Trojaner-Board - Upload nahezu nicht vorhanden, Surfen eine Plage

Trojaner-Board (https://www.trojaner-board.de/)

- Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)

- - Upload nahezu nicht vorhanden, Surfen eine Plage (https://www.trojaner-board.de/57150-upload-nahezu-vorhanden-surfen-plage.html)

Upload nahezu nicht vorhanden, Surfen eine Plage

Hallo!

Seit ein paar Tagen ist das Surfen im Internet teilweise extrem langsam und laut Speedtests der Upload völlig im Keller.
Ich dachte erst es liegt an der Hitze, aber hab dann mal Spybot laufen lassen und der hat ein paar kleine Sachen sowie einen Win32.Shark.af hinweis entdeckt, die Probleme wurden alle gelöscht und nach Neustart wuerde auch nichtsmehr gefunden, das Problem besteht aber weiterhin.

Hier mal ein LOG vom Deckard Scanner:

Deckard Scanner:

Code:

Deckard's System Scanner v20071014.68

Run by Ryan on 2008-08-02 14:40:27

Computer is in Normal Mode.

--------------------------------------------------------------------------------
 
 
 

-- HijackThis (run as Ryan.exe) ------------------------------------------------
 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:40:31, on 02.08.2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\WINDOWS\system32\Rundll32.exe

C:\Programme\FreePDF_XP\fpassist.exe

D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe

D:\TuneUp Utilities 2007\MemOptimizer.exe

C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe

C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexStoreSvr.exe

C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programme\Logitech\SetPoint\SetPoint.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Programme\Gemeinsame Dateien\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\system32\oodag.exe

C:\WINDOWS\system32\svchost.exe

C:\Programme\Viewpoint\Common\ViewpointService.exe

C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe

C:\WINDOWS\System32\svchost.exe

C:\Dokumente und Einstellungen\a\Desktop\dss.exe

D:\Trend Micro\HijackThis\Ryan.exe
 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.de/webhp?hl=de

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favoriten

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE"

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AWMON] "D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

O4 - HKCU\..\Run: [TuneUp MemOptimizer] "D:\TuneUp Utilities 2007\MemOptimizer.exe" autostart

O4 - HKCU\..\Run: [StartCCC] C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')

O4 - HKUS\S-1-5-19\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2004\MemOptimizer.exe" autostart (User 'LOKALER DIENST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Logitech SetPoint.lnk = ?

O8 - Extra context menu item: An vorhandenes PDF anfügen - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Auswahl in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Auswahl in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: In Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Verknüpfungsziel in Adobe PDF konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - res://C:\Programme\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programme\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Programme\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)

O15 - Trusted Zone: http://www.gmx.de

O15 - Trusted Zone: http://www.gmx.net

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/DE-DE/a-UNO1/GAME_UNO1.cab

O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab

O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{1D59F153-870D-4C80-A021-649D09D0A132}: NameServer = 192.168.0.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{1D59F153-870D-4C80-A021-649D09D0A132}: NameServer = 192.168.0.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{1D59F153-870D-4C80-A021-649D09D0A132}: NameServer = 192.168.0.1

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Programme\Gemeinsame Dateien\InterVideo\DeviceService\DevSvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - D:\iPod\bin\iPodService.exe

O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programme\Viewpoint\Common\ViewpointService.exe
 

--

End of file - 11800 bytes
 

-- Files created between 2008-07-02 and 2008-08-02 -----------------------------
 

2008-07-02 11:24:12         0 d-------- C:\Programme\TiffSplitter

2008-07-02 11:21:24         0 d-------- C:\Programme\MainMedia
 
 

-- Find3M Report ---------------------------------------------------------------
 

2008-08-02 04:56:57         0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\Malwarebytes

2008-08-02 04:06:50         0 d-------- C:\Programme\DivX

2008-08-02 04:06:50         0 d-------- C:\Programme\bfgclient

2008-08-02 04:06:50         0 d-------- C:\Programme\Avanquest update

2008-08-02 03:22:49         0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\Skype

2008-07-26 16:35:29         0 d-------- C:\Programme\Wisdom-soft AutoScreenRecorder Free

2008-07-26 11:39:11         0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\uTorrent

2008-07-24 19:32:06         0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\Adobe

2008-07-06 16:33:47         0 d--h----- C:\Programme\InstallShield Installation Information

2008-07-01 18:56:29         0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\Mozilla

2008-07-01 18:47:36         0 d-------- C:\Programme\ICQ6

2008-07-01 18:47:30         0 d-------- C:\Dokumente und Einstellungen\a\Anwendungsdaten\ICQ

2008-06-21 02:08:13         0 d-------- C:\Programme\AIM6

2008-06-06 22:00:24         0 d-------- C:\Programme\Gemeinsame Dateien

2008-06-06 22:00:24         0 d-------- C:\Programme\Gemeinsame Dateien\PlayOnline

2008-06-06 21:45:50         0 d-------- C:\Programme\PlayOnline

2008-06-06 18:45:36         0 d-------- C:\Programme\Gemeinsame Dateien\buhl data service

2008-06-06 17:18:52         0 d-------- C:\Programme\Gemeinsame Dateien\BioWare

2008-06-05 20:43:50         0 d-------- C:\Programme\Viewpoint
 
 

-- Registry Dump ---------------------------------------------------------------
 

*Note* empty entries & legit default entries are not shown
 
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [19.07.2005 18:32]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [19.07.2006 13:03 C:\WINDOWS\KHALMNPR.Exe]

"Logitech Hardware Abstraction Layer"="C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE" [19.07.2006 13:03]

"P17Helper"="P17.dll" [03.05.2005 19:38 C:\WINDOWS\system32\P17.dll]

"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11.05.2000 01:00]

"AtiPTA"="atiptaxx.exe" [22.02.2006 03:05 C:\WINDOWS\system32\atiptaxx.exe]

"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [12.01.2006 15:40]

"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [25.04.2007 21:05]

"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.01.2008 23:16]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [31.12.2002 14:00]

"AWMON"="D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [25.05.2005 12:12]

"TuneUp MemOptimizer"="D:\TuneUp Utilities 2007\MemOptimizer.exe" [26.04.2007 20:08]

"StartCCC"="C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" []

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [15.01.2007 16:14]
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]

"ICQ Lite"=C:\Programme\ICQLite\ICQLite.exe -trayboot
 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"TuneUp MemOptimizer"="C:\Programme\TuneUp Utilities 2004\MemOptimizer.exe" autostart
 

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\

Logitech SetPoint.lnk - C:\Programme\Logitech\SetPoint\SetPoint.exe [06.01.2007 19:10:51]
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"=0 (0x0)

"ForceClassicControlPanel"=1 (0x1)

"NoRecentDocsHistory"=1 (0x1)

"NoRecentDocsMenu"=1 (0x1)
 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"=0 (0x0)

"ForceClassicControlPanel"=1 (0x1)

"NoRecentDocsHistory"=1 (0x1)

"NoRecentDocsMenu"=1 (0x1)
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=avgrsstx.dll
 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders        msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]

path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk

backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Dokumente und Einstellungen^a^Startmenü^Programme^Autostart^Adobe Gamma.lnk]

path=C:\Dokumente und Einstellungen\a\Startmenü\Programme\Autostart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]

atiptaxx.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

"C:\Programme\DAEMON Tools\daemon.exe" -lang 1033
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

"C:\Programme\ICQLite\ICQLite.exe" -minimize
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Programme\iTunes\iTunesHelper.exe"
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]

C:\Programme\Logitech\Video\ManifestEngine.exe boot
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

C:\Programme\Logitech\Video\ISStart.exe 
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

C:\Programme\Logitech\Video\LogiTray.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Programme\QuickTime\qttask.exe" -atboottime
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"HostManager"=C:\Programme\Gemeinsame Dateien\AOL\1159212728\ee\AOLSoftware.exe

"IPHSend"=C:\Programme\Gemeinsame Dateien\AOL\IPHSend\IPHSend.exe

"MessengerPlus3"="C:\Programme\MessengerPlus! 3\MsgPlus.exe"

"iTunesHelper"="D:\iTunes\iTunesHelper.exe"

"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime

"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

"NeroFilterCheck"=C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe

"FreePDF Assistant"=C:\Programme\FreePDF_XP\fpassist.exe

"AtiPTA"=atiptaxx.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs        BthServ
 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs

UxTuneUp
 
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bdb6542-a1ab-11da-b414-806d6172696f}]

AutoRun\command- E:\ASUSACPI.exe
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98ce8efa-c862-11da-b1ec-0015f23c72ef}]

AutoRun\command- F:\BSAutoRun.exe
 

*Newly Created Service* - GMER

*Newly Created Service* - RKREVEAL150
 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F90F0706-E0C0-EF53-B7E4-CD62C00106D0}]

C:\WINDOWS\system32\winupdt.exe
 
 
 

-- End of Deckard's System Scanner: finished at 2008-08-02 14:40:50 ------------

Wäre euch sehr verbunden wenn mir jemand da weiterhelfen könnte.
Oder hilft da nur eine Formatierung?
An der Hardware vom Router usw. kann es eigentlich nicht liegen denke ich, da der Download auch voll funktioniert.

MfG

Hallo

Wo wurde der shark gefunden? Der shark ist ein Backdoor, d.h. wenn tatsächtlich ein solcher Befall vorliegt ist ein Neuaufsetzen angesagt.

Code:

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F90F0706-E0C0-EF53-B7E4-CD62C00106D0}]

C:\WINDOWS\system32\winupdt.exe

Isses dieser Schnippsel? Werte mal C:\WINDOWS\system32\winupdt.exe bei Virustotal aus und poste die Ergebnisse.

Laß bitte auch mal zusätzlich dieses MBR-Tool durchlaufen und poste die Ausgabe.

Hallo root24

Leider hat Spybot das nicht angezeigt wo er den gefunden hat.
Daher keine Ahnung. Hab die Datei gesucht, gibts aber nicht mehr im system32 Ordner.

Und das Tool liefert dies:

Code:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
 

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

EDIT:

Das hab ich im Spybot Bericht gefunden:

Code:

Win32.Shark.af: [SBI $C9E79D2E] Benutzereinstellungen (Registrierungsdatenbank-Schlüssel, fixed)

  HKEY_USERS\S-1-5-21-507921405-1644491937-725345543-1003\Software\VB and VBA Program Settings\Windows Update

Ok. Da müssen wir weiter in Deinem System stöbern. Dein MBR ist anscheinend ok.

Mach mal bitte Durchläufe mit

1.) Blacklight
2.) Silentrunners
3.) Combofix (Anleitung unten, genau beachten!!!)
4.) Malwarebytes

Und poste die Logfile wieder mit Codetags umschlossen.

Anleitung ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir das Tool hier herunter auf den Desktop -> KLICK

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Blacklight habe ich schon benutzt, hat nichts gefunden.
Silentrunners hab ich nicht zum Laufen bekommen weil das nur ne .vbs Datei war.
Malwarebytes hab ich auch schon gemacht hat 2 Sachen gefunden aber nicht den Shark.
Die 2 anderen kleineren Sachen wurden auch behoben.

Combofix mach ich dann jetzt mal.

Zitat:

Zitat von habla2k (Beitrag 359227)

Silentrunners hab ich nicht zum Laufen bekommen weil das nur ne .vbs Datei war.

Einfach doppelklicken.... :rolleyes:
Wenn das nicht funktioniert solltest Du zumindest die Fehlermeldung posten, sonst kann ich Dir nicht helfen.

Ja lief jetzt auch, Problem vorher war, dass Firefox die vbs Datei geöffnet hat anstatt runterzuladen.
Hier also die Ergebnisse:

Silentrunner:

Code:

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"
 
 

Startup items buried in registry:

---------------------------------
 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"AWMON" = ""D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"" ["Lavasoft Sweden"]

"TuneUp MemOptimizer" = ""D:\TuneUp Utilities 2007\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]

"StartCCC" = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [file not found]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
 

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" [file not found]
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]

"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]

"Logitech Hardware Abstraction Layer" = ""C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE"" ["Logitech Inc."]

"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]

"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]

"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]

"NeroFilterCheck" = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" ["Nero AG"]

"FreePDF Assistant" = "C:\Programme\FreePDF_XP\fpassist.exe" [null data]

"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" [file not found]
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF Reader"

                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"

  -> {HKLM...CLSID} = "AVG Safe Search"

                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Windows Live Anmelde-Hilfsprogramm"

                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"

  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"

  -> {HKLM...CLSID} = "MCLiteShellExt Class"

                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]

"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "Eigene Logitech-Bilder"

  -> {HKLM...CLSID} = "Eigene Logitech-Bilder"

                   \InProcServer32\(Default) = "C:\Programme\Logitech\Video\Namespc2.dll" ["Logitech Inc."]

"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"

  -> {HKLM...CLSID} = "KbLogiExt Class"

                   \InProcServer32\(Default) = "C:\Programme\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]

"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"

  -> {HKLM...CLSID} = "LogiExt Class"

                   \InProcServer32\(Default) = "C:\Programme\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Outlook File Icon Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"

  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"

                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"

  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"

                   \InProcServer32\(Default) = "D:\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]

"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"

  -> {HKLM...CLSID} = "TuneUp Theme Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]

"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"

  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"

                   \InProcServer32\(Default) = "C:\Programme\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

  -> {HKLM...CLSID} = "Meine freigegebenen Ordner"

                   \InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {HKLM...CLSID} = "iTunes"

                   \InProcServer32\(Default) = "D:\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
 

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\

<<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"
 

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]
 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"

                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"

  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"

                   \InProcServer32\(Default) = "C:\Programme\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

DaemonShellExtImage\(Default) = "{40966797-8FFE-46C8-9EF8-7003F33CCF0F}"

  -> {HKLM...CLSID} = "DaemonShellExtImage Class"

                   \InProcServer32\(Default) = "D:\DAEMON Tools Pro\imgshl32.dll" ["DT Soft Ltd."]

ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"

  -> {HKLM...CLSID} = "MCLiteShellExt Class"

                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]

TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"

  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"

                   \InProcServer32\(Default) = "D:\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"

  -> {HKLM...CLSID} = "MCLiteShellExt Class"

                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]

TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"

  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"

                   \InProcServer32\(Default) = "D:\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"

                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

  -> {HKLM...CLSID} = "MBAMShlExt Class"

                   \InProcServer32\(Default) = "D:\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
 

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

  -> {HKLM...CLSID} = "MBAMShlExt Class"

                   \InProcServer32\(Default) = "D:\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
 
 

Default executables:

--------------------
 

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"

<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]
 
 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------
 

Note: detected settings may not have any effect.
 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 

"NoCDBurning" = (REG_DWORD) dword:0x00000001

{unrecognized setting}
 

"NoSMBalloonTip" = (REG_DWORD) dword:0x00000000

{unrecognized setting}
 

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001

{unrecognized setting}
 

"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001

{unrecognized setting}
 

"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001

{unrecognized setting}
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}
 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}
 

"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001

{unrecognized setting}
 
 

Active Desktop and Wallpaper:

-----------------------------
 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Dokumente und Einstellungen\a\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
 
 

Windows Portable Device AutoPlay Handlers

-----------------------------------------
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
 

ImgBurnCDBurningOnArrival_BuildImage\

"Provider" = "ImgBurn"

"InvokeProgID" = "ImgBurn.AutoPlay.1"

"InvokeVerb" = "HandleCDBurningOnArrival_BuildImage"

HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOBUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
 

ImgBurnCDBurningOnArrival_BurnImage\

"Provider" = "ImgBurn"

"InvokeProgID" = "ImgBurn.AutoPlay.1"

"InvokeVerb" = "HandleCDBurningOnArrival_BurnImage"

HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOWRITE /DEST "%1"" ["LIGHTNING UK!"]
 

ImgBurnDVDBurningOnArrival_BuildImage\

"Provider" = "ImgBurn"

"InvokeProgID" = "ImgBurn.AutoPlay.1"

"InvokeVerb" = "HandleDVDBurningOnArrival_BuildImage"

HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOBUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
 

ImgBurnDVDBurningOnArrival_BurnImage\

"Provider" = "ImgBurn"

"InvokeProgID" = "ImgBurn.AutoPlay.1"

"InvokeVerb" = "HandleDVDBurningOnArrival_BurnImage"

HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOWRITE /DEST "%1"" ["LIGHTNING UK!"]
 

iTunesBurnCDOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.BurnCD"

"InvokeVerb" = "burn"

HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""D:\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]
 

iTunesImportSongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.ImportSongsOnCD"

"InvokeVerb" = "import"

HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""D:\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]
 

iTunesPlaySongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.PlaySongsOnCD"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""D:\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]
 

iTunesShowSongsOnArrival\

"Provider" = "iTunes"

"InvokeProgID" = "iTunes.ShowSongsOnCD"

"InvokeVerb" = "showsongs"

HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""D:\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]
 

LogitechQuickSync\

"Provider" = "Logitech QuickSync"

"InvokeProgID" = "Applications\QSync.exe"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\Applications\QSync.exe\shell\open\command\(Default) = "C:\Programme\Logitech\Video\QSync.exe" ["Logitech Inc."]
 

MSWPDShellNamespaceHandler\

"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = " "

  -> {HKLM...CLSID} = "WPDShextAutoplay"

                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]
 

NeroAutoPlay7AudioToNeroDigital\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]
 

NeroAutoPlay7CDAudio\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe -w /New:AudioCD" ["Nero AG"]
 

NeroAutoPlay7CopyCD\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]
 

NeroAutoPlay7DataDisc\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "DataDisc_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\DataDisc_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe -w /New:ISODisc" ["Nero AG"]
 

NeroAutoPlay7LaunchNeroStartSmart\

"Provider" = "Nero StartSmart"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "LaunchNeroStartSmart_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]
 

NeroAutoPlay7PlayAudioCD\

"Provider" = "Nero ShowTime"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]
 

NeroAutoPlay7PlayDVD\

"Provider" = "Nero ShowTime"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]
 

NeroAutoPlay7RipCD\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]
 

NeroAutoPlay7TranscodeVideo\

"Provider" = "Nero Recode"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]
 

NeroAutoPlay7VideoCapture\

"Provider" = "Nero Vision"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Programme\Nero\Nero 7\Nero Vision\NeroVision.exe" /New:VideoCapture"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"

                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
 

NeroAutoPlay7ViewPhotos\

"Provider" = "Nero PhotoSnap Viewer"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]
 

RPCDBurningOnArrival\

"Provider" = "RealPlayer"

"InvokeProgID" = "RealPlayer.CDBurn.6"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]
 

RPDeviceOnArrival\

"Provider" = "RealPlayer"

"ProgID" = "RealPlayer.HWEventHandler"

HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"

  -> {HKLM...CLSID} = "RealNetworks Scheduler"

                   \LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]
 

RPPlayCDAudioOnArrival\

"Provider" = "RealPlayer"

"InvokeProgID" = "RealPlayer.AudioCD.6"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /play %1 " ["RealNetworks, Inc."]
 

RPPlayDVDMovieOnArrival\

"Provider" = "RealPlayer"

"InvokeProgID" = "RealPlayer.DVD.6"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /dvd %1 " ["RealNetworks, Inc."]
 

RPPlayMediaOnArrival\

"Provider" = "RealPlayer"

"InvokeProgID" = "RealPlayer.AutoPlay.6"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]
 

VLCPlayCDAudioOnArrival\

"Provider" = "VideoLAN VLC media player"

"InvokeProgID" = "VLC.CDAudio"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]
 

VLCPlayDVDMovieOnArrival\

"Provider" = "VideoLAN VLC media player"

"InvokeProgID" = "VLC.DVDMovie"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]
 

WinampMTPHandler\

"Provider" = "Winamp"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = "D:\Winamp\winamp.exe"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"

                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
 
 

Startup items in "Ryan" & "All Users" startup folders:

------------------------------------------------------
 

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart

"Logitech SetPoint" -> shortcut to: "C:\Programme\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
 
 

Enabled Scheduled Tasks:

------------------------
 

"1-Klick-Wartung" -> launches: "D:\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
 
 

Winsock2 Service Provider DLLs:

-------------------------------
 

Namespace Service Providers
 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
 

Transport Service Providers
 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Sorry wegen Doppelpost aber die Logs sind zu groß und passen nicht in einen Beitrag:

Teil 2:

Code:

Toolbars, Explorer Bars, Extensions:

------------------------------------
 

Explorer Bars
 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]
 

Extensions (Tools menu items, main toolbar menu buttons)
 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Konsole"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in"

                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"

                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"
 

{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\

"ButtonText" = "PartyPoker.com"

"MenuText" = "PartyPoker.com"

"Exec" = "D:\PartyGaming\PartyPoker\RunApp.exe" [empty string]
 

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\

"ButtonText" = "ICQ Lite"

"MenuText" = "ICQ Lite"

"Exec" = "C:\Programme\ICQLite\ICQLite.exe" [file not found]
 

{E59EB121-F339-4851-A3BA-FE49C35617C2}\

"ButtonText" = "ICQ6"

"MenuText" = "ICQ6"

"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]
 

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\

"ButtonText" = "Yahoo! Messenger"

"MenuText" = "Yahoo! Messenger"

"Exec" = "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]
 

{F4430FE8-2638-42E5-B849-800749B94EED}\

"ButtonText" = "PartyPoker.net"

"MenuText" = "PartyPoker.net"

"Exec" = "D:\PartyGaming.Net\PartyPokerNet\RunPF.exe" [file not found]
 
 

Miscellaneous IE Hijack Points

------------------------------
 

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\

<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]
 
 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------
 

Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

AVG8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}

Capture Device Service, Capture Device Service, ""C:\Programme\Gemeinsame Dateien\InterVideo\DeviceService\DevSvc.exe"" ["InterVideo Inc."]

Messenger USN Journal Reader-Service für freigegebene Ordner, usnjsvc, ""C:\Programme\Windows Live\Messenger\usnsvc.exe"" [MS]

NMIndexingService, NMIndexingService, ""C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]

O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]

TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}

Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Programme\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]
 
 

Print Monitors:

---------------
 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Redirected Port\Driver = "redmonnt.dll" [null data]
 
 

---------- (launch time: 2008-08-02 16:24:19)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.
 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 35 seconds, including 11 seconds for message boxes)

Combofix:

Code:

ComboFix 08-08-01.04 - Ryan 2008-08-02 16:32:59.1 - NTFSx86

Microsoft Windows XP Professional  5.1.2600.2.1252.1.1031.18.1356 [GMT 2:00]

ausgeführt von:: C:\Dokumente und Einstellungen\a\Desktop\ComboFix.exe

 * Neuer Wiederherstellungspunkt wurde erstellt
 
 Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!

.
  ADS - svchost.exe: deleted 68 bytes in 1 streams. 
 

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))

.
 

C:\Dokumente und Einstellungen\a\new.txt
 

.

(((((((((((((((((((((((   Dateien erstellt von 2008-07-02 bis 2008-08-02  ))))))))))))))))))))))))))))))

.
 

2008-08-02 14:08 . 2008-08-02 14:08        250        --a------        C:\WINDOWS\gmer.ini

2008-08-02 04:56 . 2008-08-02 04:56        <DIR>        d--------        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes

2008-08-02 04:56 . 2008-08-02 04:56        <DIR>        d--------        C:\Dokumente und Einstellungen\a\Anwendungsdaten\Malwarebytes

2008-08-02 04:56 . 2008-07-30 20:07        38,472        --a------        C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2008-08-02 04:56 . 2008-07-30 20:07        17,144        --a------        C:\WINDOWS\system32\drivers\mbam.sys

2008-08-02 04:47 . 2008-08-02 04:47        <DIR>        d--------        C:\Deckard

2008-08-01 11:31 . 2008-08-02 02:12        23,552        --ahs----        C:\WINDOWS\system32\Thumbs.db

2008-07-21 20:20 . 2008-03-05 15:56        3,786,760        --a------        C:\WINDOWS\system32\D3DX9_37.dll

2008-07-21 20:20 . 2007-10-12 15:14        3,734,536        --a------        C:\WINDOWS\system32\d3dx9_36.dll

2008-07-21 20:20 . 2008-03-05 15:56        1,420,824        --a------        C:\WINDOWS\system32\D3DCompiler_37.dll

2008-07-21 20:20 . 2007-10-12 15:14        1,374,232        --a------        C:\WINDOWS\system32\D3DCompiler_36.dll

2008-07-21 20:20 . 2008-03-05 16:03        479,752        --a------        C:\WINDOWS\system32\XAudio2_0.dll

2008-07-21 20:20 . 2008-02-05 23:07        462,864        --a------        C:\WINDOWS\system32\d3dx10_37.dll

2008-07-21 20:20 . 2007-10-02 09:56        444,776        --a------        C:\WINDOWS\system32\d3dx10_36.dll

2008-07-21 20:20 . 2007-10-22 03:39        267,272        --a------        C:\WINDOWS\system32\xactengine2_10.dll

2008-07-21 20:20 . 2008-03-05 16:03        238,088        --a------        C:\WINDOWS\system32\xactengine3_0.dll

2008-07-21 20:20 . 2008-03-05 16:00        25,608        --a------        C:\WINDOWS\system32\X3DAudio1_3.dll

2008-07-02 11:24 . 2008-07-02 11:24        <DIR>        d--------        C:\Programme\TiffSplitter

2008-07-02 11:21 . 2008-07-02 11:21        <DIR>        d--------        C:\Programme\MainMedia
 

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-08-02 14:29        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy

2008-08-02 02:06        ---------        d-----w        C:\Programme\DivX

2008-08-02 02:06        ---------        d-----w        C:\Programme\bfgclient

2008-08-02 02:06        ---------        d-----w        C:\Programme\Avanquest update

2008-08-02 01:22        ---------        d-----w        C:\Dokumente und Einstellungen\a\Anwendungsdaten\Skype

2008-07-26 14:35        ---------        d-----w        C:\Programme\Wisdom-soft AutoScreenRecorder Free

2008-07-26 09:39        ---------        d-----w        C:\Dokumente und Einstellungen\a\Anwendungsdaten\uTorrent

2008-07-18 17:20        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help

2008-07-06 14:33        ---------        d--h--w        C:\Programme\InstallShield Installation Information

2008-07-04 07:09        96,520        ----a-w        C:\WINDOWS\system32\drivers\avgldx86.sys

2008-07-04 07:09        10,520        ----a-w        C:\WINDOWS\system32\avgrsstx.dll

2008-07-01 16:47        ---------        d-----w        C:\Programme\ICQ6

2008-07-01 16:47        ---------        d-----w        C:\Dokumente und Einstellungen\a\Anwendungsdaten\ICQ

2008-06-21 00:08        ---------        d-----w        C:\Programme\AIM6

2008-06-20 17:39        247,296        ----a-w        C:\WINDOWS\system32\mswsock.dll

2008-06-20 10:45        360,320        ----a-w        C:\WINDOWS\system32\drivers\tcpip.sys

2008-06-20 10:44        138,368        ----a-w        C:\WINDOWS\system32\drivers\afd.sys

2008-06-20 09:52        225,920        ----a-w        C:\WINDOWS\system32\drivers\tcpip6.sys

2008-06-14 17:57        273,024        ----a-w        C:\WINDOWS\system32\drivers\bthport.sys

2008-06-06 20:00        ---------        d-----w        C:\Programme\Gemeinsame Dateien\PlayOnline

2008-06-06 19:45        ---------        d-----w        C:\Programme\PlayOnline

2008-06-06 16:45        ---------        d-----w        C:\Programme\Gemeinsame Dateien\buhl data service

2008-06-06 15:44        107,888        ----a-w        C:\WINDOWS\system32\CmdLineExt.dll

2008-06-06 15:18        ---------        d-----w        C:\Programme\Gemeinsame Dateien\BioWare

2008-06-05 18:45        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL OCP

2008-06-05 18:43        ---------        d-----w        C:\Programme\Viewpoint

2008-06-05 18:43        ---------        d-----w        C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Viewpoint

2008-05-07 05:14        1,293,312        ----a-w        C:\WINDOWS\system32\quartz.dll

.
 

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

REGEDIT4

*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00 15360]

"AWMON"="D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 12:12 517632]

"TuneUp MemOptimizer"="D:\TuneUp Utilities 2007\MemOptimizer.exe" [2007-04-26 20:08 313352]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14 147456]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]

"Logitech Hardware Abstraction Layer"="C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 13:03 94208]

"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]

"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]

"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-04-25 21:05 311296]

"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 13:03 94208 C:\WINDOWS\KHALMNPR.Exe]

"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]

"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 14:00 15360]
 

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\

Logitech SetPoint.lnk - C:\Programme\Logitech\SetPoint\SetPoint.exe [2007-01-06 19:10:51 671744]
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"= 0 (0x0)

"ForceClassicControlPanel"= 1 (0x1)
 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMBalloonTip"= 0 (0x0)

"ForceClassicControlPanel"= 1 (0x1)
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.DIVF"= DivX412.dll
 

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]

path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk

backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup
 

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^a^Startmenü^Programme^Autostart^Adobe Gamma.lnk]

path=C:\Dokumente und Einstellungen\a\Startmenü\Programme\Autostart\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]

--a------ 2005-06-08 15:44 196608 C:\Programme\Logitech\Video\ManifestEngine.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]

--a------ 2005-06-08 16:24 458752 C:\Programme\Logitech\Video\ISStart.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]

--a------ 2005-06-08 16:14 217088 C:\Programme\Logitech\Video\LogiTray.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-06-29 06:24 286720 C:\Programme\QuickTime\QTTask.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2005-11-10 14:03 36975 C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]

--a------ 2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

--a------ 2004-11-15 12:20 77824 C:\WINDOWS\SOUNDMAN.EXE
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"HostManager"=C:\Programme\Gemeinsame Dateien\AOL\1159212728\ee\AOLSoftware.exe

"IPHSend"=C:\Programme\Gemeinsame Dateien\AOL\IPHSend\IPHSend.exe

"MessengerPlus3"="C:\Programme\MessengerPlus! 3\MsgPlus.exe"

"iTunesHelper"="D:\iTunes\iTunesHelper.exe"

"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime

"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

"NeroFilterCheck"=C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe

"FreePDF Assistant"=C:\Programme\FreePDF_XP\fpassist.exe

"AtiPTA"=atiptaxx.exe
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Programme\\NetMeeting\\conf.exe"=

"D:\\Steam\\SteamApps\\son-goku@cs-maddogs.de\\counter-strike\\hl.exe"=

"D:\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

"C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"C:\\Programme\\Yahoo!\\Messenger\\YServer.exe"=

"C:\\Programme\\Gemeinsame Dateien\\AOL\\Loader\\aolload.exe"=

"C:\\Programme\\Gemeinsame Dateien\\AOL\\1159212728\\ee\\aolsoftware.exe"=

"C:\\Programme\\Gemeinsame Dateien\\AOL\\1159212728\\ee\\aim6.exe"=

"D:\\mIRC\\mirc.exe"=

"C:\\Programme\\Mozilla Firefox\\firefox.exe"=

"C:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Programme\\Gemeinsame Dateien\\Ahead\\Nero Web\\SetupX.exe"=

"D:\\downloads\\utorrent.exe"=

"D:\\iTunes\\iTunes.exe"=

"C:\\Programme\\Motorola\\Software Update\\msu.exe"=

"D:\\eMule\\emule.exe"=

"D:\\Codemasters\\Der Herr der Ringe Online\\lotroclient.exe"=

"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=

"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"=

"C:\\Programme\\AVG\\AVG8\\avgupd.exe"=

"D:\\Mass Effect\\Binaries\\MassEffect.exe"=

"D:\\Mass Effect\\MassEffectLauncher.exe"=

"C:\\Programme\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=

"C:\\Programme\\ICQ6\\ICQ.exe"=

"D:\\Skype\\Phone\\Skype.exe"=
 

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 09:09]

R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 09:09]

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 13:32]

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-03-11 13:58]

R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2002-12-31 14:00]

R2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [2004-11-14 13:01]

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Programme\Viewpoint\Common\ViewpointService.exe [2007-01-04 23:38]

S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys []

S3 npkycryp;npkycryp;D:\RO\npkycryp.sys []

S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [2006-03-20 18:34]

S3 scramby_out;Scramby Output;C:\WINDOWS\system32\drivers\scramby_out.sys [2007-08-08 09:31]

S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys []

S3 xlink;XLINK Driver (xlink.sys);C:\WINDOWS\system32\Drivers\xlink.sys [2003-01-31 19:41]
 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs

UxTuneUp
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bdb6542-a1ab-11da-b414-806d6172696f}]

\Shell\AutoRun\command - E:\ASUSACPI.exe
 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98ce8efa-c862-11da-b1ec-0015f23c72ef}]

\Shell\AutoRun\command - F:\BSAutoRun.exe
 

*Newly Created Service* - CATCHME

*Newly Created Service* - GMER

*Newly Created Service* - MBR

*Newly Created Service* - PROCEXP90

*Newly Created Service* - RKREVEAL150
 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F90F0706-E0C0-EF53-B7E4-CD62C00106D0}]

C:\WINDOWS\system32\winupdt.exe

.

Inhalt des "geplante Tasks" Ordners
 

2008-08-01 C:\WINDOWS\Tasks\1-Klick-Wartung.job

- D:\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-26 20:08]
 

2008-05-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2007-07-25 13:15]

.

- - - - Entfernte verwaiste Registrierungseinträge - - - -
 

HKCU-Run-StartCCC - C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

HKLM-Run-AVG7_CC - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

HKU-Default-Run-TuneUp MemOptimizer - C:\Programme\TuneUp Utilities 2004\MemOptimizer.exe

MSConfigStartUp-DAEMON Tools - C:\Programme\DAEMON Tools\daemon.exe

MSConfigStartUp-ICQ Lite - C:\Programme\ICQLite\ICQLite.exe

MSConfigStartUp-iTunesHelper - C:\Programme\iTunes\iTunesHelper.exe
 
 

.

------- Zusätzlicher Scan -------

.

FireFox -: Profile - C:\Dokumente und Einstellungen\a\Anwendungsdaten\Mozilla\Firefox\Profiles\0by4rerz.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.de/ig?hl=de

FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll

FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava11.dll

FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava12.dll

FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava13.dll

FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava14.dll

FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava32.dll

FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJPI150_06.dll

FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPOJI610.dll

FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npitunes.dll

FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npunagi2.dll

FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npViewpoint.dll

FF -: plugin - C:\Programme\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF -: plugin - C:\Programme\Yahoo!\Shared\npYState.dll

FF -: plugin - D:\DivX\DivX Content Uploader\npUpload.dll

FF -: plugin - D:\DivX\DivX Player\npDivxPlayerPlugin.dll

FF -: plugin - D:\DivX\DivX Web Player\npdivx32.dll
 
 

**************************************************************************
 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-08-02 16:34:00

Windows 5.1.2600 Service Pack 2 NTFS
 

Scanne versteckte Prozesse...
 

Scanne versteckte Autostart Einträge...
 

Scanne versteckte Dateien...
 

Scan erfolgreich abgeschlossen

versteckte Dateien: 0
 

**************************************************************************

.

Zeit der Fertigstellung: 2008-08-02 16:34:45

ComboFix-quarantined-files.txt  2008-08-02 14:34:30
 

Pre-Run: 5,237,829,632 Bytes frei

Post-Run: 5,225,406,464 Bytes frei
 

234        --- E O F ---        2008-07-18 17:20:31

Code:

C:\WINDOWS\system32\SVKP.sys

D:\RO\npkycryp.sys

C:\WINDOWS\system32\drivers\scramby_out.sys

C:\WINDOWS\system32\drivers\ScreamingBAudio.sys

Bitte mal zur Sicherheit bei virustotal.com auswerten lassen und alle Ergebnisse inkl. Dateigrößen und Prüfsummen posten!

Zitat:

C:\Programme\Java\jre1.5.0_06

Bitte dringends (!!) deinstallieren und die aktuelle Version einspielen!

ok also hier die dateien:

SVKP.sys:

Code:

AhnLab-V3        2008.7.29.1        2008.08.02        -

AntiVir        7.8.1.15        2008.08.01        -

Authentium        5.1.0.4        2008.08.01        -

Avast        4.8.1195.0        2008.08.02        -

AVG        8.0.0.156        2008.08.01        -

BitDefender        7.2        2008.08.02        -

CAT-QuickHeal        9.50        2008.08.02        TrojanSpy.Joiner.av

ClamAV        0.93.1        2008.08.02        -

DrWeb        4.44.0.09170        2008.08.02        -

eSafe        7.0.17.0        2008.07.29        -

eTrust-Vet        31.6.6002        2008.08.02        -

Ewido        4.0        2008.08.02        -

F-Prot        4.4.4.56        2008.08.01        -

F-Secure        7.60.13501.0        2008.08.02        -

Fortinet        3.14.0.0        2008.08.02        -

GData        2.0.7306.1023        2008.08.02        -

Ikarus        T3.1.1.34.0        2008.08.02        -

K7AntiVirus        7.10.402        2008.08.02        Backdoor.Win32.Hupigon.cvky

Kaspersky        7.0.0.125        2008.08.02        -

McAfee        5352        2008.08.01        -

Microsoft        1.3807        2008.08.02        -

NOD32v2        3318        2008.08.01        -

Norman        5.80.02        2008.08.01        -

Panda        9.0.0.4        2008.08.02        -

PCTools        4.4.2.0        2008.08.02        -

Prevx1        V2        2008.08.02        -

Rising        20.55.42.00        2008.08.02        -

Sophos        4.31.0        2008.08.02        -

Sunbelt        3.1.1537.1        2008.08.01        -

Symantec        10        2008.08.02        -

TheHacker        6.2.96.391        2008.07.31        -

TrendMicro        8.700.0.1004        2008.08.01        -

VBA32        3.12.8.2        2008.08.02        -

ViRobot        2008.8.1.1321        2008.08.01        Trojan.Win32.Joiner.2368

VirusBuster        4.5.11.0        2008.08.02        -

Webwasher-Gateway        6.6.2        2008.08.02        -

weitere Informationen

File size: 2368 bytes

MD5...: f05028b163b92c302a74409d683ac9b0

SHA1..: 74a943b9f3bf63f8de5c3175f96366b24a661067

SHA256: c43a744c18d12b8214e75f67c557974564f24ec318807bbe796b26619fce7154

SHA512: 6b03105a7ea5ae7ddd88ec83a4fbd12e495bbc21ab90484cfadf178583771ee9

a059823500b3d2c485600d0bc3b2455144ef5ffc651b44566c7f1b737a5d2cb5

PEiD..: -

PEInfo: PE Structure information
 

( base data )

entrypointaddress.: 0x1043c

timedatestamp.....: 0x3e6cafde (Mon Mar 10 15:31:42 2003)

machinetype.......: 0x14c (I386)
 

( 5 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x2a0 0x110 0x120 5.12 7dad7d6ca221d6725388d90f719d0c20

.data 0x3c0 0x28 0x40 1.74 e741cf2e01e1bea59fcfd4a89d4358ad

INIT 0x400 0x18a 0x1a0 5.03 7b36305b5ff4cad3eeaca307bbb0fd60

.rsrc 0x5a0 0x350 0x360 3.18 46fab0e7c9b34889fdfead1c6e17eae8

.reloc 0x900 0x34 0x40 3.39 a963ac053cb6e23a9fbf797befe868bb
 

( 1 imports )

> ntoskrnl.exe: IoCreateDevice, IoCreateSymbolicLink, IoDeleteDevice, IoDeleteSymbolicLink, RtlInitUnicodeString, IoCompleteRequest
 

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=f05028b163b92c302a74409d683ac9b0

npkycryp.sys:
gibts nicht oder nichtmehr

scramby_out.sys:
nichts gefunden

File size: 23840 bytes
MD5...: ccb29acf557f7172367647b30fd21dbe
SHA1..: 854494bfdef1e64fd9182a0cf71e561d91f147b8
SHA256: af06d24a6908f9933597f436b743bbccce63618e2c715a4df4c054039f1c0341
SHA512: cfde7bf5cff79b04a4973c2b947058f3bc283e8510737ec75ca41b26e0ca67e1
a3c75da81399da9f00b5abbe791a45a84057928c97baa9a34e7afdc0d9c093f1
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x137c7
timedatestamp.....: 0x46b87f8f (Tue Aug 07 14:19:59 2007)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0xd98 0xe00 5.79 8b5a25e9311cf8ed17e99c89812b5367
.rdata 0x1280 0x627 0x680 5.59 a1369f461d679fdacf7001a2bdeeea39
.data 0x1900 0x670 0x680 2.64 cf11092ac8b0651f9af4ed4d17b8d53e
PAGE 0x1f80 0x17d6 0x1800 6.24 8ae4b2ef80a88a88b674626578980c3c
INIT 0x3780 0x3ea 0x400 5.37 7d646d5a3301861fbee0a90c94660690
.rsrc 0x3b80 0x440 0x480 3.16 11831da9775e0c0756548e339c96f4d9
.reloc 0x4000 0x2dc 0x300 5.79 35bd7704bcb40b3f98225fe69d5002a7

( 2 imports )
> ntoskrnl.exe: ExFreePool, IofCompleteRequest, ExAllocatePoolWithTag, KeQueryInterruptTime, KeInitializeMutex, _purecall, KeCancelTimer, _alldiv, _allmul, KeSetTimerEx, KeInitializeTimerEx, KeInitializeDpc, KeReleaseMutex, KeWaitForSingleObject, IoDeleteSymbolicLink, IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, IoDeleteDevice, KeTickCount, RtlAssert, InterlockedIncrement, InterlockedDecrement
> portcls.sys: PcRegisterPhysicalConnection, PcRegisterAdapterPowerManagement, PcDispatchIrp, PcAddAdapterDevice, PcInitializeAdapterDriver, PcNewServiceGroup, PcNewMiniport, PcRegisterSubdevice, PcNewPort

( 0 exports )

ScreamingBAudio.sys:
gibts nicht oder nichtmehr

das mit der JRE wird erledigt

Löschen wir die beiden Objekte mit dem Avenger. Sind die wirklich nicht vorhanden wird der Avenger das protokollieren:

Anleitung Avenger (by swandog46)

Lade dir das Tool Avenger und speichere es auf dem Desktop:

Doppelklick auf das Avenger-Symbol http://saved.im/mzi3ntr4adf5/trert.jpg

Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"

Code:

files to delete:

C:\WINDOWS\system32\SVKP.sys

D:\RO\npkycryp.sys
 

folders to delete:

D:\RO

http://saved.im/mzi3ndg3nta0/aven.jpg

Schliesse nun alle Programme und Browser-Fenster

Um den Avenger zu starten klicke auf -> Execute
Dann bestätigen mit "Yes" das der Rechner neu startet

Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt

Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

ok ergebnis:

Code:

Logfile of The Avenger Version 2.0, (c) by Swandog46

http://swandog46.geekstogo.com
 

Platform:  Windows XP
 

*******************
 

Script file opened successfully.

Script file read successfully.
 

Backups directory opened successfully at C:\Avenger
 

*******************
 

Beginning to process script file:
 

Rootkit scan active.

No rootkits found!
 

File "C:\WINDOWS\system32\SVKP.sys" deleted successfully.
 

Error:  file "D:\RO\npkycryp.sys" not found!

Deletion of file "D:\RO\npkycryp.sys" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

  --> the object does not exist
 

Folder "D:\RO" deleted successfully.
 

Completed script processing.
 

*******************
 

Finished!  Terminate.

Situation hat sich übrigens nach wie vor nich geändert.
Bei speedtests, kein oder nahezu kein Upload.

Mir ist eben nach dem Reboot aufgefallen dass kurz das Auto-Update von Windows an war zumindest das Symbol da war aber direkt wieder weg und hat nichts getan. Ist das Normal?
Und eben hat der Rechner angefangen zu rattern da hab ich mir dir Prozesse angesehen und eine cmd.exe sowie einezip.exe gesehen.
Diese Prozesse sind nun aber auch schonwieder weg und scheinbar auch nirgends zu finden.

Zitat:

Zitat von habla2k (Beitrag 359289)

Situation hat sich übrigens nach wie vor nich geändert.
Bei speedtests, kein oder nahezu kein Upload.

Wenn Du *nix* machst....blinken die Traffic-LEDs vom Modem/Router trotzdem?

Zitat:

Mir ist eben nach dem Reboot aufgefallen dass kurz das Auto-Update von Windows an war zumindest das Symbol da war aber direkt wieder weg und hat nichts getan. Ist das Normal?

Besuch mal manuell die Windows-Updateseite mit dem IE.

Zitat:

Und eben hat der Rechner angefangen zu rattern da hab ich mir dir Prozesse angesehen und eine cmd.exe sowie einezip.exe gesehen.
Diese Prozesse sind nun aber auch schonwieder weg und scheinbar auch nirgends zu finden.

Die müßten vom avenger gewesen sein. Der erstellt nämlich gezippte Backups der gelöschten Objekte, dazu benutzt er m.W. die zip.exe.

Nein wenn ich nichts tue, werden weder Pakete gesendet im Verbindungsstatus, noch blinkt der Router oder das Modem.

Alles sehr seltsam, vielleicht doch ein Verbdinungsporblem?
Ich werde morgen die Upload speedtests mal vom anderen Rechner aus versuchen und mal sehen ob das Rechner abhängig ist das Problem.

So neue Erkenntnisse, scheinbar liegt es am Router, habe nämlich eben mal den Rechner direkt am Modem angeschlossen und da läuft alles super.