Trojaner-Board - Vundo.FUL.9a und CryptX.Pack.Gen

Trojaner-Board (https://www.trojaner-board.de/)

- Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)

- - Vundo.FUL.9a und CryptX.Pack.Gen (https://www.trojaner-board.de/65306-vundo-ful-9a-cryptx-pack-gen.html)

Vundo.FUL.9a und CryptX.Pack.Gen

Hallo Forum,

habe mir letzte Woche die Trojaner CryptXPACK.Gen und Vundo.FUL.9a eingefangen.

Nach einer Systemprüfung mit AntiVir mit Löschen wurden lt. Protokoll des AntiVir 2 Dateien gelöscht:

C:\System Volume \ Information \ _restore {63542A00....\ A0040740.dll
Vundo.FUL.9a gelöscht

C:\Dokumente und Einstellungen\Uwe\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ HE.. \[0[1].gif
CryptXPACK.Gen gelöscht

(habe mir die Pfade nicht vollständig aufgeschrieben, wenn gebraucht hole ich es nach)

Die AntiVir Guard meldet den VUndo.FUL.9a weiter.

Habe nun lt. Anleitung in diesem Forum Folgendes durchgeführt:

1. den CCleaner laufen lassen

2. mit Avenger gelöscht (im abgesicherten Modus):

C:\Windows\system32\.066e7b2a4429443c\066e7b2a4429443c.exe

(exe für core.dll)

Avenger meldet ... deleted succesfully.

3. Die Einträge in der Registry gelöscht. Ein Ordner mit dem Name 066e7...
war unter ... ControlSet001 und ... ControlSet003.

Der nächste Scan mit AntiVir findet den Vundo.FUL.9a immer noch. Diesmal
hat die Datei die Endung "VIR", also

C:\Windows\system32\.0066e7b2a4429443c\066e7b2a4429443c.core.VIR

Die Datei kann mit AntiVir gelöscht werden, im Protokoll des AntiVir steht
.. Datei gelöscht.

Zwei weitere Scans mit AntiVir (einer im abgesicherten Modus) melden
"Kein Fund".

Sind die Trojaner jetzt tatsächlich weg? Gibt es einen Onlinescan mit dem ich eine zuverlässliche Prüfung durchführen kann?

Mit freundlichen Grüßen
Guenter_V

Hallo und :hallo:

Acker diese Punkte für weitere Analysen ab:

1.) Poste ein (neues) Hijackthis Logfile, nimm dazu diese umbenannte hijackthis.exe - editiere die Links und privaten Infos!!

2.) Deaktiviere die Systemwiederherstellung, im Verlauf der Infektion wurden auch Malwaredateien in Wiederherstellungspunkten mitgesichert - die sind alle nun unbrauchbar, da ein Zurücksetzen des System durch einen Wiederherstellungspunkt das System wahrscheinlich wieder infizieren würde.

3.) Führe dieses MBR-Tool aus und poste die Ausgabe

4.) Blacklight und Malwarebytes Antimalware ausführen und Logfiles posten. Vor dem Ausführen von Malwarebytes den Wächter Deines Virenscanners abschalten!!

5.) Führe Silentrunners nach dieser Anleitung aus und poste das Logfile (mit Codetags umschlossen), falls es zu groß sein sollte kannst Du es (gezippt) bei file-upload.net hochladen und hier verlinken.

6.) ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

Lade dir das Tool hier herunter auf den Desktop -> KLICK

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so:

HTML-Code:

[code] Hier das Logfile rein! [/code]

7.) Mach auch ein Filelisting mit diesem script:

Script abspeichern per Rechtsklick, speichern unter auf dem Desktop
Doppelklick auf listing8.cmd auf dem Desktop
nach kurzer Zeit erscheint eine listing.txt auf dem Desktop

Diese listing.txt z.B. bei File-Upload.net hochladen und hier verlinken, da dieses Logfile zu groß fürs Board ist.

Danke für die Antwort.

Eine Scan mit einem Onlinescanner wie z.B. von PandaSecurity hilft also nicht?

Muß ich wirklich all die oben genannten Protokolle erstellen und auswerten?

Gruß
Guenter_V

Ja, einfach die Liste abackern.

Versuche die Liste abzuarbeiten, scheitere aber schon bei Punkt 1:

Das Herunterladen von HJT (egal ob Version als Installer, als zip-Datei oder als ausführbare Datei) stoppt nach 99%.

Beim Herunterladen über den LINK "diese umbenannte hijackthis.exe" wird die Datei qlketzd.com heruntergeladen. Beim Ausführen erhalte ich die Fehlermeldung: .. ist keine Win32 Anwendung.

Gruß

hi,
kannst vllt hier noch versuchen highjackthis zu laden (als prüfung.com)

http://www.trojaner-board.de/51130-anleitung-hijackthis.html

lg

Hallo,

nachdem ich PandaSecurity abgeschaltet habe, konnte ich HJ T runterladen.

Hier das erstellte LOG-File:

Code:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:34:50, on 05.12.2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal
 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Programme\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\eEBSVC.exe

C:\Programme\AntiVir PersonalEdition Premium\sched.exe

C:\Programme\AntiVir PersonalEdition Premium\avguard.exe

C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Programme\AntiVir PersonalEdition Premium\avesvc.exe

C:\Programme\Bonjour\mDNSResponder.exe

C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe

C:\Programme\Norton GoBack\GBPoll.exe

C:\WINDOWS\system32\svchost.exe

C:\Programme\AntiVir PersonalEdition Premium\avmailc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Programme\QuickTime\QTTask.exe

C:\Programme\Synaptics\SynTP\SynTPLpr.exe

C:\Programme\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Programme\CyberLink\PowerDVD\PDVDServ.exe

C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Programme\inKline Global\PC Booster\pcbooster.exe

C:\Programme\Ahead\InCD\InCD.exe

C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\Programme\AntiVir PersonalEdition Premium\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programme\CyberLink\Power2Go\Power2GoExpress.exe

C:\Programme\Messenger\msmsgs.exe

C:\Programme\Mozilla1.7.7\Mozilla.exe

C:\Programme\mozilla.org\SeaMonkey\SeaMonkey.exe

C:\Programme\Nikon\PictureProject\NkbMonitor.exe

C:\Programme\Norton GoBack\GBTray.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\explorer.exe

C:\Programme\Trend Micro\HijackThis\HijackThis.exe
 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.seekgoode.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programme\MegauploadToolbar\megauploadtoolbar.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Programme\MegauploadToolbar\megauploadtoolbar.dll

O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PC Booster] C:\Programme\inKline Global\PC Booster\pcbooster.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Programme\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay

O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL

O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"

O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"

O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Premium\avgnt.exe" /min

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Power2GoExpress] "C:\Programme\CyberLink\Power2Go\Power2GoExpress.exe" /Startup

O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programme\Mozilla1.7.7\Mozilla.exe" -turbo

O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "C:\Programme\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - S-1-5-18 Startup: DSL-Manager.lnk = C:\Programme\T-Online\DSL-Manager\DslMgr.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: DSL-Manager.lnk = C:\Programme\T-Online\DSL-Manager\DslMgr.exe (User 'Default user')

O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Programme\Nikon\PictureProject\NkbMonitor.exe

O4 - Global Startup: Norton GoBack.lnk = C:\Programme\Norton GoBack\GBTray.exe

O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll

O23 - Service: AntiVir PersonalEdition Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Premium\avmailc.exe

O23 - Service: AntiVir PersonalEdition Premium Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Premium\sched.exe

O23 - Service: AntiVir PersonalEdition Premium Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Premium\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AntiVir PersonalEdition Premium MailGuard Hilfsdienst (AVEService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Premium\avesvc.exe

O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe

O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\eEBSVC.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe

O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Programme\Norton GoBack\GBPoll.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Ahead\InCD\InCDsrv.exe

O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

--

End of file - 8601 bytes

Werde versuchen das LOG-File auszuwerten. Bin aber für jeden Hinweis dankbar.

Ist CTFMON.EXE ein Schädling?

Gruß

Hier das nächste LOG-File - von MBR Tool:

Code:

GMER 1.0.14.14536 - http://www.gmer.net

Rootkit scan 2008-12-05 19:00:47

Windows 5.1.2600 Service Pack 3
 
 

---- System - GMER 1.0.14 ----
 

SSDT            GoBack2K.sys (Norton GoBack Engine Driver/Symantec Corporation)                                                            ZwClose [0xF8665EC0]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwConnectPort [0xF3DA8040]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwCreateFile [0xF3DA4930]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwCreateKey [0xF3DAFA80]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwCreatePort [0xF3DA8510]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwCreateProcess [0xF3DAE870]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwCreateProcessEx [0xF3DAEAA0]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwCreateSection [0xF3DB1FD0]

SSDT            F8DBDCCC                                                                                                                   ZwCreateThread

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwCreateWaitablePort [0xF3DA8600]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwDeleteFile [0xF3DA4F20]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwDeleteKey [0xF3DB06E0]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwDeleteValueKey [0xF3DB0440]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwDuplicateObject [0xF3DAE580]

SSDT            GoBack2K.sys (Norton GoBack Engine Driver/Symantec Corporation)                                                            ZwFsControlFile [0xF8665F50]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwLoadDriver [0xF3DA23F0]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwLoadKey [0xF3DB08B0]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwMapViewOfSection [0xF3DB2270]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwOpenFile [0xF3DA4D70]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwOpenProcess [0xF3DAE350]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwOpenThread [0xF3DAE150]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwRenameKey [0xF3DB1250]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwReplaceKey [0xF3DB0CB0]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwRequestWaitReplyPort [0xF3DA7C00]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwRestoreKey [0xF3DB1080]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwSecureConnectPort [0xF3DA8220]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwSetInformationFile [0xF3DA5120]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwSetSystemInformation [0xF3DA21C0]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwSetValueKey [0xF3DB0140]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwTerminateProcess [0xF3DAECD0]

SSDT            \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)                                                ZwUnloadDriver [0xF3DA25F0]

SSDT            F8DBDCC2                                                                                                                   ZwWriteVirtualMemory
 

---- Kernel code sections - GMER 1.0.14 ----
 

.text           ntoskrnl.exe!ZwYieldExecution + 133                                                                                        804E496D 7 Bytes  CALL 6AEF3D4C 

?               srescan.sys                                                                                                                Das System kann die angegebene Datei nicht finden. !
 

---- Kernel IAT/EAT - GMER 1.0.14 ----
 

IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol]                                                   [F3DACCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]                                                        [F3DAD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter]                                                       [F3DAD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol]                                                 [F3DACE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol]                                                   [F3DACE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol]                                                     [F3DACCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter]                                                          [F3DAD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter]                                                         [F3DAD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol]                                                    [F3DACCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol]                                                  [F3DACE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter]                                                        [F3DAD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]                                                         [F3DAD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]                                                          [F3DAD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]                                                           [F3DAD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol]                                                      [F3DACCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol]                                                   [F3DACE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol]                                                     [F3DACCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]                                                          [F3DAD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter]                                                         [F3DAD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter]                                                        [F3DAD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter]                                                         [F3DAD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol]                                                  [F3DACE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol]                                                    [F3DACCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile]                                                            [F3DBA330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol]                                                    [F3DACCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol]                                                  [F3DACE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter]                                                        [F3DAD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]                                                         [F3DAD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisRegisterProtocol]                                                     [F3DACCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisOpenAdapter]                                                          [F3DAD1C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisDeregisterProtocol]                                                   [F3DACE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\rspndr.sys[NDIS.SYS!NdisCloseAdapter]                                                         [F3DAD320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile]                                                    [F3DA55C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile]                                                            [F3DA5770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile]                                                            [F3DA52D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

IAT             \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile]                                                              [F3DA5670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
 

---- User IAT/EAT - GMER 1.0.14 ----
 

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]  [011173CC] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA]                 [01117376] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA]                   [01117376] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    [011173CC] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   [011173CC] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA]                  [01117376] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA]                   [01117376] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    [011173CC] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   [011173CC] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA]                  [01117376] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA]                   [01117376] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]    [011173CC] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]     [011173CC] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA]                    [01117376] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   [011173CC] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA]                  [01117376] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter]   [011173CC] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA]                  [01117376] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA]                    [01117376] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

IAT             C:\Programme\Mozilla1.7.7\Mozilla.exe[2372] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]     [011173CC] C:\Programme\Mozilla1.7.7\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
 

---- Devices - GMER 1.0.14 ----
 

Device                                                                                                                                     Ntfs.sys (NT File System Driver/Microsoft Corporation)

Device          \Driver\Tcpip \Device\Ip                                                                                                   vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
 

AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                                                    SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1                                                                                    SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
 

Device          \Driver\Tcpip \Device\Tcp                                                                                                  vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Device                                                                                                                                     ACPI.sys (ACPI-Treiber für NT/Microsoft Corporation)

Device          \Driver\Tcpip \Device\Udp                                                                                                  vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Device          \Driver\Disk \Device\Harddisk0\DR0                                                                                         GoBack2K.sys (Norton GoBack Engine Driver/Symantec Corporation)

Device          \Driver\Tcpip \Device\RawIp                                                                                                vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Device          \Driver\Tcpip \Device\IPMULTICAST                                                                                          vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

Device                                                                                                                                     mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

Device                                                                                                                                     InCDfs.SYS (InCD File System Driver/Nero AG)

Device                                                                                                                                     Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
 

---- Disk sectors - GMER 1.0.14 ----
 

Disk            \Device\Harddisk0\DR0                                                                                                      sector 00: rootkit-like behavior; 
 

---- EOF - GMER 1.0.14 ----

Gruß
Guenter_V

Hier die Ergebnisse weiterer Scans:

Blacklight meldet:

Scan complete. No hidden items found.

M.E. wird kein Log-File erstellt.

Malwarebytes Antimalware:

Im LOG-File steht in allen Sectionen: Keine bösartigen Objekte gefunden.

Hier das Log-File von Silentrunners:

Code:

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"
 
 

Startup items buried in registry:

---------------------------------
 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Power2GoExpress" = ""C:\Programme\CyberLink\Power2Go\Power2GoExpress.exe" /Startup" ["Cyberlink"]

"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]

"Mozilla Quick Launch" = ""C:\Programme\Mozilla1.7.7\Mozilla.exe" -turbo" ["Mozilla Foundation"]

"SeaMonkey Quick Launch" = ""C:\Programme\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo" ["mozilla.org"]
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"QuickTime Task" = ""C:\Programme\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]

"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]

"SynTPLpr" = "C:\Programme\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]

"SynTPEnh" = "C:\Programme\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"RemoteControl" = "C:\Programme\CyberLink\PowerDVD\PDVDServ.exe" ["Cyberlink Corp."]

"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"PC Booster" = "C:\Programme\inKline Global\PC Booster\pcbooster.exe" ["inKline Software Labs"]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"InCD" = "C:\Programme\Ahead\InCD\InCD.exe" ["Nero AG"]

"CloneDVDElbyDelay" = ""C:\Programme\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay" ["Elaborate Bytes AG"]

"CloneCDElbyCDFL" = ""C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL" ["Elaborate Bytes"]

"CloneCDTray" = ""C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe"" ["Elaborate Bytes"]

"EPSON Stylus C82 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"" ["SEIKO EPSON CORPORATION"]

"avgnt" = ""C:\Programme\AntiVir PersonalEdition Premium\avgnt.exe" /min" ["Avira GmbH"]

"ZoneAlarm Client" = ""C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"

                   \InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Megaupload Toolbar"

                   \InProcServer32\(Default) = "C:\Programme\MegauploadToolbar\megauploadtoolbar.dll" ["MEGAUPLOAD"]
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"

  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Programme\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\Install\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\Install\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\Install\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"

  -> {HKLM...CLSID} = "Shell Extension for CDRW"

                   \InProcServer32\(Default) = "C:\Programme\Ahead\InCD\incdshx.dll" ["Nero AG"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]

"{5EC3EA89-4453-4416-A78B-65F689DC2048}" = "Goback Drives"

  -> {HKLM...CLSID} = "Goback Drives"

                   \InProcServer32\(Default) = "C:\Programme\Norton GoBack\GBDrvShX.dll" [null data]

"{6809E580-A3A7-11D1-9A00-00A0C945B006}" = "GoBack Shell Extension"

  -> {HKLM...CLSID} = "GoBack Shell Extension"

                   \InProcServer32\(Default) = "C:\Programme\Norton GoBack\ShellExt.dll" ["Symantec Corporation"]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"

  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"

                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Premium\shlext.dll" ["Avira GmbH"]

"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"

  -> {HKLM...CLSID} = "ZLAVShExt Class"

                   \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

  -> {HKLM...CLSID} = "WPDShServiceObj Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]
 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

GoBack\(Default) = "{6809E580-A3A7-11D1-9A00-00A0C945B006}"

  -> {HKLM...CLSID} = "GoBack Shell Extension"

                   \InProcServer32\(Default) = "C:\Programme\Norton GoBack\ShellExt.dll" ["Symantec Corporation"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"

                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Premium\shlext.dll" ["Avira GmbH"]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\Install\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"

  -> {HKLM...CLSID} = "ZLAVShExt Class"

                   \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\Install\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

  -> {HKLM...CLSID} = "MBAMShlExt Class"

                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"

                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Premium\shlext.dll" ["Avira GmbH"]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\Install\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"

  -> {HKLM...CLSID} = "ZLAVShExt Class"

                   \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
 

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"

  -> {HKLM...CLSID} = "MBAMShlExt Class"

                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
 
 

Group Policies {policy setting}:

--------------------------------
 

Note: detected settings may not have any effect.
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Shutdown: Allow system to be shut down without having to log on}
 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Devices: Allow undock without having to log on}
 
 

Active Desktop and Wallpaper:

-----------------------------
 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Dokumente und Einstellungen\Uwe\Anwendungsdaten\Mozilla\SeaMonkey-Hintergrundbild.bmp"
 
 

Enabled Screen Saver:

---------------------
 

HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssflwbox.scr" [MS]
 
 

Windows Portable Device AutoPlay Handlers

-----------------------------------------
 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
 

MSWPDShellNamespaceHandler\

"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = " "

  -> {HKLM...CLSID} = "WPDShextAutoplay"

                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]
 

NeroAutoPlay2AudioToNeroDigital\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayCDAudioOnArrival_AudioToNeroDigital"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_AudioToNeroDigital\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /Dialog:SaveTracksND  /Drive:%L" ["Ahead Software AG"]
 

NeroAutoPlay2CopyCD\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]
 

NeroAutoPlay2PlayAudioCD\

"Provider" = "Nero Media Player"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayMusicFilesOnArrival_PlayAudioCD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayMusicFilesOnArrival_PlayAudioCD\command\(Default) = "C:\Programme\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe /Play %L" ["Ahead software"]
 

NeroAutoPlay2PlayDVD\

"Provider" = "Nero ShowTime"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayVideoFilesOnArrival_PlayDVD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayVideoFilesOnArrival_PlayDVD\command\(Default) = "C:\Programme\Ahead\Nero ShowTime\ShowTime.exe /Play %L" ["Nero Software AG"]
 

NeroAutoPlay2RipCD\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayCDAudioOnArrival_RipCD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_RipCD\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /Dialog:SaveTracks  /Drive:%L" ["Ahead Software AG"]
 

NeroAutoPlay2VideoCapture\

"Provider" = "NeroVision Express"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Programme\Ahead\NeroVision\NeroVision.exe" /New:VideoCapture"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"

                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
 

P2GCDBurningOnArrival\

"Provider" = "Power2Go"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPower2Go"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPower2Go\Command\(Default) = ""C:\Programme\CyberLink\Power2Go\Power2Go.exe"" ["Cyberlink"]
 

PDirXDVArrival\

"Provider" = "PowerDirector Express"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Programme\CyberLink\PowerDirector Express\PowerDirector.exe" /DV"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"

                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
 

PDVDPlayDVDMovieOnArrival\

"Provider" = "PowerDVD"

"InvokeProgID" = "DVD"

"InvokeVerb" = "PlayWithPowerDVD"

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Programme\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]
 

PictureProject\

"Provider" = "PictureProject"

"InvokeProgID" = "PictureProject"

"InvokeVerb" = "open"

HKLM\SOFTWARE\Classes\PictureProject\shell\open\command\(Default) = "C:\Programme\Nikon\PictureProject\NkbTransfer.exe /D=%L" ["Nikon Corporation"]
 

PPCDBurningOnArrival\

"Provider" = "PowerProducer"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPowerProducer"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Programme\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"]
 

PPDCameraArrival\

"Provider" = "PowerProducer"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPowerProducer"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Programme\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"]
 

PPDVArrival\

"Provider" = "PowerProducer"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = "C:\Programme\CyberLink\PowerProducer\Producer.exe"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"

                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
 

PStarterBlankCDArrival\

"Provider" = "PowerStarter"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Programme\CyberLink\PowerStarter\PowerStarter.exe"" [empty string]
 

PStarterMixedCDArrival\

"Provider" = "PowerStarter"

"InvokeProgID" = "MixedContent"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\MixedContent\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Programme\CyberLink\PowerStarter\PowerStarter.exe"" [empty string]
 

PStarterMusicFilesArrival\

"Provider" = "PowerStarter"

"InvokeProgID" = "MusicFiles"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\MusicFiles\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Programme\CyberLink\PowerStarter\PowerStarter.exe"" [empty string]
 

PStarterPicturesArrival\

"Provider" = "PowerStarter"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Programme\CyberLink\PowerStarter\PowerStarter.exe"" [empty string]
 

PStarterPlayCDAudioOnArrival\

"Provider" = "PowerStarter"

"InvokeProgID" = "AudioCD"

"InvokeVerb" = "PlayWithPowerStarter"

HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerStarter\Command\(Default) = ""C:\Programme\CyberLink\PowerStarter\PowerStarter.exe" "%L"" [empty string]
 

PStarterPlayDVDMovieOnArrival\

"Provider" = "PowerStarter"

"InvokeProgID" = "DVD"

"InvokeVerb" = "PlayWithPowerStarter"

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerStarter\Command\(Default) = ""C:\Programme\CyberLink\PowerStarter\PowerStarter.exe" "%L"" [empty string]
 

PStarterVideoFilesArrival\

"Provider" = "PowerStarter"

"InvokeProgID" = "VideoFiles"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\VideoFiles\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Programme\CyberLink\PowerStarter\PowerStarter.exe"" [empty string]
 

VLCPlayCDAudioOnArrival\

"Provider" = "VideoLAN VLC media player"

"InvokeProgID" = "VLC.CDAudio"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]
 

VLCPlayDVDMovieOnArrival\

"Provider" = "VideoLAN VLC media player"

"InvokeProgID" = "VLC.DVDMovie"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]
 
 

Startup items in "Uwe" & "All Users" startup folders:

-----------------------------------------------------
 

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart

"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

"NkbMonitor.exe" -> shortcut to: "C:\Programme\Nikon\PictureProject\NkbMonitor.exe" ["Nikon Corporation"]

"Norton GoBack" -> shortcut to: "C:\Programme\Norton GoBack\GBTray.exe" ["Symantec Corporation"]
 
 

Enabled Scheduled Tasks:

------------------------
 

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
 
 

Winsock2 Service Provider DLLs:

-------------------------------
 

Namespace Service Providers
 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Inc."]
 

Transport Service Providers
 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

avsda.dll ["Avira GmbH"], 01 - 02, 28

%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 27

%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07
 
 

Toolbars, Explorer Bars, Extensions:

------------------------------------
 

Toolbars
 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"

  -> {HKLM...CLSID} = "Megaupload Toolbar"

                   \InProcServer32\(Default) = "C:\Programme\MegauploadToolbar\megauploadtoolbar.dll" ["MEGAUPLOAD"]
 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)

  -> {HKLM...CLSID} = "Megaupload Toolbar"

                   \InProcServer32\(Default) = "C:\Programme\MegauploadToolbar\megauploadtoolbar.dll" ["MEGAUPLOAD"]

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"

                   \InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
 

Explorer Bars
 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Real.com"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]
 

Extensions (Tools menu items, main toolbar menu buttons)
 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\

"ButtonText" = "Real.com"
 

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
 
 

Miscellaneous IE Hijack Points

------------------------------
 

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"

                   \InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
 

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\

<<H>> "Tabs" = "C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\MEGAUPLOADTOOLBAR\tabwelcome.html" [null data]
 
 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------
 

AntiVir PersonalEdition Premium Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Premium\avguard.exe" ["Avira GmbH"]

AntiVir PersonalEdition Premium MailGuard, AntiVirMailService, "C:\Programme\AntiVir PersonalEdition Premium\avmailc.exe" ["Avira GmbH"]

AntiVir PersonalEdition Premium MailGuard Hilfsdienst, AVEService, "C:\Programme\AntiVir PersonalEdition Premium\avesvc.exe" ["Avira GmbH"]

AntiVir PersonalEdition Premium Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Premium\sched.exe" ["Avira GmbH"]

Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

Bonjour-Dienst, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Inc."]

EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]

EpsonBidirectionalService, EpsonBidirectionalService, "C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\eEBSVC.exe" [null data]

GoBack Polling Service, GBPoll, ""C:\Programme\Norton GoBack\GBPoll.exe"" ["Symantec Corporation"]

InCD Helper, InCDsrv, "C:\Programme\Ahead\InCD\InCDsrv.exe" ["Nero AG"]

TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
 
 

Print Monitors:

---------------
 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]
 
 

---------- (launch time: 2008-12-06 18:06:38)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.
 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 266 seconds.

---------- (total run time: 419 seconds)

Gruß
Guenter_V

Und hier das Logfile von ComboFix:

Code:

ComboFix 08-12-05.06 - Uwe 2008-12-06 19:09:13.1 - NTFSx86

Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1031.18.245 [GMT 1:00]

ausgeführt von:: c:\dokumente und einstellungen\Uwe\Desktop\ComboFix.exe

 * Neuer Wiederherstellungspunkt wurde erstellt
 
 Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!

.
 

(((((((((((((((((((((((   Dateien erstellt von 2008-11-06 bis 2008-12-06  ))))))))))))))))))))))))))))))

.
 

2008-12-06 12:37 . 2008-12-06 12:37        <DIR>        d--------        c:\dokumente und einstellungen\Uwe\Anwendungsdaten\Malwarebytes

2008-12-06 12:37 . 2008-12-06 12:37        <DIR>        d--------        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes

2008-12-06 12:37 . 2008-12-03 19:59        38,496        --a------        c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-06 12:37 . 2008-12-03 19:59        15,504        --a------        c:\windows\system32\drivers\mbam.sys

2008-12-06 12:36 . 2008-12-06 12:37        <DIR>        d--------        c:\programme\Malwarebytes' Anti-Malware

2008-12-05 18:42 . 2008-12-05 18:42        250        --a------        c:\windows\gmer.ini

2008-12-05 16:26 . 2008-12-05 16:26        <DIR>        d--------        c:\programme\Trend Micro

2008-11-27 21:33 . 2008-12-06 18:22        959        --a------        C:\rollback.ini

2008-11-27 19:33 . 2008-11-27 19:33        0        --a------        c:\windows\MusicEditor.INI

2008-11-27 18:57 . 2008-11-27 18:57        <DIR>        d--------        c:\dokumente und einstellungen\Internet Surfer\Anwendungsdaten\MEGAUPLOADTOOLBAR

2008-11-27 18:26 . 2008-11-27 18:26        <DIR>        d--------        c:\programme\JAM Software

2008-11-27 15:02 . 2008-11-27 15:02        <DIR>        d--------        c:\dokumente und einstellungen\Internet Surfer\Anwendungsdaten\MailFrontier

2008-11-27 14:59 . 2005-03-26 20:03        <DIR>        d--------        c:\dokumente und einstellungen\Internet Surfer\WINDOWS

2008-11-27 14:59 . 2005-03-26 19:47        <DIR>        d--h-----        c:\dokumente und einstellungen\Internet Surfer\Vorlagen

2008-11-27 14:59 . 2005-03-26 02:56        <DIR>        d---s----        c:\dokumente und einstellungen\Internet Surfer\UserData

2008-11-27 14:59 . 2005-03-26 19:38        <DIR>        dr-------        c:\dokumente und einstellungen\Internet Surfer\Startmenü

2008-11-27 14:59 . 2005-03-26 19:38        <DIR>        d--h-----        c:\dokumente und einstellungen\Internet Surfer\Netzwerkumgebung

2008-11-27 14:59 . 2008-12-06 19:14        <DIR>        d--h-----        c:\dokumente und einstellungen\Internet Surfer\Lokale Einstellungen

2008-11-27 14:59 . 2008-11-27 15:00        <DIR>        dr-------        c:\dokumente und einstellungen\Internet Surfer\Favoriten

2008-11-27 14:59 . 2008-11-27 15:00        <DIR>        dr-------        c:\dokumente und einstellungen\Internet Surfer\Eigene Dateien

2008-11-27 14:59 . 2005-03-26 19:38        <DIR>        d--h-----        c:\dokumente und einstellungen\Internet Surfer\Druckumgebung

2008-11-27 14:59 . 2005-03-26 20:53        <DIR>        d--------        c:\dokumente und einstellungen\Internet Surfer\Anwendungsdaten\You've Got Pictures Screensaver

2008-11-27 14:59 . 2005-07-08 05:56        <DIR>        d--------        c:\dokumente und einstellungen\Internet Surfer\Anwendungsdaten\CyberLink

2008-11-27 14:59 . 2005-10-03 09:23        <DIR>        d--------        c:\dokumente und einstellungen\Internet Surfer\Anwendungsdaten\AOL

2008-11-27 14:59 . 2008-11-27 20:00        <DIR>        dr-h-----        c:\dokumente und einstellungen\Internet Surfer\Anwendungsdaten

2008-11-27 14:59 . 2008-11-27 14:59        <DIR>        d--------        c:\dokumente und einstellungen\Internet Surfer

2008-11-27 08:38 . 2005-03-26 20:03        <DIR>        d--------        c:\dokumente und einstellungen\Administrator\WINDOWS

2008-11-27 08:38 . 2005-03-26 19:47        <DIR>        d--h-----        c:\dokumente und einstellungen\Administrator\Vorlagen

2008-11-27 08:38 . 2005-03-26 02:56        <DIR>        d---s----        c:\dokumente und einstellungen\Administrator\UserData

2008-11-27 08:38 . 2005-03-26 19:38        <DIR>        dr-------        c:\dokumente und einstellungen\Administrator\Startmenü

2008-11-27 08:38 . 2005-03-26 19:38        <DIR>        d--h-----        c:\dokumente und einstellungen\Administrator\Netzwerkumgebung

2008-11-27 08:38 . 2008-12-06 19:14        <DIR>        d--h-----        c:\dokumente und einstellungen\Administrator\Lokale Einstellungen

2008-11-27 08:38 . 2005-03-26 20:52        <DIR>        dr-------        c:\dokumente und einstellungen\Administrator\Favoriten

2008-11-27 08:38 . 2005-07-08 08:46        <DIR>        dr-------        c:\dokumente und einstellungen\Administrator\Eigene Dateien

2008-11-27 08:38 . 2005-03-26 19:38        <DIR>        d--h-----        c:\dokumente und einstellungen\Administrator\Druckumgebung

2008-11-27 08:38 . 2005-03-26 20:53        <DIR>        d--------        c:\dokumente und einstellungen\Administrator\Anwendungsdaten\You've Got Pictures Screensaver

2008-11-27 08:38 . 2005-07-08 05:56        <DIR>        d--------        c:\dokumente und einstellungen\Administrator\Anwendungsdaten\CyberLink

2008-11-27 08:38 . 2005-10-03 09:23        <DIR>        d--------        c:\dokumente und einstellungen\Administrator\Anwendungsdaten\AOL

2008-11-27 08:38 . 2005-03-26 20:53        <DIR>        dr-h-----        c:\dokumente und einstellungen\Administrator\Anwendungsdaten

2008-11-27 08:38 . 2008-11-27 08:38        <DIR>        d--------        c:\dokumente und einstellungen\Administrator

2008-11-27 08:36 . 2008-11-27 08:36        <DIR>        dr-------        c:\dokumente und einstellungen\NetworkService\Favoriten

2008-11-27 08:00 . 2008-11-27 08:00        <DIR>        d--------        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Yahoo! Companion

2008-11-26 21:21 . 2008-11-26 21:21        <DIR>        d--------        c:\programme\Yahoo!

2008-11-26 21:21 . 2008-11-26 21:21        <DIR>        d--------        c:\programme\CCleaner

2008-11-23 18:05 . 2008-11-23 18:05        <DIR>        d--------        c:\dokumente und einstellungen\Uwe\Anwendungsdaten\MailFrontier

2008-11-16 18:59 . 2008-11-19 22:28        <DIR>        d--------        c:\dokumente und einstellungen\LocalService\Anwendungsdaten\MEGAUPLOADTOOLBAR

2008-11-16 18:48 . 2008-11-27 10:42        <DIR>        d--h-----        c:\windows\system32\.066e7b2a4429443c

2008-11-16 18:48 . 2008-11-16 18:48        <DIR>        dr-------        c:\dokumente und einstellungen\LocalService\Favoriten

2008-11-14 17:22 . 2008-10-24 12:21        455,296        -----c---        c:\windows\system32\dllcache\mrxsmb.sys

2008-11-14 17:21 . 2008-09-04 18:15        1,106,944        -----c---        c:\windows\system32\dllcache\msxml3.dll

2008-11-08 19:34 . 2008-11-27 19:37        <DIR>        d--------        c:\dokumente und einstellungen\Uwe\Anwendungsdaten\Apple Computer

2008-11-08 19:30 . 2008-11-08 19:30        <DIR>        d--------        c:\programme\Bonjour

2008-11-08 19:29 . 2008-11-08 19:30        <DIR>        d--------        c:\programme\QuickTime

2008-11-08 19:29 . 2008-11-08 19:30        <DIR>        d--------        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple Computer

2008-11-08 19:28 . 2008-11-08 19:28        <DIR>        d--------        c:\programme\Apple Software Update

2008-11-08 19:27 . 2008-11-19 21:55        <DIR>        d----c---        c:\windows\system32\DRVSTORE

2008-11-08 19:26 . 2008-11-08 19:29        <DIR>        d--------        c:\programme\Gemeinsame Dateien\Apple

2008-11-08 19:26 . 2008-11-08 19:26        <DIR>        d--------        c:\dokumente und einstellungen\All Users\Anwendungsdaten\Apple
 

.

((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-06 18:16        4,202,272        --sha-w        c:\windows\system32\drivers\fidbox.dat

2008-12-06 17:51        ---------        d-----w        c:\dokumente und einstellungen\Uwe\Anwendungsdaten\MegauploadToolbar

2008-12-06 15:27        56,444        --sha-w        c:\windows\system32\drivers\fidbox.idx

2008-12-06 11:26        ---------        d-----w        c:\programme\AntiVir PersonalEdition Premium

2008-12-06 11:06        ---------        d-----w        c:\dokumente und einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Premium

2008-11-27 07:04        ---------        d-----w        c:\dokumente und einstellungen\All Users\Anwendungsdaten\MailFrontier

2008-11-23 18:19        1,420,800        ----a-w        c:\windows\Internet Logs\xDB3.tmp

2008-10-26 13:31        30,464        ----a-w        c:\dokumente und einstellungen\Uwe\Anwendungsdaten\GDIPFONTCACHEV1.DAT

2008-10-24 11:21        455,296        ----a-w        c:\windows\system32\drivers\mrxsmb.sys

2008-10-16 13:13        202,776        ----a-w        c:\windows\system32\wuweb.dll

2008-10-16 13:13        1,809,944        ----a-w        c:\windows\system32\wuaueng.dll

2008-10-16 13:12        561,688        ----a-w        c:\windows\system32\wuapi.dll

2008-10-16 13:12        323,608        ----a-w        c:\windows\system32\wucltui.dll

2008-10-16 13:09        92,696        ----a-w        c:\windows\system32\cdm.dll

2008-10-16 13:09        51,224        ----a-w        c:\windows\system32\wuauclt.exe

2008-10-16 13:09        43,544        ----a-w        c:\windows\system32\wups2.dll

2008-10-16 13:08        34,328        ----a-w        c:\windows\system32\wups.dll

2008-09-15 15:24        1,846,528        ----a-w        c:\windows\system32\win32k.sys

2008-09-10 01:13        1,307,648        ------w        c:\windows\system32\msxml6.dll

2008-09-08 15:27        11,392,067        ----a-w        c:\windows\Internet Logs\tvDebug.zip

2007-12-31 11:25        168,110        ----a-w        c:\dokumente und einstellungen\All Users\Anwendungsdaten\mainlsp.reg.dat

2007-01-09 20:10        168,110        ----a-w        c:\dokumente und einstellungen\All Users\Anwendungsdaten\firstlsp.reg.dat

2001-11-23 04:08        712,704        -c--a-r        c:\windows\inf\OTHER\AUDIO3D.DLL

2000-09-21 12:34        460        ----a-w        c:\programme\VC.INI

2005-03-26 20:08        8        -csh--r        c:\windows\system32\57EA1797A1.sys

2005-03-26 20:08        2,828        -csha-w        c:\windows\system32\KGyGaAvL.sys

.
 

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))

.

.

*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.

REGEDIT4
 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Power2GoExpress"="c:\programme\CyberLink\Power2Go\Power2GoExpress.exe" [2005-03-23 1630303]

"MSMSGS"="c:\programme\Messenger\msmsgs.exe" [2008-04-14 1695232]

"Mozilla Quick Launch"="c:\programme\Mozilla1.7.7\Mozilla.exe" [2005-04-14 98192]

"SeaMonkey Quick Launch"="c:\programme\mozilla.org\SeaMonkey\SeaMonkey.exe" [2008-03-13 106496]
 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\programme\QuickTime\QTTask.exe" [2008-09-06 413696]

"SynTPLpr"="c:\programme\Synaptics\SynTP\SynTPLpr.exe" [2005-07-05 98304]

"SynTPEnh"="c:\programme\Synaptics\SynTP\SynTPEnh.exe" [2005-07-05 495616]

"RemoteControl"="c:\programme\CyberLink\PowerDVD\PDVDServ.exe" [2004-07-15 32768]

"ATIPTA"="c:\programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-26 344064]

"PC Booster"="c:\programme\inKline Global\PC Booster\pcbooster.exe" [2003-09-17 5537861]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"InCD"="c:\programme\Ahead\InCD\InCD.exe" [2005-04-12 1383936]

"CloneDVDElbyDelay"="c:\programme\Elaborate Bytes\CloneDVD\ElbyCheck.exe" [2002-11-02 45056]

"CloneCDElbyCDFL"="c:\programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" [2001-12-06 45056]

"CloneCDTray"="c:\programme\Elaborate Bytes\CloneCD\CloneCDTray.exe" [2002-03-30 57344]

"EPSON Stylus C82 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-07-01 74752]

"avgnt"="c:\programme\AntiVir PersonalEdition Premium\avgnt.exe" [2008-07-22 266497]

"ZoneAlarm Client"="c:\programme\Zone Labs\ZoneAlarm\zlclient.exe" [2007-12-13 919016]

"AGRSMMSG"="AGRSMMSG.exe" [2005-07-05 c:\windows\AGRSMMSG.exe]
 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
 

c:\dokumente und einstellungen\Default User\Startmen\Programme\Autostart\

DSL-Manager.lnk - c:\programme\T-Online\DSL-Manager\DslMgr.exe [2008-07-22 1085440]
 

c:\dokumente und einstellungen\Administrator\Startmen\Programme\Autostart\

DSL-Manager.lnk - c:\programme\T-Online\DSL-Manager\DslMgr.exe [2008-07-22 1085440]
 

c:\dokumente und einstellungen\Internet Surfer\Startmen\Programme\Autostart\

DSL-Manager.lnk - c:\programme\T-Online\DSL-Manager\DslMgr.exe [2008-07-22 1085440]
 

c:\dokumente und einstellungen\Sylvia\Startmen\Programme\Autostart\

DSL-Manager.lnk - c:\programme\T-Online\DSL-Manager\DslMgr.exe [2008-07-22 1085440]
 

c:\dokumente und einstellungen\Default User\Startmen\Programme\Autostart\

DSL-Manager.lnk - c:\programme\T-Online\DSL-Manager\DslMgr.exe [2008-07-22 1085440]
 

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\

Adobe Reader - Schnellstart.lnk - c:\programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

NkbMonitor.exe.lnk - c:\programme\Nikon\PictureProject\NkbMonitor.exe [2005-09-25 118784]

Norton GoBack.lnk - c:\programme\Norton GoBack\GBTray.exe [2004-12-01 804456]
 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)
 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
 

R2 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;c:\programme\AntiVir PersonalEdition Premium\avmailc.exe [2007-01-09 164097]

R2 AVEService;AntiVir PersonalEdition Premium MailGuard Hilfsdienst;c:\programme\AntiVir PersonalEdition Premium\avesvc.exe [2007-01-09 41217]

R3 TSMPacket;DSL-Manager Service;c:\windows\system32\DRIVERS\tsmpkt.sys [2008-07-22 13824]

S3 TDslMgrService;DSL-Manager;"c:\programme\T-Online\DSL-Manager\DslMgrSvc.exe" [2008-07-22 290816]

S3 UMSSSTOR;C-Media Storage;c:\windows\system32\DRIVERS\UMSS.SYS []
 

*Newly Created Service* - PROCEXP90

.

Inhalt des "geplante Tasks" Ordners
 

2008-11-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - Entfernte verwaiste Registrierungseinträge - - - -
 

HKLM-Run-Cmaudio - cmicnfg.cpl

SafeBoot-066e7b2a4429443c
 
 
 

**************************************************************************
 

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-06 19:15:14

Windows 5.1.2600 Service Pack 3 NTFS
 

Scanne versteckte Prozesse...
 

Scanne versteckte Autostarteinträge...
 

Scanne versteckte Dateien...
 

Scan erfolgreich abgeschlossen

versteckte Dateien: 0
 

**************************************************************************

.

--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
 

- - - - - - - > 'winlogon.exe'(1100)

c:\windows\system32\Ati2evxx.dll
 

- - - - - - - > 'lsass.exe'(1160)

c:\windows\system32\avsda.dll

.

Zeit der Fertigstellung: 2008-12-06 19:18:04

ComboFix-quarantined-files.txt  2008-12-06 18:17:54
 

Vor Suchlauf: 15 Verzeichnis(se), 19.040.743.424 Bytes frei

Nach Suchlauf: 15 Verzeichnis(se), 27,409,645,568 Bytes frei
 

185        --- E O F ---        2008-11-14 17:28:29

Unter "Dateien erstellt" wird der Virus aufgeführt:

C:\Windows\System32\.066e7b2a4429443c

Hat Avenger den Virus doch nicht gelöscht?

Ich hoffe, dass der nachfolgende Eintragauf ein Löschen aus der Registry bedeutet:

- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
SafeBoot-066e7b2a4429443c

Gruß
Guenter_V

Und hier auch der Link zum Filelisting:

http://www.file-upload.net/download-1299902/listing.txt.html

Auch in dieser Liste wird der Virus-Ordner .066e7b2a4429443c aufgeführt.

Wie kann dieser gelöscht werden?

Vielen Dank für die bisherige Hilfe, ich hoffe ihr konnt mir mit guten Tipps weiterhelfen, damit alle vorhandenen noch Viren-Einträge gelöscht werden können.

Gruß
Guenter_V

Habe gerade mit dem Avenger mit FOLDERS TO DELETE den Eintrag c:\Windows\system32\.0066e... gelöscht

Avenger meldet:

Rootkit scan active.
No rootkits found!

Folder "c:\WINDOWS\system32\.066e7b2a4429443c" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Muß ich sonst noch etwas tun? Kann die Systemwiederherstellung wieder aktiviert werden?

Gruß
Guenter_V

Das sieht soweit ok aus. Oder gibts noch Virenmeldungen von AntiVir?
Die SWH kannst Du wieder anstellen, ist aber kein Muss. Meistens frisst sie nur unnötig Speicher von der Festplatte, im Ernstfall hilft sie aber nur selten.

AntiVir bringt keine Virenmeldungen mehr.

Danke nochmals für die Hilfe.

Gruß
Guenter_V