| Rechner befallen von Trojanern (wahrscheinlich ihaupd32.exe) Nach einem gestrigen Download (aber keiner Ausführung der Datei) begann mein Rechner sich merkwürdig zu verhalten, da ich mich mit Viren, Trojanern und Co. nicht auskenne, schaltete ich erstmal das Internet aus und suchte von einem anderen Rechner dieses Forum auf. Derweil lies ich Antivirs Suche laufen und diese ergab den Trojaner ihaupd32.exe (und khvcol.exe).
Nach den hier beschriebenen Anleitungen habe ich folgende Programme laufen lassen und stelle die Ergebnisse hier rein: CCleaner: Wurde laut Anleitung durchgeführt und ergab nach mehrmaliger Registry-Fehler-Behebung keine Fehler mehr. Malwarebytes Anti-Malware :
Beim Updaten trat ein Fehler auf:
MBAM_ERROR_UPDATING (12029, 0, WinHttpSendRequest)
Der trotzdem durchgeführte Vollscan ergab: Zitat:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Datenbank Version: 3930
Windows 6.0.6000
Internet Explorer 7.0.6000.16575
02.04.2010 15:11:10
mbam-log-2010-04-02 (15-11-10).txt
Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 292577
Laufzeit: 1 Stunde(n), 59 Minute(n), 57 Sekunde(n)
Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 2
Infizierte Registrierungsschlüssel: 5
Infizierte Registrierungswerte: 11
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 1
Infizierte Dateien: 38
Infizierte Speicherprozesse:
c:\lsass.exe (Trojan.Agent) -> Unloaded process successfully.
Infizierte Speichermodule:
C:\Windows\System32\sbm94bjg.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\Windows\System32\BtwSvc.dll (Backdoor.Bot) -> Delete on reboot.
Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a9ba40a1-74f1-52bd-f431-00b15a2c8953} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a9ba40a1-74f1-52bd-f431-00b15a2c8953} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\protect (Rootkit.Agent) -> Quarantined and deleted successfully.
Infizierte Registrierungswerte:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\gootkitsso (Trojan.GootKit) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
C:\Program Files\Protection System (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
Infizierte Dateien:
C:\Windows\System32\sbm94bjg.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\Windows\System32\BtwSvc.dll (Backdoor.Bot) -> Delete on reboot.
C:\Windows\System32\config\systemprofile\reader_s.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\setups\Adobe CS3\Keygen\Keygen.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\setups\Sibelius.v5.0.incl.KeyGen.READ.NFO-BEAT\KeyGen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\***\wuaucldt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\pludoh.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\wxoanscemr.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Windows\System32\6099.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\d.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\E34F.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\E90B.tmp (Email.Worm) -> Quarantined and deleted successfully.
C:\Windows\System32\ioyhbblo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ms.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\msxsltsso.dll (Trojan.GootKit) -> Quarantined and deleted successfully.
C:\Windows\System32\opear.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\reader_s.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\wuaucldt.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NHI0E58A\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Local\Windows Server\ricssa.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\qjzwi.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\tymbc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\***\.COMMgr\complmgr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Roaming\wiaservg.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\rasadhlp.dll (Spyware.Passowrds) -> Quarantined and deleted successfully.
C:\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ihaupd32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Windows\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\taskmgr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\***\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\sc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\rasadhlp.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Local\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\***\AppData\Roaming\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\PereSvc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\protect.sys (Rootkit.Agent) -> Quarantined and deleted successfully. | Die Analyse mit RSIT ergab: Zitat:
info.txt logfile of random's system information tool 1.06 2010-04-02 16:30:21
======Uninstall list======
-->C:\Program Files\Conexant\SmartAudio\SETUP.EXE -U -ISmartAudio -SM=SMAUDIO.EXE,1801
-->MsiExec /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}
3DMark06-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
Ableton Live v7.0.1-->"C:\Program Files\Ableton\Live 7.0.1\Uninstall\unins000.exe"
Adobe After Effects CS3 Presets-->MsiExec.exe /I{193EAFD0-1BAF-4FB4-B18F-79D5D6A4B285}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe BridgeTalk Plugin CS3-->MsiExec.exe /I{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Recommended Settings-->MsiExec.exe /I{73B5D990-04EA-4751-B10F-5534770B91F2}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Extra Settings-->MsiExec.exe /I{FF29A7E2-FF40-4D07-B7E4-2093DE59E10A}
Adobe Creative Suite 3 Master Collection hinzufügen oder entfernen-->C:\Program Files\Common Files\Adobe\Installers\67a7fb1e97aa14ee9ef0950eb6fd757\Setup.exe
Adobe Creative Suite 3 Master Collection-->MsiExec.exe /I{DA896917-C1DA-45B2-B4D2-68162F16C0DD}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Extension Manager CS3-->MsiExec.exe /I{BE5F3842-8309-4754-92D5-83E02E6077A3}
Adobe Flash CS3-->MsiExec.exe /I{8C640345-AF96-4ABA-A697-97D2A0B8C6DB}
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{BC4F8E84-5E29-49EC-B4E7-E6F9CB50986C}
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Video Encoder-->MsiExec.exe /I{BCEDD813-269C-4D8F-A4BA-01FDC66254D3}
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{7ACFB90E-8FD0-4397-AD3A-5195412623A3}
Adobe InDesign CS3 Icon Handler-->MsiExec.exe /I{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}
Adobe InDesign CS3-->MsiExec.exe /I{411E0CC3-587A-468C-B461-95FAFD05E4DE}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe MotionPicture Color Files-->MsiExec.exe /I{6B708481-748A-4EB4-97C1-CD386244FF77}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->MsiExec.exe /I{D3C605D8-3A5E-4BAD-965D-2C61441BF2AC}
Adobe Reader 9.1.3 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A91000000001}
Adobe Setup-->MsiExec.exe /I{DFFDDCF5-CB32-4354-8823-1B9E68025953}
Adobe Shockwave Player-->MsiExec.exe /X{1BDC9633-895B-4842-BCB6-8FA1EC2A3C5A}
Adobe SING CS3-->MsiExec.exe /I{B671CBFD-4109-4D35-9252-3062D3CCB7B2}
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe Video Profiles-->MsiExec.exe /I{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}
Adobe WAS CS3-->MsiExec.exe /I{C5BD220A-EFE8-48A5-B70E-9503D535FACE}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP DVA Panels CS3-->MsiExec.exe /I{0224CACC-994D-45F8-B973-D65056EA9C2F}
Adobe XMP Panels CS3-->MsiExec.exe /I{D5A31AB1-345D-47C7-A87B-036A669F6DF1}
AHV content for Acrobat and Flash-->MsiExec.exe /I{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ASIO4ALL-->C:\Program Files\ASIO4ALL v2\uninstall.exe
Atheros Driver Installation Program-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28006915-2739-4EBE-B5E8-49B25D32EB33}\setup.exe" -l0x7 -removeonly
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
Band-in-a-Box 2006-->"C:\Program Files\Band in a box\unins000.exe"
Battle.net-->C:\Windows\bnetunin.exe
BattleForge™-->MsiExec.exe /X{C580908C-B3BA-4C19-BD60-16F02F272201}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Command & Conquer(TM) Generäle-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
Command and Conquer(TM) Generäle Die Stunde Null -->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1}
Conexant HD Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe -U -IQh30CFza.INF
devolo EasyShare-->C:\Program Files\devolo\setup.exe /remove:easyshare
Diablo II-->C:\Program Files\Common Files\Blizzard Entertainment\Diablo II\Uninstall.exe
Diablo-->C:\Windows\diabunin.exe
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
ESU for Microsoft Vista-->MsiExec.exe /I{65AA10FF-6F32-48AE-881F-FC96E7BF3A5E}
FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
foobar2000 v0.9.6.7-->"C:\Program Files\foobar2000\uninstall.exe" _?=C:\Program Files\foobar2000
Free Audio CD Burner version 1.2-->"C:\Program Files\DVDVideoSoft\Free Audio CD Burner\unins000.exe"
Free YouTube to MP3 Converter version 3.2-->"C:\Program Files\DVDVideoSoft\Free YouTube to MP3 Converter\unins000.exe"
Hauppauge MCE XP/Vista Software Encoder (2.0.25149)-->C:\PROGRA~1\WinTV\UNSftMCE.EXE C:\PROGRA~1\WinTV\softMCE.LOG
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDA_HSF\UIU32m.exe -U -I*.INF
Hewlett-Packard Active Check-->MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent for Health Check-->MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HISTO interaktiv 1.0-->"C:\Program Files\HISTO interaktiv\unins000.exe"
HP Active Support Library-->C:\Program Files\InstallShield Installation Information\{11BB336F-0E58-4977-B866-F24FA334616B}\setup.exe -runfromtemp -l0x0409
HP Customer Experience Enhancements-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BD0E2B92-3814-46F0-893B-4612EA010C7E}\setup.exe" -l0x9 -removeonly
HP Doc Viewer-->MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP Easy Setup - Frontend-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9885A11E-60E4-417C-B58B-8B31B21C0B8A}\setup.exe" -l0x9 -removeonly
HP Help and Support-->MsiExec.exe /I{28EDCE9C-3304-4331-8AB3-F3EBE94C35B4}
HP Quick Launch Buttons 6.40 D3-->C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\Setup.exe -runfromtemp -l0x0007 -removeonly uninst
HP QuickPlay 3.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP QuickTouch 1.00 C4-->MsiExec.exe /I{7DC4A410-9986-4329-9E5D-687B2C42CA39}
HP Update-->MsiExec.exe /X{AB40272D-92AB-4F30-B36B-22EDE16F8FE5}
HP User Guides 0087-->MsiExec.exe /I{4D49757C-367A-4333-BDB3-68966162B14E}
HP Wireless Assistant-->MsiExec.exe /I{CBAE4F50-9FC9-4557-AB36-9826DF3C103C}
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Last.fm 1.5.4.24567-->"C:\Program Files\Last.fm\unins000.exe"
LogMeIn Hamachi-->C:\Windows\system32\\msiexec.exe /i {8A74DEFD-A224-49CC-AB80-4E88BC730125} REMOVE=ALL
LogMeIn Hamachi-->MsiExec.exe /I{8A74DEFD-A224-49CC-AB80-4E88BC730125}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Mediscript-CD GK1-->C:\PROGRA~1\GK1neu\UNWISE.EXE C:\PROGRA~1\GK1neu\INSTALL.LOG
Microsoft Age of Empires II-->"C:\Program Files\Games\Age2\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Morrowind-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Bethesda Softworks\Morrowind\MWUninstall\Setup.exe" -l0x7
Mozilla Firefox (3.0.15)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML4 Parser-->MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Need For Speed Underground-->C:\Program Files\Need For Speed Underground\EAUninstall.exe
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{DD1865F0-AD73-40FB-B23E-1822E02396FF}
OpenOffice.org 2.4-->MsiExec.exe /I{43721D86-16D1-46BF-8353-37CD82333BC3}
Opera 10.51-->MsiExec.exe /X{211FD4F6-43CF-41E6-8F6D-5FDF8D70B733}
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
pdf24-->"C:\Program Files\pdf24\unins000.exe"
Personal Ancestral File 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0FE67B3A-3F1D-11D5-9DA4-00B0D0B1BCB9}\Setup.exe"
PG Music DirectX Plugins 1.3.4.1-->"C:\Program Files\PowerTracks DirectX Plugins\unins000.exe"
Quake Live Mozilla Plugin-->MsiExec.exe /I{D9B3B577-26BD-4CB2-9072-8029AE097AFE}
QuickTime-->MsiExec.exe /I{C78EAC6F-7A73-452E-8134-DBB2165C5A68}
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x7 anything
Sacred Underworld-->"C:\Program Files\Ascaron Entertainment\Sacred Underworld\unins000.exe"
SequoiaView-->C:\Program Files\SequoiaView\Uninstal.exe
Sibelius 5-->MsiExec.exe /I{C23B8C30-E05E-4CB5-8188-F27CC3B2DD3E}
Skype™ 3.8-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004}
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TeamSpeak 2 RC2-->"C:\Program Files\Teamspeak2_RC2\unins000.exe"
TES Construction Set-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Bethesda Softworks\Morrowind\CSUninstall\Setup.exe" -l0x7
Trillian-->C:\Program Files\Trillian\Trillian.exe /uninstall
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
VLC media player 1.0.3-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Warcraft III-->C:\Windows\War3Unin.exe C:\Windows\War3Unin.dat
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Media Encoder 9-Reihe-->msiexec.exe /I {E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Encoder 9-Reihe-->MsiExec.exe /I{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR-->C:\Program Files\WinRAR\uninstall.exe
YAWLE 0.5b-->C:\Windows\iun6002.exe "C:\Program Files\Warcraft III\irunin.ini"
======Hosts File======
127.0.0.1 www.Brenz.pl
======Security center information======
AV: AntiVir Desktop (outdated)
AS: AntiVir Desktop (outdated)
AS: Windows-Defender (outdated)
======System event log======
Computer Name: Freiheit
Event Code: 7036
Message: Dienst "RAS-Verbindungsverwaltung" befindet sich jetzt im Status "Ausgeführt".
Record Number: 159225
Source Name: Service Control Manager
Time Written: 20100402131900.000000-000
Event Type: Informationen
User:
Computer Name: Freiheit
Event Code: 10029
Message: DCOM hat den Dienst TrustedInstaller mit den Argumenten "" gestartet, um den Server auszuführen:
{752073A1-23F2-4396-85F0-8FDB879ED0ED}
Record Number: 159226
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20100402132914.000000-000
Event Type: Informationen
User:
Computer Name: Freiheit
Event Code: 7036
Message: Dienst "Windows Modules Installer" befindet sich jetzt im Status "Ausgeführt".
Record Number: 159227
Source Name: Service Control Manager
Time Written: 20100402132914.000000-000
Event Type: Informationen
User:
Computer Name: Freiheit
Event Code: 7036
Message: Dienst "WinHTTP-Web Proxy Auto-Discovery-Dienst" befindet sich jetzt im Status "Beendet".
Record Number: 159228
Source Name: Service Control Manager
Time Written: 20100402133145.000000-000
Event Type: Informationen
User:
Computer Name: Freiheit
Event Code: 7036
Message: Dienst "Windows Modules Installer" befindet sich jetzt im Status "Beendet".
Record Number: 159229
Source Name: Service Control Manager
Time Written: 20100402133914.000000-000
Event Type: Informationen
User:
=====Application event log=====
Computer Name: Freiheit
Event Code: 4113
Message: AntiVir erkannte in der Datei C:\lsass.exe verdächtigen Code mit der Bezeichnung 'TR/Spy.Gen'!
Record Number: 69511
Source Name: Avira AntiVir
Time Written: 20100402143318.000000-000
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM
Computer Name: Freiheit
Event Code: 4113
Message: AntiVir erkannte in der Datei C:\lsass.exe verdächtigen Code mit der Bezeichnung 'TR/Spy.Gen'!
Record Number: 69512
Source Name: Avira AntiVir
Time Written: 20100402143319.000000-000
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM
Computer Name: Freiheit
Event Code: 4113
Message: AntiVir erkannte in der Datei C:\lsass.exe verdächtigen Code mit der Bezeichnung 'TR/Spy.Gen'!
Record Number: 69513
Source Name: Avira AntiVir
Time Written: 20100402143320.000000-000
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM
Computer Name: Freiheit
Event Code: 4113
Message: AntiVir erkannte in der Datei C:\lsass.exe verdächtigen Code mit der Bezeichnung 'TR/Spy.Gen'!
Record Number: 69514
Source Name: Avira AntiVir
Time Written: 20100402143321.000000-000
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM
Computer Name: Freiheit
Event Code: 4113
Message: AntiVir erkannte in der Datei C:\lsass.exe verdächtigen Code mit der Bezeichnung 'TR/Spy.Gen'!
Record Number: 69515
Source Name: Avira AntiVir
Time Written: 20100402143321.000000-000
Event Type: Warnung
User: NT-AUTORITÄT\SYSTEM
=====Security event log=====
Computer Name: Freiheit
Event Code: 4624
Message: Ein Konto wurde erfolgreich angemeldet.
Antragsteller:
Sicherheits-ID: S-1-5-18
Kontoname: FREIHEIT$
Kontodomäne: ARBEITSGRUPPE
Anmelde-ID: 0x3e7
Anmeldetyp: 5
Neue Anmeldung:
Sicherheits-ID: S-1-5-18
Kontoname: SYSTEM
Kontodomäne: NT-AUTORITÄT
Anmelde-ID: 0x3e7
Anmelde-GUID: {00000000-0000-0000-0000-000000000000}
Prozessinformationen:
Prozess-ID: 0x234
Prozessname: C:\Windows\System32\services.exe
Netzwerkinformationen:
Arbeitsstationsname:
Quellnetzwerkadresse: -
Quellport: -
Detaillierte Authentifizierungsinformationen:
Anmeldeprozess: Advapi
Authentifizierungspaket: Negotiate
Übertragene Dienste: -
Paketname (nur NTLM): -
Schlüssellänge: 0
Dieses Ereignis wird beim Erstellen einer Anmeldesitzung generiert. Es wird auf dem Computer generiert, auf den zugegriffen wurde.
Die Antragstellerfelder geben das Konto auf dem lokalen System an, von dem die Anmeldung angefordert wurde. Dies ist meistens ein Dienst wie der Serverdienst oder ein lokaler Prozess wie "Winlogon.exe" oder "Services.exe".
Das Anmeldetypfeld gibt den jeweiligen Anmeldetyp an. Die häufigsten Typen sind 2 (interaktiv) und 3 (Netzwerk).
Die Felder für die neue Anmeldung geben das Konto an, für das die Anmeldung erstellt wurde, d. h. das angemeldete Konto.
Die Netzwerkfelder geben die Quelle einer Remoteanmeldeanforderung an. der Arbeitsstationsname ist nicht immer verfügbar und kann in manchen Fällen leer bleiben.
Die Felder für die Authentifizierungsinformationen enthalten detaillierte Informationen zu dieser speziellen Anmeldeanforderung.
- Die Anmelde-GUID ist ein eindeutiger Bezeichner, der verwendet werden kann, um dieses Ereignis mit einem KDC-Ereignis zu korrelieren.
- Die übertragenen Dienste geben an, welche Zwischendienste an der Anmeldeanforderung beteiligt waren.
- Der Paketname gibt das in den NTLM-Protokollen verwendete Unterprotokoll an.
- Die Schlüssellänge gibt die Länge des generierten Sitzungsschlüssels an. Wenn kein Sitzungsschlüssel angefordert wurde, ist dieser Wert 0.
Record Number: 55359
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100313182208.174913-000
Event Type: Überwachung erfolgreich
User:
Computer Name: Freiheit
Event Code: 4672
Message: Einer neuen Anmeldung wurden besondere Rechte zugewiesen.
Antragsteller:
Sicherheits-ID: S-1-5-18
Kontoname: SYSTEM
Kontodomäne: NT-AUTORITÄT
Anmelde-ID: 0x3e7
Berechtigungen: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 55360
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100313182208.174913-000
Event Type: Überwachung erfolgreich
User:
Computer Name: Freiheit
Event Code: 5056
Message: Ein Kryptografieselbsttest wurde ausgeführt.
Antragsteller:
Sicherheits-ID: S-1-5-18
Kontoname: FREIHEIT$
Kontodomäne: ARBEITSGRUPPE
Anmelde-ID: 0x3e7
Modul: ncrypt.dll
Rückgabecode: 0x0
Record Number: 55361
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100313182209.812923-000
Event Type: Überwachung erfolgreich
User:
Computer Name: Freiheit
Event Code: 4648
Message: Anmeldeversuch mit expliziten Anmeldeinformationen.
Antragsteller:
Sicherheits-ID: S-1-5-18
Kontoname: FREIHEIT$
Kontodomäne: ARBEITSGRUPPE
Anmelde-ID: 0x3e7
Anmelde-GUID: {00000000-0000-0000-0000-000000000000}
Konto, dessen Anmeldeinformationen verwendet wurden:
Kontoname: SYSTEM
Kontodomäne: NT-AUTORITÄT
Anmelde-GUID: {00000000-0000-0000-0000-000000000000}
Zielserver:
Zielservername: localhost
Weitere Informationen: localhost
Prozessinformationen:
Prozess-ID: 0x234
Prozessname: C:\Windows\System32\services.exe
Netzwerkinformationen:
Netzwerkadresse: -
Port: -
Dieses Ereignis wird bei einem Anmeldeversuch durch einen Prozess generiert, wenn ausdrücklich die Anmeldeinformationen des Kontos angegeben werden. Dies ist normalerweise der Fall in Batch-Konfigurationen, z. B. bei geplanten Aufgaben oder wenn der Befehl "runas" verwendet wird.
Record Number: 55362
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100313182211.185732-000
Event Type: Überwachung erfolgreich
User:
Computer Name: Freiheit
Event Code: 4624
Message: Ein Konto wurde erfolgreich angemeldet.
Antragsteller:
Sicherheits-ID: S-1-5-18
Kontoname: FREIHEIT$
Kontodomäne: ARBEITSGRUPPE
Anmelde-ID: 0x3e7
Anmeldetyp: 5
Neue Anmeldung:
Sicherheits-ID: S-1-5-18
Kontoname: SYSTEM
Kontodomäne: NT-AUTORITÄT
Anmelde-ID: 0x3e7
Anmelde-GUID: {00000000-0000-0000-0000-000000000000}
Prozessinformationen:
Prozess-ID: 0x234
Prozessname: C:\Windows\System32\services.exe
Netzwerkinformationen:
Arbeitsstationsname:
Quellnetzwerkadresse: -
Quellport: -
Detaillierte Authentifizierungsinformationen:
Anmeldeprozess: Advapi
Authentifizierungspaket: Negotiate
Übertragene Dienste: -
Paketname (nur NTLM): -
Schlüssellänge: 0
Dieses Ereignis wird beim Erstellen einer Anmeldesitzung generiert. Es wird auf dem Computer generiert, auf den zugegriffen wurde.
Die Antragstellerfelder geben das Konto auf dem lokalen System an, von dem die Anmeldung angefordert wurde. Dies ist meistens ein Dienst wie der Serverdienst oder ein lokaler Prozess wie "Winlogon.exe" oder "Services.exe".
Das Anmeldetypfeld gibt den jeweiligen Anmeldetyp an. Die häufigsten Typen sind 2 (interaktiv) und 3 (Netzwerk).
Die Felder für die neue Anmeldung geben das Konto an, für das die Anmeldung erstellt wurde, d. h. das angemeldete Konto.
Die Netzwerkfelder geben die Quelle einer Remoteanmeldeanforderung an. der Arbeitsstationsname ist nicht immer verfügbar und kann in manchen Fällen leer bleiben.
Die Felder für die Authentifizierungsinformationen enthalten detaillierte Informationen zu dieser speziellen Anmeldeanforderung.
- Die Anmelde-GUID ist ein eindeutiger Bezeichner, der verwendet werden kann, um dieses Ereignis mit einem KDC-Ereignis zu korrelieren.
- Die übertragenen Dienste geben an, welche Zwischendienste an der Anmeldeanforderung beteiligt waren.
- Der Paketname gibt das in den NTLM-Protokollen verwendete Unterprotokoll an.
- Die Schlüssellänge gibt die Länge des generierten Sitzungsschlüssels an. Wenn kein Sitzungsschlüssel angefordert wurde, ist dieser Wert 0.
Record Number: 55363
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100313182211.185732-000
Event Type: Überwachung erfolgreich
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\CyberLink\Power2Go\;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\DivX Shared\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 104 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=6802
"NUMBER_OF_PROCESSORS"=2
"PLATFORM"=MCD
"PCBRAND"=Pavilion
"OnlineServices"=Online-Dienste
"USERPART"=E:
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
-----------------EOF----------------- | Zitat:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Carlo at 2010-04-02 16:30:03
Microsoft® Windows Vista™ Home Premium
System drive C: has 133 GB (59%) free of 227 GB
Total RAM: 2046 MB (71% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:30:17, on 02.04.2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal
Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe
C:\Users\Carlo\AppData\Local\Temp\khvcol.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\lsass.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehsched.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Carlo\Desktop\rüber\RSIT.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\Carlo.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=81&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=de_de&c=81&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [7760] C:\Users\Carlo\AppData\Local\Temp\khvcol.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\Windows\TEMP\lujfjc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\Windows\TEMP\lujfjc.exe (User 'Default user')
O4 - Startup: zipdkg32.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - (no file)
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 6789 bytes
======Scheduled tasks folder======
C:\Windows\tasks\User_Feed_Synchronization-{81D31A74-F3A3-4F4F-AF03-F775B90C834B}.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"25581"=C:\Users\Carlo\AppData\Local\Temp\khvcol.exe [2010-04-02 23040]
C:\Users\***\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
zipdkg32.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953}
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Hamachi2Svc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Windows\system32\winlogon.exe"="C:\Windows\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1969d203-535a-11dd-9ae1-806e6f6e6963}]
shell\AutoRun\command - E:\AUTOPLAY.EXE id=10000017000015000002 ver=1.0.0.0
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4142b8ff-8eca-11dd-afa2-001e6834dac0}]
shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7618b87c-9456-11dd-8cfd-001e6834dac0}]
shell\AutoRun\command - G:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9d5162-9380-11dd-baab-001e6834dac0}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe SCHULE-95D50201.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9d5167-9380-11dd-baab-001e6834dac0}]
shell\AutoRun\command - H:\LaunchU3.exe -a
======List of files/folders created in the last 1 months======
2010-04-02 16:30:03 ----D---- C:\rsit
2010-04-02 16:29:44 ----D---- C:\Program Files\Trend Micro
2010-04-02 15:14:29 ----N---- C:\lsass.exe
2010-04-02 12:33:37 ----D---- C:\Users\***\AppData\Roaming\Malwarebytes
2010-04-02 12:33:12 ----D---- C:\ProgramData\Malwarebytes
2010-04-02 12:33:11 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-02 12:17:55 ----D---- C:\Program Files\CCleaner
2010-04-02 11:35:40 ----D---- C:\Users\***\AppData\Roaming\Avira
2010-04-01 23:09:04 ----A---- C:\Windows\system32\EBCA.tmp
2010-04-01 23:09:04 ----A---- C:\gyudekrjh4wh108.bat
2010-04-01 23:09:03 ----A---- C:\Windows\system32\1818,461.exe
2010-04-01 23:08:53 ----A---- C:\Windows\system32\BF3A.tmp
2010-04-01 23:08:40 ----A---- C:\Windows\system32\5203,363.exe
2010-04-01 23:08:37 ----A---- C:\ProgramData\zganxubfn12mnrbuxok7r7r4.ini
2010-04-01 23:08:37 ----A---- C:\ProgramData\kfdtk.ini
2010-04-01 22:58:51 ----D---- C:\Windows\Sun
2010-03-31 10:46:44 ----D---- C:\Program Files\LogMeIn Hamachi
2010-03-27 22:47:53 ----D---- C:\Program Files\Ascaron Entertainment
2010-03-27 22:26:50 ----D---- C:\Program Files\devolo
2010-03-22 00:42:13 ----D---- C:\Program Files\Steam
2010-03-14 23:52:52 ----A---- C:\Windows\system32\devil.dll
2010-03-14 23:52:52 ----A---- C:\Windows\system32\avisynth.dll
2010-03-14 23:52:50 ----A---- C:\Windows\system32\yv12vfw.dll
2010-03-14 23:52:50 ----A---- C:\Windows\system32\i420vfw.dll
2010-03-14 23:52:50 ----A---- C:\Windows\system32\AVSredirect.dll
2010-03-14 23:52:49 ----D---- C:\Program Files\AviSynth 2.5
2010-03-14 22:09:56 ----D---- C:\Users\***\AppData\Roaming\Broad Intelligence
2010-03-14 22:09:04 ----D---- C:\Program Files\MediaCoder
======List of files/folders modified in the last 1 months======
2010-04-02 16:29:59 ----D---- C:\Windows\Temp
2010-04-02 16:29:44 ----D---- C:\Program Files
2010-04-02 15:20:22 ----D---- C:\Windows\System32
2010-04-02 15:20:22 ----D---- C:\Windows\inf
2010-04-02 15:20:22 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-04-02 15:15:54 ----D---- C:\Windows\Prefetch
2010-04-02 15:13:36 ----D---- C:\Windows
2010-04-02 15:13:24 ----D---- C:\Windows\system32\drivers
2010-04-02 15:12:15 ----D---- C:\Windows\Provisioning
2010-04-02 15:11:10 ----D---- C:\Program Files\Mozilla Firefox
2010-04-02 15:11:10 ----D---- C:\Program Files\Internet Explorer
2010-04-02 12:33:12 ----D---- C:\ProgramData
2010-04-02 12:22:06 ----D---- C:\Windows\Minidump
2010-04-02 12:22:06 ----D---- C:\Windows\Debug
2010-04-02 11:55:03 ----SHD---- C:\System Volume Information
2010-04-02 00:20:09 ----SHD---- C:\Windows\Installer
2010-04-02 00:20:07 ----D---- C:\Windows\winsxs
2010-04-02 00:13:00 ----RD---- C:\Downloads
2010-04-02 00:09:35 ----D---- C:\Games
2010-04-01 23:59:16 ----D---- C:\Program Files\Opera
2010-04-01 23:09:45 ----D---- C:\Program Files\Trillian
2010-04-01 23:09:05 ----D---- C:\Windows\system32\GroupPolicy
2010-04-01 22:07:55 ----A---- C:\Windows\BBW_INFO.INI
2010-04-01 13:43:18 ----D---- C:\Live
2010-04-01 11:14:17 ----D---- C:\Users\***\AppData\Roaming\OpenOffice.org2
2010-03-28 22:44:19 ----D---- C:\Users\***\AppData\Roaming\teamspeak2
2010-03-27 22:30:40 ----RD---- C:\Music
2010-03-27 15:16:20 ----D---- C:\Bilder
2010-03-26 11:46:58 ----D---- C:\Windows\system32\catroot2
2010-03-25 19:32:43 ----D---- C:\Users\***\AppData\Roaming\vlc
2010-03-21 23:38:53 ----D---- C:\Users\***\AppData\Roaming\Hamachi
2010-03-21 20:21:34 ----D---- C:\SWSetup
2010-03-21 20:13:40 ----D---- C:\Users\Carlo\AppData\Roaming\Skype
2010-03-21 20:13:34 ----D---- C:\Users\***\AppData\Roaming\skypePM
2010-03-16 23:07:42 ----D---- C:\Filme
2010-03-14 23:52:47 ----RSD---- C:\Windows\Fonts
2010-03-05 15:04:19 ----D---- C:\Windows\system32\catroot
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys [2009-02-13 11608]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2010-03-01 124784]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys [2010-02-16 60936]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-03-21 37376]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-07-10 8704]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2007-12-06 761856]
R3 CmBatt;Treiber für Microsoft-ACPI-Kontrollmethodenkompatible Batterie; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-02-23 14208]
R3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys [2009-09-23 26176]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDART.sys [2007-09-10 176640]
R3 HpqKbFiltr;HpqKbFilter Driver; C:\Windows\system32\DRIVERS\HpqKbFiltr.sys [2007-06-18 16768]
R3 HpqRemHid;HP Remote Control HID Device; C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 7168]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-06-20 984064]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-06-20 208896]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2009-04-30 9850016]
R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 12032]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-02-23 82432]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-09-15 191408]
R3 usbvideo;USB-Videogerät (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-02-22 132864]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-06-20 660480]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-02-23 11264]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
S3 aa1g6z5w;aa1g6z5w; C:\Windows\system32\drivers\aa1g6z5w.sys []
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
S3 CrystalSysInfo;CrystalSysInfo; \??\C:\Program Files\MediaCoder\SysInfo.sys []
S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 E100B;Intel(R) PRO Adapter Driver; C:\Windows\system32\DRIVERS\e100b325.sys [2006-11-02 163328]
S3 ENTECH;ENTECH; \??\C:\Windows\system32\DRIVERS\ENTECH.sys [2007-09-07 27672]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-10-19 1380864]
S3 mod7700;DiBcom DIB7700 based TV tuner device; C:\Windows\System32\Drivers\mod7700.sys [2007-04-18 473728]
S3 MODRC;DiBcom Infrared Receiver; C:\Windows\system32\DRIVERS\modrc.sys [2007-02-06 13440]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Proxy für Streaming Clock; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Proxy für Streaming Quality Manager; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvmfdx32.sys [2007-03-07 1059112]
S3 SymIM;Symantec Network Security Intermediate Filter Service; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP; C:\Windows\system32\DRIVERS\SymIM.sys []
S3 usbaudio;USB-Audiotreiber (WDM); C:\Windows\system32\drivers\usbaudio.sys [2006-11-02 71552]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2010-03-16 267432]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine; C:\Program Files\LogMeIn Hamachi\hamachi-2.exe [2010-03-30 1107336]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2007-09-19 65536]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2008-01-25 148832]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-08-23 79136]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-05-01 211488]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS); C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe [2007-09-30 271760]
R2 QPSched;QuickPlay Task Scheduler (QTS); C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe [2007-09-30 112016]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-07-10 386560]
S3 Com4QLBEx;Com4QLBEx; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-11 654848]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-07-16 316664]
-----------------EOF----------------- | Ich hoffe jeden Namen und Link entfernt zu haben..
Ich wäre für jeden Hinweis dankbar, ob und wie stark mein Computer noch befallen ist und was man dagegen tun kann ! |