Trojaner-Board - HJT Log und EScan log

Ah, Danke. Die Find.bat ist nicht zufällig die selbe, wie beim Vundo Tool?

Ich habe das HJT als normaler User angewendet, ich weiß ja nicht, ob es wichtig ist, es als Admin laufen zu lassen (System et.)

Wegen der find.bat schaue ich nochmal unter eScan im Forum nach

Malewarebytes auch als Admin oder als normaler User?

Hab hier vom Dr. Web Link Checker eine Warnmeldung bekommen, als ich den Downloadlink von Silentrunner.vbs checkte.. probably Virus Batch.virus suspicious - hm....

Hier hab ich noch das Combofix Log von gestern (als Admin)

Code:

ComboFix 08-06-01.6 - Administrator 11.06.2008 19:43:54.5 - NTFSx86

ausgeführt von:: C:\Dokumente und Einstellungen\Administrator\Desktop\ComboFix.exe
 
 WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
 

(((((((((((((((((((((((   Dateien erstellt von 2008-05-11 bis 2008-06-11  ))))))))))))))))))))))))))))))

.
 

2008-06-11 19:44 . 11.06.08 19:44         16,384        --a----t-        C:\WINNT\system32\Perflib_Perfdata_404.dat

2008-06-11 18:58 . 11.06.08 18:58         <DIR>        d--------        C:\Dokumente und 
 

Einstellungen\Administrator\Anwendungsdaten\Thunderbird

2008-06-06 20:05 . 06.06.08 20:05         16,384        --a----t-        C:\WINNT\system32\Perflib_Perfdata_448.dat

2008-06-06 20:02 . 06.06.08 20:02         <DIR>        d--------        C:\Programme\Digital Camera

2008-06-06 20:02 . 17.03.04 07:00         114,688        --a------        C:\WINNT\system32\JpegCode.dll

2008-06-06 20:02 . 17.03.04 06:59         46,944        --a------        C:\WINNT\system32\drivers\CoachUsb.sys

2008-06-06 20:02 . 17.03.04 07:00         44,256        --a------        C:\WINNT\system32\drivers\CoachVc.sys

2008-06-06 20:02 . 17.03.04 06:59         16,896        --a------        C:\WINNT\system32\CoachDlg.dll

2008-06-06 20:02 . 17.03.04 07:00         8,192        --a------        C:\WINNT\system32\CoachWrp.dll

2008-06-06 20:02 . 17.03.04 06:59         5,632        --a------        C:\WINNT\system32\CoachSti.dll

2008-06-06 19:54 . 06.06.08 19:54         8,192        --a------        C:\WINNT\REGLOCS.OLD

2008-06-02 03:19 . 11.06.08 17:37         919,528        ---h-----        C:\WINNT\ShellIconCache

2008-05-31 03:51 . 31.05.08 03:51         <DIR>        d--------        C:\Dokumente und Einstellungen\All 
 

Users\Anwendungsdaten\Downloaded Installations

2008-05-26 22:23 . 26.05.08 22:23         <DIR>        d--------        C:\Dokumente und 
 

Einstellungen\user\Anwendungsdaten\Malwarebytes

2008-05-23 04:30 . 23.05.08 04:30         <DIR>        d--------        C:\Dokumente und 
 

Einstellungen\Administrator\Anwendungsdaten\Malwarebytes

2008-05-23 04:26 . 23.05.08 04:26         <DIR>        d--------        C:\Dokumente und Einstellungen\All 
 

Users\Anwendungsdaten\Malwarebytes

2008-05-23 04:26 . 10.06.08 19:02         34,296        --a------        C:\WINNT\system32\drivers\mbamcatchme.sys

2008-05-23 04:26 . 10.06.08 19:02         15,864        --a------        C:\WINNT\system32\drivers\mbam.sys

2008-05-22 16:42 . 22.05.08 16:42         <DIR>        d--------        C:\Programme\Trend Micro

2008-05-16 04:31 . 16.05.08 04:31         <DIR>        d--------        C:\Dokumente und 
 

Einstellungen\Administrator\Anwendungsdaten\ArcSoft
 

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-06-06 19:46        ---------        d-----w        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\OpenOffice.org2

2008-06-04 20:07        ---------        d-----w        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Canon

2008-06-02 00:12        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Wise Installation Wizard

2008-06-01 18:01        ---------        d-----w        C:\Dokumente und Einstellungen\user\Anwendungsdaten\OpenOffice.org2

2008-05-30 20:10        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SiteAdvisor

2008-05-28 18:30        ---------        d-----w        C:\Dokumente und Einstellungen\user\Anwendungsdaten\Canon

2008-05-23 02:17        ---------        d-----w        C:\Programme\Sierra On-Line

2008-05-23 02:17        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\fssg

2008-05-16 01:58        ---------        d--h--w        C:\Programme\InstallShield Installation Information

2008-05-16 01:20        ---------        d-----w        C:\Programme\Gemeinsame Dateien\InstallShield

2008-05-07 21:01        ---------        d-----w        C:\Programme\Java

2008-04-30 20:33        1,228,288        ----a-w        C:\WINNT\system32\quartz.dll

2008-04-21 17:01        ---------        d-----w        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\wcpuid

2008-04-21 00:48        ---------        d-----w        C:\Programme\Paragon Software

2008-04-18 08:00        582,144        ----a-w        C:\WINNT\system32\WININET.DLL

2008-03-30 19:11        21,840        ----atw        C:\WINNT\system32\SIntfNT.dll

2008-03-30 19:11        17,212        ----atw        C:\WINNT\system32\SIntf32.dll

2008-03-30 19:11        12,067        ----atw        C:\WINNT\system32\SIntf16.dll

2008-03-27 07:06        355,104        ----a-w        C:\WINNT\system32\msxbde40.dll

2008-03-27 07:05        838,432        ----a-w        C:\WINNT\system32\mswdat10.dll

2008-03-27 07:05        264,992        ----a-w        C:\WINNT\system32\mstext40.dll

2008-03-27 07:04        559,904        ----a-w        C:\WINNT\system32\msrepl40.dll

2008-03-27 07:04        432,928        ----a-w        C:\WINNT\system32\msrd2x40.dll

2008-03-27 07:04        322,336        ----a-w        C:\WINNT\system32\msrd3x40.dll

2008-03-27 07:03        355,104        ----a-w        C:\WINNT\system32\mspbde40.dll

2008-03-27 07:03        248,608        ----a-w        C:\WINNT\system32\msjtes40.dll

2008-03-27 07:03        219,936        ----a-w        C:\WINNT\system32\msltus40.dll

2008-03-27 07:02        60,192        ----a-w        C:\WINNT\system32\msjter40.dll

2008-03-27 07:02        355,112        ----a-w        C:\WINNT\system32\msjetoledb40.dll

2008-03-27 07:01        1,516,568        ----a-w        C:\WINNT\system32\msjet40.dll

2008-03-27 07:00        518,944        ----a-w        C:\WINNT\system32\msexch40.dll

2008-03-27 07:00        326,432        ----a-w        C:\WINNT\system32\msexcl40.dll

2008-03-27 06:59        621,344        ----a-w        C:\WINNT\system32\mswstr10.dll

2008-03-27 06:59        187,168        ----a-w        C:\WINNT\system32\msjint40.dll

2008-03-20 10:22        1,644,240        ----a-w        C:\WINNT\system32\WIN32K.SYS

2008-01-19 17:08        47,360        ----a-w        C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\pcouffin.sys

2006-02-22 20:39        271        ---h--w        C:\Programme\desktop.ini

2006-02-22 20:39        22,080        -c-h--w        C:\Programme\folder.htt

2001-11-23 04:08        712,704        -c--a-w        C:\WINNT\inf\OTHER\AUDIO3D.DLL

1999-12-10 12:00        32,528        ----a-w        C:\WINNT\inf\wbfirdma.sys

.
 

------- Sigcheck -------
 

10.12.99 14:00   7952  094f0e779faecb9452ce5cda48e6fedf        C:\WINNT\system32\svchost.exe

10.12.99 14:00   7952  094f0e779faecb9452ce5cda48e6fedf        C:\WINNT\system32\dllcache\svchost.exe
 

06.03.07 13:17   381712  3ae4fac4d8fc34f75d7cffb20cf1ec55        C:\WINNT\system32\USER32.DLL

06.03.07 13:17   381712  3ae4fac4d8fc34f75d7cffb20cf1ec55        C:\WINNT\system32\dllcache\USER32.DLL
 

19.06.03 21:05   69904  ab896539533a697d7e8de7099855b6be        C:\WINNT\system32\ws2_32.dll
 

13.04.07 10:31   582144  59197144fd1dda211ba18f2eb4b33ec9        
 

C:\WINNT\$NtUninstallKB942615-IE6SP1-20071029.120000$\wininet.dll

11.10.07 17:12   582144  b0c136a49d5a35d08c06771ee2e0324f        
 

C:\WINNT\$NtUninstallKB944533-IE6SP1-20071210.120000$\wininet.dll

10.12.07 19:08   582144  716e24da1edcbb353bcf7cbb0de8f44e        
 

C:\WINNT\$NtUninstallKB947864-IE6SP1-20080215.120000$\wininet.dll

15.02.08 16:18   582144  47bf7ae60925b3f477b7c5ff9ecb65aa        
 

C:\WINNT\$NtUninstallKB950759-IE6SP1-20080418.120000$\wininet.dll

18.04.08 10:00   582144  f51423b65ccc1d7a68233713019d7be8        
 

C:\WINNT\SoftwareDistribution\Download\7450d635164387a9fafbb00cef894b8a\rtmgdr\wininet.dll

18.04.08 19:01   594432  83c93de045d2c2bf0f39348808926a9a        
 

C:\WINNT\SoftwareDistribution\Download\7450d635164387a9fafbb00cef894b8a\RTMQFE\wininet.dll

18.04.08 10:00   582144  f51423b65ccc1d7a68233713019d7be8        C:\WINNT\system32\WININET.DLL

18.04.08 10:00   582144  f51423b65ccc1d7a68233713019d7be8        C:\WINNT\system32\dllcache\WININET.DLL
 

12.05.05 12:25   320176  4800519c7b6a6fa2212f1f14781430a6        C:\WINNT\$NtUninstallKB917953$\tcpip.sys

25.04.06 15:38   320336  0f62ffcd1c136103d7ea57e5b2b30994        C:\WINNT\$NtUninstallKB941644$\tcpip.sys

05.10.07 08:54   320368  ba4fb02d2149e12c87f24e6700b060d4        C:\WINNT\system32\dllcache\tcpip.sys

05.10.07 08:54   320368  ba4fb02d2149e12c87f24e6700b060d4        C:\WINNT\system32\drivers\tcpip.sys
 

03.06.05 08:37   190224  56e6fe4ded78ffd01679d467746a16f3        C:\WINNT\system32\WINLOGON.EXE

03.06.05 08:37   190224  56e6fe4ded78ffd01679d467746a16f3        C:\WINNT\system32\dllcache\WINLOGON.EXE
 

19.06.03 21:05   170928  fb4f2d0595bd3546a4dd915e4a9b4809        C:\WINNT\system32\drivers\ndis.sys
 
 

06.03.07 06:02   1715776  2ab5aad167fdaf224605d0000757024c        C:\WINNT\Driver Cache\i386\ntkrnlpa.exe

06.03.07 06:02   1715776  2ab5aad167fdaf224605d0000757024c        C:\WINNT\system32\NTKRNLPA.EXE

06.03.07 06:02   1715776  2ab5aad167fdaf224605d0000757024c        C:\WINNT\system32\dllcache\ntkrnlpa.exe
 

06.03.07 06:02   1693120  9e622f1c521db8eb45043e85a5dc5b12        C:\WINNT\Driver Cache\i386\ntoskrnl.exe

06.03.07 06:02   1693120  9e622f1c521db8eb45043e85a5dc5b12        C:\WINNT\system32\NTOSKRNL.EXE

06.03.07 06:02   1693120  9e622f1c521db8eb45043e85a5dc5b12        C:\WINNT\system32\dllcache\ntoskrnl.exe
 

19.06.03 21:05   245008  9a067872f0a9dc15e93dbefc9e1453a7        C:\WINNT\explorer.exe
 

03.06.05 08:37   92944  7ee4620bcf2d2fcf6ab535bf805caf96        C:\WINNT\system32\SERVICES.EXE

03.06.05 08:37   92944  7ee4620bcf2d2fcf6ab535bf805caf96        C:\WINNT\system32\dllcache\services.exe
 

03.06.05 08:36   39184  664aa4a6ef3cf6416bc571847830f58d        C:\WINNT\system32\LSASS.EXE

03.06.05 08:36   39184  664aa4a6ef3cf6416bc571847830f58d        C:\WINNT\system32\dllcache\lsass.exe
 

.

(((((((((((((((((((((((((((((   snapshot@Do 05.06.2008_ 2.44.04,50   )))))))))))))))))))))))))))))))))))))))))

.

- 2008-02-15 14:18:08        1,018,368        ----a-w        C:\WINNT\system32\BROWSEUI.DLL

+ 2008-04-18 07:59:34        1,018,368        ----a-w        C:\WINNT\system32\BROWSEUI.DLL

- 2008-02-15 14:18:12        144,384        ----a-w        C:\WINNT\system32\CDFVIEW.DLL

+ 2008-04-18 07:59:38        144,384        ----a-w        C:\WINNT\system32\CDFVIEW.DLL

- 2007-12-06 15:06:06        1,056,256        ----a-w        C:\WINNT\system32\DANIM.DLL

+ 2008-02-15 23:59:22        1,056,256        ----a-w        C:\WINNT\system32\DANIM.DLL

- 2008-02-15 14:18:08        1,018,368        -c--a-w        C:\WINNT\system32\dllcache\BROWSEUI.DLL

+ 2008-04-18 07:59:34        1,018,368        -c--a-w        C:\WINNT\system32\dllcache\BROWSEUI.DLL

- 2008-02-15 14:18:12        144,384        -c--a-w        C:\WINNT\system32\dllcache\CDFVIEW.DLL

+ 2008-04-18 07:59:38        144,384        -c--a-w        C:\WINNT\system32\dllcache\CDFVIEW.DLL

- 2007-12-06 15:06:06        1,056,256        -c--a-w        C:\WINNT\system32\dllcache\DANIM.DLL

+ 2008-02-15 23:59:22        1,056,256        -c--a-w        C:\WINNT\system32\dllcache\DANIM.DLL

- 2008-02-15 09:16:30        351,744        -c--a-w        C:\WINNT\system32\dllcache\DXTMSFT.DLL

+ 2008-04-18 06:54:54        351,744        -c--a-w        C:\WINNT\system32\dllcache\DXTMSFT.DLL

- 2008-02-15 09:16:28        192,512        -c--a-w        C:\WINNT\system32\dllcache\DXTRANS.DLL

+ 2008-04-18 06:54:52        192,512        -c--a-w        C:\WINNT\system32\dllcache\DXTRANS.DLL

- 2008-02-15 14:18:16        236,032        -c--a-w        C:\WINNT\system32\dllcache\IEPEERS.DLL

+ 2008-04-18 07:59:42        236,032        -c--a-w        C:\WINNT\system32\dllcache\IEPEERS.DLL

- 2008-02-15 14:18:16        70,144        -c--a-w        C:\WINNT\system32\dllcache\INSENG.DLL

+ 2008-04-18 07:59:44        70,144        -c--a-w        C:\WINNT\system32\dllcache\INSENG.DLL

- 2008-02-15 09:16:56        12,288        -c--a-w        C:\WINNT\system32\dllcache\JSPROXY.DLL

+ 2008-04-18 06:55:22        12,288        -c--a-w        C:\WINNT\system32\dllcache\JSPROXY.DLL

- 2008-02-15 14:18:20        2,705,408        -c--a-w        C:\WINNT\system32\dllcache\MSHTML.DLL

+ 2008-04-18 07:59:48        2,705,408        -c--a-w        C:\WINNT\system32\dllcache\MSHTML.DLL

- 2008-02-15 14:18:24        132,096        -c--a-w        C:\WINNT\system32\dllcache\MSRATING.DLL

+ 2008-04-18 07:59:52        132,096        -c--a-w        C:\WINNT\system32\dllcache\MSRATING.DLL

- 2008-02-15 14:18:24        498,176        -c--a-w        C:\WINNT\system32\dllcache\MSTIME.DLL

+ 2008-04-18 07:59:54        498,176        -c--a-w        C:\WINNT\system32\dllcache\MSTIME.DLL

- 2008-02-15 09:16:32        34,816        -c--a-w        C:\WINNT\system32\dllcache\PNGFILT.DLL

+ 2008-04-18 06:55:02        34,816        -c--a-w        C:\WINNT\system32\dllcache\PNGFILT.DLL

- 2007-10-27 19:33:28        1,228,288        -c--a-w        C:\WINNT\system32\dllcache\quartz.dll

+ 2008-04-30 20:33:52        1,228,288        -c--a-w        C:\WINNT\system32\dllcache\quartz.dll

- 2008-02-15 14:18:28        1,340,416        -c--a-w        C:\WINNT\system32\dllcache\SHDOCVW.DLL

+ 2008-04-18 07:59:58        1,340,416        -c--a-w        C:\WINNT\system32\dllcache\SHDOCVW.DLL

- 2008-02-15 14:18:30        403,456        -c--a-w        C:\WINNT\system32\dllcache\SHLWAPI.DLL

+ 2008-04-18 07:59:58        403,456        -c--a-w        C:\WINNT\system32\dllcache\SHLWAPI.DLL

- 2008-02-15 14:18:30        464,384        -c--a-w        C:\WINNT\system32\dllcache\URLMON.DLL

+ 2008-04-18 08:00:00        464,384        -c--a-w        C:\WINNT\system32\dllcache\URLMON.DLL

- 2008-02-15 09:16:30        351,744        ----a-w        C:\WINNT\system32\DXTMSFT.DLL

+ 2008-04-18 06:54:54        351,744        ----a-w        C:\WINNT\system32\DXTMSFT.DLL

- 2008-02-15 09:16:28        192,512        ----a-w        C:\WINNT\system32\DXTRANS.DLL

+ 2008-04-18 06:54:52        192,512        ----a-w        C:\WINNT\system32\DXTRANS.DLL

- 2008-02-15 14:18:16        236,032        ----a-w        C:\WINNT\system32\IEPEERS.DLL

+ 2008-04-18 07:59:42        236,032        ----a-w        C:\WINNT\system32\IEPEERS.DLL

- 2008-02-15 14:18:16        70,144        ----a-w        C:\WINNT\system32\INSENG.DLL

+ 2008-04-18 07:59:44        70,144        ----a-w        C:\WINNT\system32\INSENG.DLL

- 2008-02-15 09:16:56        12,288        ----a-w        C:\WINNT\system32\JSPROXY.DLL

+ 2008-04-18 06:55:22        12,288        ----a-w        C:\WINNT\system32\JSPROXY.DLL

- 2008-05-09 21:35:04        16,863,864        ----a-w        C:\WINNT\system32\MRT.exe

+ 2008-05-29 23:35:11        17,486,968        ----a-w        C:\WINNT\system32\MRT.exe

- 2008-02-15 14:18:20        2,705,408        ----a-w        C:\WINNT\system32\MSHTML.DLL

+ 2008-04-18 07:59:48        2,705,408        ----a-w        C:\WINNT\system32\MSHTML.DLL

- 2008-02-15 14:18:24        132,096        ----a-w        C:\WINNT\system32\MSRATING.DLL

+ 2008-04-18 07:59:52        132,096        ----a-w        C:\WINNT\system32\MSRATING.DLL

- 2008-02-15 14:18:24        498,176        ----a-w        C:\WINNT\system32\MSTIME.DLL

+ 2008-04-18 07:59:54        498,176        ----a-w        C:\WINNT\system32\MSTIME.DLL

- 2008-02-15 09:16:32        34,816        ----a-w        C:\WINNT\system32\PNGFILT.DLL

+ 2008-04-18 06:55:02        34,816        ----a-w        C:\WINNT\system32\PNGFILT.DLL

- 2008-02-15 14:18:28        1,340,416        ----a-w        C:\WINNT\system32\SHDOCVW.DLL

+ 2008-04-18 07:59:58        1,340,416        ----a-w        C:\WINNT\system32\SHDOCVW.DLL

- 2008-02-15 14:18:30        403,456        ----a-w        C:\WINNT\system32\SHLWAPI.DLL

+ 2008-04-18 07:59:58        403,456        ----a-w        C:\WINNT\system32\SHLWAPI.DLL

- 2008-03-27 18:13:12        15,072        ------w        C:\WINNT\system32\spmsg.dll

+ 2007-07-27 08:41:40        16,760        ------w        C:\WINNT\system32\spmsg.dll

- 2008-02-15 14:18:30        464,384        ----a-w        C:\WINNT\system32\URLMON.DLL

+ 2008-04-18 08:00:00        464,384        ----a-w        C:\WINNT\system32\URLMON.DLL

+ 2004-03-17 04:59:32        2,560        ----a-w        C:\WINNT\twain_32\CoachTW\CoachTW.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"internat.exe"="internat.exe" [10.12.99 14:00  20752 C:\WINNT\system32\internat.exe]

"SpybotSD TeaTimer"="F:\Programme\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe" [28.01.08 12:43  2097488]

"WebWasher"="G:\Programme\WebWasher\wwasher.exe" [ ]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe" [19.06.03 21:05  112400 C:\WINNT\system32\mobsync.exe]

"Cmaudio"="cmicnfg.cpl" []

"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [22.10.06 13:22  7700480]

"nwiz"="nwiz.exe" [22.10.06 13:22  1622016 C:\WINNT\system32\nwiz.exe]

"F-Secure Manager"="C:\Programme\F-Secure Internet Security\Common\FSM32.exe" [28.05.07 11:19  183208]

"F-Secure TNB"="C:\Programme\F-Secure Internet Security\FSGUI\TNBUtil.exe" [28.05.07 11:18  740208]

"!AVG Anti-Spyware"="C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [13.09.07 01:38  6731312]

"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [22.10.06 13:22  86016]
 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="C:\Programme\Internet Explorer\Connection Wizard\icwconn1.exe" [19.06.03 21:05  189712]
 

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\

Adobe Reader - Schnellstart.lnk - C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"aux"= mmdrv.dll

"VIDC.ZMBV"= zmbv.dll
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"

"Omnipage"=G:\omnipage\opware32.exe

"NvMediaCenter"=RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit

"NvCplDaemon"=RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
 

R0 FSFW;F-Secure Firewall Driver;C:\WINNT\system32\drivers\fsdfw.sys [02.09.07 19:09 ]

R0 hotcore;hotcore;C:\WINNT\system32\drivers\hotcore.sys [21.10.05 09:04 ]

R0 hotcore3;hotcore3;C:\WINNT\system32\drivers\hotcore3.sys [10.10.07 12:29 ]

R1 F-Secure HIPS;F-Secure HIPS;C:\Programme\F-Secure Internet Security\HIPS\fshs.sys [13.02.08 20:35 ]

R2 NPF;NetGroup Packet Filter Driver;C:\WINNT\system32\drivers\npf.sys [25.01.07 19:31 ]

R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Programme\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys [28.05.07 
 

11:15 ]

R3 openhci;Microsoft USB-Open Host-Controllertreiber;C:\WINNT\system32\DRIVERS\openhci.sys [19.06.03 21:05 ]

R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [19.06.03 21:05 ]

S3 FWLANUSB;AVM FRITZ!WLAN;C:\WINNT\system32\DRIVERS\fwlanusb.sys [06.04.06 02:06 ]

S3 MEMSWEEP2;MEMSWEEP2;J:\Programme\Sophos\MEMSWEEP.SYS [22.02.07 12:44 ]

S3 UCORESYS;UCORESYS;C:\Dokumente und Einstellungen\Administrator\UCORESYS.SYS []

S4 F-Secure Filter;F-Secure File System Filter;C:\Programme\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys 
 

[28.05.07 11:15 ]

S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Programme\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys 
 

[28.05.07 11:15 ]
 

.

**************************************************************************
 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-06-11 19:45:21

Windows 5.0.2195 Service Pack 4 NTFS
 

Scanne versteckte Prozesse...
 

Scanne versteckte Autostart Einträge...
 

Scanne versteckte Dateien...
 

Scan erfolgreich abgeschlossen

versteckte Dateien: 0
 

**************************************************************************
 

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vsdatant]

"ImagePath"=""

.

Zeit der Fertigstellung: 11.06.2008 19:46:13

ComboFix-quarantined-files.txt  2008-06-11 17:46:10

ComboFix2.txt  2008-06-06 18:22:45

ComboFix3.txt  2008-06-06 18:08:03

ComboFix4.txt  2008-06-05 00:51:58

ComboFix5.txt  2008-06-05 00:44:30
 

              12 Verzeichnis(se),     482,869,248 Bytes frei

              14 Verzeichnis(se),     478,818,304 Bytes frei
 

241        --- E O F ---        2008-06-11 15:54:11

Silentrunner Log (als User)

Zitat:

"Silent Runners.vbs", revision 58, Silent Runners - Adware? Disinfect, don't reformat!
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"SpybotSD TeaTimer" = "F:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"F-Secure Manager" = ""C:\Programme\F-Secure Internet Security\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"F-Secure TNB" = ""C:\Programme\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]
"!AVG Anti-Spyware" = ""C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "F:\PROGRA~1\Spybot - Search & Destroy\Spybot - Search & Destroy\SDHelper.dll"

["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "G:\Spiele\toasten\ALCOHO~1\axshlex.dll" [file not found]
"{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}" = "CopyToCD shell extension"
-> {HKLM...CLSID} = "CopyToCD shell extension"
\InProcServer32\(Default) = "F:\Programme\C2DVD\copytodvd\CtcdShell.dll" ["VSO Software"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems,

Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems,

Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems,

Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems,

Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT

s.r.o."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems,

Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-ZIP\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
CopyToCD\(Default) = "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"
-> {HKLM...CLSID} = "CopyToCD shell extension"
\InProcServer32\(Default) = "F:\Programme\C2DVD\copytodvd\CtcdShell.dll" ["VSO Software"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-ZIP\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Programme\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
CopyToCD\(Default) = "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"
-> {HKLM...CLSID} = "CopyToCD shell extension"
\InProcServer32\(Default) = "F:\Programme\C2DVD\copytodvd\CtcdShell.dll" ["VSO Software"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
CopyToCD\(Default) = "{2AA59FC0-31E8-42DA-9D3C-E9A52953853B}"
-> {HKLM...CLSID} = "CopyToCD shell extension"
\InProcServer32\(Default) = "F:\Programme\C2DVD\copytodvd\CtcdShell.dll" ["VSO Software"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "J:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "J:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"CDRAutoRun" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Dokumente und Einstellungen\Default User\Desktop\Bild-3-08-schnuffel.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "(Kein)"

Startup items in "user" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems

Incorporated"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Programme\F-Secure Internet Security\FSPS\program\FSLSP.DLL ["F-Secure Corporation"], 01 - 11, 25
%SystemRoot%\system32\msafd.dll [MS], 12 - 14, 17 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 15 - 16

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "F:\PROGRA~1\Spybot - Search & Destroy\Spybot - Search & Destroy\SDHelper.dll"

["Safer Networking Limited"]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, "G:\Ad-aware\aawservice.exe" ["Lavasoft"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
COM+-Ereignissystem, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}
F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Programme\F-Secure Internet Security\FWES\Program\fsdfwd.exe"" ["F-Secure

Corporation"]
F-Secure Management Agent, FSMA, ""C:\Programme\F-Secure Internet Security\Common\FSMA32.EXE"" ["F-Secure Corporation"]
FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Programme\F-Secure Internet Security\Anti-Virus\fsgk32st.exe"" ["F-Secure

Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Accessibility Tools:
--------------------

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Narrator\
"Application Path" = (empty string) [file not found]
"Display Name" = "Narrator"
"Start with Utility Manager" = dword:0x00000001

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
avm:\Driver = "avmprmon.dll" ["AVM Berlin GmbH"]

---------- (launch time: 2008-06-12 22:08:03)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 396 seconds, including 18 seconds for message boxes)

Zitat:

Malwarebytes Log (als User)

Malwarebytes' Anti-Malware 1.17
Datenbank Version: 848

22:31:04 12.06.2008
mbam-log-6-12-2008 (22-30-58).txt

Scan Art: Schnell Scan
Objekte gescannt: 31228
Scan Dauer: 10 minute(s), 27 second(s)

Infizierte Speicher Prozesse: 0
Infizierte Speicher Module: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Datei Objekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicher Prozesse:
(Keine Malware Objekte gefunden)

Infizierte Speicher Module:
(Keine Malware Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine Malware Objekte gefunden)

Infizierte Registrierungswerte:
(Keine Malware Objekte gefunden)

Infizierte Datei Objekte der Registrierung:
(Keine Malware Objekte gefunden)

Infizierte Verzeichnisse:
(Keine Malware Objekte gefunden)

Infizierte Dateien:
C:\WINNT\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.