Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)
-   Plagegeister aller Art und deren Bekämpfung (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Virenproblem ? - Pc Extremst Verlangsamt (https://www.trojaner-board.de/66014-virenproblem-pc-extremst-verlangsamt.html)

DigitalDeath 07.12.2008 18:36
Virenproblem ? - Pc Extremst Verlangsamt
 
hi, da mir bereits hier schonmal hervorragend - kompetent und hilfreich geholfen wurde, würde ich diesen dienst gerne erneut in anspruch nehmen :-)

es geht um folgendes - mein pc ist teilweise sehr verlangsamt - und ad aware findet manchmal infekte und manchmal nicht - ich lad mal ein paar logfiles hoch wäre nett wenn ihr das überprüfen könntet.

ist ein privater und sehr teurer pc :)


--------------------------------------------------------------------------
--------------------------------------------------------------------------

Zitat:
hijack log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:30:11, on 07.12.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Primärordner\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Primärordner\ICQ6\ICQ.exe
C:\Primärordner\DAEMON Tools Lite\daemon.exe
C:\Program Files (x86)\DNA\btdna.exe
C:\Sekundärordner\Xfire\Xfire.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\Primärordner\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Primärordner\Razer\Lachesis\razerhid.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Primärordner\Razer\Lachesis\OSD.exe
C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Primärordner\Logitech\QuickCam\Quickcam.exe
C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Primärordner\Razer\Lachesis\razertra.exe
C:\Primärordner\Razer\Lachesis\razerofa.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Primärordner\Hamachi\hamachi.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PRIMRO~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Primärordner\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\PROGRA~2\AUTOLO~1\AL2DLL.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [avgnt] "C:\Primärordner\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Lachesis] C:\Primärordner\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Primärordner\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [RemoteControl8] C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PDVD8Serv.exe
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\Language\Language.exe
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Primärordner\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Primärordner\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ICQ] "C:\Primärordner\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Primärordner\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EPSON Stylus DX7400 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATICDE.EXE /FU "C:\Windows\TEMP\E_S97A.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files (x86)\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'Default user')
O4 - Startup: Xfire.lnk = ?
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PRIMRO~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PRIMRO~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PRIMRO~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PRIMRO~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PRIMRO~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PRIMRO~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Primärordner\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Primärordner\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/DE-DE/.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshel...onGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Primärordner\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~2\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Primärordner\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Primärordner\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Primärordner\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVCSer64.exe
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\Sekundärordner\Stardock\MyColors\VistaSrv.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11967 bytes

-------------------------------------
-------------------------------------


Zitat:
mbr :

device: opened successfully
user: MBR read successfully
kernel: error reading mbr
-------------------------------------
-------------------------------------

DigitalDeath 07.12.2008 18:37
----------------------------------------------------------------------------------------

Silent Runner Log :

----------------------------------------------------------------------------------------

Zitat:
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Primärordner\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"MsnMsgr" = ""C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS]
"Skype" = ""C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"ICQ" = ""C:\Primärordner\ICQ6\ICQ.exe" silent" ["ICQ, Inc."]
"DAEMON Tools Lite" = ""C:\Primärordner\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]
"EPSON Stylus DX7400 Series" = "C:\Windows\system32\spool\DRIVERS\x64\3\E_IATICDE.EXE /FU "C:\Windows\TEMP\E_S97A.tmp" /EF "HKCU"" ["SEIKO EPSON CORPORATION"]
"ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS]
"BitTorrent DNA" = ""C:\Program Files (x86)\DNA\btdna.exe"" ["BitTorrent, Inc."]
"WMPNSCFG" = "C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"Launch LCDMon" = ""C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"" ["Logitech Inc."]
"Launch LGDCore" = ""C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE" ["Logitech Inc."]
"NvSvc" = "RUNDLL32.EXE C:\Windows\system32\nvsvc64.dll,nvsvcStart" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Primärordner\Avira\AntiVir PersonalEdition Classic\shlext64.dll" ["Avira GmbH"]
"{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\Windows\system32\erasext.dll" ["-"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MSOHEVI.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{40FDFA48-5F4E-4627-A78E-6A49A3D4492F}" = "SmartFTP ShellDropHandler"
-> {HKLM...CLSID} = "SmartFTP ShellDropHandler Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}" = "SmartFTP Drop ShellIconOverlayHandler"
-> {HKLM...CLSID} = "SmartFTP Drop ShellIconOverlayHandler"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}" = "SmartFTP ContextMenu"
-> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{EB5EE1F3-041A-4c03-9D51-2BEC6715FB00}" = "SmartFTP Search Shell Namespace Extension"
-> {HKLM...CLSID} = "ShellFolderSearchRoot Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{2ED7FD81-CBA6-45E5-A49A-5E84889A94E2}" = "SmartFTP Drop Handler"
-> {HKLM...CLSID} = "ShellFolderDragDropHandler Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{119310E6-5FB7-4eeb-BEDB-9E229E76B9B4}" = "SmartFTP MultiUpload Shell Namespace Extension"
-> {HKLM...CLSID} = "ShellFolderMultiUploadDestination Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{3B164627-7060-47BB-A1BE-DF5540B02821}" = "SmartFTP MultiUpload Shell Namespace Extension"
-> {HKLM...CLSID} = "ShellFolderMultiUploadSource Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{82AA9188-44E0-40B9-B956-43A10C315B4F}" = "SmartFTP Shell Namespace Extension"
-> {HKLM...CLSID} = "RootShellFolder Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{39DD67E0-73B6-4a11-AF55-49E1EBBF72BE}" = "SmartFTP Favorites Namespace"
-> {HKLM...CLSID} = "SmartFTP FavoritesShellFolder Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFavoritesShellExtension.dll" ["SmartSoft Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{E31004D1-A431-41B8-826F-E902F9D95C81}" = "Windows DreamScene"
-> {HKLM...CLSID} = "Windows DreamScene"
\InProcServer32\(Default) = "C:\Windows\System32\DreamScene.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\Windows\system32\erasext.dll" ["-"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Primärordner\Avira\AntiVir PersonalEdition Classic\shlext64.dll" ["Avira GmbH"]
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
-> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
-> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\Windows\system32\erasext.dll" ["-"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Primärordner\Avira\AntiVir PersonalEdition Classic\shlext64.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.hta\(Default) = "htafile"
<<!>> HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "C:\Windows\SysWOW64\mshta.exe "%1" %*" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ForceActiveDesktopOn" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}

"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Progamer\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\DREAMA~2.SCR" (DreamAquarium.scr) [null data]


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

F:\
<<!>> F:\AUTORUN.INF -> "Open="Launch.exe" /run" [file not found]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSPlayCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.AudioCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"" [MS]

MSPlayDVDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.DVD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"" [MS]

MSPlaySuperVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]

MSPlayVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]

MSRipCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.RipCD"
"InvokeVerb" = "Rip"
HKLM\SOFTWARE\Classes\WMP.RipCD\shell\Rip\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /RipAudioCD "%L" " [MS]

MSWMPBurnCDOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnCD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L" " [MS]

MSWMPBurnDataDVDArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnDVD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnDVD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:DVDWrite /Device:"%L" " [MS]

PDVD8PlayBluRayOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "BluRay"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\BluRay\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

PDVD8PlayCDAudioOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

PDVD8PlayDVDMovieOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

PDVD8PlayHDDVDOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "HDDVD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\HDDVD\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

PDVD8PlaySVCDOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "SVCD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\SVCD\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

PDVD8PlayVCDMovieOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

WIA_{7DAB822B-80F0-465A-85D9-46FFFBCE6CAD}\
"Provider" = "ABBYY FineReader 6.0 Sprint"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files (x86)\ABBYY FineReader 6.0 Sprint\Sprint.exe /StiDevice:%1 /StiEvent:%2;"
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{A481DBE1-6FAE-41B6-AF2A-D295089509D4}\
"Provider" = "Microsoft Office Word"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Primärordner\Microsoft Office\Office12\WINWORD.EXE /IMG_WIA;"
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]


Startup items in "Progamer" & "All Users" startup folders:
----------------------------------------------------------

C:\Users\Progamer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
"Xfire" -> shortcut to: "C:\Sekundärordner\Xfire\Xfire.exe" ["Xfire Inc."]


Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"User_Feed_Synchronization-{32DB3217-A3AD-4EE9-9FAF-3DEEEA87E541}" -> (HIDDEN!) launches: "C:\Windows\system32\msfeedssync.exe sync" [MS]

C:\Windows\System32\Tasks\Apple
"AppleSoftwareUpdate" -> launches: "C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic
"Microsoft-Windows-DiskDiagnosticDataCollector" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART" [MS]

DigitalDeath 07.12.2008 18:39
Zitat:
c:\windows\system32\tasks\microsoft\windows\media center
"ehdrminit" -> launches: "%systemroot%\ehome\ehprivjob.exe /drminit" [ms]
"mcupdate" -> launches: "%systemroot%\ehome\mcupdate $(arg0) -gc" [ms]
"ocuractivate" -> launches: "%systemroot%\ehome\ehprivjob.exe /ocuractivate" [ms]
"ocurdiscovery" -> launches: "%systemroot%\ehome\ehprivjob.exe /ocurdiscovery" [ms]
"updaterecordpath" -> launches: "%systemroot%\ehome\ehprivjob.exe /doupdaterecordpath $(arg0)" [ms]

c:\windows\system32\tasks\microsoft\windows\mobilepc
"hotstart" -> launches: "{06da0625-9701-43da-bfd7-fbeea2180a1e}"
-> {hklm...clsid} = "hotstart user agent"
\inprocserver32\(default) = "c:\windows\system32\hotstartuseragent.dll" [ms]
"tmm" -> launches: "{35ef4182-f900-4632-b072-8639e4478a61}"
-> {hklm...clsid} = "transient multi-monitor manager"
\inprocserver32\(default) = "c:\windows\system32\tmm.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\mui
"lpremove" -> launches: "%windir%\system32\lpremove.exe" [ms]

c:\windows\system32\tasks\microsoft\windows\multimedia
"systemsoundsservice" -> launches: "{2dea658f-54c1-4227-af9b-260ab5fc3543}"
-> {hklm...clsid} = "microsoft playsoundservice class"
\inprocserver32\(default) = "c:\windows\system32\playsndsrv.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\networkaccessprotection
"napstatus ui" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
-> {hklm...clsid} = "nap itask handler implementation"
\inprocserver32\(default) = "c:\windows\system32\qagent.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\pla\system
"convertlogentries" -> (hidden!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,placonvertlogentries" [ms]

c:\windows\system32\tasks\microsoft\windows\rac
"racagent" -> (hidden!) launches: "%windir%\system32\racagent.exe" [ms]

c:\windows\system32\tasks\microsoft\windows\remoteassistance
"remoteassistancetask" -> (hidden!) launches: "%windir%\system32\raserver.exe /offerraupdate" [ms]

c:\windows\system32\tasks\microsoft\windows\shell
"crawlstartpages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"
-> {hklm...clsid} = "crawlstartpages task handler"
\inprocserver32\(default) = "c:\windows\system32\srchadmin.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\sideshow
"gadgetmanager" -> launches: "{ff87090d-4a9a-4f47-879b-29a80c355d61}"
-> {hklm...clsid} = "gadgetsmanager class"
\inprocserver32\(default) = "c:\windows\system32\auxiliarydisplayservices.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\systemrestore
"sr" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,executescheduledsppcreation" [ms]

c:\windows\system32\tasks\microsoft\windows\tcpip
"ipaddressconflict1" -> launches: "rundll32 ndfapi.dll,ndfrundllduplicateipoffendingsystem" [ms]
"ipaddressconflict2" -> launches: "rundll32 ndfapi.dll,ndfrundllduplicateipdefendingsystem" [ms]

c:\windows\system32\tasks\microsoft\windows\textservicesframework
"msctfmonitor" -> (hidden!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {hklm...clsid} = "msctfmonitor task handler"
\inprocserver32\(default) = "c:\windows\system32\msctfmonitor.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\upnp
"upnphostconfig" -> launches: "sc.exe config upnphost start= auto" [ms]

c:\windows\system32\tasks\microsoft\windows\wdi
"resolutionhost" -> (hidden!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {hklm...clsid} = "diagnosticinfrastructurecustomhandler"
\inprocserver32\(default) = "c:\windows\system32\wdi.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\windows error reporting
"queuereporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [ms]

c:\windows\system32\tasks\microsoft\windows\wired
"gatherwiredinfo" -> launches: "%windir%\system32\gatherwiredinfo.vbs" [null data]

c:\windows\system32\tasks\microsoft\windows\wireless
"gatherwirelessinfo" -> launches: "%windir%\system32\gatherwirelessinfo.vbs" [null data]

c:\windows\system32\tasks\microsoft\windows defender
"mp scheduled scan" -> (hidden!) launches: "c:\program files\windows defender\mpcmdrun.exe scan -restrictprivileges" [ms]


winsock2 service provider dlls:
-------------------------------

namespace service providers

hklm\system\currentcontrolset\services\winsock2\parameters\namespace_catalog5\catalog_entries\ {++}
000000000001\librarypath = "%systemroot%\system32\nlaapi.dll" [ms]
000000000002\librarypath = "%systemroot%\system32\napinsp.dll" [ms]
000000000003\librarypath = "%systemroot%\system32\pnrpnsp.dll" [ms]
000000000004\librarypath = "%systemroot%\system32\pnrpnsp.dll" [ms]
000000000005\librarypath = "%systemroot%\system32\mswsock.dll" [ms]
000000000006\librarypath = "%systemroot%\system32\winrnr.dll" [ms]

transport service providers

hklm\system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\catalog_entries\ {++}
0000000000##\packedcatalogitem (contains) dll [company name], (at) ## range:
%systemroot%\system32\mswsock.dll [ms], 01 - 10


running services (display name, service name, path {service dll}):
------------------------------------------------------------------

anschlussumleitung für terminaldienst im benutzermodus, umrdpservice, "c:\windows\system32\svchost.exe -k localsystemnetworkrestricted" {"c:\windows\system32\umrdp.dll" [ms]}
avira antivir personal - free antivirus guard, antivirservice, ""c:\primärordner\avira\antivir personaledition classic\avguard.exe"" ["avira gmbh"]
avira antivir personal - free antivirus planer, antivirscheduler, ""c:\primärordner\avira\antivir personaledition classic\sched.exe"" ["avira gmbh"]
bonjour-dienst, bonjour service, ""c:\program files (x86)\bonjour\mdnsresponder.exe"" ["apple inc."]
creative audio service, ctaudsvcservice, "c:\program files (x86)\creative\shared files\ctaudsvc.exe" ["creative technology ltd"]
cyberlink richvideo service(crvs), richvideo, ""c:\program files (x86)\cyberlink\shared files\richvideo.exe"" [empty string]
lavasoft ad-aware service, aawservice, "c:\primärordner\lavasoft\ad-aware\aawservice.exe" ["lavasoft"]
lvcomser, lvcomser, ""c:\program files\common files\logishrd\lvcomser\lvcser64.exe"" ["logitech inc."]
messenger usn journal reader-service für freigegebene ordner, usnjsvc, ""c:\program files (x86)\windows live\messenger\usnsvc.exe"" [ms]
nvidia display driver service, nvsvc, "c:\windows\system32\nvvsvc.exe" ["nvidia corporation"]
peer name resolution-protokoll, pnrpsvc, "c:\windows\system32\svchost.exe -k localservicenetworkrestricted" {"c:\windows\system32\p2psvc.dll" [ms]}
peernetzwerkidentitäts-manager, p2pimsvc, "c:\windows\system32\svchost.exe -k localservicenetworkrestricted" {"c:\windows\system32\p2psvc.dll" [ms]}
pnkbstra, pnkbstra, "c:\windows\system32\pnkbstra.exe" [file not found]
pnp-x-ip-busauflistung, ipbusenum, "c:\windows\system32\svchost.exe -k localsystemnetworkrestricted" {"c:\windows\system32\ipbusenum.dll" [ms]}
process monitor, lvprcs64, ""c:\program files\common files\logishrd\lvmvfm\lvprcsrv.exe"" ["logitech inc."]
sstp-dienst, sstpsvc, "c:\windows\system32\svchost.exe -k localservice" {"c:\windows\system32\sstpsvc.dll" [ms]}
stardock windowblinds, windowblinds, "c:\sekundärordner\stardock\mycolors\vistasrv.exe" ["stardock corporation"]
terminaldienstekonfiguration, sessionenv, "c:\windows\system32\svchost.exe -k netsvcs" {"c:\windows\system32\sessenv.dll" [ms]}
windows driver foundation - benutzermodus-treiberframework, wudfsvc, "c:\windows\system32\svchost.exe -k localsystemnetworkrestricted" {"c:\windows\system32\wudfsvc.dll" [ms]}
windows media center extender-dienst, mcx2svc, "c:\windows\system32\svchost.exe -k localservice" {"c:\windows\system32\mcx2svc.dll" [ms]}
windows media player-netzwerkfreigabedienst, wmpnetworksvc, ""c:\program files\windows media player\wmpnetwk.exe"" [ms]
windows-bilderfassung, stisvc, "c:\windows\system32\svchost.exe -k imgsvc" {"c:\windows\system32\wiaservc.dll" [ms]}
zertifikatverteilung, certpropsvc, "c:\windows\system32\svchost.exe -k netsvcs" {"c:\windows\system32\certprop.dll" [ms]}
zugriff auf eingabegeräte, hidserv, "c:\windows\system32\svchost.exe -k localsystemnetworkrestricted" {"c:\windows\system32\hidserv.dll" [ms]}


print monitors:
---------------

hklm\system\currentcontrolset\control\print\monitors\
epson stylus dx7400 series 64monitorbe\driver = "e_ilmcde.dll" ["seiko epson corporation"]


---------- (launch time: 2008-12-07 18:34:29)
<<!>>: Suspicious data at a malware launch point.

+ this report excludes default entries except where indicated.
+ to see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ to search all directories of local fixed drives for desktop.ini
dll launch points, use the -supp parameter or answer "no" at the
first message box and "yes" at the second message box.
---------- (total run time: 35 seconds, including 13 seconds for message boxes)

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

DigitalDeath 07.12.2008 18:45
ich lass gerade malwarebytes drüber laufen, und poste dann ebenfalls das log hier :)

DigitalDeath 08.12.2008 15:40
das erste malware log :

Zitat:
Malwarebytes' Anti-Malware 1.31
Datenbank Version: 1471
Windows 6.0.6001 Service Pack 1

07.12.2008 23:56:50
mbam-log-2008-12-07 (23-56-50).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 49184
Laufzeit: 2 minute(s), 33 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 1
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
danach nochmal drüber laufen lassen, kein fund

Chris4You 09.12.2008 08:10
Hi,

installiere mal die Grafiktreiber neu (nVidia)?,
da werden teile nicht gefunden...

Weiterhin gibt es IP-Adresskonflikte auf Deinem Rechner,
der entsprechende Dienst läuft...

Dann läuft der Vista-Service für "Corrupted or Damaged File Repair for Windows Disk Failure",
Du solltest Deine Festplatte mal überprüfen...

Scanne mit Dr. Web & poste das Log;
http://www.trojaner-board.de/59299-anleitung-drweb-cureit.html

Das der MBR nicht gelesen werden kann, gefällt mir nicht, kann aber
an der Rechtesteuerung von Vista hängen;

Erster Anlauf:
Avira-Antirootkit
Downloade Avira Antirootkit und Scanne dein system, poste das logfile.
http://dl.antivir.de/down/windows/antivir_rootkit.zip

Sonst sieht das eher unauffällig aus, bin aber kein Vista-Experte.
Zur Sicherheit noch Prevx mal drüberlassen...
http://www.prevx.com/freescan.asp
Funde bitte posten...

Bitte folgende Files prüfen:

Dateien Online überprüfen lassen:
  • Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:
Code:
C:\Windows\TEMP\E_S97A.tmp
C:\Windows\SysWOW64\mshta.exe
C:\Windows\system32\dimsjob.dll
  • Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)
  • Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.
  • Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!

chris

DigitalDeath 09.12.2008 19:25
hi, vielen dank für die antwort - prevx und anti vir rootkit kann ich nicht benutzen - da eine fehlermeldung kommt - bei prevx kommt eine inkompatibilitätsmeldung, da ich ein 64 bit system habe, und es nur 32 unterstützt - anti vir root kit, kann nicht gestartet werden -
fehlermeldung " Error loading Driver !"

ich werde eben grakatreiber neu installieren, sowie festplatte überprüfen ( windows dienst ) und dr.web drüberlafen lassen, und anschließend log posten

überbrückungsweise - bis überprüfung abgeschlossen ist - eben die Virus Total Ergebnisse :

---------------

C:\Windows\TEMP\E_S97A.tmp - diese datei existiert nicht :)

---------------
---------------

mshta.exe Bericht :
Zitat:
Datei mshta.exe empfangen 2008.12.09 19:17:05 (CET)
Status: Beendet
Ergebnis: 0/38 (0%)
Filter
Drucken der Ergebnisse Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.12.10.0 2008.12.09 -
AntiVir 7.9.0.43 2008.12.09 -
Authentium 5.1.0.4 2008.12.09 -
Avast 4.8.1281.0 2008.12.09 -
AVG 8.0.0.199 2008.12.09 -
BitDefender 7.2 2008.12.09 -
CAT-QuickHeal 10.00 2008.12.09 -
ClamAV 0.94.1 2008.12.09 -
Comodo 713 2008.12.09 -
DrWeb 4.44.0.09170 2008.12.09 -
eSafe 7.0.17.0 2008.12.09 -
eTrust-Vet 31.6.6252 2008.12.09 -
Ewido 4.0 2008.12.09 -
F-Prot 4.4.4.56 2008.12.09 -
F-Secure 8.0.14332.0 2008.12.09 -
Fortinet 3.117.0.0 2008.12.09 -
GData 19 2008.12.09 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.549 2008.12.09 -
Kaspersky 7.0.0.125 2008.12.09 -
McAfee 5458 2008.12.08 -
McAfee+Artemis 5458 2008.12.09 -
Microsoft 1.4205 2008.12.09 -
NOD32 3677 2008.12.09 -
Norman 5.80.02 2008.12.09 -
Panda 9.0.0.4 2008.12.09 -
PCTools 4.4.2.0 2008.12.09 -
Prevx1 V2 2008.12.09 -
Rising 21.07.12.00 2008.12.09 -
SecureWeb-Gateway 6.7.6 2008.12.09 -
Sophos 4.36.0 2008.12.09 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.09 -
TheHacker 6.3.1.2.180 2008.12.09 -
TrendMicro 8.700.0.1004 2008.12.09 -
VBA32 3.12.8.10 2008.12.09 -
ViRobot 2008.12.9.1509 2008.12.09 -
VirusBuster 4.5.11.0 2008.12.09 -
weitere Informationen
File size: 45568 bytes
MD5...: 98dbb19126ffb940dfd40cc3c8706e89
SHA1..: 5a2f4f5c8eed5701f16bf16601197412147cc0d9
SHA256: 830aec1bd342b65d6fd5c6bb4196d541a3d7911d0d4849311be304599d16c85a
SHA512: a6b408cd3e7fda3fb19e33399c5407fa0ba12b36c4ddd6ee244619525b94b254
5a639b926e330fe6c7b3388e67734295d18034cc9e08ce060a94fdbece0f9bbd
ssdeep: 768:lnb3ctK41cd3ThMM2Le/Vb9Q+kCT850JdvQE4krx:lrm3qdDhB2LYA+kC7Q1
kV
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1002823
timedatestamp.....: 0x47918edd (Sat Jan 19 05:47:09 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7f8a 0x8000 6.58 99e874473d081b4c873b642d428bd537
.data 0x9000 0x1840 0xe00 2.35 4d344bb93bfc62cd114659199cf1d753
.rsrc 0xb000 0x11b0 0x1200 3.94 5fb4fe3a8796e01f864e5058708743ec
.reloc 0xd000 0xc4c 0xe00 4.05 76156172086e563f00327509992ebb6d

( 2 imports )
> ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> KERNEL32.dll: GetVersion, GetProcAddress, GetModuleHandleW, FreeLibrary, MultiByteToWideChar, lstrlenA, LoadLibraryW, LoadLibraryA, ExpandEnvironmentStringsA, GetCommandLineA, GetVersionExA, GetStartupInfoA, SetUnhandledExceptionFilter, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCurrentThreadId, HeapDestroy, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapAlloc, LeaveCriticalSection, EnterCriticalSection, OutputDebugStringA, InitializeCriticalSection, GetCPInfo, GetACP, GetOEMCP, Sleep, VirtualAlloc, HeapReAlloc, RtlUnwind, UnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, TerminateProcess, GetCurrentProcess, VirtualProtect, GetSystemInfo, VirtualQuery

( 0 exports )
---------------
---------------

dimsjob.dll Bericht :

Zitat:
Datei dimsjob.dll empfangen 2008.12.09 19:21:46 (CET)
Status: Beendet
Ergebnis: 0/38 (0%)
Filter
Drucken der Ergebnisse Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.12.10.0 2008.12.09 -
AntiVir 7.9.0.43 2008.12.09 -
Authentium 5.1.0.4 2008.12.09 -
Avast 4.8.1281.0 2008.12.09 -
AVG 8.0.0.199 2008.12.09 -
BitDefender 7.2 2008.12.09 -
CAT-QuickHeal 10.00 2008.12.09 -
ClamAV 0.94.1 2008.12.09 -
Comodo 713 2008.12.09 -
DrWeb 4.44.0.09170 2008.12.09 -
eSafe 7.0.17.0 2008.12.09 -
eTrust-Vet 31.6.6252 2008.12.09 -
Ewido 4.0 2008.12.09 -
F-Prot 4.4.4.56 2008.12.09 -
F-Secure 8.0.14332.0 2008.12.09 -
Fortinet 3.117.0.0 2008.12.09 -
GData 19 2008.12.09 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.549 2008.12.09 -
Kaspersky 7.0.0.125 2008.12.09 -
McAfee 5458 2008.12.08 -
McAfee+Artemis 5458 2008.12.09 -
Microsoft 1.4205 2008.12.09 -
NOD32 3677 2008.12.09 -
Norman 5.80.02 2008.12.09 -
Panda 9.0.0.4 2008.12.09 -
PCTools 4.4.2.0 2008.12.09 -
Prevx1 V2 2008.12.09 -
Rising 21.07.12.00 2008.12.09 -
SecureWeb-Gateway 6.7.6 2008.12.09 -
Sophos 4.36.0 2008.12.09 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.09 -
TheHacker 6.3.1.2.180 2008.12.09 -
TrendMicro 8.700.0.1004 2008.12.09 -
VBA32 3.12.8.10 2008.12.09 -
ViRobot 2008.12.9.1509 2008.12.09 -
VirusBuster 4.5.11.0 2008.12.09 -
weitere Informationen
File size: 35328 bytes
MD5...: 70c6489d56008d75dedf73226fa63c11
SHA1..: 1f43ccbd2092f8c51ecdf2a81641db804b37216e
SHA256: 7ab4c89d7a259bb7dd6f24c5ca181749c3015a06b160b91593f2f1fc1e4aedce
SHA512: a01ff5a1598d9b6a48954135f69ccd66d92a0c32d5de05f8d4c0d5ee2eb2f8b6
b776ef8627b991c39a7fe485ef58d53241604839f11ca65e498c9493f8eaa32c
ssdeep: 384:0vqAeyIn+sRBkgCYCLGUS7rkj8P3Au5tgW8s/8UK+meX/B9rKqmtSyHpllO5
O5BQ:wA+I9FrhfgVs/jKu2zHpvNegugaim
PEiD..: -
TrID..: File type identification
DirectShow filter (58.4%)
Win64 Executable Generic (24.8%)
Win32 Executable MS Visual C++ (generic) (10.9%)
Win32 Executable Generic (2.4%)
Win32 Dynamic Link Library (generic) (2.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4a445864
timedatestamp.....: 0x4791a66f (Sat Jan 19 07:27:43 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x66c4 0x6800 6.31 6ad59d53f0cdd81bbf02db60ffa86c7e
.data 0x8000 0x3d4 0x200 0.66 50adaaeffff3dfb352f16eb7f4052a67
.rsrc 0x9000 0x1210 0x1400 3.47 e73042764d0290ee1494c71183fb54a9
.reloc 0xb000 0x7c2 0x800 6.17 c2c61b94a01db00dac881ed6e3fd474a

( 6 imports )
> msvcrt.dll: _wcsicmp, __CxxFrameHandler3, rand, _adjust_fdiv, memcpy, wcscat_s, _XcptFilter, malloc, _terminate@@YAXXZ, _except_handler4_common, _onexit, _lock, __dllonexit, _unlock, __1type_info@@UAE@XZ, _CxxThrowException, _amsg_exit, _initterm, free
> ntdll.dll: TpAllocTimer, RtlAcquireSRWLockExclusive, TpSetTimer, RtlReleaseSRWLockShared, RtlInitializeSRWLock, RtlAcquireSRWLockShared, TpReleaseTimer, RtlReleaseSRWLockExclusive, TpWaitForTimer, TpAllocWait, TpReleaseWait, TpSetWait, TpWaitForWait
> KERNEL32.dll: SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, QueryPerformanceCounter, InterlockedCompareExchange, Sleep, LocalReAlloc, LocalAlloc, GetCurrentThread, DisableThreadLibraryCalls, InterlockedDecrement, InterlockedIncrement, InterlockedExchangeAdd, GetLastError, GetModuleFileNameW, LocalFree, MulDiv, GetTickCount, CloseHandle, FindCloseChangeNotification, FindNextChangeNotification, FindFirstChangeNotificationW, CreateEventW, InterlockedExchange, FreeLibrary, GetProcAddress, LoadLibraryW, GetSystemDirectoryW, GetCurrentProcess
> ADVAPI32.dll: EventWrite, EventUnregister, EventRegister, GetTraceEnableFlags, OpenThreadToken, OpenProcessToken, GetTokenInformation, ConvertSidToStringSidW, RegQueryValueExW, RegDeleteKeyW, RegSetValueExW, RegCloseKey, RegOpenKeyExW, RegCreateKeyExW, UnregisterTraceGuids, RegisterTraceGuidsW, GetTraceLoggerHandle, GetTraceEnableLevel, TraceMessage
> USERENV.dll: UnregisterGPNotification, GetUserProfileDirectoryW, RegisterGPNotification
> ncrypt.dll: NCryptNotifyChangeKey, NCryptOpenStorageProvider, NCryptFreeObject

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

DigitalDeath 10.12.2008 00:33
hi, das problem hat sich erledigt - da der pc noch nicht einmal mehr hochfahren wollte, und der bildschirm stets schwarz blieb - hab ich mich entschlossen zu formatieren , das hab ich dann auch getan, und nun bin ich wieder virenfrei und alles funktioniert wieder - trotzdem jedoch vielen dank für die hilfe ! :dankeschoen:

mfg


Alle Zeitangaben in WEZ +1. Es ist jetzt 21:46 Uhr.

Copyright ©2000-2025, Trojaner-Board


Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131