS\system32\Uharc.exe
2010-03-21 20:47:25 ----A---- C:\WINDOWS\system32\reico.exe
2010-03-21 20:47:25 ----A---- C:\WINDOWS\system32\moveex.exe
2010-03-21 20:47:25 ----A---- C:\WINDOWS\system32\modifype.exe
2010-03-21 20:47:24 ----A---- C:\WINDOWS\system32\pskill.exe
2010-03-21 20:47:04 ----A---- C:\WINDOWS\system32\scrnrdr.exe
2010-03-21 20:25:27 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Styler
2010-03-21 20:20:01 ----D---- C:\Programme\Styler
2010-03-14 11:34:39 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Hewlett-Packard
2010-03-14 11:33:52 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Ordner HP Share-to-Web
2010-03-14 11:32:54 ----D---- C:\Programme\Gemeinsame Dateien\Hewlett-Packard
2010-03-14 11:32:41 ----D---- C:\Programme\Hewlett-Packard
2010-03-14 11:31:02 ----D---- C:\col3927
2010-03-12 14:15:50 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-03-11 17:55:44 ----D---- C:\WINDOWS\Sun
2010-03-09 15:30:22 ----D---- C:\Programme\GameTop.com
2010-03-09 15:07:10 ----A---- C:\WINDOWS\system32\ptpusb.dll
2010-03-09 15:07:09 ----A---- C:\WINDOWS\system32\ptpusd.dll
2010-03-08 21:56:59 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Apple Computer
2010-03-08 21:56:33 ----A---- C:\WINDOWS\system32\GEARAspi.dll
2010-03-08 21:55:34 ----D---- C:\Programme\iPod
2010-03-08 21:55:25 ----D---- C:\Programme\iTunes
2010-03-08 21:55:25 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-08 21:54:53 ----D---- C:\Programme\Bonjour
2010-03-08 21:53:58 ----D---- C:\Programme\QuickTime
2010-03-08 21:53:55 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple Computer
2010-03-08 21:53:29 ----D---- C:\Programme\Apple Software Update
2010-03-08 21:53:15 ----A---- C:\WINDOWS\system32\usbaaplrc.dll
2010-03-08 21:52:14 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple
2010-03-08 21:52:13 ----D---- C:\Programme\Gemeinsame Dateien\Apple
2010-03-03 19:45:51 ----D---- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL
2010-03-03 19:45:31 ----D---- C:\Programme\Gemeinsame Dateien\AOL
2010-03-03 19:45:25 ----D---- C:\Programme\AOL

======List of files/folders modified in the last 1 months======

2010-03-29 22:03:42 ----RD---- C:\Programme
2010-03-29 20:51:42 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Skype
2010-03-29 20:42:44 ----D---- C:\WINDOWS\Temp
2010-03-29 19:43:51 ----SD---- C:\WINDOWS\Tasks
2010-03-29 18:29:56 ----D---- C:\WINDOWS\system32\drivers
2010-03-29 18:28:51 ----D---- C:\WINDOWS\Debug
2010-03-29 18:28:51 ----D---- C:\WINDOWS
2010-03-29 18:28:49 ----D---- C:\WINDOWS\Minidump
2010-03-29 18:16:57 ----D---- C:\WINDOWS\system32
2010-03-29 14:48:00 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-29 14:47:09 ----D---- C:\Programme\Mozilla Firefox
2010-03-29 10:08:39 ----D---- C:\WINDOWS\system32\CatRoot
2010-03-29 10:06:53 ----HD---- C:\WINDOWS\inf
2010-03-29 10:06:50 ----D---- C:\Programme\Messenger
2010-03-28 20:01:16 ----SHD---- C:\WINDOWS\Installer
2010-03-28 18:52:52 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-03-28 18:47:50 ----D---- C:\WINDOWS\WinSxS
2010-03-28 18:24:46 ----D---- C:\Programme\Gemeinsame Dateien
2010-03-28 18:24:01 ----A---- C:\WINDOWS\system32\msvcr71.dll
2010-03-28 18:24:01 ----A---- C:\WINDOWS\system32\msvcp71.dll
2010-03-28 18:16:33 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-28 18:09:58 ----N---- C:\WINDOWS\SchedLgU.Txt
2010-03-28 18:02:26 ----D---- C:\WINDOWS\security
2010-03-28 17:54:56 ----D---- C:\WINDOWS\Help
2010-03-28 17:54:56 ----D---- C:\Programme\Windows Media Player
2010-03-28 17:47:50 ----D---- C:\WINDOWS\Media
2010-03-28 17:47:49 ----D---- C:\WINDOWS\system32\Restore
2010-03-28 17:47:49 ----D---- C:\Programme\Outlook Express
2010-03-28 17:47:47 ----D---- C:\WINDOWS\system32\oobe
2010-03-28 17:45:36 ----D---- C:\WINDOWS\system32\ReinstallBackups
2010-03-28 17:45:11 ----D---- C:\WINDOWS\EHome
2010-03-28 16:45:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-25 19:51:07 ----A---- C:\WINDOWS\emMON.exe
2010-03-25 19:39:47 ----HD---- C:\Programme\InstallShield Installation Information
2010-03-21 20:57:16 ----D---- C:\Programme\Internet Explorer
2010-03-21 20:55:22 ----RSD---- C:\WINDOWS\Fonts
2010-03-21 20:55:16 ----D---- C:\WINDOWS\Cursors
2010-03-14 11:33:35 ----A---- C:\WINDOWS\win.ini
2010-03-12 19:42:42 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\skypePM
2010-03-12 14:15:53 ----D---- C:\Programme\Movie Maker
2010-03-12 14:15:29 ----HD---- C:\WINDOWS\$hf_mig$
2010-03-11 09:38:04 ----D---- C:\Programme\phase5
2010-03-10 19:38:59 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Identities
2010-03-05 19:16:51 ----D---- C:\Dokumente und Einstellungen\Marvin\Anwendungsdaten\Chilirec
2010-03-05 19:08:00 ----D---- C:\Programme\Gemeinsame Dateien\Symantec Shared
2010-03-02 07:30:12 ----A---- C:\WINDOWS\system32\MRT.exe
2010-03-01 18:21:25 ----RSD---- C:\WINDOWS\assembly

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2010-03-14 82380]
R1 avgio;avgio; \??\C:\Programme\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Intel-Prozessortreiber; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-14 40448]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R1 WmiAcpi;Microsoft Windows-Verwaltungsschnittstelle für ACPI; C:\WINDOWS\System32\DRIVERS\wmiacpi.sys [2008-04-14 8832]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-11-25 56816]
R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-08-05 54752]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\System32\DRIVERS\athw.sys [2008-08-20 1318464]
R3 CmBatt;Microsoft-Netzteiltreiber; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-14 13952]
R3 HDAudBus;Microsoft UAA-Bustreiber für High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-12-22 6039072]
R3 M3000Srv;Acer Crystal Eye webcam Driver; C:\WINDOWS\System32\Drivers\M3000KNT.sys [2008-05-05 254976]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-04-25 225024]
R3 usbehci;Miniporttreiber für erweiterten Microsoft USB 2.0-Hostcontroller; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;Microsoft USB-Standardhubtreiber; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbuhci;Miniporttreiber für universellen Microsoft USB-Hostcontroller; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-14 20608]
S1 kbdhid;Tastatur-HID-Treiber; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14720]
S1 kbdqlt;kbdqlt; \??\C:\WINDOWS\system32\drivers\kbdqlt.sys []
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2009-11-18 1691480]
S3 BrScnUsb;Brother USB Still Image driver; C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 15295]
S3 CCDECODE;Untertiteldecoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
S3 HidUsb;Microsoft HID Class-Treiber; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2009-11-18 1395800]
S3 mouhid;Maus-HID-Treiber; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-18 12288]
S3 MPE;BDA MPE-Filter; C:\WINDOWS\system32\DRIVERS\MPE.sys [2008-04-14 15232]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI-Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV-/Videoverbindung; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-14 79232]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 streamip;BDA-IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 USB28xxBGA;PCTV 330e/8x0e Device; C:\WINDOWS\system32\DRIVERS\emBDA.sys [2010-03-25 540288]
S3 USB28xxOEM;USB 28xx OEM Filter; C:\WINDOWS\system32\DRIVERS\emOEM.sys [2010-03-25 443520]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 usbccgp;Microsoft Standard-USB-Haupttreiber; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbprint;Microsoft USB-Druckerklasse; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]
S3 usbscan;USB-Scannertreiber; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 usbstor;USB-Massenspeichertreiber; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WSTCODEC;World Standard Teletext-Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Programme\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Programme\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
R2 Apple Mobile Device;Apple Mobile Device; C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour-Dienst; C:\Programme\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 GtDetectSc;GtDetectSc; C:\Programme\Option\GlobeTrotter Connect\GtDetectSc.exe [2008-04-30 200704]
R2 JavaQuickStarterService;Java Quick Starter; C:\Programme\Java\jre6\bin\jqs.exe [2010-02-02 153376]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; C:\Programme\Lavasoft\Ad-Aware\AAWService.exe [2010-03-28 1263728]
R2 SeaPort;SeaPort; C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-05-19 240512]
R3 iPod Service;iPod-Dienst; C:\Programme\iPod\bin\iPodService.exe [2010-01-22 545576]
S2 gvxuufuhs;ihfaze; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 fsssvc;Windows Live Family Safety-Dienst; C:\Programme\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

I hope
es kann mir jemand helfen. Vielen Dank im Voraus. Multivitamin |
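An added example, not part of the thread and not code from the RSIT tool's authors: a small Python parser for the driver/service lines in the log above. It flags exactly the two properties the helper's reply relies on when picking entries for removal: an empty "[]" (the tool found no file information, as with kbdqlt) and a service whose image is the generic host svchost.exe (gvxuufuhs/ihfaze, whose ServiceDll the later OSAM report shows as a missing fvkqb.dll). The sample lines are constructed to mirror the log format. The flags are review hints, not verdicts: the benign IntelIde stub in the same log also shows "[]" and was rightly left alone.

```python
"""Triage of RSIT-style driver/service listings (added example, constructed input)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines in the format of the thread's RSIT log:
# "<R|S><start type> <service name>;<display name>; <image path> [<date> <size>]"
# An empty "[]" means the tool found no file information for the image path.
SAMPLE_LOG = r"""
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
S1 kbdqlt;kbdqlt; \??\C:\WINDOWS\system32\drivers\kbdqlt.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
R2 AntiVirService;Avira AntiVir Guard; C:\Programme\Avira\AntiVir Desktop\avguard.exe [2009-07-21 185089]
S2 gvxuufuhs;ihfaze; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
"""

ENTRY_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"       # R=running / S=stopped, start type 0-4
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"    # service name; display name;
    r"(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"  # image path, then [date size] or []
)


@dataclass
class Entry:
    state: str
    start: int
    name: str
    display: str
    path: str
    file_date: Optional[str]
    file_size: Optional[int]


def parse_entries(text: str) -> List[Entry]:
    """Parse every line that matches the RSIT entry format; skip everything else."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        info = m.group("info").split()  # [] -> empty list, [date size] -> two fields
        entries.append(Entry(
            state=m.group("state"),
            start=int(m.group("start")),
            name=m.group("name").strip(),
            display=m.group("display").strip(),
            path=m.group("path"),
            file_date=info[0] if info else None,
            file_size=int(info[1]) if len(info) > 1 else None,
        ))
    return entries


def review_reasons(e: Entry) -> List[str]:
    """Return why an entry deserves a manual look (review hints, not verdicts)."""
    reasons: List[str] = []
    if e.file_date is None:
        # kbdqlt in the thread looked like this; so does the benign IntelIde stub.
        reasons.append("no file information: image missing or unreadable")
    image = e.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image == "svchost.exe":
        # Generic host process: the real code is the ServiceDll, which this
        # listing does not show (the thread's gvxuufuhs pointed at a missing DLL).
        reasons.append("hosted by svchost.exe: verify the ServiceDll it loads")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map service name -> review reasons for every flagged entry."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_entries(text):
        reasons = review_reasons(e)
        if reasons:
            flagged[e.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the constructed sample it reports kbdqlt, IntelIde and gvxuufuhs and stays quiet about the signed Avira entries; on a real RSIT log the svchost.exe flag will also hit legitimate Windows services, which is why the next step is always to look up the ServiceDll (as OSAM did in the thread) rather than to delete on the strength of the flag.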
29.03.2010, 22:44 | #2 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojan "TR/Agent.ruo" Hello and
Please run the Avenger:
1.) Download Avenger from here: Swandog46's Public Anti-Malware Tools (Download, on the left side)
2.) Unpack the zip archive and run the file "avenger.exe" (under Vista via right-click => Run as administrator). Tick the boxes at the bottom as shown:
3.) Copy exactly the lines from the following code box:
Code:
files to delete:
C:\WINDOWS\system32\viwc.exe
C:\WINDOWS\system32\vilaunch.exe
C:\WINDOWS\000001_.tmp
C:\WINDOWS\system32\drivers\kbdqlt.sys

drivers to delete:
kbdqlt
5.) The code text from my post should now be visible under "Input Script here" in "The Avenger".
6.) If so, click "Execute" at the bottom right. Confirm the next prompt with "Yes", and the "Reboot now" question (system restart) as well.
7.) After the restart you will be shown a log file from Avenger. Copy its contents and post them here.
8.) Upload the file c:\avenger\backup.zip to file-upload.net and link it here.
9.) Create a log with OSAM and post it.
__________________ |
30.03.2010, 10:20 | #3 |
| Trojan "TR/Agent.ruo" Hello,
thank you very much already for the quick help. Here is the log file from Avenger:
Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
File "C:\WINDOWS\system32\viwc.exe" deleted successfully.
File "C:\WINDOWS\system32\vilaunch.exe" deleted successfully.
File "C:\WINDOWS\000001_.tmp" deleted successfully.
File "C:\WINDOWS\system32\drivers\kbdqlt.sys" deleted successfully.
Driver "kbdqlt" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Here is the file C:\Avenger\Backup.zip: hxxp://www.file-upload.net/download-2391676/backup.zip.html
And the log from OSAM:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 11:14:20 on 30.03.2010
OS: Windows XP Home Edition Service Pack 3 (Build 2600)
Default Browser: Mozilla Corporation Firefox 3.6.2
Scanner Settings Rootkits detection (hidden registry) Rootkits detection (hidden files) Retrieve files information Check Microsoft signatures Filters Trusted entries Empty entries Hidden registry entries (rootkit activity) Exclusively opened files Not found files Files without detailed information Existing files Non-startable services Non-startable drivers Active entries Disabled entries
Risk Name Publisher Full Path Status
Common %SystemRoot%\Tasks |||| "AppleSoftwareUpdate.job" "Apple Inc."
C:\Programme\Apple Software Update\SoftwareUpdate.exe File exists "Ad-Aware Update (Weekly).job" "Lavasoft " C:\Programme\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe File exists |||||| "Norton Security Scan for Marvin.job" "Symantec Corporation" C:\Programme\Norton Security Scan\Engine\2.3.0.44\Nss.exe File exists "RealUpgradeLogonTaskS-1-5-21-1390067357-879983540-725345543-1004.job" "RealNetworks, Inc." C:\Programme\Real\RealUpgrade\realupgrade.exe File exists "RealUpgradeScheduledTaskS-1-5-21-1390067357-879983540-725345543-1004.job" "RealNetworks, Inc." C:\Programme\Real\RealUpgrade\realupgrade.exe File exists Control Panel Objects %SystemRoot%\system32 |||||| "infocardcpl.cpl" "Microsoft Corporation" C:\WINDOWS\system32\infocardcpl.cpl File exists |||||| "javacpl.cpl" "Sun Microsystems, Inc." C:\WINDOWS\system32\javacpl.cpl File exists "main.cpl" "Microsoft Corporation" C:\WINDOWS\system32\main.cpl File exists |||||| "telephon.cpl" "Microsoft Corporation" C:\WINDOWS\system32\telephon.cpl File exists HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls |||||| "Avira AntiVir Personal - Free Antivirus " "Avira GmbH" C:\PROGRA~1\Avira\ANTIVI~1\avconfig.cpl File exists |||||| "QuickTime" "Apple Inc." C:\Programme\QuickTime\QTSystem\QuickTime.cpl File exists Drivers HKLM\SYSTEM\CurrentControlSet\Services |||||| "AFS2k" (AFS2K) "Oak Technology Inc." 
C:\WINDOWS\system32\drivers\AFS2K.sys File exists |||||| "avgio" (avgio) "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\avgio.sys File exists |||||| "avgntflt" (avgntflt) "Avira GmbH" C:\WINDOWS\System32\DRIVERS\avgntflt.sys File exists |||||| "avipbb" (avipbb) "Avira GmbH" C:\WINDOWS\System32\DRIVERS\avipbb.sys File exists "Changer" (Changer) C:\WINDOWS\system32\drivers\Changer.sys File not found |||||| "FssFltr" (fssfltr) "Microsoft Corporation" C:\WINDOWS\System32\DRIVERS\fssfltr_tdi.sys File exists "i2omgmt" (i2omgmt) C:\WINDOWS\system32\drivers\i2omgmt.sys File not found |||||| "Lbd" (Lbd) "Lavasoft AB" C:\WINDOWS\System32\DRIVERS\Lbd.sys File exists "lbrtfdc" (lbrtfdc) C:\WINDOWS\system32\drivers\lbrtfdc.sys File not found "PCIDump" (PCIDump) C:\WINDOWS\system32\drivers\PCIDump.sys File not found "PDCOMP" (PDCOMP) C:\WINDOWS\system32\drivers\PDCOMP.sys File not found "PDFRAME" (PDFRAME) C:\WINDOWS\system32\drivers\PDFRAME.sys File not found "PDRELI" (PDRELI) C:\WINDOWS\system32\drivers\PDRELI.sys File not found "PDRFRAME" (PDRFRAME) C:\WINDOWS\system32\drivers\PDRFRAME.sys File not found |||||| "ssmdrv" (ssmdrv) "Avira GmbH" C:\WINDOWS\System32\DRIVERS\ssmdrv.sys File exists "WDICA" (WDICA) C:\WINDOWS\system32\drivers\WDICA.sys File not found Explorer HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components |||||| {89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" "Microsoft Corporation" c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install File exists {89820200-ECBD-11cf-8B85-00AA005B4340} "Windows Desktop-Update" "Microsoft Corporation" regsvr32.exe /s /n /i:U shell32.dll File exists HKLM\Software\Classes\Folder\shellex\ColumnHandlers |||||| {F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" "Adobe Systems, Inc." 
C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll File exists {0D2E74C4-3C34-11d2-A27E-00C04FC30871} "{0D2E74C4-3C34-11d2-A27E-00C04FC30871}" "Microsoft Corporation" C:\WINDOWS\system32\SHELL32.dll File exists {24F14F01-7B1C-11d1-838f-0000F80461CF} "{24F14F01-7B1C-11d1-838f-0000F80461CF}" "Microsoft Corporation" C:\WINDOWS\system32\SHELL32.dll File exists {24F14F02-7B1C-11d1-838f-0000F80461CF} "{24F14F02-7B1C-11d1-838f-0000F80461CF}" "Microsoft Corporation" C:\WINDOWS\system32\SHELL32.dll File exists {66742402-F9B9-11D1-A202-0000F81FEDEE} "{66742402-F9B9-11D1-A202-0000F81FEDEE}" "Microsoft Corporation" C:\WINDOWS\system32\SHELL32.dll File exists |||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll File exists HKLM\Software\Classes\Protocols\Filter |||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists |||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists |||||| {1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" "Microsoft Corporation" C:\WINDOWS\system32\mscoree.dll File exists {733AC4CB-F1A4-11d0-B951-00A0C90312E1} "WebView MIME Filter" "Microsoft Corporation" C:\WINDOWS\system32\SHELL32.dll File exists HKLM\Software\Classes\Protocols\Handler |||||| {314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll File exists |||||| {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} "IEProtocolHandler Class" "Skype Technologies" C:\Programme\Gemeinsame Dateien\Skype\Skype4COM.dll File exists |||| {828030A1-22C1-4009-854F-8E305202313F} "livecall" "Microsoft Corporation" C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL File exists |||| {828030A1-22C1-4009-854F-8E305202313F} 
"msnim" "Microsoft Corporation" C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL File exists |||||| {03C514A3-1EFB-4856-9F99-10D7BE1653C0} "Windows Live Mail HTML Asynchronous Pluggable Protocol Handler" "Microsoft Corporation" C:\Programme\Windows Live\Mail\mailcomm.dll File exists HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks {AEB6717E-7E19-11d0-97EE-00C04FD91972} "URL Exec Hook" "Microsoft Corporation" C:\WINDOWS\system32\shell32.dll File exists HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved |||||| {23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" "Igor Pavlov" C:\Programme\7-Zip\7-zip.dll File exists |||||| {0563DB41-F538-4B37-A92D-4659049B7766} "CLSID_WLMCMimeFilter" "Microsoft Corporation" C:\Programme\Windows Live\Mail\mailcomm.dll File exists {42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" deskpan.dll File not found {FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" File not found | COM-object registry key not found |||||| {B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "iTunes" "Apple Inc." 
C:\Programme\iTunes\iTunesMiniPlayer.dll File exists {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" File not found | COM-object registry key not found {32683183-48a0-441b-a342-7c2a440a9478} "Media Band" File not found | COM-object registry key not found |||||| {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396} "OpenOffice.org Column Handler" C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll File exists |||||| {087B3AE3-E237-4467-B8DB-5A38AB959AC9} "OpenOffice.org Infotip Handler" C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll File exists |||||| {63542C48-9552-494A-84F7-73AA6A7C99C1} "OpenOffice.org Property Sheet Handler" C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll File exists |||||| {3B092F0C-7696-40E3-A80F-68D74DA84210} "OpenOffice.org Thumbnail Viewer" C:\Programme\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll File exists |||||| {A4DF5659-0801-4A60-9607-1C48695EFDA9} "Ordner HP Share-to-Web" "Hewlett-Packard" c:\Programme\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL File exists {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "RealOne Player Context Menu Class" "RealNetworks, Inc." 
C:\Programme\Real\RealPlayer\rpshell.dll File exists |||||| {45AC2688-0253-4ED8-97DE-B5370FA7D48A} "Shell Extension for Malware scanning" "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\shlext.dll File exists |||||| {E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" "Microsoft Corporation" c:\WINDOWS\system32\dfshim.dll File exists {764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" File not found | COM-object registry key not found |||||| {e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" "Microsoft Corporation" c:\WINDOWS\system32\dfshim.dll File exists {0DF44EAA-FF21-4412-828E-260A8728E7F1} "Taskleiste und Startmenü" "Microsoft Corporation" C:\WINDOWS\system32\shell32.dll File exists |||||| {2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} "Windows Live Photo Gallery Autoplay Drop Target" "Microsoft Corporation" C:\Programme\Windows Live\Photo Gallery\WLXPhotoGallery.exe File exists |||||| {00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} "Windows Live Photo Gallery Editor Drop Target" "Microsoft Corporation" C:\Programme\Windows Live\Photo Gallery\WLXPhotoGallery.exe File exists |||||| {00F3712A-CA79-45B4-9E4D-D7891E7F8B9D} "Windows Live Photo Gallery Editor Shim" "Microsoft Corporation" C:\Programme\Windows Live\Photo Gallery\PhotoViewerShim.dll File exists |||||| {00F30F90-3E96-453B-AFCD-D71989ECC2C7} "Windows Live Photo Gallery Viewer Autoplay Shim" "Microsoft Corporation" C:\Programme\Windows Live\Photo Gallery\PhotoViewerShim.dll File exists |||||| {00F33137-EE26-412F-8D71-F84E4C2C6625} "Windows Live Photo Gallery Viewer Autoplay Shim" "Microsoft Corporation" C:\Programme\Windows Live\Photo Gallery\PhotoViewerShim.dll File exists |||||| {00F374B7-B390-4884-B372-2FC349F2172B} "Windows Live Photo Gallery Viewer Drop Target" "Microsoft Corporation" C:\Programme\Windows Live\Photo Gallery\WLXPhotoGallery.exe File exists |||||| {00F346CB-35A4-465B-8B8F-65A29DBAB1F6} "Windows Live Photo 
Gallery Viewer Shim" "Microsoft Corporation" C:\Programme\Windows Live\Photo Gallery\PhotoViewerShim.dll File exists |||||| {06A2568A-CED6-4187-BB20-400B8C02BE5A} "{06A2568A-CED6-4187-BB20-400B8C02BE5A}" "Microsoft Corporation" C:\Programme\Windows Live\Photo Gallery\WLXPhotoAcquireWizard.exe File exists HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad {7849596a-48ea-486e-8937-a2a3009f31a9} "PostBootReminder object" "Microsoft Corporation" C:\WINDOWS\system32\SHELL32.dll File exists {fbeb8a05-beee-4442-804e-409d6c4515e9} "ShellFolder for CD Burning" "Microsoft Corporation" C:\WINDOWS\system32\SHELL32.dll File exists Internet Explorer HKCU\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars {32683183-48a0-441b-a342-7c2a440a9478} "{32683183-48a0-441b-a342-7c2a440a9478}" File not found | COM-object registry key not found HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser "&Links" "Microsoft Corporation" C:\WINDOWS\system32\SHELL32.dll File exists |||| "&Windows Live Toolbar" "Microsoft Corporation" C:\Programme\Windows Live\Toolbar\wltcore.dll File exists ITBar7Height "ITBar7Height" File not found | COM-object registry key not found "ITBar7Layout" File not found | COM-object registry key not found "ITBarLayout" File not found | COM-object registry key not found HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units {CC450D71-CC90-424C-8638-1F2DBAC87A54} "ArmHelper Control" file:///C:/Programme/Monopoly/Images/armhelper.ocx ./Images/armhelper.ocx File not found DirectAnimation Java Classes "DirectAnimation Java Classes" file://C:\WINDOWS\Java\classes\dajava.cab File not found | COM-object registry key not found |||| {8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_18" hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab "Sun Microsystems, Inc." 
C:\Programme\Java\jre6\bin\npjpi160_18.dll File exists |||| {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre6\bin\npjpi160_18.dll File exists |||| {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_18" hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab "Sun Microsystems, Inc." C:\Programme\Java\jre6\bin\npjpi160_18.dll File exists Microsoft XML Parser for Java "Microsoft XML Parser for Java" file://C:\WINDOWS\Java\classes\xmldso.cab File not found | COM-object registry key not found || {149E45D8-163E-4189-86FC-45022AB2B6C9} "SpinTop DRM Control" file:///C:/Programme/Monopoly/Images/stg_drm.ocx "SpinTop Media Inc." C:\WINDOWS\DOWNLO~1\stg_drm.ocx File exists {E2883E8F-472F-4FB0-9522-AC9BF37916A7} "{E2883E8F-472F-4FB0-9522-AC9BF37916A7}" hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab File not found | COM-object registry key not found HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions |||| {5F7B1267-94A9-47F5-98DB-E99415F33AEC} "In Blog veröffentlichen" "Microsoft Corporation" C:\Programme\Windows Live\Writer\WriterBrowserExtension.dll File exists HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar |||| "&Windows Live Toolbar" "Microsoft Corporation" C:\Programme\Windows Live\Toolbar\wltcore.dll File exists HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects |||||| {18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" "Adobe Systems Incorporated" C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll File exists |||| {DBC80044-A445-435b-BC74-9C25C1C588A9} "Java(tm) Plug-In 2 SSV Helper" "Sun Microsystems, Inc." C:\Programme\Java\jre6\bin\jp2ssv.dll File exists |||| {E7E6F031-17CE-4C07-BC86-EABFE594F69C} "JQSIEStartDetectorImpl Class" "Sun Microsystems, Inc." 
C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll File exists || {1536BA74-8625-4240-99B0-BE65883689C8} "Mediaplayer" C:\Programme\Mediapiraten\Mediapiraten\IEButtonMPInterface.dll File found, but it contains no detailed information {3049C3E9-B461-4BC5-8870-4C09146192CA} "RealPlayer Download and Record Plugin for Internet Explorer" "RealPlayer" C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll File exists || {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} "Search Helper" "Microsoft Corporation" C:\Programme\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll File exists |||||| {9030D464-4C02-4ABF-8ECC-5164760863C6} "Windows Live Anmelde-Hilfsprogramm" "Microsoft Corporation" C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll File exists |||| {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} "Windows Live Toolbar Helper" "Microsoft Corporation" C:\Programme\Windows Live\Toolbar\wltcore.dll File exists {5C255C8A-E604-49b4-9D64-90988571CECB} "{5C255C8A-E604-49b4-9D64-90988571CECB}" File not found | COM-object registry key not found Known DLLs HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs "shell32" "Microsoft Corporation" C:\WINDOWS\system32\shell32.dll File exists Logon %AllUsersProfile%\Startmenü\Programme\Autostart |||||| "desktop.ini" C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini File exists %UserProfile%\Startmenü\Programme\Autostart |||||| "desktop.ini" C:\Dokumente und Einstellungen\Marvin\Startmenü\Programme\Autostart\desktop.ini File exists "OpenOffice.org 3.2.lnk" C:\Programme\OpenOffice.org 3\program\quickstart.exe Shortcut exists | File found, but it contains no detailed information | File exists HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |||| "msnmsgr" "Microsoft Corporation" "C:\Programme\Windows Live\Messenger\msnmsgr.exe" /background File exists |||| "Skype" "Skype Technologies S.A." 
"C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized File exists "viwc" C:\WINDOWS\system32\viwc.exe File not found HKLM\Software\Microsoft\Windows\CurrentVersion\Run |||| "Adobe ARM" "Adobe Systems Incorporated" "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe" File exists |||| "Adobe Reader Speed Launcher" "Adobe Systems Incorporated" "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" File exists |||||| "avgnt" "Avira GmbH" "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min File exists "AzMixerSel" "Realtek Semiconductor Corp." C:\Programme\Realtek\Audio\Drivers\AzMixerSel.exe File exists |||| "DrvIcon" "artArmin" C:\Programme\Vista Drive Icon\DrvIcon.exe File exists "HostManager" "America Online, Inc." C:\Programme\Gemeinsame Dateien\AOL\1267638333\ee\AOLSoftware.exe File exists "iTunesHelper" "Apple Inc." "C:\Programme\iTunes\iTunesHelper.exe" File exists "LanTalk.NET" "CEZEO software Ltd." C:\Programme\CEZEO software\LanTalk NET\LanTalk.exe File exists || "M3000Mnt" Rundll32.exe M3000Rmv.dll ,WinMainRmv /StartStillMnt File signed by Microsoft | File found, but it contains no detailed information |||| "QuickTime Task" "Apple Inc." "C:\Programme\QuickTime\qttask.exe" -atboottime File exists |||| "Share-to-Web Namespace Daemon" "Hewlett-Packard" c:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe File exists |||| "SunJavaUpdateSched" "Sun Microsystems, Inc." "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" File exists "TkBellExe" "RealNetworks, Inc." 
"C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot File exists "vilaunch" C:\WINDOWS\system32\vilaunch.exe File not found Print Monitors HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors |||||| "novaPDF Server OEM 6 Monitor" "Softland" C:\WINDOWS\system32\novamnv6.dll File exists Services HKLM\SYSTEM\CurrentControlSet\Services |||||| ".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe File exists "Anwendungsverwaltung" (AppMgmt) C:\WINDOWS\System32\appmgmts.dll File not found |||||| "Apple Mobile Device" (Apple Mobile Device) "Apple Inc." C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe File exists |||||| "ASP.NET State Service" (aspnet_state) "Microsoft Corporation" C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe File exists |||||| "Avira AntiVir Guard" (AntiVirService) "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\avguard.exe File exists |||||| "Avira AntiVir Planer" (AntiVirSchedulerService) "Avira GmbH" C:\Programme\Avira\AntiVir Desktop\sched.exe File exists |||||| "Bonjour-Dienst" (Bonjour Service) "Apple Inc." C:\Programme\Bonjour\mDNSResponder.exe File exists |||||| "GtDetectSc" (GtDetectSc) "OptionNV" C:\Programme\Option\GlobeTrotter Connect\GtDetectSc.exe File exists "ihfaze" (gvxuufuhs) C:\WINDOWS\system32\fvkqb.dll File not found "iPod-Dienst" (iPod Service) "Apple Inc." C:\Programme\iPod\bin\iPodService.exe File exists |||||| "Java Quick Starter" (JavaQuickStarterService) "Sun Microsystems, Inc." 
C:\Programme\Java\jre6\bin\jqs.exe File exists "Lavasoft Ad-Aware Service" (Lavasoft Ad-Aware Service) "Lavasoft" C:\Programme\Lavasoft\Ad-Aware\AAWService.exe File exists |||||| "SeaPort" (SeaPort) "Microsoft Corporation" C:\Programme\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe File exists |||||| "Windows CardSpace" (idsvc) "Microsoft Corporation" c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe File exists |||||| "Windows Live Family Safety-Dienst" (fsssvc) "Microsoft Corporation" C:\Programme\Windows Live\Family Safety\fsssvc.exe File exists |||||| "Windows Presentation Foundation Font Cache 3.0.0.0" (FontCache3.0.0.0) "Microsoft Corporation" c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe File exists Winlogon HKCU\Control Panel\IOProcs "MVB" mvfs32.dll File not found HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions {c6dc5466-785a-11d2-84d0-00c04fb169f7} "Softwareinstallation" appmgmts.dll File not found Winsock Providers HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries |||||| "mdnsNSP" "Apple Inc." C:\Programme\Bonjour\mdnsNSP.dll File exists If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru
Many thanks in advance. Multivitamin |
30.03.2010, 10:55 | #4 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojan "TR/Agent.ruo" That takes care of the rootkit. Is the virus scanner still complaining?
__________________ Please always post logfiles in CODE tags |
30.03.2010, 12:11 | #5 |
| Trojan "TR/Agent.ruo" Hello, when I restart my PC and open Firefox, Antivir no longer reports anything. I just ran a system scan with Antivir. Both Trojans were found again. Multivitamin |
30.03.2010, 12:38 | #6 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojan "TR/Agent.ruo" Then delete them. Also disable System Restore: during the infection, malware files were saved into restore points as well. Those are all unusable now, since rolling the system back to a restore point would most likely bring the infection back.
__________________ |
30.03.2010, 15:15 | #7 |
| Trojan "TR/Agent.ruo" I have now deleted the Trojan with AntiVir. After that I ran another system scan. Nothing is found any more. Is the Trojan completely removed now? Many thanks. Multivitamin |
30.03.2010, 15:25 | #8 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Trojan "TR/Agent.ruo" Yep, the logs are OK now. You can still run control scans with Malwarebytes and SUPERAntiSpyware and post the logs. Remember to update both tools before scanning!!
__________________ Please always post logfiles in CODE tags |
30.03.2010, 15:35 | #9 |
| Trojan "TR/Agent.ruo" Thanks for the help. Multivitamin |