Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   @!# >> Storageprotector (https://www.trojaner-board.de/49229-storageprotector.html)

Antrax 08.02.2008 10:08
@!# >> Storageprotector
 
Hallo zusammen.

[1] Ich habe "Help & Supportcenter" und "Windows Update" auf meinem Rechner mit dem Link nach "storageprotector.c*m" Wenn man es löscht kommt es automatisch wieder.

[2] Ich kann keine Ordner und den I-Explorer nicht mehr öffnen. Zum glück hatte ich auf meinem Stick noch Firefox drauf. Mit dem Funktionierts.

[3] Mein Computer lauft langsamer, was früher nicht so war...

>>> Bitte mitteilen wie ich vorgehen muss und welche Logs ich posten soll.
>>> Ein Link zu einer Beschreibung, mit der ich meinen PC in zukunft Extrem schützen kann. Wäre nice ;)

MFG Antrax

nOOb@pc 08.02.2008 10:31
habe das selbe problem...:schmoll:
kan dir nur sagen, das ich im Task Manager die explorer.exe beende und direkt danach wieder ausführe... dan kann man wenigstens die ordner wieder öffnen...

Chris4You 08.02.2008 11:12
Hi,

have a lock here:
Fix Slow Computer: spyware, trojan horse, virus removals » Blog Archive » StorageProtector Removal Instructions - StorageProtector Remover
Wenn ihr das Ding runterladen solltet, dann scanned er zwar, will aber zum Entfernen einen Lizenzkey, also -> die manuellen Entfernungsinstruktionen oder einfach mit combofix weiter machen

Bitte noch Combofix und HJ-Log gemäß Signatur:

Combofix:
Lade es von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop.
Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter.

Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen
Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird.
Nach Scanende wird ein Report angezeigt, den bitte kopieren und in deinem Thread einfuegen.

chris

Antrax 08.02.2008 15:15
Hallo zusammen, ich bins wieder...

Hier ist mein Log:
Code:
ComboFix 08-02.05.3 - ### 2008-02-08 14:27:18.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1031.18.1160 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\###\Desktop\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((  Weitere L”schungen  ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\opnliih.dll
C:\Programme\Temporary
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\ixbwmkbv.ini
C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\kdywqptw.dll
C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mlkkj.ini2
C:\WINDOWS\system32\njfsxbrm.dll
C:\WINDOWS\system32\njfsxbrm.dll . . . . Nicht in der Lage zu löschen
C:\WINDOWS\system32\njfsxbrm.dllbox
C:\WINDOWS\system32\oeeiedxt.dll
C:\WINDOWS\system32\opnliih.dll
C:\WINDOWS\system32\qhjqflhu.dll
C:\WINDOWS\system32\tcmhwhbr.dll
C:\WINDOWS\system32\ttngfnxu.dll
C:\WINDOWS\system32\uxnfgntt.ini
C:\WINDOWS\system32\vbkmwbxi.dll
C:\WINDOWS\system32\vmuykfdy.dll
C:\WINDOWS\system32\vwjpnlhm.dll
C:\WINDOWS\Fonts\'

.
(((((((((((((((((((((((  Dateien erstellt von 2008-01-08 bis 2008-02-08  ))))))))))))))))))))))))))))))
.

2008-02-08 14:44 . 2008-02-08 14:44        163,904        --a------        C:\WINDOWS\system32\njfsxbrm.dll
2008-02-07 09:43 . 2008-02-07 09:43        <DIR>        d--------        C:\Programme\Ventrilo
2008-02-07 09:43 . 2008-02-07 09:43        <DIR>        d--------        C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-02-07 09:43 . 2008-02-07 09:44        <DIR>        d--------        C:\Dokumente und Einstellungen\###\Anwendungsdaten\Ventrilo
2008-02-07 08:16 . 2008-02-08 08:16        1,202,268        ---hs----        C:\WINDOWS\system32\uqdjlpns.ini
2008-02-06 13:46 . 2008-02-06 13:46        <DIR>        d--------        C:\Programme\1A Bildsauger
2008-02-06 13:46 . 2008-02-06 13:46        <DIR>        d--------        C:\Dokumente und Einstellungen\###\.vwsoft.de
2008-02-06 08:19 . 2008-02-06 08:19        1,194,375        ---hs----        C:\WINDOWS\system32\vcbubbao.ini
2008-02-05 15:51 . 2008-02-05 23:23        <DIR>        d--------        C:\Dokumente und Einstellungen\###\Anwendungsdaten\HLSW
2008-02-05 15:23 . 2008-02-05 15:51        <DIR>        d---s----        C:\Programme\HLSW
2008-02-05 08:15 . 2008-02-06 08:15        1,194,315        ---hs----        C:\WINDOWS\system32\ninrsfef.ini
2008-02-04 08:15 . 2008-02-04 08:15        1,192,152        ---hs----        C:\WINDOWS\system32\vucjmqmi.ini
2008-02-04 02:07 . 2008-02-04 02:07        <DIR>        d--------        C:\Dokumente und Einstellungen\###\Anwendungsdaten\Publish Providers
2008-02-04 02:07 . 2008-02-04 20:29        156        --a------        C:\WINDOWS\Twunk001.MTX
2008-02-04 02:07 . 2008-02-04 20:29        2        --a------        C:\WINDOWS\Twain001.Mtx
2008-02-04 02:07 . 2008-02-04 02:07        0        --a------        C:\WINDOWS\Twunk002.MTX
2008-02-04 01:56 . 2002-12-17 17:23        33,340        ---------        C:\WINDOWS\system32\dbmsqlgc.dll
2008-02-04 01:56 . 2002-10-20 15:00        24,576        ---------        C:\WINDOWS\system32\dbmsgnet.dll
2008-02-04 01:55 . 1998-10-29 16:45        306,688        --a------        C:\WINDOWS\IsUninst.exe
2008-02-04 01:53 . 2008-02-04 01:53        <DIR>        d--------        C:\Programme\Microsoft SQL Server
2008-02-04 01:52 . 2008-02-04 02:05        <DIR>        d--------        C:\Dokumente und Einstellungen\###\Anwendungsdaten\Sony
2008-02-04 01:50 . 2008-02-04 01:50        <DIR>        d--------        C:\Programme\Sony
2008-02-04 01:50 . 2008-02-04 01:52        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sony
2008-02-04 01:46 . 2008-02-04 01:46        <DIR>        d--------        C:\Programme\Sony Setup
2008-02-03 23:38 . 2008-02-03 23:38        <DIR>        d--------        C:\Program Files
2008-02-03 23:24 . 2008-02-03 23:24        <DIR>        d--------        C:\Programme\Bonjour
2008-02-03 23:02 . 2008-02-03 23:02        <DIR>        d--------        C:\Programme\Gemeinsame Dateien\Macrovision Shared
2008-02-03 21:42 . 2008-02-07 11:12        <DIR>        d--------        C:\WINDOWS\SxsCaPendDel
2008-02-03 19:10 . 2008-02-03 19:11        <DIR>        d--------        C:\Programme\VirtualDJ
2008-02-03 16:24 . 2008-02-03 16:35        91,700        --a------        C:\WINDOWS\system32\drivers\klin.dat
2008-02-03 16:24 . 2008-02-03 16:35        85,860        --a------        C:\WINDOWS\system32\drivers\klick.dat
2008-02-03 16:11 . 2008-02-03 16:11        <DIR>        d--------        C:\Programme\Kaspersky Lab
2008-02-03 16:11 . 2008-02-08 14:16        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-02-03 16:10 . 2008-02-08 14:55        13,468,704        --ahs----        C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-03 16:10 . 2008-02-08 14:53        656,416        --ahs----        C:\WINDOWS\system32\drivers\fidbox2.dat
2008-02-03 16:10 . 2008-02-08 14:52        179,612        --ahs----        C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-03 16:10 . 2008-02-08 14:52        62,516        --ahs----        C:\WINDOWS\system32\drivers\fidbox2.idx
2008-02-03 16:09 . 2008-02-03 16:09        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab Setup Files
2008-02-03 15:24 . 2008-02-08 14:40        163,904        --a------        C:\WINDOWS\system32\okrfdsye.dll
2008-02-03 15:21 . 2008-02-03 18:04        <DIR>        d--------        C:\Programme\Dot1XCfg
2008-02-03 15:21 . 2008-02-03 15:21        147,456        --a------        C:\WINDOWS\system32\vbzip10.dll
2008-01-31 12:38 . 2008-01-31 12:38        7,680        --ahs----        C:\WINDOWS\Thumbs.db
2008-01-30 22:51 . 2008-01-30 22:51        <DIR>        d--------        C:\Dokumente und Einstellungen\###\Anwendungsdaten\Styler
2008-01-28 13:19 . 2008-01-28 13:19        <DIR>        d--h-----        C:\WINDOWS\PIF
2008-01-28 02:43 . 2008-01-28 02:45        <DIR>        d--------        C:\Dokumente und Einstellungen\###\Anwendungsdaten\ViStart
2008-01-28 02:36 . 2007-02-28 17:06        2,140,160        --a------        C:\WINDOWS\system32\ntoskrnl.exe.zottel
2008-01-28 02:36 . 2007-02-28 17:06        2,019,840        --a------        C:\WINDOWS\system32\ntkrnlpa.exe.zottel
2008-01-25 12:35 . 2008-02-03 16:01        <DIR>        d--------        C:\Programme\FreePDF
2008-01-21 23:24 . 2008-01-21 23:24        <DIR>        d--------        C:\Programme\SourceTec
2008-01-21 23:24 . 2008-01-21 23:24        <DIR>        d--------        C:\Programme\Gemeinsame Dateien\SourceTec
2008-01-20 20:30 . 2008-02-05 23:27        <DIR>        d--------        C:\Dokumente und Einstellungen\###\Anwendungsdaten\X-Chat 2
2008-01-20 20:29 . 2008-01-20 20:29        <DIR>        d--------        C:\Programme\X-Chat 2
2008-01-18 19:00 . 2008-01-18 19:00        <DIR>        d--------        C:\Programme\UseNeXT
2008-01-18 19:00 . 2008-01-18 20:22        <DIR>        d--------        C:\Dokumente und Einstellungen\###\Anwendungsdaten\UseNeXT
2008-01-17 21:42 . 2008-01-17 21:42        34        --a------        C:\splist.ini
2008-01-17 21:41 . 2008-01-17 22:37        <DIR>        d--------        C:\Dokumente und Einstellungen\###\Anwendungsdaten\afterbeep
2008-01-09 14:24 . 2008-01-09 14:24        <DIR>        d--------        C:\Programme\Gemeinsame Dateien\NSV
2008-01-08 17:47 . 2008-02-05 00:14        125        --a------        C:\WINDOWS\fd3.INI
2008-01-08 17:46 . 2008-02-05 00:14        <DIR>        d-a------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-01-08 17:44 . 2008-01-08 17:44        <DIR>        d--------        C:\Programme\Eltima Software
2008-01-08 10:56 . 2008-02-03 16:30        <DIR>        d--------        C:\Programme\Hardcopy
2008-01-08 10:55 . 2007-06-01 06:20        503,808        --a------        C:\WINDOWS\SwSetupu.exe

.
((((((((((((((((((((((((((((((((((((  Find3M Bericht  ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-08 13:52        ---------        d-----w        C:\Programme\BOINC
2008-02-08 13:37        ---------        d-----w        C:\Dokumente und Einstellungen\###\Anwendungsdaten\Skype
2008-02-08 13:18        ---------        d-----w        C:\Programme\Winamp Remote
2008-02-08 13:18        ---------        d-----w        C:\Dokumente und Einstellungen\###\Anwendungsdaten\skypePM
2008-02-08 13:17        ---------        d-----w        C:\Programme\Steam
2008-02-08 08:20        ---------        d-----w        C:\Dokumente und Einstellungen\###\Anwendungsdaten\LimeWire
2008-02-08 07:38        ---------        d-----w        C:\Dokumente und Einstellungen\###\Anwendungsdaten\teamspeak2
2008-02-07 10:16        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\OrbNetworks
2008-02-04 00:50        ---------        d-----w        C:\Programme\VstPlugins
2008-02-03 23:27        ---------        d-----w        C:\Programme\Octoshape Streaming Services
2008-02-03 22:22        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Adobe
2008-02-03 15:30        ---------        d-----w        C:\Programme\Windows Desktop Search
2008-02-03 15:01        ---------        d-----w        C:\Programme\Winamp
2008-02-03 14:53        ---------        d-----w        C:\Programme\SWiSHpresenter
2008-02-03 14:53        ---------        d-----w        C:\Programme\SWiSH Video3
2008-02-03 14:52        ---------        d--h--w        C:\Programme\InstallShield Installation Information
2008-01-01 14:17        ---------        d-----w        C:\Programme\SRK Corp
2007-12-31 20:58        ---------        d-----w        C:\Programme\Digimarc
2007-12-30 13:34        ---------        d-----w        C:\Programme\SprayR
2007-12-25 20:14        ---------        d-----w        C:\Programme\LimeWire
2007-12-23 14:56        ---------        d-----w        C:\Programme\TechSmith
2007-12-23 14:56        ---------        d-----w        C:\Programme\Gemeinsame Dateien\TechSmith Shared
2007-12-23 14:56        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TechSmith
2007-12-18 16:16        ---------        d-----w        C:\Programme\Real
2007-12-18 16:16        ---------        d-----w        C:\Programme\Gemeinsame Dateien\xing shared
2007-12-18 16:16        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Real
2007-12-17 20:11        ---------        d-----r        C:\Dokumente und Einstellungen\###\Anwendungsdaten\Brother
2007-12-10 21:51        ---------        d-----w        C:\Programme\SmartFTP Client
2007-12-10 21:51        ---------        d-----w        C:\Dokumente und Einstellungen\###\Anwendungsdaten\SmartFTP
2007-12-08 17:46        ---------        d-----w        C:\Programme\Java
2007-12-08 17:46        ---------        d-----w        C:\Programme\Gemeinsame Dateien\Java
2007-12-08 11:45        ---------        d-----w        C:\Programme\Image-Line
2007-11-22 11:13        32        ----a-w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2007-11-20 03:52        806,106        ----a-w        C:\Programme\MXP61A05.EXE
2007-11-19 20:29        155,995        ----a-w        C:\WINDOWS\java\Packages\61NVH7BZ.ZIP
.

((((((((((((((((((((((((((((  Autostart Punkte der Registrierung  ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 21:06        1135968        --a------        C:\Programme\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-08 14:44        163904        --a------        C:\WINDOWS\system32\njfsxbrm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{A5899B52-3AF9-4F56-85FE-AD7B3BE8490F}
{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Programme\Winamp Toolbar\winamptb.dll [2007-10-04 21:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"Steam"="c:\programme\steam\steam.exe" [2008-01-22 22:50 1266936]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]
"MsnMsgr"="C:\Programme\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Orb"="C:\Programme\Winamp Remote\bin\OrbTray.exe" [2008-01-07 21:02 495616]
"ICQ"="C:\Programme\ICQ6\ICQ.exe" [2007-11-21 01:47 172280]
"MSMSGS"="C:\Programme\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"Octoshape Streaming Services"="C:\Programme\Octoshape Streaming Services\###\OctoshapeClient.exe" [2006-02-13 17:33 214648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BtHidUi"="C:\Programme\Bluetooth\HidSwitchService\BtHidUi.exe" [2006-06-02 14:15 1298432]
"Dell QuickSet"="C:\Programme\Dell\QuickSet\quickset.exe" [2006-04-06 14:58 1032192]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-12-20 16:38 28160 C:\WINDOWS\KHALMNPR.Exe]
"ISUSPM Startup"="C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-05-04 08:59 237568]
"LogitechCameraAssistant"="C:\Programme\Logitech\Video\CameraAssistant.exe" [2006-05-04 08:24 489472]
"LogitechVideo[inspector]"="C:\Programme\Logitech\Video\InstallHelper.exe" [2006-05-04 08:32 73728]
"SSBkgdUpdate"="C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22 155648]
"PaperPort PTD"="C:\Programme\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 16:39 57393]
"IndexSearch"="C:\Programme\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 17:01 40960]
"BrMfcWnd"="C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 15:48 622592]
"SetDefPrt"="C:\Programme\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 18:02 49152]
"ControlCenter3"="C:\Programme\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 14:58 61440]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2007-12-18 17:16 185896]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"FreePDFAssistent"="C:\Programme\FreePDF\FreePDFA.exe" [ ]
"AVP"="C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-05-19 22:36 218640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 11:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\njfsxbrm]
njfsxbrm.dll 2008-02-08 14:44 163904 C:\WINDOWS\system32\njfsxbrm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

R3 ACPIFnKeys;Driver for Function Keys ACPI Device;C:\WINDOWS\system32\DRIVERS\ACPIFnKy.sys [2006-02-07 21:41]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-05-04 01:07]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2006-05-04 09:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{439705c4-9c74-11dc-b766-000fcce528d5}]
\Shell\1\Command - F:\autorun.pif
\Shell\2\Command - F:\autorun.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{636964ba-9708-11dc-b752-000fcce528d5}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-08 14:56:08
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\njfsxbrm.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-02-08 15:00:47 - machine was rebooted
ComboFix-quarantined-files.txt  2008-02-08 14:00:41
.
2008-01-09 08:46:35        --- E O F ---
Wie geht es jetzt weiter?

MFG Antrax :schrei: :snyper:

Antrax 08.02.2008 15:26
Und das ist der HJT Log:

Code:
Logfile of HijackThis v1.99.1
Scan saved at 15:19:18, on 08.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Dokumente und Einstellungen\###\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ne-clan.ch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://sam.sso.bluewin.ch/the/service/PWCForget?lang=de&mode=index_pwchannel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\njfsxbrm.dll
O3 - Toolbar: SYSTRAN Web Translator 5.0  - {A5899B52-3AF9-4F56-85FE-AD7B3BE8490F} - C:\Programme\SYSTRAN\5.0\Personal\IEPlugIn.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [BtHidUi] C:\Programme\Bluetooth\HidSwitchService\BtHidUi.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programme\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Programme\Logitech\Video\CameraAssistant.exe
O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Programme\Logitech\Video\InstallHelper.exe /inspect
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Programme\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Programme\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [FreePDFAssistent] C:\Programme\FreePDF\FreePDFA.exe
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\programme\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Programme\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Programme\Octoshape Streaming Services\###\OctoshapeClient.exe" -inv:bootrun
O4 - Startup: Verknüpfung mit Neu Textdokument.lnk = C:\Dokumente und Einstellungen\###\Desktop\Locher.txt
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: BOINC Manager.lnk = C:\Programme\BOINC\boincmgr.exe
O4 - Global Startup: Dienst-Manager.lnk = C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: SetPoint.lnk = ?
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Programme\Gemeinsame Dateien\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programme\Gemeinsame Dateien\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Programme\Gemeinsame Dateien\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\programme\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/DE-CH/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1195673209484
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Programme\Windows Live\Mail\mailcomm.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: njfsxbrm - C:\WINDOWS\SYSTEM32\njfsxbrm.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\stacsv.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

Chris4You 08.02.2008 15:58
Hi,

Bitte folgende Files prüfen:
Zitat:
C:\WINDOWS\system32\njfsxbrm.dll
C:\WINDOWS\system32\okrfdsye.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\SwSetupu.exe
E:\LaunchU3.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\stacsv.exe
VirusTotal - Free Online Virus and Malware Scan
Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen (oder gleich die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf "Send"... jetzt abwarten - dann mit der rechten Maustaste den Text markieren -> kopieren - einfügen
Poste die Ergebnisse mit Filename...
Falls ein File nicht erkannt worde, unten rauslöschen.
Die Winlogon.exe nur scannen (auf keinen Fall löschen lassen), sie lädt nur die Datei "njfsxbrm.dll" nach und ich will wissen ob die winlogon geändert wurde (njfsxbrm.dll ist wohl noch was "böses").



Also:
Avenger
The Avenger
Input script manually (anhaken)
kopiere in: View/edit script

Zitat:
registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\njfsxbrm

Files to delete:
C:\WINDOWS\system32\njfsxbrm.dll
C:\WINDOWS\system32\uqdjlpns.ini
C:\WINDOWS\system32\vcbubbao.ini
C:\WINDOWS\system32\ninrsfef.ini
C:\WINDOWS\system32\vucjmqmi.ini
C:\WINDOWS\system32\okrfdsye.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\SwSetupu.exe
F:\autorun.pif
C:\autorun.pif
E:\LaunchU3.exe
Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

Hijackthis, fixen (F8, abgesicherter Modus):
öffne das HijackThis -- Button "scan" -- vor den nachfolgenden Einträge Häkchen setzen -- Button "Fix checked" -- PC neustarten
Beim fixen müssen alle Programme geschlossen sein!
Zitat:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://sam.sso.bluewin.ch/the/servi...ndex_pwchannel
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\njfsxbrm.dll
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O20 - Winlogon Notify: njfsxbrm - C:\WINDOWS\SYSTEM32\njfsxbrm.dll
Danach neues HJ-Log und poste die Logs von Avenger und HJ beim lösche bzw. fixen...

Chris

Ps.: ComboFix hat einige sehr unschöne Sachen gekillt, z. B.:
MROFINU1188.EXE, Prevx
(Und damit bist Du einer der ersten in Deutschland, nach PrevX).

Antrax 08.02.2008 16:35
Also:

C:\WINDOWS\system32\njfsxbrm.dll
Code:
Datei njfsxbrm.dll empfangen 2008.02.08 16:17:01 (CET)
Status: Beendet
Ergebnis: 27/32 (84.38%)
C:\WINDOWS\system32\okrfdsye.dll
Code:
Datei njfsxbrm.dll empfangen 2008.02.08 16:17:01 (CET)
Status: Beendet
Ergebnis: 27/32 (84.38%)
C:\WINDOWS\system32\vbzip10.dll
Code:
Backdoor.IRCBot.E96F
ABER: (NUR: 3% Potenziell)
C:\WINDOWS\SwSetupu.exe
Code:
OK
E:\LaunchU3.exe
Code:
OK
C:\WINDOWS\system32\winlogon.exe
Code:
OK
C:\WINDOWS\system32\stacsv.exe
Code:
OK
OK... Ich starte jetzt mein PC neu im abgesicherten Modus und fixe die Einträge... THX ;)

Chris4You 08.02.2008 16:42
Hi,

zuerst Avenger durchführen (bei den zu löschenden Files die ab "C:\WINDOWS\SwSetupu.exe" rausnehmen!), eventuell auch im abgesicherten Modus, das Log von Avenger dann auch posten,
danach dann mit HJ fixen...
Dann weiter wie beschrieben...
Falls alles gekillt worden ist, dann Scannen mit Prevx, falls sich die Datei ""njfsxbrm.dll" wieder nicht löschen lässt, dann weiter mit Silentrunner!

Chris

PrevX:
Prevx CSI - FREE Malware Scanner

SilentRunner:
Ziparchive in ein Verzeichnis auspacken, mit Doppelklick starten, "ja" auswählen.
Die erstellte Datei findet sich im gleichen Verzeichnis wo das Script hinkopiert wurde, bitte in Editor laden und posten.
http://www.silentrunners.org/Silent%20Runners.zip

Ps.: So, bin jetzt dann offline (gehe nach hause...) -> falls also einer weitermachen will ;o)

Antrax 08.02.2008 17:21
Avenger: ist OK.
Habe die Log einem Kumpel gesendet. (Ohne "SWSetup.exe")

HJT:
Gefixt.

PREVX CSI:
Folgender ERROR kommt: "Error: C106 Detection Licence is not transferable"
ABER: er schreibt > "0 Bad Files found"

Silent Runners:
Code:
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Steam" = ""c:\programme\steam\steam.exe" -silent" ["Valve Corporation"]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"MsnMsgr" = ""C:\Programme\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS]
"Orb" = ""C:\Programme\Winamp Remote\bin\OrbTray.exe" /background" ["Orb Networks"]
"ICQ" = ""C:\Programme\ICQ6\ICQ.exe" silent" ["ICQ, Inc."]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]
"Octoshape Streaming Services" = ""C:\Programme\Octoshape Streaming Services\###\OctoshapeClient.exe" -inv:bootrun" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BtHidUi" = "C:\Programme\Bluetooth\HidSwitchService\BtHidUi.exe" ["Cambridge Silicon Radio"]
"Dell QuickSet" = "C:\Programme\Dell\QuickSet\quickset.exe" ["Dell Inc"]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"ISUSPM Startup" = "C:\PROGRA~1\GEMEIN~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"ATICCC" = ""C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"SigmatelSysTrayApp" = "stsystra.exe" ["SigmaTel, Inc."]
"IntelZeroConfig" = ""C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"" ["Intel Corporation"]
"IntelWireless" = ""C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless" ["Intel Corporation"]
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"LogitechCameraAssistant" = "C:\Programme\Logitech\Video\CameraAssistant.exe" ["Logitech Inc."]
"LogitechVideo[inspector]" = "C:\Programme\Logitech\Video\InstallHelper.exe /inspect" ["Logitech Inc."]
"SSBkgdUpdate" = ""C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"PaperPort PTD" = "C:\Programme\ScanSoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."]
"IndexSearch" = "C:\Programme\ScanSoft\PaperPort\IndexSearch.exe" ["ScanSoft, Inc."]
"BrMfcWnd" = "C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN" [empty string]
"SetDefPrt" = "C:\Programme\Brother\Brmfl06a\BrStDvPt.exe" ["Brother Industories, Ltd."]
"ControlCenter3" = "C:\Programme\Brother\ControlCenter3\brctrcen.exe /autorun" ["Brother Industries, Ltd."]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot" ["RealNetworks, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"FreePDFAssistent" = "C:\Programme\FreePDF\FreePDFA.exe" [file not found]
"AVP" = ""C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"" ["Kaspersky Lab"]
"naddnadx" = "C:\onelswxp.bat" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
  -> {HKLM...CLSID} = "Skype add-on (mastermind)"
                  \InProcServer32\(Default) = "C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\(Default) = "Winamp Toolbar BHO"
  -> {HKLM...CLSID} = "Winamp Toolbar BHO"
                  \InProcServer32\(Default) = "C:\Programme\Winamp Toolbar\winamptb.dll" ["AOL LLC"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
                  \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Anmelde-Hilfsprogramm"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{A95B2816-1D7E-4561-A202-68C0DE02353A}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\njfsxbrm.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                  \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "Meine freigegebenen Ordner"
                  \InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{0563DB41-F538-4B37-A92D-4659049B7766}" = "WLMD Message Handler"
  -> {HKLM...CLSID} = "CLSID_WLMCMimeFilter"
                  \InProcServer32\(Default) = "C:\Programme\Windows Live\Mail\mailcomm.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                  \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                  \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Copy Hook"
  -> {HKLM...CLSID} = "SmartFTP Copy Hook"
                  \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\smarthook.dll" ["SmartSoft Ltd."]
"{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}" = "SmartFTP ContextMenu"
  -> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
                  \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{40FDFA48-5F4E-4627-A78E-6A49A3D4492F}" = "SmartFTP ShellDropHandler"
  -> {HKLM...CLSID} = "SmartFTP ShellDropHandler Class"
                  \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}" = "SmartFTP Drop ShellIconOverlayHandler"
  -> {HKLM...CLSID} = "SmartFTP Drop ShellIconOverlayHandler"
                  \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{39DD67E0-73B6-4a11-AF55-49E1EBBF72BE}" = "SmartFTP Favorites Namespace"
  -> {HKLM...CLSID} = "FavoritesShellFolder Class"
                  \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFavoritesShellExtension.dll" ["SmartSoft Ltd."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                  \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statistik für Web-Anti-Virus"
  -> {HKLM...CLSID} = "Statistik für Web-Anti-Virus"
                  \InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]
"{45C6AFA5-2C13-402f-BC5D-45CC8172EF6B}" = "Bluetooth"
  -> {HKLM...CLSID} = "Bluetooth Information Exchanger"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\TosBtExt.dll" ["TOSHIBA"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                  \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
  -> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
                  \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
tosBtShllExt\(Default) = "{6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1}"
  -> {HKLM...CLSID} = "Bluetooth File Extenstion"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\TosBtShell.dll" ["TOSHIBA"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
  -> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
                  \InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
tosBtShllExt\(Default) = "{6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1}"
  -> {HKLM...CLSID} = "Bluetooth File Extenstion"
                  \InProcServer32\(Default) = "C:\WINDOWS\system32\TosBtShell.dll" ["TOSHIBA"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
                  \InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                  \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%SystemRoot%\Web\Wallpaper\vista_wide.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\vista_wide"


Startup items in "###" & "All Users" startup folders:
------------------------------------------------------------------

C:\Dokumente und Einstellungen\###\Startmenü\Programme\Autostart
"PrevxCSI" -> shortcut to: "C:\Programme\PrevxCSI\prevxcsi.exe" ["Prevx"]
"Verknüpfung mit Neu Textdokument" -> shortcut to: "C:\Dokumente und Einstellungen\###\Desktop\Locher.txt" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Bluetooth Manager" -> shortcut to: "C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe" [null data]
"BOINC Manager" -> shortcut to: "C:\Programme\BOINC\boincmgr.exe /s" ["Space Sciences Laboratory"]
"Dienst-Manager" -> shortcut to: "C:\Programme\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]
"SetPoint" -> shortcut to: "C:\Programme\SetPoint\SetPoint.exe" ["Logitech Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"
  -> {HKLM...CLSID} = "Winamp Toolbar"
                  \InProcServer32\(Default) = "C:\Programme\Winamp Toolbar\winamptb.dll" ["AOL LLC"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{A5899B52-3AF9-4F56-85FE-AD7B3BE8490F}" = (no title provided)
  -> {HKLM...CLSID} = "SYSTRAN Web Translator 5.0 "
                  \InProcServer32\(Default) = "C:\Programme\SYSTRAN\5.0\Personal\IEPlugIn.dll" ["SYSTRAN"]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar"
  -> {HKLM...CLSID} = "Winamp Toolbar"
                  \InProcServer32\(Default) = "C:\Programme\Winamp Toolbar\winamptb.dll" ["AOL LLC"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{F7E0096A-951B-41D3-9B35-EA2AA5AB0840}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SYSTRAN Web Translator 5.0 "
                  \InProcServer32\(Default) = "C:\Programme\SYSTRAN\5.0\Personal\IEPlugIn.dll" ["SYSTRAN"]

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statistik für Web-Anti-Virus"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
                  \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statistik für Web-Anti-Virus"

{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
  -> {HKLM...CLSID} = "Skype add-on (button)"
                  \InProcServer32\(Default) = "C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{E19ADC6E-3909-43E4-9A89-B7B676377EE3}\
"ButtonText" = "Sothink SWF Catcher"
"MenuText" = "Sothink SWF Catcher"
"Script" = "C:\Programme\Gemeinsame Dateien\SourceTec\SWF Catcher\InternetExplorer.htm" [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Computer, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Intel(R) PROSet/Wireless Event Log, EvtEng, "C:\Programme\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Registry Service, RegSrvc, "C:\Programme\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]
Intel(R) PROSet/Wireless Service, S24EventMonitor, "C:\Programme\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]
Intel(R) PROSet/Wireless SSO Service, WLANKEEPER, "C:\Programme\Intel\Wireless\Bin\WLKeeper.exe" ["Intel(R) Corporation"]
Kaspersky Internet Security 7.0, AVP, ""C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r" ["Kaspersky Lab"]
Logitech Process Monitor, LVPrcSrv, "c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe" ["Logitech Inc."]
Messenger USN Journal Reader-Service für freigegebene Ordner, usnjsvc, ""C:\Programme\Windows Live\Messenger\usnsvc.exe"" [MS]
NICCONFIGSVC, NICCONFIGSVC, "C:\Programme\Dell\QuickSet\NICCONFIGSVC.exe" ["Dell Inc."]
SigmaTel Audio Service, STacSV, "C:\WINDOWS\system32\stacsv.exe" ["SigmaTel, Inc."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]


---------- (launch time: 2008-02-08 17:19:00)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 32 seconds, including 4 seconds for message boxes)

MFG Antrax

Chris4You 11.02.2008 07:51
Hi,

da ist noch was:

Bitte folgende Files prüfen:
Zitat:
C:\onelswxp.bat
C:\WINDOWS\system32\njfsxbrm.dll
http://www.virustotal.com/flash/index_en.html
Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen (oder gleich die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf "Send"... jetzt abwarten - dann mit der rechten Maustaste den Text markieren -> kopieren - einfügen
Poste das Log beider Dateien mit Filename;
Falls eine Datei nicht erkannt wird (in die bat kannst Du mit "bearbeiten" reinschauen (im Ediotr öffnen),
dann lösche Sie aus dem Avengerscript raus!

Also:
Avenger
http://filepony.de/download-the_avenger/
Input script manually (anhaken)
kopiere in: View/edit script

Zitat:

Files to delete:
C:\onelswxp.bat
C:\WINDOWS\system32\njfsxbrm.dll
Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

Danach bitte ein neues HJ-Log und Scanne mit Dr. web:
Anleitung: Anleitung: DrWeb - CureIt - Trojaner-Board
Aber bitte den Download von hier nutzen http://freedrweb.com/?lng=de
Poste auch diese Log (die Funde)

chris


Alle Zeitangaben in WEZ +1. Es ist jetzt 06:54 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19