Log analysis and evaluation: Caught trojan "Winserv.exe" (Windows 7)
21.09.2010, 18:29 | #1
Caught trojan "Winserv.exe"

Hello! Today I caught the trojan "Winserv.exe". After I had opened the infected file, 3-4 processes with this name showed up in Task Manager, but I was able to end them manually. After the reboot, though, there was first a brief black screen in which something was being "set up". (I can't remember exactly what it said any more, but in any case it was a path under C:\Program Files (x86) where the new folder "WindowsUpdate" was created. It contained the "set up" file that apparently started the processes.) Strangely, I was able to delete this file together with its folder quite normally. After another reboot, the processes ("Winserv.exe") suddenly weren't started any more. Antivir also found nothing after a full scan. I have rebooted several times since and now notice no performance loss or problems at all. Still, I don't feel comfortable about the whole thing, because according to a Google search this trojan is classified as quite dangerous. So I wanted to post a HijackThis log here and ask whether you can spot anything suspicious. What I did notice is that this "Winserv.exe" shows up in it again... Anyway, thanks a lot for your help!

Code:
```
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:07:00, on 21.09.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://trojaner-board.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://trojaner-board.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://trojaner-board.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://trojaner-board.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://trojaner-board.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://trojaner-board.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - h**p://trojaner-board.de
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - h**p://trojaner-board.de
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - h**p://trojaner-board.de
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553525700} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98d47b52ad115) (gupdate1c98d47b52ad115) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe
O23 - Service: TunngleService - Tunngle.net GmbH - C:\Program Files (x86)\Tunngle\TnglCtrl.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8836 bytes
```
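As an added example (not part of the thread and not HijackThis code), a small Python check over O4 lines in the shape of the log above. It flags the two traits the Winserv.exe entries show there: the autostart lives under Policies\Explorer\Run, a policy key that regular installers rarely touch, and the identical command is registered under both HKLM and HKCU. The sample lines are constructed from that shape; the check does not read the registry.

```python
"""Flag suspicious O4 (autostart) entries in a HijackThis log."""
import re
from typing import Dict, List

# Constructed sample: O4 lines in the exact shape of the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
"""

# O4 - <hive>[\<SID>]\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)(?:\\(?P<sid>S-[\d-]+))?\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def executable_of(cmd: str) -> str:
    """Return the program path of a Run value with quotes and arguments stripped."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_o4(log_text: str) -> List[Dict[str, str]]:
    """Parse every O4 line into hive, optional SID, key, value name, command and exe."""
    entries = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if m:
            entry = m.groupdict()
            entry["exe"] = executable_of(entry["cmd"])
            entries.append(entry)
    return entries


def analyze_o4(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per O4 entry that shows at least one suspicious trait."""
    entries = parse_o4(log_text)
    # Which hives carry the identical command line (case-insensitive).
    hives_per_cmd: Dict[str, set] = {}
    for e in entries:
        hives_per_cmd.setdefault(e["cmd"].lower(), set()).add(e["hive"])

    findings = []
    for e in entries:
        reasons = []
        if "policies\\explorer\\run" in e["key"].lower():
            reasons.append("registered under Policies\\Explorer\\Run, which regular installers rarely use")
        hives = hives_per_cmd[e["cmd"].lower()]
        if len(hives) > 1:
            reasons.append("identical command registered in %s" % " and ".join(sorted(hives)))
        if reasons:
            findings.append({"hive": e["hive"], "exe": e["exe"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_o4(SAMPLE_LOG):
        print(f["hive"], f["exe"])
        for r in f["reasons"]:
            print("   -", r)
```

Note that HijackThis lists the registry value even though the user has already deleted the folder it points to: the value persists until it is removed from the registry, which is why it still appears in the log.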
21.09.2010, 21:19 | #3
Caught trojan "Winserv.exe"

Quote:

I ran the Malwarebytes full scan again, although I had already done it once today, before your reply. Now it apparently found nothing, whereas this afternoon it did (though there was no "Winserv.exe" file among the results).

Code:
```
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Datenbank Version: 4666

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

21.09.2010 22:16:05
mbam-log-2010-09-21 (22-16-05).txt

Art des Suchlaufs: Vollständiger Suchlauf (C:\|D:\|)
Durchsuchte Objekte: 341899
Laufzeit: 1 Stunde(n), 18 Minute(n), 50 Sekunde(n)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
```

info.txt (RSIT logfile):

Code:
[RSIT info.txt dump omitted: uninstall list, security center information, system/application/security event logs and environment variables]

log.txt (RSIT logfile):

Code:
Logfile of random's system information tool 1.08 (written by random/random)
Run by user at 2010-09-21 22:21:48
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 5 GB (2%) free of 238 GB
Total RAM: 4094 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:21:56, on 21.09.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\Users\user\Desktop\RSIT.exe
C:\Program Files (x86)\trend micro\user.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://trojaner-board.de
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://trojaner-board.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://trojaner-board.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://trojaner-board.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://trojaner-board.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://trojaner-board.de
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - h**p://trojaner-board.de
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - h**p://trojaner-board.de
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - h**p://trojaner-board.de
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553525700} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98d47b52ad115) (gupdate1c98d47b52ad115) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe
O23 - Service: TunngleService - Tunngle.net GmbH - C:\Program Files (x86)\Tunngle\TnglCtrl.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9124 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Anmelde-Hilfsprogramm - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-07-17 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
Hotspot Shield Class - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll [2010-06-23 230448]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avgnt"=C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [2010-03-02 282792]
"ZoneAlarm Client"=C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe [2010-06-28 1043968]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"=C:\Program Files (x86)\Windows Update\Winserv.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"=C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"=C:\Program Files (x86)\Windows Update\Winserv.exe []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0
"BindDirectlyToPropertySetStorage"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\SysWOW64\Notepad.exe %1
.js - open - C:\Windows\SysWOW64\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-09-21 22:21:48 ----D---- C:\rsit
2010-09-21 20:55:40 ----A---- C:\Windows\SysWOW64\drivers\mbamswissarmy.sys
2010-09-21 20:55:39 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-09-21 20:37:08 ----D---- C:\Program Files (x86)\FastStone Image Viewer
2010-09-21 19:34:45 ----A---- C:\Windows\SysWOW64\vsutil_loc0407.dll
2010-09-21 19:34:42 ----A---- C:\Windows\SysWOW64\vsregexp.dll
2010-09-21 19:33:47 ----A---- C:\Windows\SysWOW64\zlcommdb.dll
2010-09-21 19:33:47 ----A---- C:\Windows\SysWOW64\zlcomm.dll
2010-09-21 19:33:45 ----A---- C:\Windows\SysWOW64\vswmi.dll
2010-09-21 19:33:43 ----D---- C:\Windows\SysWOW64\ZoneLabs
2010-09-21 19:33:43 ----A---- C:\Windows\SysWOW64\zpeng25.dll
2010-09-21 19:33:43 ----A---- C:\Windows\SysWOW64\vsxml.dll
2010-09-21 19:33:43 ----A---- C:\Windows\SysWOW64\vspubapi.dll
2010-09-21 19:33:43 ----A---- C:\Windows\SysWOW64\vsmonapi.dll
2010-09-21 19:33:42 ----A---- C:\Windows\SysWOW64\vsdata.dll
2010-09-21 19:31:02 ----A---- C:\Windows\SysWOW64\vsutil.dll
2010-09-21 19:31:02 ----A---- C:\Windows\SysWOW64\vsinit.dll
2010-09-21 18:55:19 ----D---- C:\Program Files (x86)\Zone Labs
2010-09-21 18:55:12 ----D---- C:\Windows\Internet Logs
2010-09-21 18:55:12 ----D---- C:\ProgramData\CheckPoint
2010-09-21 18:35:53 ----D---- C:\Program Files (x86)\Trend Micro
2010-09-21 16:02:48 ----D---- C:\Users\user\AppData\Roaming\Malwarebytes
2010-09-21 16:02:35 ----D---- C:\ProgramData\Malwarebytes
2010-09-21 15:54:17 ----A---- C:\autoexec.bat
2010-09-21 15:53:30 ----D---- C:\Windows\95431C66CF9A4913BFFF6050785AFB65.TMP
2010-09-21 15:47:26 ----D---- C:\Users\user\AppData\Roaming\Uniblue
2010-09-18 11:15:29 ----D---- C:\Program Files (x86)\Amnesia - The Dark Descent Demo
2010-09-15 09:18:05 ----A---- C:\Windows\SysWOW64\MP4SDECD.DLL
2010-09-15 09:17:59 ----A---- C:\Windows\SysWOW64\inetcomm.dll
2010-09-15 09:17:58 ----A---- C:\Windows\SysWOW64\usp10.dll
2010-09-12 15:34:29 ----D---- C:\Users\user\AppData\Roaming\vlc
2010-09-12 10:53:13 ----D---- C:\Program Files (x86)\JoWooD
2010-09-08 13:19:33 ----D---- C:\Windows\usgwmt
2010-09-06 15:39:41 ----D---- C:\Hotspot Shield
2010-09-06 15:39:39 ----D---- C:\Program Files (x86)\Hotspot Shield
2010-08-29 18:02:35 ----D---- C:\Fraps
2010-08-27 11:33:29 ----A---- C:\Windows\SysWOW64\uxtuneup.dll
2010-08-27 11:33:24 ----A---- C:\Windows\SysWOW64\authuitu.dll
2010-08-26 22:45:40 ----D---- C:\Program Files (x86)\QuickTime

======List of files/folders modified in the last 1 months======

2010-09-21 22:21:50 ----D---- C:\Windows\Temp
2010-09-21 21:22:49 ----A---- C:\Windows\NeroDigital.ini
2010-09-21 20:55:40 ----D---- C:\Windows\SysWOW64\drivers
2010-09-21 20:55:39 ----D---- C:\Program Files (x86)
2010-09-21 20:15:21 ----D---- C:\Users\user\AppData\Roaming\Azureus
2010-09-21 20:02:48 ----D---- C:\Windows\System32
2010-09-21 20:02:48 ----D---- C:\Windows\inf
2010-09-21 19:39:59 ----D---- C:\ProgramData\NVIDIA
2010-09-21 19:34:47 ----D---- C:\Windows\SysWOW64
2010-09-21 19:34:39 ----D---- C:\Windows
2010-09-21 19:34:28 ----D---- C:\Windows\winsxs
2010-09-21 19:34:03 ----SHD---- C:\System Volume Information
2010-09-21 18:55:12 ----HD---- C:\ProgramData
2010-09-21 18:35:54 ----SHD---- C:\Windows\Installer
2010-09-21 18:22:14 ----D---- C:\Users\user\AppData\Roaming\Desktopicon
2010-09-21 16:07:40 ----D---- C:\Users\user\AppData\Roaming\uTorrent
2010-09-21 15:53:29 ----D---- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2010-09-21 15:51:43 ----D---- C:\Windows\Tasks
2010-09-21 11:57:12 ----D---- C:\Windows\registration
2010-09-21 11:57:12 ----D---- C:\Users\user\AppData\Roaming\dvdcss
2010-09-21 11:57:12 ----D---- C:\Program Files (x86)\MyMicroBalance
2010-09-21 11:15:50 ----D---- C:\Windows\Prefetch
2010-09-21 09:32:50 ----D---- C:\Users\user\AppData\Roaming\Skype
2010-09-21 09:08:50 ----D---- C:\Users\user\AppData\Roaming\skypePM
2010-09-20 15:20:20 ----RD---- C:\Users
2010-09-19 20:54:38 ----RD---- C:\Program Files
2010-09-19 14:19:44 ----RSD---- C:\Windows\assembly
2010-09-17 09:31:33 ----D---- C:\Program Files (x86)\Mozilla Firefox
2010-09-15 09:24:15 ----D---- C:\Program Files (x86)\Windows Mail
2010-09-15 09:23:44 ----A---- C:\Windows\win.ini
2010-09-11 21:07:53 ----D---- C:\ProgramData\Tunngle
2010-09-11 21:07:52 ----D---- C:\Users\user\AppData\Roaming\Tunngle
2010-09-08 11:34:11 ----D---- C:\Program Files (x86)\iTunes
2010-09-08 11:33:37 ----D---- C:\Program Files (x86)\Common Files\Apple
2010-09-08 11:32:55 ----D---- C:\Program Files (x86)\JDownloader
2010-09-06 14:42:13 ----D---- C:\Windows\AppPatch
2010-09-06 14:35:00 ----SHD---- C:\Boot
2010-09-06 14:12:50 ----D---- C:\ProgramData\NOS
2010-09-03 06:41:17 ----D---- C:\Program Files (x86)\Microsoft Silverlight
2010-08-29 20:34:11 ----A---- C:\Windows\SysWOW64\PnkBstrB.exe
2010-08-27 11:33:20 ----D---- C:\Program Files (x86)\TuneUp Utilities 2010
2010-08-26 16:52:59 ----A---- C:\Windows\SysWOW64\PerfStringBackup.INI
2010-08-25 21:40:07 ----SD---- C:\Windows\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 JGOGO;JMicron Hot-Plug Driver; C:\Windows\system32\DRIVERS\JGOGO.sys []
R0 JRAID;JRAID; C:\Windows\system32\DRIVERS\jraid.sys []
R0 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys []
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys []
R1 Vsdatant;Zone Alarm Firewall Driver; C:\Windows\system32\DRIVERS\vsdatant.sys []
R2 atksgt;atksgt; C:\Windows\system32\DRIVERS\atksgt.sys []
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys []
R2 lirsgt;lirsgt; C:\Windows\system32\DRIVERS\lirsgt.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys []
R3 HssDrv;Hotspot Shield Helper Miniport; C:\Windows\system32\DRIVERS\HssDrv.sys []
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys []
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys []
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh64.sys []
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle); C:\Windows\system32\DRIVERS\tap0901t.sys []
R3 taphss;Anchorfree HSS Adapter; C:\Windows\system32\DRIVERS\taphss.sys []
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv; \??\C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesDriver64.sys [2009-10-14 11856]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\Windows\system32\drivers\WmBEnum.sys []
R3 WmXlCore;Logitech Translation Layer Driver; C:\Windows\system32\drivers\WmXlCore.sys []
S3 as5cdvj8;as5cdvj8; C:\Windows\SysWOW64\drivers\as5cdvj8.sys []
S3 CrystalSysInfo;CrystalSysInfo; \??\C:\Program Files (x86)\MediaCoder\SysInfoX64.sys []
S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys []
S3 ENTECH64;ENTECH64; \??\C:\Windows\system32\DRIVERS\ENTECH64.sys []
S3 esgiguard;esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys []
S3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2007-09-10 22336]
S3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys []
S3 HdAudAddService;Microsoft 1.1 UAA-Funktionstreiber für High Definition Audio-Dienst; C:\Windows\system32\drivers\HdAudio.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys []
S3 MSPCLOCK;Microsoft Proxy für Streaming Clock; C:\Windows\system32\drivers\MSPCLOCK.sys []
S3 MSPQM;Microsoft Proxy für Streaming Quality Manager; C:\Windows\system32\drivers\MSPQM.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\Windows\system32\drivers\MSTEE.sys []
S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Sandra.sys []
S3 USBAAPL64;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl64.sys []
S3 vsdatant7;vsdatant7; C:\Windows\System32\drivers\vsdatant.win7.sys []
S3 WmFilter;Logitech Gaming HID Filter Driver; C:\Windows\system32\drivers\WmFilter.sys []
S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\Windows\system32\drivers\WmVirHid.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys []
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys []
S3 xusb21;Xbox 360 Wireless Receiver Driver Service 21; C:\Windows\system32\DRIVERS\xusb21.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-04-19 267432]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-08-13 144672]
R2 Bonjour Service;Dienst "Bonjour"; C:\Program Files (x86)\Bonjour\mDNSResponder.exe [2010-05-18 345376]
R2 HotspotShieldService;Hotspot Shield Service; C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [2010-07-27 247808]
R2 HssSrv;Hotspot Shield Routing Service; C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe [2010-06-23 348208]
R2 HssWd;Hotspot Shield Monitoring Service; C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe [2010-06-23 322608]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe []
R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2010-07-29 75064]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service; C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe [2010-08-26 1403200]
R2 TunngleService;TunngleService; C:\Program Files (x86)\Tunngle\TnglCtrl.exe [2010-06-24 715512]
R2 UxTuneUp;@%SystemRoot%\System32\uxtuneup.dll,-4096; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 vsmon;TrueVector Internet Monitor; C:\Windows\SysWOW64\ZoneLabs\vsmon.exe [2010-06-28 2435592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 gupdate1c98d47b52ad115;Google Update Service (gupdate1c98d47b52ad115); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-02-12 133104]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 HssTrayService;Hotspot Shield Tray Service; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [2010-07-27 57640]
S3 iPod Service;iPod-Dienst; C:\Program Files\iPod\bin\iPodService.exe [2010-09-01 932640]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-19 19968]
S3 Steam Client Service;Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [2010-03-03 332720]
S3 TuneUp.Defrag;@C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe,-1; C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe [2010-08-27 607040]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
S4 EPSON_PM_RPCV4_01;EPSON V3 Service4(01); C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE [2006-04-18 102400]
S4 IDriverT;InstallDriver Table Manager; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S4 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [2007-12-03 869672]
S4 NMIndexingService;NMIndexingService; C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe [2007-12-13 447784]
S4 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe [2005-08-08 167936]

-----------------EOF-----------------

Last edited by bresch6 (21.09.2010 at 21:31)
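The entries a log reader pulls out of the RSIT output above are the two `Policies\Explorer\Run` values pointing at `C:\Program Files (x86)\Windows Update\Winserv.exe` (a folder name with a space, under Program Files, where no Windows Update component lives) and `"EnableLUA"=0` under `Policies\System`. The script below is an added example, not part of this thread and not code from HijackThis or RSIT: it parses O4 autorun lines and the RSIT registry dump, and flags autoruns under Policies\Explorer\Run, binaries whose parent folder imitates a Windows component outside %SystemRoot%, one binary persisted in more than one hive, and a disabled UAC. The sample input is a constructed subset of the posted log; the look-alike folder list and the wording of the findings are my own assumptions, not heuristics of either tool.

```python
"""Triage HijackThis O4 autoruns and RSIT registry values (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a subset of the O4 lines and the Policies\System block
# from the RSIT log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"""

# HijackThis O4 line: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First executable-looking token of the command, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|scr|bat|cmd|vbs|js))\b', re.IGNORECASE)
# RSIT registry-dump value line: "name"=value
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')

# Assumption: folder names that imitate Windows components. The real ones live
# under %SystemRoot%, so a copy under Program Files or a user profile is odd.
LOOKALIKE_DIRS = {"windows update", "windowsupdate", "windows", "system32", "syswow64"}
SYSTEMROOT_PREFIXES = ("c:\\windows\\", "%systemroot%", "%windir%")


def parse_autoruns(log_text):
    """Return one dict per O4 line with hive, key, name, cmd and the exe it launches."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        x = EXE_RE.match(entry["cmd"])
        entry["exe"] = x.group("exe") if x else None
        entries.append(entry)
    return entries


def parse_registry_values(log_text, key_suffix):
    """Return {name: value} for the RSIT registry block whose key ends with key_suffix."""
    values, current = {}, None
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1].lower()
            continue
        m = VALUE_RE.match(s)
        if m and current and current.endswith(key_suffix.lower()):
            values[m.group("name")] = m.group("value").strip()
    return values


def outside_systemroot(exe):
    return not exe.lower().startswith(SYSTEMROOT_PREFIXES)


def triage(log_text):
    """Map each suspicious executable to its reasons; also return policy findings."""
    reasons = defaultdict(list)
    hives_by_exe = defaultdict(set)
    for e in parse_autoruns(log_text):
        exe = e["exe"]
        if not exe:
            continue
        hives_by_exe[exe].add(e["hive"])
        if "policies\\explorer\\run" in e["key"].lower():
            reasons[exe].append(f"{e['hive']}: autorun under Policies\\Explorer\\Run, "
                                "a Group Policy key that ordinary installers do not write")
    for exe, hives in hives_by_exe.items():
        parent = PureWindowsPath(exe).parent.name.lower()
        if parent in LOOKALIKE_DIRS and outside_systemroot(exe):
            reasons[exe].append(f"parent folder '{parent}' imitates a Windows "
                                "component outside %SystemRoot%")
        if len(hives) > 1:
            reasons[exe].append("same binary persisted in " + " and ".join(sorted(hives)))
    policies = []
    if parse_registry_values(log_text, "Policies\\System").get("EnableLUA") == "0":
        policies.append("EnableLUA=0: UAC is off, so every process the user starts "
                        "runs with full administrator rights")
    return {"autoruns": dict(reasons), "policies": policies}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for exe, why in result["autoruns"].items():
        print(exe)
        for r in why:
            print("   -", r)
    for note in result["policies"]:
        print("policy:", note)
```

Run against the sample, only Winserv.exe is reported, with four reasons (the HKLM and HKCU policy keys, the look-alike folder, and the double persistence); avgnt, the Malwarebytes RunOnce entry and the Sidebar entries pass. Feed it a complete HijackThis or RSIT log to get the same triage over all O4 lines.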
22.09.2010, 08:07 | #4 |
/// Helper Team

Still there.

O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe

That is a monitoring tool. Did you install it? It records all activity on the screen.

R2 HotspotShieldService;Hotspot Shield Service; C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [2010-07-27 247808]

Run an online scan. Please switch on any external hard drives you have during the online scans! Please disable all background guards (anti-virus program, firewall, script blocking and the like) during the scans, and do not forget to switch everything back on afterwards.
22.09.2010, 11:15 | #5 |
I ran the scan:

Code:
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ff8924739ba07e4ba86de83b8cdec516
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-22 10:12:19
# local_time=2010-09-22 12:12:19 (+0100, Mitteleuropäische Sommerzeit)
# country="Germany"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 44407 44407 0 0
# compatibility_mode=1797 16775165 100 100 58737 60045087 46496 0
# compatibility_mode=5892 16776573 100 56 90624 122668829 0 0
# compatibility_mode=8192 67108863 100 0 98 98 0 0
# compatibility_mode=9217 16777214 75 66 54383 7422153 0 0
# scanned=206229
# found=8
# cleaned=8
# scan_time=5416
C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe	a variant of Win32/HotSpotShield application (cleaned by deleting (after the next restart) - quarantined)	00000000000000000000000000000000	C
C:\Users\user\AppData\Local\Temp\NOD3027.tmp	a variant of Win32/HotSpotShield application (cleaned by deleting (after the next restart) - quarantined)	00000000000000000000000000000000	C
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\55a4ff8b-190bbc4c	Java/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\12\1dd6a40c-33b02f75	multiple threats (deleted - quarantined)	00000000000000000000000000000000	C
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\30feb821-30151a69	Java/TrojanDownloader.Agent.NBK trojan (deleted - quarantined)	00000000000000000000000000000000	C
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\4\5541aec4-67d67c20	Java/TrojanDownloader.Agent.NBM trojan (deleted - quarantined)	00000000000000000000000000000000	C
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\1eff1eb1-3f368110	Java/TrojanDownloader.Agent.NBL trojan (deleted - quarantined)	00000000000000000000000000000000	C
C:\Users\user\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\52\31bba1f4-1222de2a	Java/TrojanDownloader.Agent.NBL trojan (deleted - quarantined)	00000000000000000000000000000000	C
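Six of the eight detections in the ESET log above sit in the Java deployment cache under `AppData\LocalLow\Sun\Java\Deployment\cache` (Java/TrojanDownloader.*), and two of the eight are only scheduled for deletion "after the next restart", so the log's `cleaned=8` is not yet true on disk. The script below is an added example, not part of this thread and not ESET tooling: it parses an ESET Online Scanner log in this format, splits the findings by detection class and by location, and lists the actions still pending a reboot. The sample log is constructed from the lines posted above with tab-separated fields; the class labels and the cache-path test are my own assumptions.

```python
"""Summarise an ESET Online Scanner log (added example, not ESET code)."""
from collections import Counter

# Constructed sample: header keys and the eight findings from the post above.
# ESET writes path, detection/action, hash and flag separated by tabs.
SAMPLE_LOG = "\n".join([
    "# version=7",
    "# scanned=206229",
    "# found=8",
    "# cleaned=8",
    "C:\\Program Files (x86)\\Hotspot Shield\\bin\\openvpnas.exe\ta variant of Win32/HotSpotShield application (cleaned by deleting (after the next restart) - quarantined)\t00000000000000000000000000000000\tC",
    "C:\\Users\\user\\AppData\\Local\\Temp\\NOD3027.tmp\ta variant of Win32/HotSpotShield application (cleaned by deleting (after the next restart) - quarantined)\t00000000000000000000000000000000\tC",
    "C:\\Users\\user\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\11\\55a4ff8b-190bbc4c\tJava/TrojanDownloader.OpenStream.NAC trojan (cleaned by deleting - quarantined)\t00000000000000000000000000000000\tC",
    "C:\\Users\\user\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\12\\1dd6a40c-33b02f75\tmultiple threats (deleted - quarantined)\t00000000000000000000000000000000\tC",
    "C:\\Users\\user\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\33\\30feb821-30151a69\tJava/TrojanDownloader.Agent.NBK trojan (deleted - quarantined)\t00000000000000000000000000000000\tC",
    "C:\\Users\\user\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\4\\5541aec4-67d67c20\tJava/TrojanDownloader.Agent.NBM trojan (deleted - quarantined)\t00000000000000000000000000000000\tC",
    "C:\\Users\\user\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\49\\1eff1eb1-3f368110\tJava/TrojanDownloader.Agent.NBL trojan (deleted - quarantined)\t00000000000000000000000000000000\tC",
    "C:\\Users\\user\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\52\\31bba1f4-1222de2a\tJava/TrojanDownloader.Agent.NBL trojan (deleted - quarantined)\t00000000000000000000000000000000\tC",
])

# Assumption: the JRE 6 deployment cache layout seen in the post.
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def classify(detection):
    """Coarse class from the last word of ESET's detection text (assumed labels)."""
    last = detection.rsplit(" ", 1)[-1].lower()
    return last if last in ("application", "trojan") else "other"


def parse_eset_log(text):
    """Return (header dict, list of finding dicts) from an ESET Online Scanner log."""
    header, findings = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key] = value
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # not a finding line (e.g. the downloader banner)
        path, detect_action, digest, flag = fields
        # "<detection> (<action>)" where the action may itself contain parentheses
        detection, _, rest = detect_action.partition(" (")
        action = rest[:-1] if rest.endswith(")") else rest
        findings.append({"path": path, "detection": detection,
                         "action": action, "hash": digest, "flag": flag})
    return header, findings


def summarize(text):
    """Counts by class, Java-cache hits, and deletions still pending a reboot."""
    header, findings = parse_eset_log(text)
    by_class = Counter(classify(f["detection"]) for f in findings)
    java_cache = [f["path"] for f in findings if JAVA_CACHE_MARKER in f["path"].lower()]
    pending = [f["path"] for f in findings if "after the next restart" in f["action"]]
    return {
        "total": len(findings),
        "header_found": int(header.get("found", 0)),
        "consistent": int(header.get("found", -1)) == len(findings),
        "by_class": dict(by_class),
        "java_cache": java_cache,
        "pending_reboot": pending,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} findings (header says {s['header_found']}), classes {s['by_class']}")
    print(f"{len(s['java_cache'])} in the Java deployment cache")
    for p in s["pending_reboot"]:
        print("still on disk until reboot:", p)
```

The split matters for the follow-up: the Java cache entries are downloaders that were dropped by the browser plug-in and are removed by clearing the cache and updating Java, while the two "after the next restart" entries tell the helper that the Hotspot Shield files are still present until the machine is rebooted.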
22.09.2010, 11:33 | #7 |
Here it is (I rebooted once more beforehand!):

info.txt
RSIT Logfile:
Code:
logfile of random's system information tool 1.08 2010-09-22 12:26:56

======Uninstall list======

-->C:\Program Files (x86)\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\Program Files (x86)\Nero\Nero8\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroBackItUp.exe /UNINSTALL
-->C:\Windows\UNNeroMediaHome.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
-->C:\Windows\UNNeroVision.exe /UNINSTALL
-->C:\Windows\UNRecode.exe /UNINSTALL
-->MsiExec /X{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}
µTorrent-->"C:\Program Files (x86)\uTorrent\uTorrent.exe" /UNINSTALL
7-Zip 9.15 beta-->"C:\Program Files (x86)\7-Zip\Uninstall.exe"
Adobe Flash Player 10 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10i_Plugin.exe -maintain plugin
Adobe Reader 9.3.4 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A93000000001}
Adobe Shockwave Player-->C:\Windows\System32\Macromed\SHOCKW~1\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~1\Install.log
Amnesia - The Dark Descent Demo-->"C:\Program Files (x86)\Amnesia - The Dark Descent Demo\unins000.exe"
Apple Application Support-->MsiExec.exe /I{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Ashampoo Magical Optimizer-->"C:\Program Files (x86)\Ashampoo\Ashampoo Magical Optimizer\Uninstall\1406_Uninstall.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files (x86)\Avira\AntiVir Desktop\setup.exe /REMOVE
Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch-->C:\Program Files (x86)\InstallShield Installation Information\{E5141379-B2D9-4BBC-BB2A-5805541571DD}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch-->C:\Program Files (x86)\InstallShield Installation Information\{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F}\setup.exe -runfromtemp -l0x0409
Citrix XenApp Web Plugin-->MsiExec.exe /X{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Compatibility Pack für 2007 Office System-->MsiExec.exe /X{90120000-0020-0407-0000-0000000FF1CE}
Counter-Strike: Source-->"C:\Program Files (x86)\Valve\Steam\steam.exe" steam://uninstall/240
DivX Converter-->C:\Program Files (x86)\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files (x86)\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files (x86)\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FastStone Image Viewer 4.2-->C:\Program Files (x86)\FastStone Image Viewer\uninst.exe
Fraps-->"C:\Fraps\uninstall.exe"
Gigabyte Raid Configurer-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\setup.exe" -l0x7 -removeonly
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Gothic II - Die Nacht des Raben-->C:\PROGRA~2\JoWooD\GOTHIC~1\UNWISE.EXE C:\PROGRA~2\JoWooD\GOTHIC~1\INSTALL.LOG
Gothic II-->C:\PROGRA~2\JoWooD\GOTHIC~1\UNWISE.EXE C:\PROGRA~2\JoWooD\GOTHIC~1\INSTALL.LOG
Grand Theft Auto IV-->"C:\Program Files (x86)\InstallShield Installation Information\{579BA58C-F33D-4970-9953-B94B43768AC3}\setup.exe" -runfromtemp -l0x0007 -removeonly
Grand Theft Auto IV-->MsiExec.exe /I{5454083B-1308-4485-BF17-1110000D8301}
Half-Life(R) 2-->MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->c:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->c:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {08155812-0202-4D5F-A7FF-12A2782DC548} /qb+ REBOOTPROMPT=""
Hotspot Shield 1.49-->C:\Program Files (x86)\Hotspot Shield\Uninstall.exe
Java(TM) 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 21-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
JDownloader-->C:\Program Files (x86)\JDownloader\uninstall.exe
Malwarebytes' Anti-Malware-->"C:\Program Files (x86)\Malwarebytes' Anti-Malware\unins000.exe"
Medieval II Total War-->C:\Program Files (x86)\InstallShield Installation Information\{C0698BDA-0D29-40EE-8570-A31106DF9AB1}\setup.exe -runfromtemp -l0x0007 -removeonly
Microsoft AppLocale-->MsiExec.exe /I{394BE3D9-7F57-4638-A8D1-1D88671913B7}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{8FB1B528-E260-451E-9B55-E9152F94B80B}
Microsoft Games for Windows - LIVE-->MsiExec.exe /X{F97E3841-CA9D-4964-9D64-26066241D26F}
Microsoft Office Live Add-in 1.3-->MsiExec.exe /I{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110407-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Professional mit FrontPage-->MsiExec.exe /I{90280407-6000-11D3-8CFE-0050048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable
- x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4} Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475} Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989} Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729-->MsiExec.exe /X{6AFCA4E1-9B78-3640-8F72-A7BF33448200} Microsoft XNA Framework Redistributable 3.0-->MsiExec.exe /I{3898934B-05AE-41CD-96BE-70DA9BFBCE1F} Mozilla Firefox (3.6.10)-->C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94} MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF} MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF} MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71} MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC} MyMicroBalance-->MsiExec.exe /I{9B219133-CA46-47EF-98E1-AB12E32D53F9} Nero 8-->MsiExec.exe /X{5FCCD531-1B38-4A94-924C-127F722F1031} neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B} NVIDIA PhysX-->MsiExec.exe /X{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA} NVIDIA Stereoscopic 3D Driver-->"C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvStInst.exe" /uninstall /ask ODF Add-in for Microsoft Office-->MsiExec.exe /I{59D1195A-7E64-4120-BB37-F053D9FD45FB} OpenAL-->"C:\Program Files (x86)\OpenAL\oalinst.exe" /U PDF24 Creator-->"C:\Program Files (x86)\pdf24\unins000.exe" Portal-->"C:\Program Files (x86)\Valve\Steam\steam.exe" steam://uninstall/400 PowerDVD-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall PunkBuster Services-->C:\Windows\system32\pbsvc.exe -u QuickTime-->MsiExec.exe /I{EB900AF8-CC61-4E15-871B-98D1EA3E8025} Realtek Ethernet 
Controller Driver For Windows Vista and Later-->C:\Program Files (x86)\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -removeonly Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -removeonly Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A} Shared Add-in Extensibility Update for Microsoft .NET Framework 2.0 (KB908002)-->MsiExec.exe /X{09959E11-AD5D-408E-96AF-E3346954D6B8} Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)-->MsiExec.exe /X{64F3B15C-24C7-4B2B-9B72-65CCBBD7F06B} Shockwave-->C:\Windows\System32\Macromed\SHOCKW~2\UNWISE.EXE C:\Windows\System32\Macromed\SHOCKW~2\Install.log Skype™ 4.2-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36} Source SDK Base - Orange Box-->"C:\Program Files (x86)\Valve\Steam\steam.exe" steam://uninstall/218 Source SDK Base-->"C:\Program Files (x86)\Valve\Steam\steam.exe" steam://uninstall/215 Spelling Dictionaries Support For Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-900000000004} Steam(TM)-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3} Total Commander (Remove or Repair)-->c:\totalcmd\tcuninst.exe TuneUp Utilities-->C:\Program Files (x86)\TuneUp Utilities 2010\TUInstallHelper.exe --Trigger-Uninstall Tunngle beta-->"C:\Program Files (x86)\Tunngle\unins000.exe" TweakNow RegCleaner Standard-->"C:\Program Files (x86)\TweakNow RegCleaner Std\unins000.exe" Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->c:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT="" VCRedistSetup-->MsiExec.exe 
/I{3921A67A-5AB1-4E48-9444-C71814CF3027} VLC media player 1.1.4-->C:\Program Files (x86)\VideoLAN\VLC\uninstall.exe Vuze-->C:\Program Files (x86)\Vuze\uninstall.exe Windows Live Anmelde-Assistent-->MsiExec.exe /I{83E2CFA9-E0EB-4E08-9F85-43E577FF3D60} Windows Live Call-->MsiExec.exe /I{5FC68772-6D56-41C6-9DF1-24E868198AE6} Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52} Windows Live Essentials-->C:\Program Files (x86)\Windows Live\Installer\wlarp.exe Windows Live Essentials-->MsiExec.exe /I{F8FF18EE-264A-43FD-B2F6-5EAD40798C2F} Windows Live Messenger-->MsiExec.exe /X{41E654A9-26D0-4EAC-854B-0FA824FFFABB} Windows Live Sync-->MsiExec.exe /X{ED636101-1959-4360-8BF7-209436E7DEE4} Windows Live-Uploadtool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238} Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4} WinRAR-->C:\Program Files (x86)\WinRAR\uninstall.exe WinSCP 4.0.7-->"C:\Program Files (x86)\WinSCP\unins000.exe" WinZip 11.1-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5} Wolfenstein(TM) 1.1 Patch-->C:\Program Files (x86)\InstallShield Installation Information\{E03B44A3-9237-4B55-B7A5-DB1DD46920D3}\setup.exe -runfromtemp -l0x0409 ZoneAlarm-->C:\Program Files (x86)\Zone Labs\ZoneAlarm\zauninst.exe ======Security center information====== AS: Avira AntiVir PersonalEdition AS: Windows-Defender ======System event log====== Computer Name: MUSTERMANN Event Code: 7036 Message: Dienst "Terminaldienstekonfiguration" befindet sich jetzt im Status "Ausgeführt". Record Number: 244374 Source Name: Service Control Manager Time Written: 20100304122620.000000-000 Event Type: Informationen User: Computer Name: MUSTERMANN Event Code: 7036 Message: Dienst "Zertifikatverteilung" befindet sich jetzt im Status "Ausgeführt". 
Record Number: 244373 Source Name: Service Control Manager Time Written: 20100304122620.000000-000 Event Type: Informationen User: Computer Name: MUSTERMANN Event Code: 7036 Message: Dienst "WinHTTP-Web Proxy Auto-Discovery-Dienst" befindet sich jetzt im Status "Ausgeführt". Record Number: 244372 Source Name: Service Control Manager Time Written: 20100304122620.000000-000 Event Type: Informationen User: Computer Name: MUSTERMANN Event Code: 7036 Message: Dienst "Intelligenter Hintergrundübertragungsdienst" befindet sich jetzt im Status "Ausgeführt". Record Number: 244371 Source Name: Service Control Manager Time Written: 20100304122620.000000-000 Event Type: Informationen User: Computer Name: MUSTERMANN Event Code: 7036 Message: Dienst "Diagnosesystemhost" befindet sich jetzt im Status "Ausgeführt". Record Number: 244370 Source Name: Service Control Manager Time Written: 20100304122620.000000-000 Event Type: Informationen User: =====Application event log===== Computer Name: MUSTERMANN Event Code: 9007 Message: Der Desktopfenster-Manager konnte nicht gestartet werden, da WDDM nicht verwendet wird. Record Number: 30503 Source Name: Desktop Window Manager Time Written: 20081126211111.000000-000 Event Type: Informationen User: Computer Name: MUSTERMANN Event Code: 9002 Message: Der Desktopfenster-Manager konnte nicht gestartet werden. Record Number: 30502 Source Name: Desktop Window Manager Time Written: 20081126211101.000000-000 Event Type: Informationen User: Computer Name: MUSTERMANN Event Code: 8194 Message: Der Wiederherstellungspunkt wurde erfolgreich erstellt (Prozess = C:\Windows\system32\DrvInst.exe "4" "0" "C:\Users\user\{2842e669-557a-4b93-a3bf-be394ce545c7}\nv_disp.inf" "9" "6cf3ca387" "00000000000002F4" "WinSta0\Default" "0000000000000524" "208" "c:\nvidia\winvista64\180.48\is"; Beschreibung = Gerätetreiber-Paketinstallation: NVIDIA Grafikkarte). 
Record Number: 30501 Source Name: System Restore Time Written: 20081126210921.000000-000 Event Type: Informationen User: Computer Name: MUSTERMANN Event Code: 8194 Message: Der Wiederherstellungspunkt wurde erfolgreich erstellt (Prozess = C:\Windows\system32\DrvInst.exe "4" "0" "C:\Users\user\{2842e669-557a-4b93-a3bf-be394ce545c7}\nv_disp.inf" "9" "6cf3ca387" "00000000000002F4" "WinSta0\Default" "0000000000000524" "208" "c:\nvidia\winvista64\180.48\is"; Beschreibung = Gerätetreiber-Paketinstallation: NVIDIA Grafikkarte). Record Number: 30500 Source Name: System Restore Time Written: 20081126210915.000000-000 Event Type: Informationen User: Computer Name: MUSTERMANN Event Code: 103 Message: msnmsgr (4688) \\.\C:\Users\user\AppData\Local\Microsoft\Messenger\mustermann@test.com\SharingMetadata\Working\database_D682_CA65_82CA_4A27\dfsr.db: Das Datenbankmodul hat die Instanz (0) beendet. Record Number: 30499 Source Name: ESENT Time Written: 20081126171017.000000-000 Event Type: Informationen User: =====Security event log===== Computer Name: MUSTERMANN Event Code: 4648 Message: Anmeldeversuch mit expliziten Anmeldeinformationen. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: MUSTERMANN$ Kontodomäne: WORKGROUP Anmelde-ID: 0x3e7 Anmelde-GUID: {00000000-0000-0000-0000-000000000000} Konto, dessen Anmeldeinformationen verwendet wurden: Kontoname: SYSTEM Kontodomäne: NT-AUTORITÄT Anmelde-GUID: {00000000-0000-0000-0000-000000000000} Zielserver: Zielservername: localhost Weitere Informationen: localhost Prozessinformationen: Prozess-ID: 0x298 Prozessname: C:\Windows\System32\services.exe Netzwerkinformationen: Netzwerkadresse: - Port: - Dieses Ereignis wird bei einem Anmeldeversuch durch einen Prozess generiert, wenn ausdrücklich die Anmeldeinformationen des Kontos angegeben werden. Dies ist normalerweise der Fall in Batch-Konfigurationen, z. B. bei geplanten Aufgaben oder wenn der Befehl "runas" verwendet wird. 
Record Number: 83959 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090912105545.274939-000 Event Type: Überwachung erfolgreich User: Computer Name: MUSTERMANN Event Code: 4672 Message: Einer neuen Anmeldung wurden besondere Rechte zugewiesen. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: SYSTEM Kontodomäne: NT-AUTORITÄT Anmelde-ID: 0x3e7 Berechtigungen: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege Record Number: 83958 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090912105545.093939-000 Event Type: Überwachung erfolgreich User: Computer Name: MUSTERMANN Event Code: 4624 Message: Ein Konto wurde erfolgreich angemeldet. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: MUSTERMANN$ Kontodomäne: WORKGROUP Anmelde-ID: 0x3e7 Anmeldetyp: 5 Neue Anmeldung: Sicherheits-ID: S-1-5-18 Kontoname: SYSTEM Kontodomäne: NT-AUTORITÄT Anmelde-ID: 0x3e7 Anmelde-GUID: {00000000-0000-0000-0000-000000000000} Prozessinformationen: Prozess-ID: 0x298 Prozessname: C:\Windows\System32\services.exe Netzwerkinformationen: Arbeitsstationsname: Quellnetzwerkadresse: - Quellport: - Detaillierte Authentifizierungsinformationen: Anmeldeprozess: Advapi Authentifizierungspaket: Negotiate Übertragene Dienste: - Paketname (nur NTLM): - Schlüssellänge: 0 Dieses Ereignis wird beim Erstellen einer Anmeldesitzung generiert. Es wird auf dem Computer generiert, auf den zugegriffen wurde. Die Antragstellerfelder geben das Konto auf dem lokalen System an, von dem die Anmeldung angefordert wurde. Dies ist meistens ein Dienst wie der Serverdienst oder ein lokaler Prozess wie "Winlogon.exe" oder "Services.exe". Das Anmeldetypfeld gibt den jeweiligen Anmeldetyp an. Die häufigsten Typen sind 2 (interaktiv) und 3 (Netzwerk). 
Die Felder für die neue Anmeldung geben das Konto an, für das die Anmeldung erstellt wurde, d. h. das angemeldete Konto. Die Netzwerkfelder geben die Quelle einer Remoteanmeldeanforderung an. der Arbeitsstationsname ist nicht immer verfügbar und kann in manchen Fällen leer bleiben. Die Felder für die Authentifizierungsinformationen enthalten detaillierte Informationen zu dieser speziellen Anmeldeanforderung. - Die Anmelde-GUID ist ein eindeutiger Bezeichner, der verwendet werden kann, um dieses Ereignis mit einem KDC-Ereignis zu korrelieren. - Die übertragenen Dienste geben an, welche Zwischendienste an der Anmeldeanforderung beteiligt waren. - Der Paketname gibt das in den NTLM-Protokollen verwendete Unterprotokoll an. - Die Schlüssellänge gibt die Länge des generierten Sitzungsschlüssels an. Wenn kein Sitzungsschlüssel angefordert wurde, ist dieser Wert 0. Record Number: 83957 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090912105545.093939-000 Event Type: Überwachung erfolgreich User: Computer Name: MUSTERMANN Event Code: 4648 Message: Anmeldeversuch mit expliziten Anmeldeinformationen. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: MUSTERMANN$ Kontodomäne: WORKGROUP Anmelde-ID: 0x3e7 Anmelde-GUID: {00000000-0000-0000-0000-000000000000} Konto, dessen Anmeldeinformationen verwendet wurden: Kontoname: SYSTEM Kontodomäne: NT-AUTORITÄT Anmelde-GUID: {00000000-0000-0000-0000-000000000000} Zielserver: Zielservername: localhost Weitere Informationen: localhost Prozessinformationen: Prozess-ID: 0x298 Prozessname: C:\Windows\System32\services.exe Netzwerkinformationen: Netzwerkadresse: - Port: - Dieses Ereignis wird bei einem Anmeldeversuch durch einen Prozess generiert, wenn ausdrücklich die Anmeldeinformationen des Kontos angegeben werden. Dies ist normalerweise der Fall in Batch-Konfigurationen, z. B. bei geplanten Aufgaben oder wenn der Befehl "runas" verwendet wird. 
Record Number: 83956 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090912105545.093939-000 Event Type: Überwachung erfolgreich User: Computer Name: MUSTERMANN Event Code: 4672 Message: Einer neuen Anmeldung wurden besondere Rechte zugewiesen. Antragsteller: Sicherheits-ID: S-1-5-21-3249559707-4023531275-2317400115-1000 Kontoname: user Kontodomäne: MUSTERMANN Anmelde-ID: 0x5e5e5 Berechtigungen: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege Record Number: 83955 Source Name: Microsoft-Windows-Security-Auditing Time Written: 20090912101751.284939-000 Event Type: Überwachung erfolgreich User: ======Environment variables====== "ComSpec"=%SystemRoot%\system32\cmd.exe "FP_NO_HOST_CHECK"=NO "OS"=Windows_NT "Path"=C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\QuickTime\QTSystem\ "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC "PROCESSOR_ARCHITECTURE"=AMD64 "TEMP"=%SystemRoot%\TEMP "TMP"=%SystemRoot%\TEMP "USERNAME"=SYSTEM "windir"=%SystemRoot% "PROCESSOR_LEVEL"=6 "PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 15 Stepping 11, GenuineIntel "PROCESSOR_REVISION"=0f0b "NUMBER_OF_PROCESSORS"=2 "asl.log"=Destination=file;OnFirstLog=command,environment "PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\ "CLASSPATH"=.;C:\Program Files (x86)\Java\jre6\lib\ext\QTJava.zip "QTJAVA"=C:\Program Files (x86)\Java\jre6\lib\ext\QTJava.zip "tvdumpflags"=8 -----------------EOF----------------- RSIT Logfile: Code:
Logfile of random's system information tool 1.08 (written by random/random)
Run by user at 2010-09-22 12:26:53
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 5 GB (2%) free of 238 GB
Total RAM: 4094 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:26:55, on 22.09.2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\user\Desktop\RSIT.exe
C:\Program Files (x86)\trend micro\user.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mustermann.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.mustermann.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mustermann.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.mustermann.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mustermann.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.mustermann.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - hxxp://www.mustermann.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - hxxp://www.mustermann.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - hxxp://www.mustermann.com
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553525700} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Google Update Service (gupdate1c98d47b52ad115) (gupdate1c98d47b52ad115) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe (file missing)
O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe
O23 - Service: TunngleService - Tunngle.net GmbH - C:\Program Files (x86)\Tunngle\TnglCtrl.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9119 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Anmelde-Hilfsprogramm - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-07-17 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
Hotspot Shield Class - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll [2010-06-23 230448]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avgnt"=C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [2010-03-02 282792]
"ZoneAlarm Client"=C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe [2010-06-28 1043968]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"=C:\Program Files (x86)\Windows Update\Winserv.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"=C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"=C:\Program Files (x86)\Windows Update\Winserv.exe []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"NoActiveDesktopChanges"=1
"ForceActiveDesktopOn"=0
"BindDirectlyToPropertySetStorage"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\SysWOW64\Notepad.exe %1
.js - open - C:\Windows\SysWOW64\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-09-21 22:21:48 ----D---- C:\rsit
2010-09-21 20:55:40 ----A---- C:\Windows\SysWOW64\drivers\mbamswissarmy.sys
2010-09-21 20:55:39 ----D---- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-09-21 20:37:08 ----D---- C:\Program Files (x86)\FastStone Image Viewer
2010-09-21 19:34:45 ----A---- C:\Windows\SysWOW64\vsutil_loc0407.dll
2010-09-21 19:34:42 ----A---- C:\Windows\SysWOW64\vsregexp.dll
2010-09-21 19:33:47 ----A---- C:\Windows\SysWOW64\zlcommdb.dll
2010-09-21 19:33:47 ----A---- C:\Windows\SysWOW64\zlcomm.dll
2010-09-21 19:33:45 ----A---- C:\Windows\SysWOW64\vswmi.dll
2010-09-21 19:33:43 ----D---- C:\Windows\SysWOW64\ZoneLabs
2010-09-21 19:33:43 ----A---- C:\Windows\SysWOW64\zpeng25.dll
2010-09-21 19:33:43 ----A---- C:\Windows\SysWOW64\vsxml.dll
2010-09-21 19:33:43 ----A---- C:\Windows\SysWOW64\vspubapi.dll
2010-09-21 19:33:43 ----A---- C:\Windows\SysWOW64\vsmonapi.dll
2010-09-21 19:33:42 ----A---- C:\Windows\SysWOW64\vsdata.dll
2010-09-21 19:31:02 ----A---- C:\Windows\SysWOW64\vsutil.dll
2010-09-21 19:31:02 ----A---- C:\Windows\SysWOW64\vsinit.dll
2010-09-21 18:55:19 ----D---- C:\Program Files (x86)\Zone Labs
2010-09-21 18:55:12 ----D---- C:\Windows\Internet Logs
2010-09-21 18:55:12 ----D---- C:\ProgramData\CheckPoint
2010-09-21 18:35:53 ----D---- C:\Program Files (x86)\Trend Micro
2010-09-21 16:02:48 ----D---- C:\Users\user\AppData\Roaming\Malwarebytes
2010-09-21 16:02:35 ----D---- C:\ProgramData\Malwarebytes
2010-09-21 15:54:17 ----A---- C:\autoexec.bat
2010-09-21 15:53:30 ----D---- C:\Windows\95431C66CF9A4913BFFF6050785AFB65.TMP
2010-09-21 15:47:26 ----D---- C:\Users\user\AppData\Roaming\Uniblue
2010-09-18 11:15:29 ----D---- C:\Program Files (x86)\Amnesia - The Dark Descent Demo
2010-09-15 09:18:05 ----A---- C:\Windows\SysWOW64\MP4SDECD.DLL
2010-09-15 09:17:59 ----A---- C:\Windows\SysWOW64\inetcomm.dll
2010-09-15 09:17:58 ----A---- C:\Windows\SysWOW64\usp10.dll
2010-09-12 15:34:29 ----D---- C:\Users\user\AppData\Roaming\vlc
2010-09-12 10:53:13 ----D---- C:\Program Files (x86)\JoWooD
2010-09-08 13:19:33 ----D---- C:\Windows\usgwmt
2010-09-06 15:39:41 ----D---- C:\Hotspot Shield
2010-09-06 15:39:39 ----D---- C:\Program Files (x86)\Hotspot Shield
2010-08-29 18:02:35 ----D---- C:\Fraps
2010-08-27 11:33:29 ----A---- C:\Windows\SysWOW64\uxtuneup.dll
2010-08-27 11:33:24 ----A---- C:\Windows\SysWOW64\authuitu.dll
2010-08-26 22:45:40 ----D---- C:\Program Files (x86)\QuickTime

======List of files/folders modified in the last 1 months======

2010-09-22 12:26:53 ----D---- C:\Windows\Temp
2010-09-22 12:26:53 ----D---- C:\Windows\Prefetch
2010-09-22 12:20:53 ----D---- C:\ProgramData\NVIDIA
2010-09-22 12:20:27 ----SHD---- C:\System Volume Information
2010-09-22 12:16:19 ----D---- C:\Program Files (x86)
2010-09-22 10:50:32 ----A---- C:\Windows\NeroDigital.ini
2010-09-21 23:46:17 ----D---- C:\Users\user\AppData\Roaming\Azureus
2010-09-21 20:55:40 ----D---- C:\Windows\SysWOW64\drivers
2010-09-21 20:02:48 ----D---- C:\Windows\System32
2010-09-21 20:02:48 ----D---- C:\Windows\inf
2010-09-21 19:34:47 ----D---- C:\Windows\SysWOW64
2010-09-21 19:34:39 ----D---- C:\Windows
2010-09-21 19:34:28 ----D---- C:\Windows\winsxs
2010-09-21 18:55:12 ----HD---- C:\ProgramData
2010-09-21 18:35:54 ----SHD---- C:\Windows\Installer
2010-09-21 18:22:14 ----D---- C:\Users\user\AppData\Roaming\Desktopicon
2010-09-21 16:07:40 ----D---- C:\Users\user\AppData\Roaming\uTorrent
2010-09-21 15:53:29 ----D---- C:\Program Files (x86)\Common Files\Wise Installation Wizard
2010-09-21 15:51:43 ----D---- C:\Windows\Tasks
2010-09-21 11:57:12 ----D---- C:\Windows\registration
2010-09-21 11:57:12 ----D---- C:\Users\user\AppData\Roaming\dvdcss
2010-09-21 11:57:12 ----D---- C:\Program Files (x86)\MyMicroBalance
2010-09-21 09:32:50 ----D---- C:\Users\user\AppData\Roaming\Skype
2010-09-21 09:08:50 ----D---- C:\Users\user\AppData\Roaming\skypePM
2010-09-20 15:20:20 ----RD---- C:\Users
2010-09-19 20:54:38 ----RD---- C:\Program Files
2010-09-19 14:19:44 ----RSD---- C:\Windows\assembly
2010-09-17 09:31:33 ----D---- C:\Program Files (x86)\Mozilla Firefox
2010-09-15 09:24:15 ----D---- C:\Program Files (x86)\Windows Mail
2010-09-15 09:23:44 ----A---- C:\Windows\win.ini
2010-09-11 21:07:53 ----D---- C:\ProgramData\Tunngle
2010-09-11 21:07:52 ----D---- C:\Users\user\AppData\Roaming\Tunngle
2010-09-08 11:34:11 ----D---- C:\Program Files (x86)\iTunes
2010-09-08 11:33:37 ----D---- C:\Program Files (x86)\Common Files\Apple
2010-09-08 11:32:55 ----D---- C:\Program Files (x86)\JDownloader
2010-09-06 14:42:13 ----D---- C:\Windows\AppPatch
2010-09-06 14:35:00 ----SHD---- C:\Boot
2010-09-06 14:12:50 ----D---- C:\ProgramData\NOS
2010-09-03 06:41:17 ----D---- C:\Program Files (x86)\Microsoft Silverlight
2010-08-29 20:34:11 ----A---- C:\Windows\SysWOW64\PnkBstrB.exe
2010-08-27 11:33:20 ----D---- C:\Program Files (x86)\TuneUp Utilities 2010
2010-08-26 16:52:59 ----A---- C:\Windows\SysWOW64\PerfStringBackup.INI
2010-08-25 21:40:07 ----SD---- C:\Windows\Downloaded Program Files

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 JGOGO;JMicron Hot-Plug Driver; C:\Windows\system32\DRIVERS\JGOGO.sys []
R0 JRAID;JRAID; C:\Windows\system32\DRIVERS\jraid.sys []
R0 sptd;sptd; C:\Windows\System32\Drivers\sptd.sys []
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys []
R1 Vsdatant;Zone Alarm Firewall Driver; C:\Windows\system32\DRIVERS\vsdatant.sys []
R2 atksgt;atksgt; C:\Windows\system32\DRIVERS\atksgt.sys []
R2 avgntflt;avgntflt; C:\Windows\system32\DRIVERS\avgntflt.sys []
R2 lirsgt;lirsgt; C:\Windows\system32\DRIVERS\lirsgt.sys []
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys []
R3 HssDrv;Hotspot Shield Helper Miniport; C:\Windows\system32\DRIVERS\HssDrv.sys []
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys []
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys []
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh64.sys []
R3 tap0901t;TAP-Win32 Adapter V9 (Tunngle); C:\Windows\system32\DRIVERS\tap0901t.sys []
R3 taphss;Anchorfree HSS Adapter; C:\Windows\system32\DRIVERS\taphss.sys []
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv; \??\C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesDriver64.sys [2009-10-14 11856]
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver; C:\Windows\system32\drivers\WmBEnum.sys []
R3 WmXlCore;Logitech Translation Layer Driver; C:\Windows\system32\drivers\WmXlCore.sys []
S3 acmx01xs;acmx01xs; C:\Windows\SysWOW64\drivers\acmx01xs.sys []
S3 CrystalSysInfo;CrystalSysInfo; \??\C:\Program Files (x86)\MediaCoder\SysInfoX64.sys []
S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys []
S3 ENTECH64;ENTECH64; \??\C:\Windows\system32\DRIVERS\ENTECH64.sys []
S3 esgiguard;esgiguard; \??\C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys []
S3 gdrv;gdrv; \??\C:\Windows\gdrv.sys [2007-09-10 22336]
S3 hamachi;Hamachi Network Interface; C:\Windows\system32\DRIVERS\hamachi.sys []
S3 HdAudAddService;Microsoft 1.1 UAA-Funktionstreiber für High Definition Audio-Dienst; C:\Windows\system32\drivers\HdAudio.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys []
S3 MSPCLOCK;Microsoft Proxy für Streaming Clock; C:\Windows\system32\drivers\MSPCLOCK.sys []
S3 MSPQM;Microsoft Proxy für Streaming Quality Manager; C:\Windows\system32\drivers\MSPQM.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\Windows\system32\drivers\MSTEE.sys []
S3 SANDRA;SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Sandra.sys []
S3 USBAAPL64;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl64.sys []
S3 vsdatant7;vsdatant7; C:\Windows\System32\drivers\vsdatant.win7.sys []
S3 WmFilter;Logitech Gaming HID Filter Driver;
C:\Windows\system32\drivers\WmFilter.sys [] S3 WmVirHid;Logitech Virtual Hid Device Driver; C:\Windows\system32\drivers\WmVirHid.sys [] S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [] S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [] S3 xusb21;Xbox 360 Wireless Receiver Driver Service 21; C:\Windows\system32\DRIVERS\xusb21.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 AntiVirSchedulerService;Avira AntiVir Planer; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336] R2 AntiVirService;Avira AntiVir Guard; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-04-19 267432] R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-08-13 144672] R2 Bonjour Service;Dienst "Bonjour"; C:\Program Files (x86)\Bonjour\mDNSResponder.exe [2010-05-18 345376] R2 HssSrv;Hotspot Shield Routing Service; C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe [2010-06-23 348208] R2 HssWd;Hotspot Shield Monitoring Service; C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe [2010-06-23 322608] R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [] R2 PnkBstrA;PnkBstrA; C:\Windows\system32\PnkBstrA.exe [2010-07-29 75064] R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936] R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service; C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe [2010-08-26 1403200] R2 TunngleService;TunngleService; C:\Program Files (x86)\Tunngle\TnglCtrl.exe [2010-06-24 715512] R2 UxTuneUp;@%SystemRoot%\System32\uxtuneup.dll,-4096; C:\Windows\System32\svchost.exe [2008-01-19 21504] R2 vsmon;TrueVector Internet Monitor; C:\Windows\SysWOW64\ZoneLabs\vsmon.exe [2010-06-28 2435592] S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN 
v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384] S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576] S2 gupdate1c98d47b52ad115;Google Update Service (gupdate1c98d47b52ad115); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-02-12 133104] S2 HotspotShieldService;Hotspot Shield Service; C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe [] S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504] S3 HssTrayService;Hotspot Shield Tray Service; C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE [2010-07-27 57640] S3 iPod Service;iPod-Dienst; C:\Program Files\iPod\bin\iPodService.exe [2010-09-01 932640] S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136] S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-19 19968] S3 Steam Client Service;Steam Client Service; C:\Program Files (x86)\Common Files\Steam\SteamService.exe [2010-03-03 332720] S3 TuneUp.Defrag;@C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe,-1; C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe [2010-08-27 607040] S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768] S4 EPSON_PM_RPCV4_01;EPSON V3 Service4(01); C:\ProgramData\EPSON\EPW!3 SSRP\E_S30RP1.EXE [2006-04-18 102400] S4 IDriverT;InstallDriver Table Manager; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632] S4 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3; C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe [2007-12-03 869672] S4 NMIndexingService;NMIndexingService; 
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe [2007-12-13 447784] S4 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe [2005-08-08 167936] -----------------EOF----------------- |
22.09.2010, 11:52 | #8 |
/// Helfer-Team | Trojan "Winserv.exe" caught Fix these two entries with HijackThis. Open HijackThis, do a system scan, tick the entries, click "fix checked" and then reboot. Please post a new HijackThis logfile. I just want to see whether the process restores itself on its own.
O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe |
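The check the helper describes (fix the two autostart entries, reboot, re-scan and see whether they come back) can be done mechanically on the logfiles. The following is an added example, not code from this thread or from HijackThis: it parses HijackThis O4 lines, flags the Policies\Explorer\Run location and the fake "Windows Update" folder, and diffs two scans; the sample entries are constructed from the lines quoted in the thread, and the avgnt entry in the "before" list is an assumption.

```python
"""Parse HijackThis O4 (autostart) lines and compare two scans.

Added example for this thread, not code from the forum or from HijackThis.
Sample entries are constructed from the O4 lines quoted in the thread (the
avgnt entry in the "before" list is assumed to have been in the first scan).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One O4 line, e.g.
#   O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\...\Winserv.exe
#   O4 - HKUS\S-1-5-19\..\Run: [Sidebar] ...\Sidebar.exe /detectMem (User 'X')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# First executable in the command line: optionally quoted, ends in .exe
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)

@dataclass
class AutorunEntry:
    hive: str
    key: str
    name: str
    command: str
    user: Optional[str] = None

    @property
    def exe_path(self) -> str:
        m = EXE_RE.match(self.command)
        return m.group("path") if m else self.command

    @property
    def identity(self) -> Tuple[str, str, str, str]:
        # What "the same entry" means when two scans are compared.
        return (self.hive, self.key.lower(), self.name.lower(), self.exe_path.lower())

def parse_o4(line: str) -> Optional[AutorunEntry]:
    """Return the parsed entry, or None if the line is not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return AutorunEntry(m["hive"], m["key"], m["name"], m["command"], m["user"])

def suspicious_reasons(entry: AutorunEntry) -> List[str]:
    """Why a defender should look twice at this entry (empty list = nothing)."""
    reasons = []
    # Policies\Explorer\Run is a policy-driven autostart key that ordinary
    # installers almost never write; malware uses it for persistence.
    if entry.key.lower().endswith(r"policies\explorer\run"):
        reasons.append("autostart via Policies\\Explorer\\Run")
    # Windows Update does not live under Program Files (x86); a folder named
    # after a Windows component there is a red flag.
    if "\\program files (x86)\\windows update\\" in entry.exe_path.lower():
        reasons.append("executable in a fake 'Windows Update' folder")
    return reasons

def compare_scans(before: List[str], after: List[str]) -> Dict[str, List[AutorunEntry]]:
    """Classify O4 entries as removed, persisted or new between two scans."""
    old = {e.identity: e for e in map(parse_o4, before) if e}
    new = {e.identity: e for e in map(parse_o4, after) if e}
    return {
        "removed": [old[k] for k in old if k not in new],
        "persisted": [new[k] for k in new if k in old],
        "new": [new[k] for k in new if k not in old],
    }

# Constructed sample data: the first scan (with the two entries fixed in #8)
# and the O4 section of the re-scan posted afterwards.
BEFORE_FIX = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O4 - HKLM\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe",
    r"O4 - HKCU\..\Policies\Explorer\Run: [Policies] C:\Program Files (x86)\Windows Update\Winserv.exe",
]
AFTER_FIX = [
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min',
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe",
    r"O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')",
]

if __name__ == "__main__":
    for status, entries in compare_scans(BEFORE_FIX, AFTER_FIX).items():
        for e in entries:
            flags = "; ".join(suspicious_reasons(e)) or "-"
            print(f"{status:9} {e.hive}\\..\\{e.key} [{e.name}] {e.exe_path}  {flags}")
```

An entry that shows up under "persisted" or "new" with a non-empty flag list after the fix-and-reboot cycle is the sign the helper is looking for: something is re-creating the autostart.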
22.09.2010, 12:21 | #9 |
| Trojan "Winserv.exe" caught Seems like they're gone now... Code:
ATTFilter Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 13:18:04, on 22.09.2010 Platform: Windows Vista SP2 (WinNT 6.00.1906) MSIE: Internet Explorer v8.00 (8.00.6001.18943) Boot mode: Normal Running processes: C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files (x86)\Mozilla Firefox\firefox.exe C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mustermann.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.mustermann.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.mustermann.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.mustermann.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.mustermann.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.mustermann.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll O2 - BHO: Hotspot Shield Class - 
{F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE.dll O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - hxxp://www.mustermann.com/ O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - hxxp://www.mustermann.com/ O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - hxxp://www.mustermann.com/ O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Updater) - https://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553525700} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O18 - Protocol: skype4com - 
{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing) O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing) O23 - Service: Google Update Service (gupdate1c98d47b52ad115) (gupdate1c98d47b52ad115) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\openvpnas.exe (file missing) O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files (x86)\Hotspot Shield\HssWPR\hsssrv.exe O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\HssTrayService.EXE O23 - Service: Hotspot Shield Monitoring Service (HssWd) - Unknown owner - C:\Program Files (x86)\Hotspot Shield\bin\hsswd.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing) O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing) O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing) O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing) O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing) O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing) O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing) O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe O23 - Service: @C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpDefragService.exe O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe O23 - Service: 
TunngleService - Tunngle.net GmbH - C:\Program Files (x86)\Tunngle\TnglCtrl.exe O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing) O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\SysWOW64\ZoneLabs\vsmon.exe O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing) O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing) O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing) -- End of file - 8908 bytes |
22.09.2010, 15:03 | #10 |
/// Helfer-Team | Trojan "Winserv.exe" caught Looks like it. Please keep an eye on it, scan again in a few days and look for the two processes. What about the problems? |
22.09.2010, 15:33 | #11 |
| Trojan "Winserv.exe" caught OK, will do. Basically I have no problems at all at the moment. Performance seems normal (browsing, gaming, videos, etc.). It also boots up and shuts down normally. |
22.09.2010, 15:40 | #12 |
/// Helfer-Team | Trojan "Winserv.exe" caught OK, get in touch again if you run into problems. |
22.09.2010, 16:21 | #13 |
| Trojan "Winserv.exe" caught Will do, and thanks again! |
22.09.2010, 16:23 | #14 |
/// Helfer-Team | Trojan "Winserv.exe" caught Scratch that. We still have to get rid of the little piece of cr... that we fixed. Please download and run SUPERAntiSpyware as described in the guide. Post the log. |
22.09.2010, 19:09 | #15 |
| Trojan "Winserv.exe" caught
Code:
ATTFilter SUPERAntiSpyware Scan Log hxxp://www.superantispyware.com Generated 09/22/2010 at 07:57 PM Application Version : 4.43.1000 Core Rules Database Version : 5556 Trace Rules Database Version: 3368 Scan type : Complete Scan Total Scan Time : 02:11:56 Memory items scanned : 504 Memory threats detected : 0 Registry items scanned : 15149 Registry threats detected : 0 File items scanned : 211341 File threats detected : 75 Adware.Tracking Cookie C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@apmebf[1].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@atdmt[2].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@tradedoubler[2].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@doubleclick[1].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@adfarm1.adition[2].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@msnportal.112.2o7[1].txt C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\user@zanox[1].txt mustermann.com [ C:\Users\Gast\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\V57L4CSR ] mustermann.com [ C:\Users\Gast\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\V57L4CSR ] mustermann.com [ C:\Users\Gast\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\V57L4CSR ] mustermann.com [ C:\Users\Gast\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\V57L4CSR ] mustermann.com [ C:\Users\Gast\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\V57L4CSR ] mustermann.com [ C:\Users\Gast\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\V57L4CSR ] mustermann.com [ C:\Users\Gast\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\V57L4CSR ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ 
C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] macromedia.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash 
Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ 
C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] mustermann.com [ C:\Users\user\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6BC8KB9E ] |