Trojaner-Board (https://www.trojaner-board.de/)
-   Pests of all kinds and how to fight them (https://www.trojaner-board.de/plagegeister-aller-art-deren-bekaempfung/)
-   -   Worm_downad.ad ? (https://www.trojaner-board.de/85119-worm_downad-ad.html)

Snewi 20.04.2010 11:28

Worm_downad.ad ?
 
Hello,

I have a very persistent worm in our network that has infected all servers and clients!

I use the virus scanner TrendMicro OfficeScan! It constantly raises alarms with these entries:

WORM_DOWNAD.AD C:\Windows\System32\udtyjy.tjb
Mal_DownadJ from C:\Windows\Tasks\At1.job
In addition there are error messages regarding svchost.exe!

I have tried a lot! Brought the systems fully up to date with updates! Tried tools like HijackThis, Malwarebytes and f-downadup to remove the thing, but unfortunately it keeps coming back!

What else could I do?

Regards

cosinus 20.04.2010 17:45

Hello and :hallo:

Quote:

I have a very persistent worm in our network that has infected all servers and clients!
Company network? How many clients and servers?
Is the alert really on every client? If so, identical everywhere?
I assume there are no backups in the form of system images... :rolleyes:

Quote:

Brought the systems fully up to date with updates!
Before the infection as well? Doing it afterwards doesn't help much... :schmoll:

Snewi 20.04.2010 22:16

Yes, it is a company network; there are 6 servers and about 15 clients! The same alert appears on all of them! Of course the updates were only installed afterwards :-(


Is there anything left to save here? There are no images!

Regards
Snewi

cosinus 21.04.2010 08:43

Oh dear, a difficult situation. Are the 15 clients all completely different in terms of hardware, or practically identical? If identical, you could set up one machine from scratch and configure it completely; once everything is done, create an image and roll it out to the other machines, so that all machines have the same configuration again and are no longer infected (before you bring the cloned machines onto the network, you should run NewSID!).

Whether you can set up the server that way, I don't know. If it is unavailable, basically nobody can work, and that is not the idea.

Please create OTL logs on one client and post them; perhaps the cleanup effort is not that high after all (provided you want to clean up and can take responsibility for that..)


System scan with OTL

Please download OTL by Oldtimer and save it to your desktop
  • Double-click OTL.exe
  • Vista users: right-click OTL.exe and choose "Run as administrator"
  • At the top you will find a box labelled Output. Please select Minimal Output
  • Under Extra Registry, please select Use SafeList
  • Now click Run Scan at the top left
  • When the scan has finished, 2 log files are created
  • Post the log files here in the thread.
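Once the two OTL logs exist, their file-listing sections can be triaged mechanically rather than by eye. The Python below is an added example, not part of this thread or of OTL itself: it parses OTL's "[timestamp | size | attrs | C/M] (company) -- path" lines and flags the two artifact types named in the opening post (an At1.job task in Windows\Tasks and a publisher-less System32 file with an unusual extension). The sample lines are constructed in OTL's format; the indicator rules and extension list are this example's own assumptions.

```python
"""Triage helper for OTL file listings (added example, not OTL's own code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# One OTL file-listing line, e.g.
# [2010.04.21 10:25:43 | 000,010,752 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
# Directory lines omit the "(company)" part entirely, hence the optional group.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)

# Persistence artifact quoted in the first post: C:\Windows\Tasks\At1.job
AT_JOB = re.compile(r"\\windows\\tasks\\at\d+\.job$", re.IGNORECASE)

# Extensions a file under %SystemRoot% is normally expected to carry (assumption).
EXPECTED_EXT = {".exe", ".dll", ".sys", ".ini", ".dat", ".log", ".bat",
                ".ocx", ".cpl", ".drv", ".inf", ".txt", ".tmp", ".job"}


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str
    kind: str          # 'C' = created, 'M' = modified
    company: str       # '' when OTL printed "()" or omitted the field
    path: str

    @property
    def is_directory(self) -> bool:
        return "D" in self.attrs

    @property
    def extension(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return name[name.rfind("."):].lower() if "." in name else ""


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Return an OtlEntry for a file-listing line, or None for any other line."""
    m = OTL_LINE.match(line)
    if not m:
        return None
    return OtlEntry(
        timestamp=datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        kind=m["kind"],
        company=(m["company"] or "").strip(),
        path=m["path"],
    )


def flag_entry(entry: OtlEntry) -> Optional[str]:
    """Return a reason string if the entry matches an indicator rule, else None."""
    if entry.is_directory:
        return None
    low = entry.path.lower()
    if AT_JOB.search(low):
        return "AT scheduler job in Windows\\Tasks"
    in_windows = low.startswith("c:\\windows\\")
    if in_windows and not entry.company and entry.extension not in EXPECTED_EXT:
        return f"publisher-less file with unexpected extension '{entry.extension}'"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse every line and return (path, reason) for each flagged entry."""
    hits = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry is None:
            continue
        reason = flag_entry(entry)
        if reason:
            hits.append((entry.path, reason))
    return hits


# Constructed sample in OTL's format: two benign lines plus the two artifacts
# named in the first post, written as OTL would list them (not from the real log).
SAMPLE = [
    "========== Files/Folders - Created Within 30 Days ==========",
    "[2010.04.21 10:07:50 | 000,142,992 | ---- | C] (Trend Micro Inc.) -- C:\\WINDOWS\\System32\\drivers\\tmcomm.sys",
    "[2010.04.21 10:07:38 | 000,000,000 | ---D | C] -- C:\\WINDOWS\\System32\\log",
    "[2010.04.19 09:12:00 | 000,165,888 | -HS- | C] () -- C:\\WINDOWS\\System32\\udtyjy.tjb",
    "[2010.04.19 09:12:01 | 000,000,376 | ---- | C] () -- C:\\WINDOWS\\Tasks\\At1.job",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason}: {path}")
```

Feeding the real "Files/Folders - Created" and "Files - Modified" sections to `triage()` lists only the entries matching the two rules, so a helper can check those first instead of reading every line.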

Snewi 21.04.2010 09:57

Reinstalling would be the very last resort; I still hope I can get it sorted before that! :applaus: The same goes for the servers!

So here are the log files:

1.OTL:
OTL logfile created on: 21.04.2010 10:47:21 - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = Y:\User\xxx\Viren
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

502,00 Mb Total Physical Memory | 262,00 Mb Available Physical Memory | 52,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 74,41 Gb Total Space | 69,49 Gb Free Space | 93,40% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 68,24 Gb Total Space | 48,19 Gb Free Space | 70,62% Space Free | Partition Type: NTFS
Drive Z: | 124,45 Gb Total Space | 91,03 Gb Free Space | 73,15% Space Free | Partition Type: NTFS

Computer Name: xxx
Current User Name: xxx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - Y:\User\xxx\Viren\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\Temp\YHA674.EXE (Trend Micro Inc.)
PRC - C:\Programme\Trend Micro\OfficeScan Client\TmListen.exe (Trend Micro Inc.)
PRC - C:\Programme\Trend Micro\OfficeScan Client\NTRtScan.exe (Trend Micro Inc.)
PRC - C:\Programme\Trend Micro\OfficeScan Client\PccNTMon.exe (Trend Micro Inc.)
PRC - C:\Programme\Trend Micro\OfficeScan Client\CNTAoSMgr.exe (Trend Micro Inc.)
PRC - C:\Programme\PFANNEN\Pfannen_Update_r.exe (Georgsmarienhuette GmbH)
PRC - C:\Programme\TrueImage\TrueImageMonitor.exe (Acronis)
PRC - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Programme\Symantec\pcAnywhere\awhost32.exe (Symantec Corporation)
PRC - C:\Programme\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe ()
PRC - C:\NWC\NWC_SERVICE.EXE ()


========== Modules (SafeList) ==========

MOD - Y:\User\xxx\Viren\OTL.exe (OldTimer Tools)
MOD - C:\Programme\Symantec\pcAnywhere\awhk32.dll (Symantec Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\netui1.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\netui0.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\ntlanman.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\davclnt.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\drprov.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\netrap.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msvcr70.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (tmlisten) -- C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe (Trend Micro Inc.)
SRV - (ntrtscan) -- C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe (Trend Micro Inc.)
SRV - (TmProxy) -- C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe (Trend Micro Inc.)
SRV - (AcrSch2Svc) -- C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (awhost32) -- C:\Programme\Symantec\pcAnywhere\awhost32.exe (Symantec Corporation)
SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (NWC_Service) -- C:\NWC\NWC_SERVICE.EXE ()


========== Driver Services (SafeList) ==========

DRV - (TmFilter) -- C:\Programme\Trend Micro\OfficeScan Client\TmXpflt.sys (Trend Micro Inc.)
DRV - (TmPreFilter) -- C:\Programme\Trend Micro\OfficeScan Client\TmPreflt.sys (Trend Micro Inc.)
DRV - (VSApiNt) -- C:\Programme\Trend Micro\OfficeScan Client\vsapiNT.sys (Trend Micro Inc.)
DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (timounter) -- C:\WINDOWS\system32\DRIVERS\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\WINDOWS\system32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman) -- C:\WINDOWS\system32\DRIVERS\snapman.sys (Acronis)
DRV - (SymEvent) -- C:\Programme\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (senfilt) -- C:\WINDOWS\system32\drivers\senfilt.sys (Creative Technology Ltd.)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (awecho) -- C:\WINDOWS\system32\drivers\awechomd.sys (Symantec Corporation)
DRV - (awlegacy) -- C:\WINDOWS\System32\Drivers\awlegacy.sys (Symantec Corporation)
DRV - (AW_HOST) -- C:\WINDOWS\system32\drivers\AW_HOST5.sys (Symantec Corporation)
DRV - (Gernuwa) -- C:\WINDOWS\system32\drivers\GERNUWA.sys (Symantec Corporation)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.euro.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.euro.dell.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.euro.dell.com
IE - HKCU\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2009.02.24 15:58:21 | 000,009,278 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Pfannenupdate] c:\Programme\PFANNEN\Pfannen_Update.exe (Georgsmarienhuette GmbH)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Programme\TrueImage\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWinKeys = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxx
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS\System32\PCANotify.dll (Symantec Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004.08.13 14:54:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.04.21 10:07:50 | 000,142,992 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010.04.21 10:07:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\log
[2010.04.21 10:07:04 | 000,000,000 | ---D | C] -- C:\Programme\Trend Micro
[2004.08.13 15:00:24 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft
[2004.08.13 15:00:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft
[2004.08.13 14:47:04 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Microsoft
[2004.08.13 14:47:04 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.04.21 10:43:18 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.04.21 10:43:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.04.21 10:42:45 | 001,835,008 | -H-- | M] () -- C:\Dokumente und Einstellungen\velikonja\NTUSER.DAT
[2010.04.21 10:42:45 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\velikonja\ntuser.ini
[2010.04.21 10:25:43 | 000,010,752 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
[2010.04.19 13:46:32 | 000,002,513 | ---- | M] () -- C:\Dokumente und Einstellungen\velikonja\Desktop\Vai.ProcessExplorer GMH.lnk
[2010.04.19 08:33:08 | 000,000,622 | ---- | M] () -- C:\Dokumente und Einstellungen\velikonja\Desktop\spülstand_temp.xls.lnk
[2010.04.19 07:14:16 | 000,059,392 | ---- | M] () -- C:\Dokumente und Einstellungen\velikonja\Eigene Dateien\spülstand_temp.xls
[2010.04.12 10:53:32 | 000,902,476 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.04.12 10:53:32 | 000,392,512 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.04.12 10:53:32 | 000,381,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.04.12 10:53:32 | 000,064,452 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.04.12 10:53:32 | 000,053,436 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.04.21 10:25:43 | 000,010,752 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2010.04.19 08:33:08 | 000,000,622 | ---- | C] () -- C:\Dokumente und Einstellungen\velikonja\Desktop\spülstand_temp.xls.lnk
[2008.06.23 12:27:08 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\STC_DLL.DLL
[2007.12.27 17:28:27 | 001,627,648 | ---- | C] () -- C:\Dokumente und Einstellungen\velikonja\LF_Dat1207.xls
[2006.11.20 15:45:49 | 000,001,380 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006.08.09 10:58:23 | 000,002,412 | RHS- | C] () -- C:\Dokumente und Einstellungen\All Users\ntuser.pol
[2006.08.09 10:54:54 | 000,000,470 | RHS- | C] () -- C:\Dokumente und Einstellungen\velikonja\ntuser.pol
[2006.08.09 10:54:51 | 000,000,142 | ---- | C] () -- C:\Dokumente und Einstellungen\velikonja\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
[2006.08.09 10:54:50 | 001,835,008 | -H-- | C] () -- C:\Dokumente und Einstellungen\velikonja\NTUSER.DAT
[2006.08.09 10:54:50 | 000,184,320 | -H-- | C] () -- C:\Dokumente und Einstellungen\velikonja\ntuser.dat.LOG
[2006.08.09 10:54:50 | 000,000,190 | -HS- | C] () -- C:\Dokumente und Einstellungen\velikonja\ntuser.ini
[2006.08.02 11:35:44 | 000,000,183 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2006.07.17 14:42:58 | 000,262,144 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\NTUSER.DAT
[2006.07.17 14:42:58 | 000,001,024 | -H-- | C] () -- C:\Dokumente und Einstellungen\All Users\NTUSER.DAT.LOG
[2005.11.29 06:23:27 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005.11.29 06:05:32 | 000,000,412 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004.08.13 15:04:30 | 000,000,849 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004.08.13 14:51:43 | 000,003,776 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004.08.13 14:40:41 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004.08.13 14:40:26 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
< End of report >



2.EXTRAS:
OTL Extras logfile created on: 21.04.2010 10:47:21 - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = Y:\User\xxx\Viren
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

502,00 Mb Total Physical Memory | 262,00 Mb Available Physical Memory | 52,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 74,41 Gb Total Space | 69,49 Gb Free Space | 93,40% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 68,24 Gb Total Space | 48,19 Gb Free Space | 70,62% Space Free | Partition Type: NTFS
Drive Z: | 124,45 Gb Total Space | 91,03 Gb Free Space | 73,15% Space Free | Partition Type: NTFS

Computer Name: xxx
Current User Name: xxx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Programme\Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Programme\Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1480:TCP" = 1480:TCP:*:Enabled:umablo
"28747:TCP" = 28747:TCP:*:Enabled:Trend Micro OfficeScan Listener

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Programme\Symantec\pcAnywhere\awhost32.exe" = C:\Programme\Symantec\pcAnywhere\awhost32.exe:*:Enabled:pcAnywhere Host -- (Symantec Corporation)
"C:\Programme\VAI\Vai ProcessExplorer GMH\Vai.ProcessExplorerForm.exe" = C:\Programme\VAI\Vai ProcessExplorer GMH\Vai.ProcessExplorerForm.exe:*:Enabled:Vai.ProcessExplorerForm -- (Voest Alpine Industieanlagenbau GmbH, Linz, Austria)
"C:\Dokumente und Einstellungen\velikonja\Lokale Einstellungen\Temp\OraInstall2006-11-20_03-19-49PM\jre\1.4.2\bin\javaw.exe" = C:\Dokumente und Einstellungen\velikonja\Lokale Einstellungen\Temp\OraInstall2006-11-20_03-19-49PM\jre\1.4.2\bin\javaw.exe:*:Enabled:javaw -- File not found
"C:\oracle\product\10.2.0\client_1\jdk\jre\bin\java.exe" = C:\oracle\product\10.2.0\client_1\jdk\jre\bin\java.exe:*:Enabled:java -- ()
"C:\NWC\NWC_SERVICE.EXE" = C:\NWC\NWC_SERVICE.EXE:*:Enabled:NWC_SERVICE -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\VAI\Vai ProcessExplorer GMH\Vai.ProcessExplorerForm.exe" = C:\Programme\VAI\Vai ProcessExplorer GMH\Vai.ProcessExplorerForm.exe:*:Enabled:Vai.ProcessExplorerForm -- (Voest Alpine Industieanlagenbau GmbH, Linz, Austria)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
"{11518183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}" = Oracle Data Provider for .NET Help
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{A19D7EBD-54B0-4C14-BDCE-B4ECAFE77037}" = Vai ProcessExplorer GMH
"{BFBB0B55-D7FE-4F72-9091-C8D9D56A31D1}" = Vai ProcessExplorer GMH
"{CA83357B-931E-44DC-AD43-9996FEEB8116}" = Acronis*True*Image
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DBF9845F-0D40-4636-8F7D-63D3E22231D4}" = Vai ProcessExplorer GMH
"{E32C38B0-3B52-428D-A6FE-10EE1E1C63FB}" = Vai ProcessExplorer GMH
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{ECEA7878-2100-4525-915D-B09174E36971}" = Trend Micro OfficeScan Client
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 2.5 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"ST6UNST #1" = Pfannenverfolgung
"ST6UNST #2" = Pfannen_Update

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 13.04.2010 01:03:42 | Computer Name = xxx | Source = PerfNet | ID = 2006
Description = Die Server Queue-Leistungsinformationen konnten nicht gelesen werden.
Es
werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene Fehlercode
ist DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information ist DWORD 2.

Error - 13.04.2010 04:11:56 | Computer Name = xxx | Source = PerfNet | ID = 2005
Description = Die Leistungsinformationen vom Serverdienst konnten nicht gelesen
werden. Es werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene
Fehlercode befindet sich in DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information
ist DWORD 2.

Error - 13.04.2010 04:11:56 | Computer Name = xxx | Source = PerfNet | ID = 2006
Description = Die Server Queue-Leistungsinformationen konnten nicht gelesen werden.
Es
werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene Fehlercode
ist DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information ist DWORD 2.

Error - 14.04.2010 09:44:55 | Computer Name = xxx | Source = PerfNet | ID = 2005
Description = Die Leistungsinformationen vom Serverdienst konnten nicht gelesen
werden. Es werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene
Fehlercode befindet sich in DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information
ist DWORD 2.

Error - 14.04.2010 09:44:55 | Computer Name = xxx | Source = PerfNet | ID = 2006
Description = Die Server Queue-Leistungsinformationen konnten nicht gelesen werden.
Es
werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene Fehlercode
ist DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information ist DWORD 2.

Error - 14.04.2010 10:31:24 | Computer Name = xxx | Source = PerfNet | ID = 2005
Description = Die Leistungsinformationen vom Serverdienst konnten nicht gelesen
werden. Es werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene
Fehlercode befindet sich in DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information
ist DWORD 2.

Error - 14.04.2010 10:31:24 | Computer Name = xxx | Source = PerfNet | ID = 2006
Description = Die Server Queue-Leistungsinformationen konnten nicht gelesen werden.
Es
werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene Fehlercode
ist DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information ist DWORD 2.

Error - 15.04.2010 01:02:38 | Computer Name = xxx | Source = PerfNet | ID = 2005
Description = Die Leistungsinformationen vom Serverdienst konnten nicht gelesen
werden. Es werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene
Fehlercode befindet sich in DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information
ist DWORD 2.

Error - 15.04.2010 01:02:38 | Computer Name = xxx | Source = PerfNet | ID = 2006
Description = Die Server Queue-Leistungsinformationen konnten nicht gelesen werden.
Es
werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene Fehlercode
ist DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information ist DWORD 2.

Error - 15.04.2010 01:10:50 | Computer Name = xxx | Source = Application Error | ID = 1004
Description = Fehlgeschlagene Anwendung svchost.exe, Version 0.0.0.0, fehlgeschlagenes
Modul unknown, Version 0.0.0.0, Fehleradresse 0x00000000.

[ System Events ]
Error - 02.04.2008 12:41:06 | Computer Name = xxx | Source = Kerberos | ID = 5
Description = The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
host/pf-entw1.stw.gmh.de. This indicates that the ticket used against that server
is not yet valid (in relationship to that server time). Contact your system administrator
to make sure the client and server times are in sync, and that the KDC in realm
STW.GMH.DE is in sync with the KDC in the client realm.

Error - 03.04.2008 01:08:19 | Computer Name = xxx | Source = Kerberos | ID = 5
Description = The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
host/pf-entw1.stw.gmh.de. This indicates that the ticket used against that server
is not yet valid (in relationship to that server time). Contact your system administrator
to make sure the client and server times are in sync, and that the KDC in realm
STW.GMH.DE is in sync with the KDC in the client realm.

Error - 03.04.2008 19:13:09 | Computer Name = xxx | Source = Kerberos | ID = 5
Description = The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
host/pf-entw1.stw.gmh.de. This indicates that the ticket used against that server
is not yet valid (in relationship to that server time). Contact your system administrator
to make sure the client and server times are in sync, and that the KDC in realm
STW.GMH.DE is in sync with the KDC in the client realm.

Error - 04.04.2008 01:00:45 | Computer Name = xxx | Source = Kerberos | ID = 5
Description = The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
host/pf-entw1.stw.gmh.de. This indicates that the ticket used against that server
is not yet valid (in relationship to that server time). Contact your system administrator
to make sure the client and server times are in sync, and that the KDC in realm
STW.GMH.DE is in sync with the KDC in the client realm.

Error - 24.11.2009 04:05:36 | Computer Name = xxx | Source = NetBT | ID = 4321
Description = Der Name "STW :1d" konnte nicht auf der Schnittstelle mit
IP-Adresse 192.168.10.52 registriert werden. Der Computer mit IP-Adresse 192.168.10.57
hat nicht zugelassen, dass dieser Computer diesen Namen verwendet.

Error - 24.11.2009 04:08:39 | Computer Name = xxx | Source = NetBT | ID = 4321
Description = Der Name "STW :1d" konnte nicht auf der Schnittstelle mit
IP-Adresse 192.168.10.52 registriert werden. Der Computer mit IP-Adresse 192.168.10.57
hat nicht zugelassen, dass dieser Computer diesen Namen verwendet.

Error - 24.11.2009 04:10:57 | Computer Name = xxx | Source = NetBT | ID = 4321
Description = Der Name "STW :1d" konnte nicht auf der Schnittstelle mit
IP-Adresse 192.168.10.52 registriert werden. Der Computer mit IP-Adresse 192.168.10.57
hat nicht zugelassen, dass dieser Computer diesen Namen verwendet.

Error - 15.04.2010 01:12:17 | Computer Name = xxx | Source = Service Control Manager | ID = 7023
Description = Der Dienst "Security Driver" wurde mit folgendem Fehler beendet: %%1114

Error - 16.04.2010 12:14:12 | Computer Name = xxx | Source = Service Control Manager | ID = 7023
Description = Der Dienst "Security Driver" wurde mit folgendem Fehler beendet: %%1114

Error - 21.04.2010 04:26:42 | Computer Name = xxx | Source = Service Control Manager | ID = 7032
Description = Der Versuch des Dienststeuerungs-Managers, nach dem unerwarteten Beenden
des Dienstes "Windows-Verwaltungsinstrumentation" Korrekturmaßnahmen (Starten Sie
den Dienst neu.) durchzuführen, ist fehlgeschlagen. Fehler: %%1056


< End of report >

cosinus 21.04.2010 10:31

Quote:

C:\NWC\NWC_SERVICE.EXE
Does NWC-Service mean anything to you? The file in question, C:\Windows\System32\udtyjy.tjb, does not show up in the log. Please make a log with GMER from the same workstation and post it.

Snewi 21.04.2010 11:46

NWC_Service is known!!

Log:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-21 12:42:25
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOKUME~1\VELIKO~1\LOKALE~1\Temp\uwtdipod.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF7ED9F80]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \FileSystem\Fastfat \Fat A95E0C8A

AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----

cosinus 21.04.2010 13:37

Doesn't show up there either :balla:
But the alerts about this file keep coming all the time, right? :dummguck:

Snewi 21.04.2010 14:08

Yes, they come all the time, as I said, on all servers and PCs, although the file can sometimes be a different one!
Could the source of the worm perhaps be something else here?

Regards

cosinus 21.04.2010 14:32

Looks very much like a rootkit. Please make another log with OSAM and post it. One tool or another has to show it :rolleyes:

Snewi 21.04.2010 14:36

You'll get it tomorrow morning! Until tomorrow

Snewi 22.04.2010 07:58

Here is the log file from another client with the same virus alert:

Only here the file is called C:\Windows\System32\dlzlnti.ar
and C:\Windows\Tasks\At1.job

OSAM log file:

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 08:21:54 on 22.04.2010

OS: Windows XP Professional Service Pack 2 (Build 2600)
Default Browser: Unable to get information

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"WGASetup.job" - "Microsoft Corporation" - C:\WINDOWS\system32\KB905474\wgasetup.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"BACSCPL.cpl" - ? - C:\WINDOWS\system32\BACSCPL.cpl
"jpicpl32.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\jpicpl32.cpl
"pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl (File found, but it contains no detailed information)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"AC3 Filter" - ? - D:\Programme\TTPack\AC3\ac3filter.cpl
"QuickTime" - "Apple Computer, Inc." - D:\Programme\TTPack\QTLite\QuickTime.cpl
"SYMLIVE" - "Symantec Corporation" - C:\Programme\Symantec\LiveUpdate\S32LUCP1.CPL

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ACEDRV07" (ACEDRV07) - "Protect Software GmbH" - C:\WINDOWS\system32\drivers\ACEDRV07.sys
"Acronis Snapshots Manager" (snapman) - "Acronis" - C:\WINDOWS\System32\DRIVERS\snapman.sys
"Acronis TrueImage Backup Archive Explorer" (timounter) - "Acronis" - C:\WINDOWS\System32\DRIVERS\timntr.sys
"Acronis TrueImage FS Filter" (tifsfilter) - "Acronis" - C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
"AVM Bluetooth Audio Driver" (AVMBTSND) - "AVM GmbH" - C:\WINDOWS\System32\drivers\avmbtsnd.sys
"AVM Bluetooth CAPI-Controller" (CAPI_CIP) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\capi_cip.sys
"AVM Bluetooth Druckeranschluss" (AVMBTPARALLEL) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmbtpar.sys
"AVM Bluetooth Kommunikationsanschluss" (AVMBTSERIAL) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmbtser.sys
"AVM Bluetooth Netzwerkadapter" (NETBFPAN) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\netbfpan.sys
"AVM ISDN CoNDIS WAN CAPI Treiber" (AVMCOWAN) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmcowan.sys
"awecho" (awecho) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\awechomd.sys
"awlegacy" (awlegacy) - "Symantec Corporation" - C:\WINDOWS\System32\Drivers\awlegacy.sys
"AW_HOST" (AW_HOST) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\aw_host5.sys
"BlueFRITZ! USB 2.5(WinXP/2000)" (bfhubase) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\bfhubase.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"Gernuwa" (Gernuwa) - "Symantec Corporation" - C:\WINDOWS\system32\drivers\Gernuwa.sys
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found)
"Nokia USB Generic" (Nokia USB Generic) - ? - C:\WINDOWS\System32\drivers\nmwcdc.sys (File not found)
"Nokia USB Modem" (Nokia USB Modem) - ? - C:\WINDOWS\System32\drivers\nmwcdcm.sys (File not found)
"Nokia USB Phone Parent" (Nokia USB Phone Parent) - ? - C:\WINDOWS\System32\drivers\nmwcd.sys (File not found)
"Nokia USB Port" (Nokia USB Port) - ? - C:\WINDOWS\System32\drivers\nmwcdcj.sys (File not found)
"Nsynas32" (Nsynas32) - "Syncrosoft Hard- und Software GmbH" - C:\WINDOWS\system32\drivers\Nsynas32.sys
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"Secdrv" (Secdrv) - ? - C:\WINDOWS\System32\DRIVERS\secdrv.sys (File signed by Microsoft | File found, but it contains no detailed information)
"SymEvent" (SymEvent) - "Symantec Corporation" - C:\Programme\Symantec\SYMEVENT.SYS
"SynasUSB" (SynasUSB) - "SIA Syncrosoft" - C:\WINDOWS\System32\drivers\SynasUSB.sys
"tmcomm" (tmcomm) - "Trend Micro Inc." - C:\WINDOWS\system32\drivers\tmcomm.sys
"Trend Micro Filter" (TmFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmXPFlt.sys
"Trend Micro PreFilter" (TmPreFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmPreFlt.sys
"Trend Micro VSAPI NT" (VSApiNt) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\VSApiNt.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll
{CD00020A-8B95-11D1-82DB-00C04FB1625D} "Microsoft PKM KnowledgePluggable Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\pkmcdo.dll
{9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} "Quest RevNet Protocol" - ? - C:\PROGRA~1\QUESTS~1\SQLNAV~1\RNetPin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - D:\Programme\7-Zip\7-zip.dll
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "Acrobat Elements Context Menu" - "Adobe Systems Inc." - D:\Programme\Adobe Acrobat\Acrobat Elements\ContextMenu.dll
{D66DC78C-4F61-447F-942B-3FB6980118CF} "CInfoTipShellExt Class" - "Microsoft Corporation" - D:\Programme\Microsoft Office\Visio10\VisShe.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found)
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found)
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} "ImageExtractorShellExt Class" - "Microsoft Corporation" - D:\Programme\Microsoft Office\Visio10\VisShe.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - D:\Programme\Microsoft Office\OFFICE11\msohev.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL
{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - D:\Nero\Nero 9\Nero CoverDesigner\CoverEdExtension.dll
{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL
{E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
InCDShellExt extension "{CAE3251E-9B15-4810-B268-852AD9792A59}" - ? - (File not found | COM-object registry key not found)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
<binary data> "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{4FDF3696-5078-4952-868C-CEEB9683B8C4} "DownloadFile Control" - ? - C:\WINDOWS\DOWNLO~1\Download.ocx / hxxp://192.168.10.31/cab/DownloadFile.cab
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} "Java Plug-in 1.5.0" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / https://st-entw1:2607/jre-1_5_0_06-windows-i586-p.exe
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{7D30109B-DD2B-4339-BE80-1CD48723C2BC} "LiveX(v6.0.1.0)" - ? - C:\WINDOWS\DOWNLO~1\LiveX.ocx / hxxp://192.168.10.31/cab/Live.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{182EC0BE-5110-49C8-A062-BEB1D02A220B} "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "ClsidExtension" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
"Knowledge Base" - ? - hxxp://support.microsoft.com/ (HTTP value)
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
<binary data> "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{AE7CD045-E861-484f-8273-0445EE161910} "AcroIEToolbarHelper Class" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{56CF4856-ECB4-4e46-A897-A378821F97B9} "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "SSVHelper Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

[LSA Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )-----
"Authentication packages" - "Acronis" - C:\WINDOWS\system32\relog_ap.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Acrobat - Schnellstart.lnk" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\acrobat_sl.exe (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\schoenea.STW\Startmenü\Programme\Autostart\desktop.ini
"Microsoft Office Outlook 2003.lnk" - "Microsoft Corporation" - D:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"SpybotSD TeaTimer" - "Safer Networking Limited" - D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Acrobat Assistant 7.0" - "Adobe Systems Inc." - "D:\Programme\Adobe Acrobat\Distillr\Acrotray.exe"
"Acronis Scheduler2 Service" - "Acronis" - "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
"bgsmsnd.exe" - "Broadgun Software" - C:\WINDOWS\system32\bgsmsnd.exe
"OfficeScanNT Monitor" - "Trend Micro Inc." - "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
"OSSelectorReinstall" - ? - C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe (File found, but it contains no detailed information)
"Pfannenupdate" - "Georgsmarienhuette GmbH" - c:\Programme\PFANNEN\Pfannen_Update.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
"TrueImageMonitor.exe" - "Acronis" - D:\Programme\Acronis\True Image 9.0\TrueImageMonitor.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Adobe PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\system32\AdobePDF.dll
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"pcAnywhere Remote Printing" - "Symantec Corporation" - C:\WINDOWS\system32\awmon.dll
"PDF Port Monitor" - ? - C:\WINDOWS\system32\bgspmnt.dll (File found, but it contains no detailed information)

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Acronis Scheduler2 Service" (AcrSch2Svc) - "Acronis" - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
"Adobe LM Service" (Adobe LM Service) - "Adobe Systems" - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Machine Debug Manager" (MDM) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
"Nero BackItUp Scheduler 4.0" (Nero BackItUp Scheduler 4.0) - "Nero AG" - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
"NMSAccessU" (NMSAccessU) - ? - D:\Programme\CDBurnerXP\NMSAccessU.exe (File found, but it contains no detailed information)
"NWC Service" (NWC_Service) - ? - C:\NWC\NWC_SERVICE.EXE (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"OfficeScan NT Listener" (tmlisten) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
"OfficeScan NT Proxy Service" (TmProxy) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe
"OfficeScanNT RealTime Scan" (ntrtscan) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
"pcAnywhere Host-Modul" (awhost32) - "Symantec Corporation" - D:\Programme\Symantec\PCAnywhere\awhost32.exe
"Pml Driver HPZ12" (Pml Driver HPZ12) - "Hewlett-Packard" - C:\WINDOWS\system32\hpzipm12.dll
"Server Support" (hwvzw) - ? - C:\Programme\Movie Maker\dlzlnti.dll (File not found)
"Shell Server" (eifqcaunr) - ? - C:\WINDOWS\system32\dlzlnti.dll (File not found)
"SolidWorks Licensing Service" (SolidWorks Licensing Service) - "SolidWorks" - C:\Programme\Gemeinsame Dateien\SolidWorks Shared\Service\SolidWorksLicensing.exe
"SQL Server (SQLEXPRESS)" (MSSQL$SQLEXPRESS) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"PCANotify" - "Symantec Corporation" - C:\WINDOWS\system32\PCANotify.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

cosinus 22.04.2010 08:34

In the OSAM log I see this under the [services] section

Code:

"Server Support" (hwvzw) - ? - C:\Programme\Movie Maker\dlzlnti.dll (File not found)
"Shell Server" (eifqcaunr) - ? - C:\WINDOWS\system32\dlzlnti.dll (File not found)

Follow the OSAM instructions to fix these entries.
First try only disabling the entries, so that the files with constantly changing names can be analysed again at VirusTotal.

You can proceed the same way on the other PCs regarding fixing the entries with OSAM.
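
As an added example (not code from this thread, from OSAM or from Trend Micro), the following Python triage scores OSAM [Drivers]/[Services] entries on the signals cosinus points to above: no publisher information, a missing image file, a .tmp or numeric file as driver image, a generated-looking service name, and one DLL name reused by several entries. The weights and the threshold are this example's own assumptions; the sample report is constructed from lines posted in this thread, with known-benign XP/2003 leftovers kept as controls.

```python
"""Triage of [Drivers]/[Services] entries in an OSAM autorun report.

Added example for this thread, not code from the thread, OSAM or Trend Micro.
Signals, weights and threshold are this example's own assumptions.
"""
import re
from collections import Counter, namedtuple
from pathlib import PureWindowsPath

# OSAM line shape:  "Display" (ServiceName) - "Publisher"|? - Path (flags)
ENTRY_RE = re.compile(
    r'^"(?P<display>[^"]*)" \((?P<name>[^)]*)\) - '
    r'(?P<publisher>\?|"[^"]*") - (?P<path>.*?)(?: \((?P<flags>[^()]*)\))?$')
VOWELS = set("aeiouy")
Entry = namedtuple("Entry", "section display name publisher path flags")


def parse_osam(text):
    """Return the [Drivers] and [Services] entries of an OSAM report."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]           # e.g. [Drivers], [Services]
            continue
        m = ENTRY_RE.match(line) if section in ("Drivers", "Services") else None
        if m:
            entries.append(Entry(section, m["display"], m["name"],
                                 m["publisher"].strip('"'), m["path"], m["flags"] or ""))
    return entries


def looks_random(name):
    """Vowel-poor names such as hwvzw or hltov look machine-generated."""
    letters = [c for c in name.lower() if c.isalpha()]
    return bool(letters) and sum(c in VOWELS for c in letters) / len(letters) < 0.25


def stem_matches(name, path):
    """True when the image file name echoes the service name (IpInIp <-> ipinip.sys)."""
    stem, n = PureWindowsPath(path).stem.lower(), name.lower()
    return bool(stem) and (stem.startswith(n) or n.startswith(stem))


def score(entry, basename_counts):
    """(points, reasons) for one entry. A '?' publisher alone is weak evidence:
    benign XP leftovers (Changer, lbrtfdc) are also unknown and missing."""
    p = PureWindowsPath(entry.path)
    checks = [
        (1, "no publisher/version information", entry.publisher == "?"),
        (1, "image file missing on disk", "File not found" in entry.flags),
        (2, "image is a temp/numeric file", p.suffix.lower() == ".tmp" or p.stem.isdigit()),
        (1, "generated-looking service name",
         not stem_matches(entry.name, entry.path) and looks_random(entry.name)),
        (2, "same image file name used by several entries", basename_counts[p.name.lower()] > 1),
    ]
    hits = [(w, why) for w, why, hit in checks if hit]
    return sum(w for w, _ in hits), [why for _, why in hits]


def triage(text):
    """Map service name -> (points, reasons) for every parsed entry."""
    entries = parse_osam(text)
    counts = Counter(PureWindowsPath(e.path).name.lower() for e in entries)
    return {e.name: score(e, counts) for e in entries}


def flagged(text, threshold=3):
    """Service names whose score reaches the threshold, in report order."""
    return [n for n, (pts, _) in triage(text).items() if pts >= threshold]


# Constructed sample: lines copied from the OSAM logs posted in this thread,
# with known-benign XP/2003 leftovers (Changer, lbrtfdc) kept as controls.
SAMPLE_OSAM = r'''
[Drivers]
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"hltov" (hltov) - ? - C:\WINDOWS\system32\01.tmp (File not found)
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found)
"tmcomm" (tmcomm) - "Trend Micro Inc." - C:\WINDOWS\system32\drivers\tmcomm.sys

[Services]
"NWC Service" (NWC_Service) - ? - C:\NWC\NWC_SERVICE.EXE (File found, but it contains no detailed information)
"Server Support" (hwvzw) - ? - C:\Programme\Movie Maker\dlzlnti.dll (File not found)
"Shell Server" (eifqcaunr) - ? - C:\WINDOWS\system32\dlzlnti.dll (File not found)
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
'''

if __name__ == "__main__":
    for name, (points, reasons) in triage(SAMPLE_OSAM).items():
        print(f"{name:12} {points}  {'; '.join(reasons)}")
```

On the sample, the three entries with random names and a shared or temp image file score 4 or more, while the stale XP driver leftovers stay at 2 and are not flagged.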

Snewi 22.04.2010 09:32

Hello,

so I have now followed the instructions and at the moment there is no more alert on the client! I did the same on a server (development server) and the entry still appears:

C:\Windows\System32\udtyjy.rjb
und C:\Windows\Tasks\At1.job

Here is the log:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 10:28:51 on 22.04.2010

OS: Windows Server 2003, Standard Edition Service Pack 2 (Build 3790)
Default Browser: Microsoft Corporation Internet Explorer 6.00.3790.3959

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"SGStoerMail.job" - "Georgsmarienhütte GmbH" - C:\Programme\GMH\SGStoerMail\SGStoerMail.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"nvcpl.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvcpl.cpl
"nvtuicpl.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvtuicpl.cpl
"S7epaepx.cpl" - "SIEMENS AG" - C:\WINDOWS\system32\S7epaepx.cpl
"S7EPATDX.CPL" - "SIEMENS AG" - C:\WINDOWS\system32\S7EPATDX.CPL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"SYMLIVE" - "Symantec Corporation" - C:\Programme\Symantec\LiveUpdate\S32LUCP1.CPL

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ASPI32" (ASPI32) - "Adaptec" - C:\WINDOWS\system32\drivers\ASPI32.sys
"awecho" (awecho) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\awechomd.sys
"awlegacy" (awlegacy) - "Symantec Corporation" - C:\WINDOWS\System32\Drivers\awlegacy.sys
"AW_HOST" (AW_HOST) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\aw_host5.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"Dpmtrcdd" (Dpmtrcdd) - "Siemens AG" - C:\WINDOWS\System32\DRIVERS\dpmtrcdd.sys
"Gernuwa" (Gernuwa) - "Symantec Corporation" - C:\WINDOWS\system32\drivers\Gernuwa.sys
"hltov" (hltov) - ? - C:\WINDOWS\system32\01.tmp (File not found)
"i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys (File not found)
"IP/IP-Tunneltreiber" (IpInIp) - ? - C:\WINDOWS\System32\DRIVERS\ipinip.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"PROFINET IO RT-Protocol" (s7snsrtx) - ? - C:\WINDOWS\System32\DRIVERS\s7snsrtx.sys
"s7otranx" (s7otranx) - "SIEMENS AG" - C:\WINDOWS\System32\Drivers\s7otranx.sys
"scpdrv" (scpdrv) - ? - C:\Programme\Gemeinsame Dateien\Siemens\SWS\PlugIns\SCP\scpdrv.sys (File found, but it contains no detailed information)
"SIMATIC Industrial Ethernet (ISO)" (SNTIE) - "Siemens AG" - C:\WINDOWS\System32\DRIVERS\sntie.sys
"SymEvent" (SymEvent) - "Symantec Corporation" - C:\Programme\Symantec\SYMEVENT.SYS
"System Management Driver" (dcdbas) - ? - C:\WINDOWS\System32\DRIVERS\dcdbas32.sys (File not found)
"tmcomm" (tmcomm) - "Trend Micro Inc." - C:\WINDOWS\system32\drivers\tmcomm.sys
"Trend Micro Filter" (TmFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmXPFlt.sys
"Trend Micro PreFilter" (TmPreFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmPreFlt.sys
"Trend Micro VSAPI NT" (VSApiNt) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\VSApiNt.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} "Quest RevNet Protocol" - ? - D:\QUESTS~1\SQLNAV~1\RNetPin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{1CDB2949-8F65-4355-8456-263E7C208A5D} "Desktop Explorer" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} "Desktop Explorer Menu" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{D545EBD1-BD92-11CF-8772-00A0C9039735} "Developer Studio Components" - "Microsoft Corporation" - D:\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
{88895560-9AA2-1069-930E-00AA0030EBC8} "Erweiterung für HyperTerminal-Icons" - ? - hticons.dll (File not found)
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} "nView Desktop Context Menu" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL
{6B19FEC2-A45B-11CF-9045-00A0C9039735} "Registered ActiveX Controls" - "Microsoft Corporation" - D:\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{59B0F512-BD54-46f7-A872-039788A3A5AD} "Simatic Shell" - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\Bin\CCShellExtention.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "AcroIEHlprObj Class" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[Known DLLs]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs )-----
"wow64" - ? - C:\WINDOWS\system32\wow64.dll (File not found)
"wow64cpu" - ? - C:\WINDOWS\system32\wow64cpu.dll (File not found)
"wow64win" - ? - C:\WINDOWS\system32\wow64win.dll (File not found)

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Reader Speed Launch.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"Komponenten Konfigurator.lnk" - "Siemens AG" - C:\Programme\Gemeinsame Dateien\Siemens\S7wnsmsx\s7wnsmgx.exe (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\Administrator.STW\Startmenü\Programme\Autostart\desktop.ini
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"FreePDF Assistant" - "shbox.de" - C:\Programme\FreePDF_XP\fpassist.exe
"Kill_Old_SimaticNet_Setup" - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\SimNetCom\_koss
"nwiz" - "NVIDIA Corporation" - nwiz.exe /install
"OfficeScanNT Monitor" - "Trend Micro Inc." - "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
"simpcmon" - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bincfg\_simpcmon.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"HP Standard TCP/IP Port" - "Hewlett Packard" - C:\WINDOWS\system32\HpTcpMon.dll
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"pcAnywhere Remote Printing" - "Symantec Corporation" - C:\WINDOWS\system32\awmon.dll
"Redirected Port" - ? - C:\WINDOWS\system32\redmonnt.dll (File found, but it contains no detailed information)

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Automation License Manager Service" (almservice) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\sws\almsrv\almsrvx.exe
"CCAgent" (CCAgent) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\bin\CCAgent.exe
"CCEClient" (CCEClient) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\bin\CCEClient.exe
"CCEServer" (CCEServer) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\bin\CCEServer.exe
"Crystal Query Server" (Crystal Query Server) - ? - C:\Programme\Seagate Software\Query Server\querysrv.exe
"Meinberg Time Adjustment" (MbgAdjTm) - "Meinberg Funkuhren GmbH & Co. KG, Bad Pyrmont, Germany" - C:\WINDOWS\system32\mbgadjtm.exe
"MySQL" (MySQL) - ? - C:\Programme\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe (File found, but it contains no detailed information)
"Network Time Protocol Daemon" (NTP) - ? - C:\Programme\NTP\bin\ntpd.exe (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"OfficeScan NT Listener" (tmlisten) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
"OfficeScan NT Proxy Service" (TmProxy) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe
"OfficeScanNT RealTime Scan" (ntrtscan) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
"OpcEnum" (OpcEnum) - "OPC Foundation" - c:\windows\system32\OpcEnum.exe
"OracleDBConsolepfentw" (OracleDBConsolepfentw) - "Oracle Corporation" - D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe
"OracleMTSRecoveryService" (OracleMTSRecoveryService) - "Oracle Corporation" - D:\OraHome_9\bin\omtsreco.exe
"OracleOraDb10g_home1iSQL*Plus" (OracleOraDb10g_home1iSQL*Plus) - "Oracle" - D:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
"OracleOraDb10g_home1TNSListener" (OracleOraDb10g_home1TNSListener) - ? - D:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (File found, but it contains no detailed information)
"OracleServicePFENTW" (OracleServicePFENTW) - "Oracle Corporation" - d:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
"pcAnywhere Host-Modul" (awhost32) - "Symantec Corporation" - C:\Programme\Symantec\pcAnywhere\awhost32.exe
"S7 Global Services" (s7asysvx) - "SIEMENS AG" - C:\Programme\SIEMENS\SIMATIC.NCM\S7bin\s7asysvx.exe
"SIMATIC IEPG Help Service" (s7oiehsx) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\S7IEPG\s7oiehsx.exe
"SIMATIC NET Configuration Server" (SIMATIC NET Configuration Server) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bincfg\scorecfg.exe
"SIMATIC NET Configuration Service" (SIMATIC NET Configuration Service) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bincfg\SServCFG.exe
"SIMATIC NET Core Server DP" (SIMATIC NET Core Server DP) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bindp\scoredp.exe
"SIMATIC NET Core Server DP2" (SIMATIC NET Core Server DP2) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bindp2\scoredp2.exe
"SIMATIC NET Core Server FDL" (SIMATIC NET Core Server FDL) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binfdl\scorefdl.exe
"SIMATIC NET Core Server FMS" (SIMATIC NET Core Server FMS) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binfms\scorefms.exe
"SIMATIC NET Core Server PD" (SIMATIC NET Core Server PD) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binpd\scorepd.exe
"SIMATIC NET Core Server PROFINET CbA" (SIMATIC NET Core Server PROFINET CbA) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binPN\scorepn.exe
"SIMATIC NET Core Server PROFINET IO" (SIMATIC NET Core Server PROFINET IO) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binpnio\scorepnio.exe
"SIMATIC NET Core Server S7" (SIMATIC NET Core Server S7) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binS7\SCoreS7.exe
"SIMATIC NET Core Server SNMP" (SIMATIC NET Core Server SNMP) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binSNMP\scoresnmp.exe
"SIMATIC NET Core Server SR" (SIMATIC NET Core Server SR) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binsr\scoresr.exe
"SIMATIC NET P&P Manager" (SIMATIC NET P&P Manager) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\SimNetCom\simnetpnpman.exe
"SIMATIC NET Route Manager" (SIMATIC NET RouteManager) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\s7wnrmsx\s7wnrmsx.exe
"SIMATIC NET Station-Manager" (StatMgr) - "Siemens AG" - C:\Programme\Gemeinsame Dateien\Siemens\s7wnsmsx\s7wnsmsx.exe
"SIMATIC NET Synchronization Service" (sim9sync) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\SimNetCom\sim9sync.exe
"SQL Server (MSSQLSERVER)" (MSSQLSERVER) - "Microsoft Corporation" - C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
"Visual Studio Analyzer RPC bridge" (Visual Studio Analyzer RPC bridge) - "Microsoft Corporation" - D:\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll (File not found)
(Disabled) "MVB" - ? - mvfs32.dll (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"AtiExtEvent" - ? - Ati2evxx.dll (File not found)
"PCANotify" - "Symantec Corporation" - C:\WINDOWS\system32\PCANotify.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Snewi 22.04.2010 09:50

Back to square one, the client is showing the virus alert again :-( What a mess, here is the current log once more:

Report of OSAM: Autorun Manager v5.0.11926.0
Online Solutions. Complex Protection for Information Systems
Saved at 10:41:17 on 22.04.2010

OS: Windows XP Professional Service Pack 2 (Build 2600)
Default Browser: Unable to get information

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"WGASetup.job" - "Microsoft Corporation" - C:\WINDOWS\system32\KB905474\wgasetup.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"BACSCPL.cpl" - ? - C:\WINDOWS\system32\BACSCPL.cpl
"jpicpl32.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\jpicpl32.cpl
"pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl (File found, but it contains no detailed information)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"AC3 Filter" - ? - D:\Programme\TTPack\AC3\ac3filter.cpl
"QuickTime" - "Apple Computer, Inc." - D:\Programme\TTPack\QTLite\QuickTime.cpl
"SYMLIVE" - "Symantec Corporation" - C:\Programme\Symantec\LiveUpdate\S32LUCP1.CPL

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ACEDRV07" (ACEDRV07) - "Protect Software GmbH" - C:\WINDOWS\system32\drivers\ACEDRV07.sys
"Acronis Snapshots Manager" (snapman) - "Acronis" - C:\WINDOWS\System32\DRIVERS\snapman.sys
"Acronis TrueImage Backup Archive Explorer" (timounter) - "Acronis" - C:\WINDOWS\System32\DRIVERS\timntr.sys
"Acronis TrueImage FS Filter" (tifsfilter) - "Acronis" - C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
"AVM Bluetooth Audio Driver" (AVMBTSND) - "AVM GmbH" - C:\WINDOWS\System32\drivers\avmbtsnd.sys
"AVM Bluetooth CAPI-Controller" (CAPI_CIP) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\capi_cip.sys
"AVM Bluetooth Druckeranschluss" (AVMBTPARALLEL) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmbtpar.sys
"AVM Bluetooth Kommunikationsanschluss" (AVMBTSERIAL) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmbtser.sys
"AVM Bluetooth Netzwerkadapter" (NETBFPAN) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\netbfpan.sys
"AVM ISDN CoNDIS WAN CAPI Treiber" (AVMCOWAN) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmcowan.sys
"awecho" (awecho) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\awechomd.sys
"awlegacy" (awlegacy) - "Symantec Corporation" - C:\WINDOWS\System32\Drivers\awlegacy.sys
"AW_HOST" (AW_HOST) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\aw_host5.sys
"BlueFRITZ! USB 2.5(WinXP/2000)" (bfhubase) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\bfhubase.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"Gernuwa" (Gernuwa) - "Symantec Corporation" - C:\WINDOWS\system32\drivers\Gernuwa.sys
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found)
"Nokia USB Generic" (Nokia USB Generic) - ? - C:\WINDOWS\System32\drivers\nmwcdc.sys (File not found)
"Nokia USB Modem" (Nokia USB Modem) - ? - C:\WINDOWS\System32\drivers\nmwcdcm.sys (File not found)
"Nokia USB Phone Parent" (Nokia USB Phone Parent) - ? - C:\WINDOWS\System32\drivers\nmwcd.sys (File not found)
"Nokia USB Port" (Nokia USB Port) - ? - C:\WINDOWS\System32\drivers\nmwcdcj.sys (File not found)
"Nsynas32" (Nsynas32) - "Syncrosoft Hard- und Software GmbH" - C:\WINDOWS\system32\drivers\Nsynas32.sys
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"Secdrv" (Secdrv) - ? - C:\WINDOWS\System32\DRIVERS\secdrv.sys (File signed by Microsoft | File found, but it contains no detailed information)
"SymEvent" (SymEvent) - "Symantec Corporation" - C:\Programme\Symantec\SYMEVENT.SYS
"SynasUSB" (SynasUSB) - "SIA Syncrosoft" - C:\WINDOWS\System32\drivers\SynasUSB.sys
"tmcomm" (tmcomm) - "Trend Micro Inc." - C:\WINDOWS\system32\drivers\tmcomm.sys
"Trend Micro Filter" (TmFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmXPFlt.sys
"Trend Micro PreFilter" (TmPreFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmPreFlt.sys
"Trend Micro VSAPI NT" (VSApiNt) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\VSApiNt.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll
{CD00020A-8B95-11D1-82DB-00C04FB1625D} "Microsoft PKM KnowledgePluggable Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\pkmcdo.dll
{9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} "Quest RevNet Protocol" - ? - C:\PROGRA~1\QUESTS~1\SQLNAV~1\RNetPin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - D:\Programme\7-Zip\7-zip.dll
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "Acrobat Elements Context Menu" - "Adobe Systems Inc." - D:\Programme\Adobe Acrobat\Acrobat Elements\ContextMenu.dll
{D66DC78C-4F61-447F-942B-3FB6980118CF} "CInfoTipShellExt Class" - "Microsoft Corporation" - D:\Programme\Microsoft Office\Visio10\VisShe.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found)
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found)
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} "ImageExtractorShellExt Class" - "Microsoft Corporation" - D:\Programme\Microsoft Office\Visio10\VisShe.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - D:\Programme\Microsoft Office\OFFICE11\msohev.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL
{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - D:\Nero\Nero 9\Nero CoverDesigner\CoverEdExtension.dll
{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL
{E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
InCDShellExt extension "{CAE3251E-9B15-4810-B268-852AD9792A59}" - ? - (File not found | COM-object registry key not found)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
<binary data> "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{4FDF3696-5078-4952-868C-CEEB9683B8C4} "DownloadFile Control" - ? - C:\WINDOWS\DOWNLO~1\Download.ocx / hxxp://192.168.10.31/cab/DownloadFile.cab
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} "Java Plug-in 1.5.0" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / https://st-entw1:2607/jre-1_5_0_06-windows-i586-p.exe
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{7D30109B-DD2B-4339-BE80-1CD48723C2BC} "LiveX(v6.0.1.0)" - ? - C:\WINDOWS\DOWNLO~1\LiveX.ocx / hxxp://192.168.10.31/cab/Live.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{182EC0BE-5110-49C8-A062-BEB1D02A220B} "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "ClsidExtension" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
"Knowledge Base" - ? - Microsoft Support (HTTP value)
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
<binary data> "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{AE7CD045-E861-484f-8273-0445EE161910} "AcroIEToolbarHelper Class" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{56CF4856-ECB4-4e46-A897-A378821F97B9} "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "SSVHelper Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

[LSA Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )-----
"Authentication packages" - "Acronis" - C:\WINDOWS\system32\relog_ap.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Acrobat - Schnellstart.lnk" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\acrobat_sl.exe (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\schoenea.STW\Startmenü\Programme\Autostart\desktop.ini
"Microsoft Office Outlook 2003.lnk" - "Microsoft Corporation" - D:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"SpybotSD TeaTimer" - "Safer Networking Limited" - D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Acrobat Assistant 7.0" - "Adobe Systems Inc." - "D:\Programme\Adobe Acrobat\Distillr\Acrotray.exe"
"Acronis Scheduler2 Service" - "Acronis" - "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
"bgsmsnd.exe" - "Broadgun Software" - C:\WINDOWS\system32\bgsmsnd.exe
"OfficeScanNT Monitor" - "Trend Micro Inc." - "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
"OSSelectorReinstall" - ? - C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe (File found, but it contains no detailed information)
"Pfannenupdate" - "Georgsmarienhuette GmbH" - c:\Programme\PFANNEN\Pfannen_Update.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
"TrueImageMonitor.exe" - "Acronis" - D:\Programme\Acronis\True Image 9.0\TrueImageMonitor.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Adobe PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\system32\AdobePDF.dll
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"pcAnywhere Remote Printing" - "Symantec Corporation" - C:\WINDOWS\system32\awmon.dll
"PDF Port Monitor" - ? - C:\WINDOWS\system32\bgspmnt.dll (File found, but it contains no detailed information)

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Acronis Scheduler2 Service" (AcrSch2Svc) - "Acronis" - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
"Adobe LM Service" (Adobe LM Service) - "Adobe Systems" - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Machine Debug Manager" (MDM) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
"Nero BackItUp Scheduler 4.0" (Nero BackItUp Scheduler 4.0) - "Nero AG" - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
"NMSAccessU" (NMSAccessU) - ? - D:\Programme\CDBurnerXP\NMSAccessU.exe (File found, but it contains no detailed information)
"NWC Service" (NWC_Service) - ? - C:\NWC\NWC_SERVICE.EXE (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"OfficeScan NT Listener" (tmlisten) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
"OfficeScan NT Proxy Service" (TmProxy) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe
"OfficeScanNT RealTime Scan" (ntrtscan) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
"pcAnywhere Host-Modul" (awhost32) - "Symantec Corporation" - D:\Programme\Symantec\PCAnywhere\awhost32.exe
"Pml Driver HPZ12" (Pml Driver HPZ12) - "Hewlett-Packard" - C:\WINDOWS\system32\hpzipm12.dll
"SolidWorks Licensing Service" (SolidWorks Licensing Service) - "SolidWorks" - C:\Programme\Gemeinsame Dateien\SolidWorks Shared\Service\SolidWorksLicensing.exe
"SQL Server (SQLEXPRESS)" (MSSQL$SQLEXPRESS) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
(Disabled) "MVB" - ? - mvfs32.dll (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"PCANotify" - "Symantec Corporation" - C:\WINDOWS\system32\PCANotify.dll

===[ Logfile end ]=========================================[ Logfile end ]===



What about mvfs32.dll here?

Regards

cosinus 22.04.2010 09:51

In the OSAM log from the Server 2003 I found these entries:

Quote:

[Drivers]
"hltov" (hltov) - ? - C:\WINDOWS\system32\01.tmp (File not found)

[Known DLLs]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs )-----
"wow64" - ? - C:\WINDOWS\system32\wow64.dll (File not found)
"wow64cpu" - ? - C:\WINDOWS\system32\wow64cpu.dll (File not found)
"wow64win" - ? - C:\WINDOWS\system32\wow64win.dll (File not found)

Snewi 22.04.2010 10:15

Does that mean disable the files first, and then they should be findable as files? Then scan them with VirusTotal, and then what?

cosinus 22.04.2010 12:00

Quote:

Back to square one, the client is showing the virus alert again :-( What a mess, here is the current log once more:
Still the same ones? With OSAM the entries (or rather the services/drivers) are disabled; after the reboot they are no longer active, but the file may still be present, so the alert can appear again. But once it is removed, it should also be gone for good (since it was disabled with OSAM accordingly; that is the theory in the favourable case, but it has always worked well with OSAM ;) ).

Quote:

What about mvfs32.dll here?
The entry for this file at the very bottom of the OSAM log is legitimate.
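As an added example (not from the thread, from OSAM or from Online Solutions): a small Python triage pass over OSAM-format log lines that ranks entries like the ones quoted from the Server 2003 log above. The sample lines are constructed from the log layout used in this thread; the scoring rules, the expected-extension list and the regular expressions are my assumptions, and the only page-sourced verdict is that the mvfs32.dll entry is legitimate.

```python
"""Triage helper for OSAM Autorun Manager log lines (added example, not OSAM's own code).

Ranks each entry by three signals a helper looks for when reading such a log:
an unknown vendor ("?"), a file OSAM could not find, and a module name in
system32 that does not look like a normal loadable binary (e.g. 01.tmp).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Entry layout OSAM uses in the thread:  "Name" (Key) - "Vendor" - path (status)
# "(Key)" appears only in [Drivers]/[Services]; "?" marks an unknown vendor.
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]*)"'
    r'(?:\s+\((?P<key>[^)]*)\))?'
    r'\s+-\s+(?:"(?P<vendor>[^"]*)"|\?)'
    r'\s+-\s+(?P<path>.*?)'
    r'(?:\s+\((?P<status>[^)]*)\))?$'
)
SECTION_RE = re.compile(r'^\[(?P<section>[^\]]+)\]$')

# Extensions a module registered under system32 is expected to carry (assumption).
EXPECTED_EXT = {'.sys', '.dll', '.exe', '.ocx', '.cpl'}
# The one entry the helper in this thread explicitly confirmed as legitimate.
KNOWN_BENIGN = {'mvfs32.dll'}


@dataclass
class Entry:
    section: str
    name: str
    vendor: Optional[str]      # None when OSAM printed "?"
    path: str
    status: str                # e.g. "File not found"; "" when OSAM printed nothing
    reasons: List[str] = field(default_factory=list)

    @property
    def level(self) -> str:
        """Assumed ranking: odd name + no vendor is high, no vendor + missing file is medium."""
        if 'odd-name' in self.reasons and 'no-vendor' in self.reasons:
            return 'high'
        if 'no-vendor' in self.reasons and 'not-found' in self.reasons:
            return 'medium'
        return 'low'


def assess(e: Entry) -> List[str]:
    """Return the list of triage signals that apply to one parsed entry."""
    base = e.path.replace('/', '\\').rsplit('\\', 1)[-1].lower()
    if base in KNOWN_BENIGN:
        return []
    reasons = []
    if e.vendor is None:
        reasons.append('no-vendor')
    if 'File not found' in e.status:
        reasons.append('not-found')
    ext = base[base.rfind('.'):] if '.' in base else ''
    if '\\system32\\' in e.path.lower() and ext not in EXPECTED_EXT:
        reasons.append('odd-name')
    return reasons


def parse_osam(text: str) -> List[Entry]:
    """Parse OSAM-style text, tracking the current [Section] for each entry."""
    entries, section = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('(Disabled) '):      # OSAM prefixes disabled entries
            line = line[len('(Disabled) '):]
        m = SECTION_RE.match(line)
        if m:
            section = m.group('section')
            continue
        if not line or line.startswith('-----('):   # blank or registry-key header
            continue
        m = ENTRY_RE.match(line)
        if not m:                                  # report header, footer, etc.
            continue
        e = Entry(section, m['name'], m['vendor'], m['path'], m['status'] or '')
        e.reasons = assess(e)
        entries.append(e)
    return entries


def triage(text: str) -> dict:
    """Map entry name to triage level, for quick review of a whole log."""
    return {e.name: e.level for e in parse_osam(text)}


# Constructed sample in the OSAM layout seen in this thread (not a real capture).
SAMPLE_LOG = r"""
[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"hltov" (hltov) - ? - C:\WINDOWS\system32\01.tmp (File not found)
"tmcomm" (tmcomm) - "Trend Micro Inc." - C:\WINDOWS\system32\drivers\tmcomm.sys

[Known DLLs]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs )-----
"wow64" - ? - C:\WINDOWS\system32\wow64.dll (File not found)

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
(Disabled) "MVB" - ? - mvfs32.dll (File not found)
"""

if __name__ == '__main__':
    for e in parse_osam(SAMPLE_LOG):
        print(f"{e.level:6} [{e.section}] {e.name!r:10} {e.path}  {e.reasons}")
```

The "medium" bucket is deliberately wide: a missing file with no vendor only tells you to check the path against a known-good machine, not that it is malicious.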

Snewi 22.04.2010 12:10

As I said, disabled and deleted on the one client, but the alert still appears anyway!

Is there any other alternative?

Regards

cosinus 22.04.2010 12:36

Quote:

As I said, disabled and deleted on the one client, but the alert still appears anyway!
Deleted, the file too? And it still keeps getting detected, with a changing name?

Quote:

Is there any other alternative?
ComboFix:

ComboFix

A guide and tutorial on using ComboFix
  • Download ComboFix here to your desktop. Rename it to cofi.exe while downloading.
http://saved.im/mtm0nzyzmzd5/cofi.jpg
  • Close all programs, especially your antivirus program and other background guards as well as your internet browser.
  • Start cofi.exe from your desktop, confirm the warnings, run the updates (if offered), install the Recovery Console (if offered) and let it scan your system.
    Also avoid using the mouse and keyboard while ComboFix is running.
  • Afterwards a combofix.txt opens automatically; please copy its contents ([Ctrl]a, [Ctrl]c) and paste it into your post ([Ctrl]v). You can also find the file at: C:\ComboFix.txt.
Important note:
ComboFix may only be run when a competent helper (Kompetenzler) has explicitly recommended it!
It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even more difficult.

Snewi 23.04.2010 08:11

Hello,

so on the client ComboFix produced the following:

ComboFix 10-04-21.01 - schoenea 22.04.2010 14:26:29.1.2 - x86
ausgeführt von:: c:\dokumente und einstellungen\schoenea.STW\Desktop\Cofi.exe

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Cache
c:\windows\system32\noruns.reg

.
((((((((((((((((((((((( Dateien erstellt von 2010-03-22 bis 2010-04-22 ))))))))))))))))))))))))))))))
.

2010-04-22 07:45 . 2010-04-22 07:52 -------- d-----w- c:\dokumente und einstellungen\schoenea.STW\Anwendungsdaten\Online Solutions
2010-04-20 11:26 . 2010-04-20 11:26 -------- d-sh--w- c:\dokumente und einstellungen\LocalService\IETldCache
2010-04-20 10:05 . 2010-04-20 10:05 -------- d-sh--w- c:\dokumente und einstellungen\schoenea.STW\PrivacIE
2010-04-20 06:56 . 2010-04-20 06:56 -------- d-sh--w- c:\dokumente und einstellungen\schoenea.STW\IETldCache
2010-04-20 06:53 . 2010-04-20 06:53 -------- d-----w- c:\windows\ie8updates
2010-04-20 06:52 . 2010-04-20 06:53 -------- d-----w- c:\windows\system32\de-DE
2010-04-20 06:52 . 2010-04-20 06:53 -------- dc-h--w- c:\windows\ie8
2010-04-20 06:36 . 2010-04-20 06:36 -------- d-----w- c:\programme\MSXML 4.0
2010-04-20 06:33 . 2008-02-26 11:59 294912 ------w- c:\windows\system32\dllcache\msctf.dll
2010-04-20 06:33 . 2010-02-25 06:15 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-04-20 06:33 . 2010-02-25 06:14 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-04-20 06:33 . 2010-02-25 06:15 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-04-20 06:33 . 2010-02-25 06:15 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-04-20 06:33 . 2010-02-25 06:15 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-04-20 06:31 . 2010-02-16 04:50 64000 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-04-20 06:26 . 2010-04-20 06:26 -------- d-----w- c:\windows\ServicePackFiles
2010-04-20 06:23 . 2010-04-20 06:23 -------- d-----w- c:\windows\system32\KB905474
2010-04-20 06:23 . 2009-03-10 20:26 1436544 ----a-w- c:\windows\system32\KB905474\wganotifypackageinner.exe
2010-04-20 06:23 . 2009-03-10 20:18 455048 ----a-w- c:\windows\system32\KB905474\wgasetup.exe
2010-04-20 06:22 . 2010-04-20 06:22 -------- d-----w- c:\programme\MSXML 6.0
2010-04-20 06:16 . 2010-02-24 12:31 454016 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-04-20 06:15 . 2009-10-23 14:27 3555328 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-04-20 06:15 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-20 06:15 . 2009-12-31 16:14 352640 ------w- c:\windows\system32\dllcache\srv.sys
2010-04-20 06:13 . 2009-10-15 17:20 82432 ------w- c:\windows\system32\dllcache\fontsub.dll
2010-04-20 06:13 . 2009-11-21 16:37 470528 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-04-20 06:07 . 2009-06-21 22:05 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-04-20 06:06 . 2009-07-10 13:39 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2010-04-20 06:06 . 2009-06-05 07:42 655872 ------w- c:\windows\system32\dllcache\mstscax.dll
2010-04-20 06:01 . 2009-07-31 04:58 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
2010-04-20 06:00 . 2008-05-01 14:30 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2010-04-20 06:00 . 2008-04-11 18:50 683520 ------w- c:\windows\system32\dllcache\inetcomm.dll
2010-04-20 05:59 . 2008-06-14 17:57 273024 ------w- c:\windows\system32\drivers\bthport.sys
2010-04-20 05:59 . 2008-06-14 17:57 273024 ------w- c:\windows\system32\dllcache\bthport.sys
2010-04-20 05:59 . 2008-05-08 12:28 202752 ------w- c:\windows\system32\dllcache\rmcast.sys
2010-04-20 05:58 . 2009-01-07 16:20 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2010-04-20 05:36 . 2009-08-06 17:24 44768 ----a-w- c:\windows\system32\wups2.dll
2010-04-20 05:09 . 2010-04-20 05:09 -------- d-sh--w- c:\dokumente und einstellungen\schoenea.STW\UserData
2010-04-19 09:53 . 2010-04-19 09:53 -------- d-----w- c:\dokumente und einstellungen\schoenea.STW\Anwendungsdaten\Malwarebytes
2010-04-19 09:53 . 2010-03-29 22:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-19 09:53 . 2010-04-19 09:53 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2010-04-19 09:53 . 2010-03-29 22:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-19 09:53 . 2010-04-19 09:53 -------- d-----w- c:\programme\Malwarebytes' Anti-Malware
2010-04-19 05:25 . 2008-10-15 16:57 332800 ------w- c:\windows\system32\dllcache\netapi32.dll
2010-04-16 09:53 . 2009-02-11 15:17 142992 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-04-16 09:53 . 2010-04-16 09:53 -------- d-----w- c:\windows\system32\log
2010-04-16 09:53 . 2010-04-16 09:53 -------- d-----w- c:\programme\Trend Micro

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-22 08:07 . 2007-02-06 09:46 -------- d-----w- c:\programme\PFANNEN
2010-04-20 06:48 . 2004-08-13 12:40 562956 ----a-w- c:\windows\system32\perfh007.dat
2010-04-20 06:48 . 2004-08-13 12:40 130788 ----a-w- c:\windows\system32\perfc007.dat
2010-03-23 06:07 . 2007-05-08 06:08 -------- d-----w- c:\dokumente und einstellungen\schoenea.STW\Anwendungsdaten\pdfMachine
2010-03-09 09:34 . 2007-04-26 10:33 -------- d-----w- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2010-03-03 10:41 . 2010-03-03 10:41 71264 ----a-w- c:\dokumente und einstellungen\afliegen\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2010-02-25 06:15 . 2004-08-13 12:40 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 12:31 . 2005-11-29 04:03 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-24 08:00 . 2009-12-03 12:43 -------- d-----w- c:\programme\Incuity
2010-02-16 19:30 . 2004-08-13 12:40 2139648 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:30 . 2004-08-04 00:50 2019328 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:45 . 2004-08-13 12:40 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:01 . 2004-08-13 12:40 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="d:\programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-06 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-06 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-06 114688]
"SoundMAXPnP"="c:\programme\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\programme\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"OSSelectorReinstall"="c:\programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe" [2005-11-09 1556456]
"TrueImageMonitor.exe"="d:\programme\Acronis\True Image 9.0\TrueImageMonitor.exe" [2005-11-16 1009806]
"Acronis Scheduler2 Service"="c:\programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2005-11-16 118784]
"Acrobat Assistant 7.0"="d:\programme\Adobe Acrobat\Distillr\Acrotray.exe" [2004-12-14 483328]
"Pfannenupdate"="c:\programme\PFANNEN\Pfannen_Update.exe" [2008-06-25 139264]
"bgsmsnd.exe"="c:\windows\system32\bgsmsnd.exe" [2007-11-19 160136]
"OfficeScanNT Monitor"="c:\programme\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-02-11 718120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\dokumente und einstellungen\schoenea.STW\Startmenü\Programme\Autostart\
Microsoft Office Outlook 2003.lnk - c:\windows\Installer\{90110407-6000-11D3-8CFE-0150048383C9}\outicon.exe [2006-1-24 794624]

c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Adobe Acrobat - Schnellstart.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe [2006-7-27 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2005-05-20 10:51 8704 ----a-w- c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Programme\\Symantec\\PCAnywhere\\awhost32.exe"=
"c:\\Programme\\VAI\\Vai ProcessExplorer GMH\\Vai.ProcessExplorerForm.exe"=
"c:\\oracle\\ora10g\\jdk\\jre\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 TmFilter;Trend Micro Filter;c:\programme\Trend Micro\OfficeScan Client\TmXpflt.sys [26.11.2008 17:42 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\programme\Trend Micro\OfficeScan Client\TmPreflt.sys [26.11.2008 17:42 36368]
R3 AVMBTPARALLEL;AVM Bluetooth Druckeranschluss;c:\windows\system32\drivers\avmbtpar.sys [23.08.2004 02:00 60032]
R3 AVMBTSERIAL;AVM Bluetooth Kommunikationsanschluss;c:\windows\system32\drivers\avmbtser.sys [23.08.2004 02:00 61056]
R3 AVMBTSND;AVM Bluetooth Audio Driver;c:\windows\system32\drivers\avmbtsnd.sys [23.08.2004 02:00 49664]
S2 NWC_Service;NWC Service;c:\nwc\NWC_SERVICE.EXE [06.02.2007 10:25 91648]
S3 AVMCOWAN;AVM ISDN CoNDIS WAN CAPI Treiber;c:\windows\system32\drivers\avmcowan.sys [23.08.2004 02:00 53248]
S3 bfhubase;BlueFRITZ! USB 2.5(WinXP/2000);c:\windows\system32\drivers\bfhubase.sys [23.08.2004 02:00 796192]
S3 CAPI_CIP;AVM Bluetooth CAPI-Controller;c:\windows\system32\drivers\capi_cip.sys [23.08.2004 02:00 374144]
S3 NETBFPAN;AVM Bluetooth Netzwerkadapter;c:\windows\system32\drivers\netbfpan.sys [23.08.2004 02:00 35914]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [08.05.2007 08:08 23288]
S3 TmProxy;OfficeScan NT Proxy Service;c:\programme\Trend Micro\OfficeScan Client\TmProxy.exe [11.02.2009 17:00 652552]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\programme\Microsoft Visual Studio .NET 2005\Common7\IDE\Remote Debugger\x86\msvsmon.exe [09.12.2005 11:40 2799808]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eifqcaunr
hwvzw

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##sg-prod3#d$]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RUNdLl32.ExE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
.
Inhalt des "geplante Tasks" Ordners

2010-04-22 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-04-20 20:18]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uInternet Settings,ProxyServer = 172.16.0.6:8080
IE: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - d:\programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - d:\programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Auswahl in Adobe PDF konvertieren - d:\programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Auswahl in vorhandene PDF-Datei konvertieren - d:\programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - d:\programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: In vorhandene PDF-Datei konvertieren - d:\programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Nach Microsoft &Excel exportieren - d:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Verknüpfungsziel in Adobe PDF konvertieren - d:\programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - d:\programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {{8b2d996f-b7d1-4961-a929-414d9cf5ba7b} - hxxp://support.microsoft.com/
TCP: {E4E361F5-0DE8-4C76-A282-DB1F762EE139} = 192.168.10.15,192.168.10.14
DPF: {4FDF3696-5078-4952-868C-CEEB9683B8C4} - hxxp://192.168.10.31/cab/DownloadFile.cab
DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} - hxxp://192.168.10.31/cab/Live.cab
.
.
------- Dateityp-Verknüpfung -------
.
.txt=UltraEdit.txt
.

**************************************************************************
Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien:

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_USERS\S-1-5-21-551994410-1285964257-3565697379-1122\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
@Denied: (Full) (Administrators)
"View"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,
ff,ff,ff,ff,ff,ff,3a,00,00,00,93,00,00,00,d7,04,00,00,65,03,00,00,a7,01,00,\
"FindFlags"=dword:0000000e

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32*]
"Class"=hex:8c,87,5c,85,bf,21,8c,27,0a,94,1b,74,2c,48,eb,5d,8d,30,3b,51,d5,08,
f9,5c,b3,dd,f7,e0,56,8d,22,d4,0a,19,bd,e3,13,f3,a4,51,d1,d7,6b,48,78,46,31,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32*]
"Class"=hex:ef,fc,da,4c,f0,07,46,5b,2a,bd,71,4a,9a,42,7e,05,c3,7e,39,91,7e,fb,
16,66,16,15,27,6f,11,8c,18,08,a1,06,61,48,73,94,d3,59,a7,0c,bf,2c,44,1b,fc,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32*]
"Class"=hex:11,8e,b4,c6,6c,d2,d8,ec,d4,04,9d,bb,b1,1e,c6,8a,3f,f0,dd,1a,6c,81,
b3,3a,d1,1b,03,a0,be,0d,3e,4a,1a,5f,64,a5,9d,56,80,e5,73,d8,68,2e,31,25,f7,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32*]
"Class"=hex:06,c0,a7,84,1d,78,15,4d,3d,59,f4,14,05,6f,89,47,8e,90,f9,a7,1d,74,
f1,83,c2,2b,3a,52,bb,30,77,9e,37,9d,9d,de,09,9a,c7,02,29,e0,b2,06,6e,85,69,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32*]
"Class"=hex:0d,d8,d0,dc,b7,e0,b8,65,23,b4,1c,65,0d,8c,29,7f,84,22,c8,6f,93,fa,
d5,44,ee,92,b5,fb,9c,92,e9,4a,95,ae,87,91,46,c7,9b,5e,d4,4e,f5,76,4c,f3,b2,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32*]
"Class"=hex:e1,62,26,42,65,26,00,d8,6e,ec,87,a5,34,b8,61,9a,49,86,ee,5c,bb,0b,
83,ac,89,fc,14,e7,f5,c1,59,bc,f1,2f,c1,05,22,bb,14,ee,a8,cc,18,a6,be,6c,34,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32*]
"Class"=hex:32,d0,64,76,61,a8,ea,24,df,22,87,58,78,db,59,af,03,e8,53,d2,02,bc,
0e,5a,bb,98,c5,e0,5b,f2,87,ac,59,b7,06,79,4a,40,24,c1,00,cd,bf,a3,21,b6,14,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32*]
"Class"=hex:67,cf,1b,7a,65,da,36,91,e4,8e,a0,02,cf,3c,10,11,c1,c3,62,18,50,b4,
e9,b5,3c,f5,d1,32,1a,2d,fb,bd,5c,73,60,98,70,8b,b1,67,14,12,1b,29,10,83,80,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32*]
"Class"=hex:85,c4,93,0e,96,0c,d6,dc,c8,27,06,fe,48,99,18,55,df,62,b5,43,dc,79,
cb,d3,32,3c,5e,6a,ed,d3,a0,9b,18,49,80,52,51,68,e3,23,19,a1,3f,26,76,cb,9e,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32*]
"Class"=hex:7f,ec,7b,87,45,64,f3,ee,5f,9b,22,9b,46,74,88,d0,45,b9,91,bf,4b,c6,
c1,5b,d3,16,3b,52,bb,b9,ca,41,71,a9,8e,75,6f,23,0c,2b,a1,fe,d3,db,8a,1c,85,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32*]
"Class"=hex:95,a6,39,c9,da,c7,e7,ed,27,60,fc,9a,44,86,eb,1f,24,1d,bc,3a,09,9f,
32,e7,25,55,fa,db,e0,82,82,7f,b3,d4,9d,b3,a6,98,97,8d,82,06,d7,f1,43,7e,f7,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32*]
"Class"=hex:43,b9,8e,70,8d,98,33,b0,54,39,22,16,99,20,c3,4d,36,94,bb,f5,ae,69,
ec,56,ef,f8,b2,8b,9f,93,d8,2f,28,13,92,88,3d,6e,a1,61,74,4d,b3,73,56,5b,ac,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32*]
"Class"=hex:71,ce,04,64,0f,9b,c1,e7,e7,14,0c,7b,c9,59,f2,47,db,bc,23,90,e0,94,
93,fc,c1,41,ac,60,6e,ba,c6,77,66,80,4b,1d,31,33,64,8f,4d,e2,a7,83,c3,f2,1f,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32*]
"Class"=hex:10,bb,e2,52,08,d8,ad,e7,40,d2,6c,be,99,74,18,41,06,e1,d4,77,f6,91,
cf,8c,17,3d,bf,03,46,7c,d2,ff,ed,ac,a2,50,c4,ba,38,c1,59,ae,3f,e1,ae,ea,91,\
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\relog_ap.dll
.
Zeit der Fertigstellung: 2010-04-22 14:38:23
ComboFix-quarantined-files.txt 2010-04-22 12:38

Vor Suchlauf: 2.384.510.976 Bytes frei
Nach Suchlauf: 2.353.430.528 Bytes frei

- - End Of File - - 5A661715253EFAA3E66DA2685644041E

cosinus 23.04.2010 08:17

Quote:

Deleted, the file too? And it still keeps getting found, with a changing name?
What about this?

Snewi 23.04.2010 09:10

Hello,

so I have now finally found a .dll on one server and scanned it with VirusTotal - no result!
Here is the log file for this server:

Report of OSAM: Autorun Manager v5.0.11926.0
Online Solutions. Complex Protection for Information Systems
Saved at 10:07:17 on 23.04.2010

OS: Windows Server 2003, Standard Edition Service Pack 2 (Build 3790)
Default Browser: Microsoft Corporation Internet Explorer 6.00.3790.3959

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"EXPORT_ALL_ELO.job" - ? - D:\sekmet\Database\Export\EXPORT_ALL_ELO.Cmd
"EXPORT_ALL_PO.job" - ? - D:\sekmet\Database\Export\EXPORT_ALL_PO.Cmd
"EXPORT_ALL_SIM.job" - ? - D:\sekmet\Database\Export\EXPORT_ALL_SIM.Cmd
"EXPORT_ALL_VAK.job" - ? - D:\sekmet\Database\Export\EXPORT_ALL_VAK.Cmd
"TIMESYNC.job" - ? - D:\sekmet\TIMESYNC.BAT
"TIMESYNC1.job" - ? - D:\sekmet\TIMESYNC.BAT

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"javacpl.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\javacpl.cpl
"S7epaepx.cpl" - "SIEMENS AG" - C:\WINDOWS\system32\S7epaepx.cpl
"S7EPATDX.CPL" - "SIEMENS AG" - C:\WINDOWS\system32\S7EPATDX.CPL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"SYMLIVE" - "Symantec Corporation" - C:\Programme\Symantec\LiveUpdate\S32LUCP1.CPL

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"awecho" (awecho) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\awechomd.sys
"awlegacy" (awlegacy) - "Symantec Corporation" - C:\WINDOWS\System32\Drivers\awlegacy.sys
"AW_HOST" (AW_HOST) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\aw_host5.sys
"BASFND" (BASFND) - "Broadcom Corporation" - C:\Programme\Broadcom\SNMP\BASFND.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"Dpmtrcdd" (Dpmtrcdd) - "Siemens AG" - C:\WINDOWS\System32\DRIVERS\dpmtrcdd.sys
"Gernuwa" (Gernuwa) - "Symantec Corporation" - C:\WINDOWS\system32\drivers\Gernuwa.sys
"i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys (File not found)
"IP/IP-Tunneltreiber" (IpInIp) - ? - C:\WINDOWS\System32\DRIVERS\ipinip.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"PORTACCESSOR_1" (PORTACCESSOR_1) - "Dell Inc." - C:\Programme\Dell\SysMgt\oldiags\packages\PORTACCESSOR32.sys
"PROFINET IO RT-Protocol" (s7snsrtx) - ? - C:\WINDOWS\System32\DRIVERS\s7snsrtx.sys
"s7otranx" (s7otranx) - "SIEMENS AG" - C:\WINDOWS\System32\Drivers\s7otranx.sys
"scpdrv" (scpdrv) - ? - C:\Programme\Gemeinsame Dateien\Siemens\SWS\PlugIns\SCP\scpdrv.sys (File found, but it contains no detailed information)
"SIMATIC Industrial Ethernet (ISO)" (SNTIE) - "Siemens AG" - C:\WINDOWS\System32\DRIVERS\sntie.sys
"SymEvent" (SymEvent) - "Symantec Corporation" - C:\Programme\Symantec\SYMEVENT.SYS
"Systems management IPMI driver" (dcdipm) - ? - C:\WINDOWS\System32\DRIVERS\dcdipm32.sys (File not found)
"tmcomm" (tmcomm) - "Trend Micro Inc." - C:\WINDOWS\system32\drivers\tmcomm.sys
"Trend Micro Filter" (TmFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmXPFlt.sys
"Trend Micro PreFilter" (TmPreFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmPreFlt.sys
"Trend Micro VSAPI NT" (VSApiNt) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\VSApiNt.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll
{9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} "Quest RevNet Protocol" - ? - C:\PROGRA~1\QUESTS~1\SQLNAV~1\RNetPin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - ? - C:\Programme\7-Zip\7-zip.dll
{88895560-9AA2-1069-930E-00AA0030EBC8} "Erweiterung für HyperTerminal-Icons" - ? - hticons.dll (File not found)
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{59B0F512-BD54-46f7-A872-039788A3A5AD} "Simatic Shell" - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\Bin\CCShellExtention.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} "Java Plug-in 1.5.0_10" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_10\bin\npjpi150_10.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.6.0_01" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} "Java Plug-in 1.6.0_01" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.6.0_01" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll / hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} "Shockwave Flash Object" - "Adobe Systems, Inc." - C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx / hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} "ClsidExtension" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\npjpi160_01.dll
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "SSVHelper Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll

[Known DLLs]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs )-----
"wow64" - ? - C:\WINDOWS\system32\wow64.dll (File not found)
"wow64cpu" - ? - C:\WINDOWS\system32\wow64cpu.dll (File not found)
"wow64win" - ? - C:\WINDOWS\system32\wow64win.dll (File not found)

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Reader - Schnellstart.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"Komponenten Konfigurator.lnk" - "Siemens AG" - C:\Programme\Gemeinsame Dateien\Siemens\S7wnsmsx\s7wnsmgx.exe (Shortcut exists | File exists)
"Verknüpfung mit Subst_Drive_U.lnk" - ? - D:\sekmet\UI_DEV\LW_U\Subst_Drive_U.bat (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\administrator.STW\Startmenü\Programme\Autostart\desktop.ini
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Kill_Old_SimaticNet_Setup" - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\SimNetCom\_koss
"OfficeScanNT Monitor" - "Trend Micro Inc." - "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
"simpcmon" - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bincfg\_simpcmon.exe
"SunJavaUpdateSched" - ? - "C:\Programme\Java\jre1.6.0_01\bin\jusched.exe" (File not found)

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"pcAnywhere Remote Printing" - "Symantec Corporation" - C:\WINDOWS\system32\awmon.dll

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Automation License Manager Service" (almservice) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\sws\almsrv\almsrvx.exe
"Backup Exec Remote Agent for Windows Servers" (BackupExecAgentAccelerator) - "Symantec Corporation" - C:\Programme\VERITAS\Backup Exec\RANT\beremote.exe
"CCAgent" (CCAgent) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\bin\CCAgent.exe
"CCEClient" (CCEClient) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\bin\CCEClient.exe
"CCEServer" (CCEServer) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\bin\CCEServer.exe
"DSM BMU SOL Proxy" (SOLProxy) - ? - C:\Programme\Dell\SysMgt\bmc\DSM_BMU_SOLProxy32.exe (File found, but it contains no detailed information)
"DSM IT Assistant Connection Service" (dcconnsvc) - ? - C:\Programme\Dell\SysMgt\ITAssistant\iws\bin\win32\dsm_om_connsvc32.exe
"DSM IT Assistant Network Monitor" (dcnetmon) - "Dell Inc." - C:\Programme\Dell\SysMgt\ITAssistant\bin\DSM_ITA_Netmon32.exe
"DSM SA Connection Service" (Server Administrator) - ? - C:\Programme\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
"DSM SA Data Manager" (dcstor32) - "Dell Inc." - C:\Programme\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
"DSM SA Event Manager" (dcevt32) - "Dell Inc." - C:\Programme\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
"DSM SA Shared Services" (omsad) - "Dell Inc." - C:\Programme\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
"Machine Debug Manager" (MDM) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
"mr2kserv" (mr2kserv) - "LSI Logic Corporation" - C:\Programme\Dell\SysMgt\sm\mr2kserv.exe
"Network Time Protocol Daemon" (NTP) - ? - C:\Programme\NTP\bin\ntpd.exe (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"OfficeScan NT Listener" (tmlisten) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
"OfficeScan NT Proxy Service" (TmProxy) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe
"OfficeScanNT RealTime Scan" (ntrtscan) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
"OpcEnum" (OpcEnum) - "OPC Foundation" - C:\WINDOWS\system32\OpcEnum.exe
"OracleDBConsoleSTENTW" (OracleDBConsoleSTENTW) - "Oracle Corporation" - D:\oracle\ora10g\bin\nmesrvc.exe
"OracleOraHome10gTNSListener" (OracleOraHome10gTNSListener) - ? - D:\oracle\ora10g\BIN\TNSLSNR.exe (File found, but it contains no detailed information)
"OracleServiceSTENTW" (OracleServiceSTENTW) - "Oracle Corporation" - d:\oracle\ora10g\bin\ORACLE.EXE
"pcAnywhere Host-Modul" (awhost32) - "Symantec Corporation" - C:\Programme\Symantec\pcAnywhere\awhost32.exe
"Remote Access Controller 4 (RAC4)" (racsvc) - "Dell, Inc." - C:\Programme\Dell\SysMgt\RAC4\racsvc.exe
"S7 Global Services" (s7asysvx) - "SIEMENS AG" - C:\Programme\SIEMENS\SIMATIC.NCM\S7bin\s7asysvx.exe
"Shell Task" (geiretsjo) - ? - C:\WINDOWS\system32\cnysu.dll (Hidden registry entry, rootkit activity | File not found)
"SIMATIC IEPG Help Service" (s7oiehsx) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\S7IEPG\s7oiehsx.exe
"SIMATIC NET Configuration Server" (SIMATIC NET Configuration Server) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bincfg\scorecfg.exe
"SIMATIC NET Configuration Service" (SIMATIC NET Configuration Service) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bincfg\SServCFG.exe
"SIMATIC NET Core Server DP" (SIMATIC NET Core Server DP) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bindp\scoredp.exe
"SIMATIC NET Core Server DP2" (SIMATIC NET Core Server DP2) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bindp2\scoredp2.exe
"SIMATIC NET Core Server FDL" (SIMATIC NET Core Server FDL) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binfdl\scorefdl.exe
"SIMATIC NET Core Server FMS" (SIMATIC NET Core Server FMS) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binfms\scorefms.exe
"SIMATIC NET Core Server PD" (SIMATIC NET Core Server PD) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binpd\scorepd.exe
"SIMATIC NET Core Server PROFINET CbA" (SIMATIC NET Core Server PROFINET CbA) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binPN\scorepn.exe
"SIMATIC NET Core Server PROFINET IO" (SIMATIC NET Core Server PROFINET IO) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binpnio\scorepnio.exe
"SIMATIC NET Core Server S7" (SIMATIC NET Core Server S7) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binS7\SCoreS7.exe
"SIMATIC NET Core Server SNMP" (SIMATIC NET Core Server SNMP) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binSNMP\scoresnmp.exe
"SIMATIC NET Core Server SR" (SIMATIC NET Core Server SR) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binsr\scoresr.exe
"SIMATIC NET P&P Manager" (SIMATIC NET P&P Manager) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\SimNetCom\simnetpnpman.exe
"SIMATIC NET Route Manager" (SIMATIC NET RouteManager) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\s7wnrmsx\s7wnrmsx.exe
"SIMATIC NET Station-Manager" (StatMgr) - "Siemens AG" - C:\Programme\Gemeinsame Dateien\Siemens\s7wnsmsx\s7wnsmsx.exe
"SIMATIC NET Synchronization Service" (sim9sync) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\SimNetCom\sim9sync.exe
"SQL Server (MSSQLSERVER)" (MSSQLSERVER) - "Microsoft Corporation" - C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
"System Boot" (rxeczri) - ? - C:\WINDOWS\system32\cnysu.dll (Hidden registry entry, rootkit activity | File not found)
"VAI Startup COM_SIM PRD" (VAI Startup COM_SIM PRD) - ? - D:\sekmet\steel\common\win32\sysmgr\vai_service.exe (File found, but it contains no detailed information)
"VAI Startup ELO_SIM PRD" (VAI Startup ELO_SIM PRD) - ? - D:\sekmet\steel\common\win32\sysmgr\vai_service.exe (File found, but it contains no detailed information)
"VAI Startup PO1_SIM PRD" (VAI Startup PO1_SIM PRD) - ? - D:\sekmet\steel\common\win32\sysmgr\vai_service.exe (File found, but it contains no detailed information)
"VAI Startup PO2_SIM PRD" (VAI Startup PO2_SIM PRD) - ? - D:\sekmet\Steel\common\win32\sysmgr\vai_service.exe (File found, but it contains no detailed information)
"VAI Startup SP1_SIM PRD" (VAI Startup SP1_SIM PRD) - ? - D:\sekmet\steel\common\win32\sysmgr\vai_service.exe (File found, but it contains no detailed information)
"VAI Startup SP2_SIM PRD" (VAI Startup SP2_SIM PRD) - ? - D:\sekmet\steel\common\win32\sysmgr\vai_service.exe (File found, but it contains no detailed information)
"VAI Startup VAK_SIM PRD" (VAI Startup VAK_SIM PRD) - ? - D:\sekmet\steel\common\win32\sysmgr\vai_service.exe (File found, but it contains no detailed information)

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll (File not found)
(Disabled) "MVB" - ? - mvfs32.dll (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"PCANotify" - "Symantec Corporation" - C:\WINDOWS\system32\PCANotify.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit Online Solutions :: Index

On several machines I also have the entries
[Known DLLs]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs )-----
"wow64" - ? - C:\WINDOWS\system32\wow64.dll (File not found)
"wow64cpu" - ? - C:\WINDOWS\system32\wow64cpu.dll (File not found)
"wow64win" - ? - C:\WINDOWS\system32\wow64win.dll (File not found)
Are these malicious as well?

What exactly do I need to do now?


Regards, and thanks in advance for the excellent help :-)

cosinus 23.04.2010 11:09

*cough*

I repeat:

Quote:

Deleted, the file too? And it still keeps getting found, with a changing name?
Answer this question.

Let's please stick with just the server and the one client for now, otherwise one loses track here.

Quote:

Are these malicious as well?
These WOW64 things only exist on a 64-bit system, which is why I had you disable them on your evidently 32-bit Server 2003.

Snewi 23.04.2010 11:20

OK, you're right, we'll stick with one server and one client now!

At the moment I have found a DLL on the server, as can be seen in the last log file, disabled it and then deleted it!
Right now this file no longer shows up! Hopefully that answers your question :(

(Delayed) HKLM\SYSTEM\CurrentControlSet\Services\geiretsjo Shell Task C:\WINDOWS\system32\cnysu.dll
(Delayed) HKLM\SYSTEM\CurrentControlSet\Services\rxeczri System Boot C:\WINDOWS\system32\cnysu.dll

Regards

cosinus 23.04.2010 11:27

Okay, and on the client we had been treating? On the server the alert about the file is now gone, if I understood correctly.

Quote:

C:\WINDOWS\system32\cnysu.dll
Had you already had that checked at VirusTotal?

Snewi 23.04.2010 12:44

On the client I did the same and for about 1 hour so far haven't got an error message anywhere :taenzer: I hope it stays that way!

At VirusTotal nothing was found.

Regards

cosinus 23.04.2010 12:57

Please upload the file to us > http://www.trojaner-board.de/54791-a...ner-board.html

For the other clients you can proceed in the same way.

Snewi 26.04.2010 07:16

Good morning,

unfortunately this file no longer exists! The odd thing is that the server is now free of alerts! The client has been getting the alert again since last night, although OSAM finds nothing! It looks the same on other clients and servers! :headbang: What else could be done? :snyper:

Regards

cosinus 26.04.2010 08:52

Since the cleanup effort apparently is too high after all, what about this:

Quote:

Quote from cosinus (post 519144)
Are the 15 clients all completely different in terms of hardware, or practically identical? If identical, you could set up one machine from scratch and configure it completely; once everything is done, create an image and roll it out to the other machines, so that all machines are the same again configuration-wise and also no longer infected (before you bring the cloned machines onto the network, you should run NewSID!).


Snewi 26.04.2010 10:37

Unfortunately out of the question; the effort is too great and the time in which nothing is produced too short :-( No other idea? If the tools find nothing on the individual machines, can such a scanner detect it over the network? Maybe we haven't been able to locate the source yet!

Regards

cosinus 26.04.2010 10:54

You'd still have to analyze every machine. Do the math on whether that is really less effort than creating a master image and rolling it out to all the other machines :rolleyes:
Besides, after a cleanup you have no guarantee of clean systems.

Snewi 26.04.2010 11:01

That's true, but not all systems are the same! And after the image, adjustments would still have to be made to each system, which also means considerable extra effort! Sure, one could do it bit by bit, but for now I'm still trying the other approach!
So how should I proceed on each machine?

Regards

cosinus 26.04.2010 11:07

I just noticed that I haven't seen a single Malwarebytes log file yet. Please post all of them from this one client machine.

Also please do a new run on the client with Malwarebytes: update the signatures and do a full scan.

Snewi 27.04.2010 08:19

Here is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4006

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

27.04.2010 02:00:47
mbam-log-2010-04-27 (02-00-47).txt

Scan type: Full scan (C:\|D:\|G:\|H:\|I:\|J:\|K:\|M:\|V:\|W:\|X:\|Y:\|)
Objects scanned: 854124
Time elapsed: 13 hour(s), 45 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

cosinus 27.04.2010 08:32

Hm, so if the same virus alert still keeps coming on the client (even after deletion by the virus scanner) but nothing is visible in the OSAM log any more, IMHO we only have a chance with a live CD, since the infected OS is not booted:

System scan with OTLPE
  • First download ISOBurner and install it.
  • Then download OTLPE.iso from Oldtimer and burn it to a blank CD-R using the image-burning function.
  • When using ISOBurner, a double-click on OTLPE.iso is enough.
  • Now boot the infected machine from the OTLPE CD (you may need to change the boot order in the BIOS).
  • Your system should now show a REATOGO-X-PE desktop.
  • Start OTLPE by double-clicking the OTLPE icon.
  • Answer "Do you wish to load the remote registry" and "Do you wish to load remote user profile(s) for scanning" with Yes.
  • Untick the box "Automatically Load All Remaining Users" if it is selected and press OK.
  • In the "Drivers" block select Use SafeList and then start the scan with Run Scan.
  • After the scan a log file is created (C:\OTL.txt)
  • Copy it to a USB stick and post it here.
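As an added example for this thread (not code from the original posts, from GMER or from any of the tools mentioned), here is a small Python triage script for the kind of GMER output posted in the next message. It pulls out the services GMER marks as hidden, the registry values GMER dumped for them, and the in-process JMP patches in the "User code sections" block, and then flags a hidden service that runs under "svchost.exe -k netsvcs" with a ServiceDll that is not one you expect. The embedded sample is an excerpt of that log with the column padding, the CLSID lines and the long service description trimmed; the list of expected netsvcs DLLs is an illustrative assumption, not a complete allowlist, and in practice is built from a known-clean machine of the same build.

```python
"""Triage a GMER rootkit-scan log for the pattern seen in this thread:
a hidden service hosted by "svchost.exe -k netsvcs" whose ServiceDll is a
randomly named DLL, plus 5-byte JMP patches on netapi32/ntdll functions.
Added example for this thread, not part of the original posts or of GMER."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: an excerpt of the GMER log posted in this thread, with the
# CLSID lines, the service description and most column padding removed.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-27 12:48:12

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\System32\svchost.exe[1212] ntdll.dll!NtQueryInformationProcess  7C91D7FE 5 Bytes  JMP 01A19DC2
.text  C:\WINDOWS\System32\svchost.exe[1212] NETAPI32.dll!NetpwPathCanonicalize  597DA101 5 Bytes  JMP 01A19D62
.text  C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtQueryInformationProcess  7C91D7FE 5 Bytes  JMP 00739DC2

---- Services - GMER 1.0.15 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] tgtfckks  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@DisplayName  Config Universal
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks\Parameters@ServiceDll  C:\WINDOWS\system32\dlzlnti.dll

---- EOF - GMER 1.0.15 ----
"""

# "Service <image> (*** hidden *** ) [AUTO] <name> ..."
HIDDEN_SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<name>\S+)")
# "Reg <key>@<value> <data>"  (lines without "@" are bare keys and are skipped)
REG_VALUE_RE = re.compile(r"^Reg\s+(?P<key>[^\s@]+)@(?P<value>\S*)\s*(?P<data>.*?)\s*$")
# Splits "...\Services\<svc>\<subkeys>" into the service name and its subkey path.
SERVICE_KEY_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)(?P<sub>(?:\\[^\\]+)*)$", re.IGNORECASE)
# ".text <process>[<pid>] <module>!<function> <addr> N Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)")

# NetpwPathCanonicalize is the netapi32 function behind MS08-067; Conficker patches
# it inside svchost so the host cannot be re-exploited by another copy of the worm.
HOOKED_APIS_OF_INTEREST = {"NetpwPathCanonicalize", "NtQueryInformationProcess"}

# Assumption for the example: a few DLLs you would expect as ServiceDll for services
# in the netsvcs group. A real allowlist comes from a known-clean machine.
EXPECTED_NETSVCS_DLLS = {"browser.dll", "schedsvc.dll", "wuauserv.dll", "shsvcs.dll",
                         "srvsvc.dll", "wkssvc.dll", "seclogon.dll", "ipnathlp.dll"}


def parse_gmer_log(text):
    """Return hidden services, per-service registry values and user-mode hooks."""
    hidden, hooks = [], []
    services = defaultdict(dict)          # service name (lowercase) -> {value: data}
    for line in text.splitlines():
        m = HIDDEN_SERVICE_RE.match(line)
        if m:
            hidden.append({"name": m["name"], "image": m["image"], "start": m["start"]})
            continue
        m = REG_VALUE_RE.match(line)
        if m:
            k = SERVICE_KEY_RE.search(m["key"])
            if k:                          # only keep values under ...\Services\<svc>
                sub = k["sub"].lstrip("\\")
                vname = (sub + "\\" if sub else "") + m["value"]
                services[k["svc"].lower()][vname] = m["data"]
            continue
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"process": m["proc"], "pid": int(m["pid"]), "module": m["module"],
                          "function": m["func"], "target": m["target"]})
    return {"hidden_services": hidden, "service_registry": dict(services), "hooks": hooks}


def triage(text):
    """Return (kind, where, detail) findings worth a closer look."""
    parsed = parse_gmer_log(text)
    findings = []
    for svc in parsed["hidden_services"]:
        reg = parsed["service_registry"].get(svc["name"].lower(), {})
        image = reg.get("ImagePath", svc["image"])
        dll = reg.get("Parameters\\ServiceDll", "")
        # A hidden netsvcs-hosted service whose DLL is not a known host DLL is the
        # Downadup/Conficker persistence shape; ntpath handles Windows paths anywhere.
        if ("svchost.exe -k netsvcs" in image.lower()
                and ntpath.basename(dll).lower() not in EXPECTED_NETSVCS_DLLS):
            findings.append(("NETSVCS_UNEXPECTED_DLL", svc["name"], dll))
        else:
            findings.append(("HIDDEN_SERVICE", svc["name"], image))
    for h in parsed["hooks"]:
        if h["function"] in HOOKED_APIS_OF_INTEREST:
            findings.append(("INLINE_HOOK", "%s[%d]" % (h["process"], h["pid"]),
                             "%s!%s -> %s" % (h["module"], h["function"], h["target"])))
    return findings


if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_LOG):
        print("%-24s %-44s %s" % (kind, where, detail))
```

Run it as-is to see the findings for the excerpt, or call triage() on the text of a full GMER log. The point of the ServiceDll check is that the file scanners in this thread (Malwarebytes, BlackLight, VirusTotal) came back clean while the service was still there: a netsvcs entry pointing at a random eight-letter DLL in system32, and a JMP patch on NetpwPathCanonicalize inside svchost, are host-level indicators you can check on every machine regardless of what the signature scanners say.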

Snewi 27.04.2010 12:20

Hello Cosinus,

I did another scan with F-Secure BlackLight

Code:

04/27/10 10:28:17 [Info]: BlackLight Engine 1.0.67 initialized
04/27/10 10:28:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/27/10 10:28:17 [Note]: 7019 4
04/27/10 10:28:17 [Note]: 7005 0
04/27/10 10:28:31 [Note]: 7006 0
04/27/10 10:28:31 [Note]: 7011 3980
04/27/10 10:28:31 [Note]: 7026 0
04/27/10 10:28:31 [Note]: 7026 0
04/27/10 10:28:35 [Note]: FSRAW library version 1.7.1024
04/27/10 10:33:32 [Note]: 2000 1012
04/27/10 10:33:32 [Note]: 2000 1012
04/27/10 10:33:32 [Note]: 2000 1012
04/27/10 11:36:44 [Note]: 7007 0

Then with GMER

Code:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-27 12:48:12
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOKUME~1\xxx\LOKALE~1\Temp\pfryqaoc.sys


---- Kernel code sections - GMER 1.0.15 ----

init            C:\WINDOWS\system32\drivers\senfilt.sys                                                          entry point in "init" section [0xB9B16F80]
.text          C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                          section is writeable [0xA92D3000, 0x328BA, 0xE8000020]
.pklstb        C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                          entry point in ".pklstb" section [0xA9317000]
.relo2          C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                          unknown last section [0xA9333000, 0x8E, 0x42000040]

---- User code sections - GMER 1.0.15 ----

.text          C:\WINDOWS\System32\svchost.exe[1212] ntdll.dll!NtQueryInformationProcess                        7C91D7FE 5 Bytes  JMP 01A19DC2
.text          C:\WINDOWS\System32\svchost.exe[1212] NETAPI32.dll!NetpwPathCanonicalize                          597DA101 5 Bytes  JMP 01A19D62
.text          C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtQueryInformationProcess                        7C91D7FE 5 Bytes  JMP 00739DC2

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                            TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                          tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                        tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                            snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                            snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                            snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                        tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                      tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                          TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Services - GMER 1.0.15 ----

Service        C:\WINDOWS\system32\svchost.exe (*** hidden *** )                                                [AUTO] tgtfckks                                                                                                                                                                                                                                                                                                                              <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@DisplayName                                      Config Universal
Reg            HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@Type                                              32
Reg            HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@Start                                            2
Reg            HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@ErrorControl                                      0
Reg            HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@ImagePath                                        %SystemRoot%\system32\svchost.exe -k netsvcs
Reg            HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@ObjectName                                        LocalSystem
Reg            HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks@Description                                      Führt eine aktuelle Liste der Computer im Netzwerk und gibt diese an als Browser fungierende Computer weiter. Diese Liste wird nicht aktualisiert oder gewartet, falls der Dienst beendet wird. Falls dieser Dienst deaktiviert wird, können die Dienste, die von diesem ausschließlich Dienst abhängig sind, nicht mehr gestartet werden.
Reg            HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks\Parameters                                       
Reg            HKLM\SYSTEM\CurrentControlSet\Services\tgtfckks\Parameters@ServiceDll                            C:\WINDOWS\system32\dlzlnti.dll
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32@Class          0x8C 0x87 0x5C 0x85 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32@Class          0xEF 0xFC 0xDA 0x4C ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32@Class          0x11 0x8E 0xB4 0xC6 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32@Class          0x06 0xC0 0xA7 0x84 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32@Class          0x0D 0xD8 0xD0 0xDC ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32@Class          0xE1 0x62 0x26 0x42 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32@Class          0x32 0xD0 0x64 0x76 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32@Class          0x67 0xCF 0x1B 0x7A ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32@Class          0x85 0xC4 0x93 0x0E ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32@Class          0x7F 0xEC 0x7B 0x87 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32@Class          0x95 0xA6 0x39 0xC9 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32@Class          0x43 0xB9 0x8E 0x70 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32@Class          0x71 0xCE 0x04 0x64 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32@Class          0x10 0xBB 0xE2 0x52 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit@FindFlags                          14
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites                         

---- EOF - GMER 1.0.15 ----

and with HJTscanlist:
Code:


                        $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
                        º                                    º
                                    hjtscanlist v2.0             
                        º                                    º
                        $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Microsoft Windows XP [Version 5.1.2600]
 
 
C:

  27.04.2010 13:05      C:\WINDOWS --------- 0
  27.04.2010 13:05      C:\RECYCLER --------- 0
  27.04.2010 13:00      C:\Temp --------- 0
  27.04.2010 13:00      C:\Dokumente und Einstellungen --------- 0
        C:\pagefile.sys --------- 
  27.04.2010 12:55      C:\Config.Msi --------- 0
  27.04.2010 12:53      C:\System Volume Information --------- 0
  27.04.2010 11:38      C:\Programme --------- 0
  23.04.2010 17:00      C:\ToadDebug.txt --------- 34
  22.04.2010 16:33      C:\Win32.Worm.Downladup.Gen.log --------- 3046
  22.04.2010 14:38      C:\Cofi --------- 0
  22.04.2010 14:38      C:\ComboFix.txt --------- 18669
  22.04.2010 14:38      C:\Qoobox --------- 0
  25.02.2009 12:25      C:\NWC --------- 0
  16.10.2008 09:52      C:\setup.log --------- 164
  13.03.2008 14:57      C:\mb.err --------- 246
  10.05.2007 10:59      C:\DWGRemoval.iss --------- 505
  08.05.2007 15:22      C:\DWGInstall.iss --------- 630
  07.03.2007 13:32      C:\MSOCache --------- 0
  06.02.2007 10:49      C:\vai --------- 0
  14.09.2006 10:55      C:\oracle --------- 0
  27.04.2006 11:31      C:\Inetpub --------- 0
  27.04.2006 10:32      C:\FilterLog.log --------- 80
  12.01.2006 16:07      C:\dell --------- 0
  12.01.2006 15:53      C:\i386 --------- 0
  12.01.2006 14:50      C:\INFCACHE.1 --------- 4128
  11.01.2006 14:46      C:\boot.ini --------- 211
  29.11.2005 06:04      C:\dell.sdr --------- 3636
  13.08.2004 14:54      C:\MSDOS.SYS --------- 0
  13.08.2004 14:54      C:\IO.SYS --------- 0
  13.08.2004 14:54      C:\CONFIG.SYS --------- 0
  13.08.2004 14:54      C:\AUTOEXEC.BAT --------- 0
  04.08.2004 16:00      C:\NTDETECT.COM --------- 47564
  04.08.2004 16:00      C:\ntldr --------- 251184
  04.08.2004 16:00      C:\bootfont.bin --------- 4952
----------------------------------------

 
C:\WINDOWS

  27.04.2010 13:00    C:\WINDOWS\wiadebug.log --------- 159
  27.04.2010 13:00    C:\WINDOWS\wiaservc.log --------- 50
  27.04.2010 13:00    C:\WINDOWS\bootstat.dat --------- 2048
  27.04.2010 12:59    C:\WINDOWS\SchedLgU.Txt --------- 32480
  22.04.2010 14:37    C:\WINDOWS\system.ini --------- 227
  13.04.2010 07:14    C:\WINDOWS\NetScan.ini --------- 339
  12.03.2010 18:02    C:\WINDOWS\PEV.exe --------- 261632
  25.10.2009 06:11    C:\WINDOWS\MBR.exe --------- 77312
  20.04.2009 12:56    C:\WINDOWS\NIRCMD.exe --------- 31232
  23.02.2009 11:17    C:\WINDOWS\NeroDigital.ini --------- 69
  13.02.2009 12:24    C:\WINDOWS\ODBC.INI --------- 1892
  27.01.2009 09:12    C:\WINDOWS\pdf2word.INI --------- 311
  27.01.2009 08:56    C:\WINDOWS\PDF2HTML.INI --------- 105
  26.11.2008 11:51    C:\WINDOWS\CD_Start.INI --------- 32
  29.04.2008 09:46    C:\WINDOWS\cLines.INI --------- 0
  20.03.2008 09:15    C:\WINDOWS\WCOSOBA.INI --------- 143
  02.08.2007 10:29    C:\WINDOWS\ODBCINST.INI --------- 4346
  02.08.2007 10:28    C:\WINDOWS\Setup1.exe --------- 249856
  02.08.2007 10:28    C:\WINDOWS\ST6UNST.EXE --------- 73216
  06.06.2007 11:40    C:\WINDOWS\dwg2jpg.INI --------- 268
  06.06.2007 08:13    C:\WINDOWS\win.ini --------- 640
  21.05.2007 12:35    C:\WINDOWS\cadkasdeinst01.exe --------- 73216
  11.05.2007 10:40    C:\WINDOWS\eDrawingOfficeAutomator.INI --------- 0
  26.04.2007 14:55    C:\WINDOWS\Iedit_.INI --------- 30
  09.01.2007 12:07    C:\WINDOWS\hpbafd.ini --------- 305
  07.10.2006 18:43    C:\WINDOWS\x2.64.exe --------- 502784
  23.05.2006 14:35    C:\WINDOWS\WMSysPr9.prx --------- 316640
  09.05.2006 09:35    C:\WINDOWS\Clony2.ini --------- 32
  27.04.2006 12:38    C:\WINDOWS\vbaddin.ini --------- 63
  27.04.2006 11:33    C:\WINDOWS\frontpg.ini --------- 0
  20.04.2006 14:22    C:\WINDOWS\multiview.ini --------- 88
  12.04.2006 10:47    C:\WINDOWS\meta4.exe --------- 217073
  05.04.2006 09:09    C:\WINDOWS\MOTA113.exe --------- 66560
  06.02.2006 13:12    C:\WINDOWS\mgxoschk.ini --------- 3237
  29.11.2005 06:20    C:\WINDOWS\smscfg.ini --------- 61
  29.11.2005 06:03    C:\WINDOWS\setpwrcg.exe --------- 49152
  23.08.2004 02:00    C:\WINDOWS\instcli.dex --------- 135168
  13.08.2004 15:30    C:\WINDOWS\setupapi.del --------- 1017421
  13.08.2004 15:05    C:\WINDOWS\orun32.isu --------- 210415
  13.08.2004 15:05    C:\WINDOWS\orun32.ini --------- 849
  13.08.2004 14:59    C:\WINDOWS\setupact.del --------- 220319
  13.08.2004 14:59    C:\WINDOWS\setuplog.del --------- 746067
  13.08.2004 14:54    C:\WINDOWS\control.ini --------- 0
  13.08.2004 14:53    C:\WINDOWS\WindowsShell.Manifest --------- 749
  13.08.2004 14:52    C:\WINDOWS\vb.ini --------- 36
  13.08.2004 14:52    C:\WINDOWS\T30DebugLogFile.txt --------- 0
  13.08.2004 14:49    C:\WINDOWS\Sti_Trace.log --------- 0
  13.08.2004 14:46    C:\WINDOWS\setuperr.del --------- 0
  04.08.2004 16:00    C:\WINDOWS\regedit.exe --------- 153600
  04.08.2004 16:00    C:\WINDOWS\Granit.bmp --------- 26582
  04.08.2004 16:00    C:\WINDOWS\Santa Fe-Stuck.bmp --------- 65832
  04.08.2004 16:00    C:\WINDOWS\Feder.bmp --------- 16730
  04.08.2004 16:00    C:\WINDOWS\Präriewind.bmp --------- 65954
  04.08.2004 16:00    C:\WINDOWS\Seifenblase.bmp --------- 65978
  04.08.2004 16:00    C:\WINDOWS\wmprfDEU.prx --------- 34818
  04.08.2004 16:00    C:\WINDOWS\explorer.scf --------- 80
  04.08.2004 16:00    C:\WINDOWS\hh.exe --------- 10752
  04.08.2004 16:00    C:\WINDOWS\NOTEPAD.EXE --------- 70144
  04.08.2004 16:00    C:\WINDOWS\winhelp.exe --------- 257568
  04.08.2004 16:00    C:\WINDOWS\winnt256.bmp --------- 48680
  04.08.2004 16:00    C:\WINDOWS\winnt.bmp --------- 48680
  04.08.2004 16:00    C:\WINDOWS\explorer.exe --------- 1035264
  04.08.2004 16:00    C:\WINDOWS\msdfmap.ini --------- 1405
  04.08.2004 16:00    C:\WINDOWS\Fächer.bmp --------- 26680
  04.08.2004 16:00    C:\WINDOWS\desktop.ini --------- 2
  04.08.2004 16:00    C:\WINDOWS\Zapotek.bmp --------- 9522
  04.08.2004 16:00    C:\WINDOWS\winhlp32.exe --------- 288768
  04.08.2004 16:00    C:\WINDOWS\clock.avi --------- 82944
  04.08.2004 16:00    C:\WINDOWS\Rhododendron.bmp --------- 17362
  04.08.2004 16:00    C:\WINDOWS\TASKMAN.EXE --------- 15872
  04.08.2004 16:00    C:\WINDOWS\twain.dll --------- 94800
  04.08.2004 16:00    C:\WINDOWS\twain_32.dll --------- 50688
  04.08.2004 16:00    C:\WINDOWS\twunk_16.exe --------- 49680
  04.08.2004 16:00    C:\WINDOWS\twunk_32.exe --------- 25600
  04.08.2004 16:00    C:\WINDOWS\Blaue Spitzen 16.bmp --------- 1272
  04.08.2004 16:00    C:\WINDOWS\vmmreg32.dll --------- 18944
  04.08.2004 16:00    C:\WINDOWS\Kaffeetasse.bmp --------- 17062
  04.08.2004 16:00    C:\WINDOWS\Angler.bmp --------- 17336
  04.08.2004 16:00    C:\WINDOWS\_default.pif --------- 707
  18.02.2004 11:53    C:\WINDOWS\STable.xml --------- 54633
  22.12.2003 17:59    C:\WINDOWS\GeoCodec.dll --------- 405504
  22.12.2003 17:56    C:\WINDOWS\GeoCodecLib.dll --------- 176128
  10.06.2002 17:26    C:\WINDOWS\Dell.bmp --------- 787512
  04.05.2001 12:05    C:\WINDOWS\mpg4c32.dll --------- 413760
  31.08.2000 08:00    C:\WINDOWS\SWXCACLS.exe --------- 212480
  31.08.2000 08:00    C:\WINDOWS\zip.exe --------- 68096
  31.08.2000 08:00    C:\WINDOWS\SWSC.exe --------- 136704
  31.08.2000 08:00    C:\WINDOWS\grep.exe --------- 80412
  31.08.2000 08:00    C:\WINDOWS\sed.exe --------- 98816
  31.08.2000 08:00    C:\WINDOWS\SWREG.exe --------- 161792
  07.04.2000 13:13    C:\WINDOWS\W_ZIPPER.EXE --------- 131072
  23.03.1999 08:12    C:\WINDOWS\unin0407.exe --------- 304128
  17.11.1998 11:44    C:\WINDOWS\IsUn0407.exe --------- 328704
  29.10.1998 16:45    C:\WINDOWS\IsUninst.exe --------- 306688
  01.04.1998 15:11    C:\WINDOWS\uninst.exe --------- 299520
----------------------------------------

 
C:\WINDOWS\System

 04.08.2004 16:00    C:\WINDOWS\System\AVICAP.DLL --------- 70368
 04.08.2004 16:00    C:\WINDOWS\System\AVIFILE.DLL --------- 109504
 04.08.2004 16:00    C:\WINDOWS\System\COMMDLG.DLL --------- 33744
 04.08.2004 16:00    C:\WINDOWS\System\WFWNET.DRV --------- 13600
 04.08.2004 16:00    C:\WINDOWS\System\KEYBOARD.DRV --------- 2000
 04.08.2004 16:00    C:\WINDOWS\System\LZEXPAND.DLL --------- 9936
 04.08.2004 16:00    C:\WINDOWS\System\MCIAVI.DRV --------- 73760
 04.08.2004 16:00    C:\WINDOWS\System\MCISEQ.DRV --------- 25296
 04.08.2004 16:00    C:\WINDOWS\System\MCIWAVE.DRV --------- 28160
 04.08.2004 16:00    C:\WINDOWS\System\MMSYSTEM.DLL --------- 69632
 04.08.2004 16:00    C:\WINDOWS\System\MMTASK.TSK --------- 1152
 04.08.2004 16:00    C:\WINDOWS\System\MOUSE.DRV --------- 2032
 04.08.2004 16:00    C:\WINDOWS\System\MSVIDEO.DLL --------- 127104
 04.08.2004 16:00    C:\WINDOWS\System\OLECLI.DLL --------- 82944
 04.08.2004 16:00    C:\WINDOWS\System\OLESVR.DLL --------- 24064
 04.08.2004 16:00    C:\WINDOWS\System\setup.inf --------- 59167
 04.08.2004 16:00    C:\WINDOWS\System\SHELL.DLL --------- 5120
 04.08.2004 16:00    C:\WINDOWS\System\SOUND.DRV --------- 1744
 04.08.2004 16:00    C:\WINDOWS\System\stdole.tlb --------- 5532
 04.08.2004 16:00    C:\WINDOWS\System\SYSTEM.DRV --------- 3360
 04.08.2004 16:00    C:\WINDOWS\System\TAPI.DLL --------- 19200
 04.08.2004 16:00    C:\WINDOWS\System\TIMER.DRV --------- 4048
 04.08.2004 16:00    C:\WINDOWS\System\VER.DLL --------- 9200
 04.08.2004 16:00    C:\WINDOWS\System\VGA.DRV --------- 2176
 04.08.2004 16:00    C:\WINDOWS\System\WINSPOOL.DRV --------- 146944
 19.09.2001 19:47    C:\WINDOWS\System\crlds3d.dll --------- 765952
----------------------------------------

 
C:\WINDOWS\System32

 27.04.2010 13:04    C:\WINDOWS\system32\inetsrv --------- 0
 27.04.2010 12:53    C:\WINDOWS\system32\Restore --------- 0
 27.04.2010 10:27    C:\WINDOWS\system32\CatRoot2 --------- 0
 23.04.2010 11:04    C:\WINDOWS\system32\drivers --------- 0
 20.04.2010 08:55    C:\WINDOWS\system32\dllcache --------- 0
 20.04.2010 08:53    C:\WINDOWS\system32\de-DE --------- 0
 20.04.2010 08:48    C:\WINDOWS\system32\perfc009.dat --------- 107610
 20.04.2010 08:48    C:\WINDOWS\system32\perfh009.dat --------- 521794
 20.04.2010 08:48    C:\WINDOWS\system32\perfh007.dat --------- 562956
 20.04.2010 08:48    C:\WINDOWS\system32\perfc007.dat --------- 130788
 20.04.2010 08:48    C:\WINDOWS\system32\PerfStringBackup.INI --------- 1342744
 20.04.2010 08:44    C:\WINDOWS\system32\FNTCACHE.DAT --------- 274168
 20.04.2010 08:43    C:\WINDOWS\system32\Setup --------- 0
 20.04.2010 08:43    C:\WINDOWS\system32\wbem --------- 0
 20.04.2010 08:40    C:\WINDOWS\system32\TZLog.log --------- 4230
 20.04.2010 08:23    C:\WINDOWS\system32\KB905474 --------- 0
 20.04.2010 07:58    C:\WINDOWS\system32\wpa.dbl --------- 2206
 20.04.2010 07:58    C:\WINDOWS\system32\PreInstall --------- 0
 20.04.2010 07:36    C:\WINDOWS\system32\SoftwareDistribution --------- 0
 19.04.2010 10:07    C:\WINDOWS\system32\CatRoot --------- 0
 16.04.2010 11:53    C:\WINDOWS\system32\log --------- 0
 06.04.2010 10:52    C:\WINDOWS\system32\MRT.exe --------- 31971272
 10.03.2010 07:18    C:\WINDOWS\system32\shdocvw.dll --------- 1506304
 10.03.2010 07:18    C:\WINDOWS\system32\browseui.dll --------- 1023488
 26.02.2010 08:10    C:\WINDOWS\system32\shlwapi.dll --------- 474624
 26.02.2010 08:10    C:\WINDOWS\system32\danim.dll --------- 1056256
 26.02.2010 08:10    C:\WINDOWS\system32\extmgr.dll --------- 55808
 26.02.2010 08:10    C:\WINDOWS\system32\cdfview.dll --------- 152064
 26.02.2010 02:58    C:\WINDOWS\system32\xpsp3res.dll --------- 375808
 25.02.2010 11:45    C:\WINDOWS\system32\ieframe.dll --------- 11070976
 25.02.2010 08:15    C:\WINDOWS\system32\wininet.dll --------- 916480
 25.02.2010 08:15    C:\WINDOWS\system32\urlmon.dll --------- 1209344
 25.02.2010 08:15    C:\WINDOWS\system32\occache.dll --------- 206848
 25.02.2010 08:15    C:\WINDOWS\system32\mstime.dll --------- 611840
 25.02.2010 08:15    C:\WINDOWS\system32\mshtml.dll --------- 5944832
 25.02.2010 08:15    C:\WINDOWS\system32\msfeedsbs.dll --------- 55296
 25.02.2010 08:15    C:\WINDOWS\system32\msfeeds.dll --------- 594432
 25.02.2010 08:15    C:\WINDOWS\system32\jsproxy.dll --------- 25600
 25.02.2010 08:15    C:\WINDOWS\system32\inetcpl.cpl --------- 1469440
 25.02.2010 08:15    C:\WINDOWS\system32\iertutil.dll --------- 1985536
 25.02.2010 08:14    C:\WINDOWS\system32\iepeers.dll --------- 184320
 25.02.2010 08:14    C:\WINDOWS\system32\iedkcs32.dll --------- 387584
 24.02.2010 11:53    C:\WINDOWS\system32\ie4uinit.exe --------- 173056
 16.02.2010 21:30    C:\WINDOWS\system32\ntoskrnl.exe --------- 2139648
 16.02.2010 21:30    C:\WINDOWS\system32\ntkrnlpa.exe --------- 2019328
 16.02.2010 07:27    C:\WINDOWS\system32\wmp.dll --------- 4734976
 12.02.2010 12:03    C:\WINDOWS\system32\browserchoice.exe --------- 293376
 12.02.2010 06:45    C:\WINDOWS\system32\6to4svc.dll --------- 100864
 29.01.2010 16:43    C:\WINDOWS\system32\l3codecx.ax --------- 143422
 29.01.2010 16:43    C:\WINDOWS\system32\l3codeca.acm --------- 307260
 23.01.2010 10:11    C:\WINDOWS\system32\tzchange.exe --------- 46080
 13.01.2010 16:08    C:\WINDOWS\system32\cabview.dll --------- 86016
 24.12.2009 09:05    C:\WINDOWS\system32\wintrust.dll --------- 177664
 17.12.2009 09:57    C:\WINDOWS\system32\mspaint.exe --------- 346624
 14.12.2009 09:35    C:\WINDOWS\system32\csrsrv.dll --------- 33280
 27.11.2009 19:33    C:\WINDOWS\system32\msyuv.dll --------- 17920
 27.11.2009 19:33    C:\WINDOWS\system32\quartz.dll --------- 1296896
 27.11.2009 18:37    C:\WINDOWS\system32\msrle32.dll --------- 11264
 27.11.2009 18:37    C:\WINDOWS\system32\msvidc32.dll --------- 28672
 27.11.2009 18:37    C:\WINDOWS\system32\avifil32.dll --------- 85504
 27.11.2009 18:37    C:\WINDOWS\system32\iyuv_32.dll --------- 48128
 27.11.2009 18:37    C:\WINDOWS\system32\tsbyuv.dll --------- 8704
 15.10.2009 22:50    C:\WINDOWS\system32\t2embed.dll --------- 119808
 15.10.2009 19:20    C:\WINDOWS\system32\fontsub.dll --------- 82432
 13.10.2009 12:51    C:\WINDOWS\system32\oakley.dll --------- 267776
 12.10.2009 15:51    C:\WINDOWS\system32\rastls.dll --------- 113152
 12.10.2009 15:51    C:\WINDOWS\system32\raschap.dll --------- 69632
 11.09.2009 16:31    C:\WINDOWS\system32\msv1_0.dll --------- 133632
 04.09.2009 22:45    C:\WINDOWS\system32\msasn1.dll --------- 58880
 01.09.2009 16:32    C:\WINDOWS\system32\msaud32.acm --------- 282654
 26.08.2009 10:14    C:\WINDOWS\system32\strmdll.dll --------- 247326
 19.08.2009 17:07    C:\WINDOWS\system32\msxml6.dll --------- 1415000
 14.08.2009 17:18    C:\WINDOWS\system32\win32k.sys --------- 1850240
 06.08.2009 19:24    C:\WINDOWS\system32\wucltui.dll --------- 327896
 06.08.2009 19:24    C:\WINDOWS\system32\wuaueng.dll.mui --------- 18144
 06.08.2009 19:24    C:\WINDOWS\system32\wuapi.dll.mui --------- 15584
 06.08.2009 19:24    C:\WINDOWS\system32\wuaucpl.cpl --------- 217816
 06.08.2009 19:24    C:\WINDOWS\system32\wups.dll --------- 35552
 06.08.2009 19:24    C:\WINDOWS\system32\wups2.dll --------- 44768
 06.08.2009 19:24    C:\WINDOWS\system32\wuauclt.exe --------- 53472
 06.08.2009 19:24    C:\WINDOWS\system32\cdm.dll --------- 96480
 06.08.2009 19:24    C:\WINDOWS\system32\wuaucpl.cpl.mui --------- 15584
 06.08.2009 19:24    C:\WINDOWS\system32\wucltui.dll.mui --------- 23264
 06.08.2009 19:23    C:\WINDOWS\system32\wuapi.dll --------- 575704
 06.08.2009 19:23    C:\WINDOWS\system32\wuaueng.dll --------- 1929952
 06.08.2009 19:23    C:\WINDOWS\system32\wuweb.dll --------- 209624
 05.08.2009 11:05    C:\WINDOWS\system32\mswebdvd.dll --------- 206336
 31.07.2009 06:58    C:\WINDOWS\system32\msxml3.dll --------- 1172480
 21.07.2009 00:05    C:\WINDOWS\system32\msxml4.dll --------- 1348432
 17.07.2009 20:56    C:\WINDOWS\system32\atl.dll --------- 58880
 17.07.2009 18:25    C:\WINDOWS\system32\query.dll --------- 1441792
 13.07.2009 02:18    C:\WINDOWS\system32\wmpdxm.dll --------- 233472
 25.06.2009 20:34    C:\WINDOWS\system32\mqtrig.dll --------- 186880
 25.06.2009 20:34    C:\WINDOWS\system32\mqdscli.dll --------- 47104
 25.06.2009 20:34    C:\WINDOWS\system32\mqise.dll --------- 16896
 25.06.2009 20:34    C:\WINDOWS\system32\mqoa.dll --------- 225280
 25.06.2009 20:34    C:\WINDOWS\system32\mqqm.dll --------- 661504
 25.06.2009 20:34    C:\WINDOWS\system32\mqad.dll --------- 138240
 25.06.2009 20:34    C:\WINDOWS\system32\mqutil.dll --------- 533504
 25.06.2009 20:34    C:\WINDOWS\system32\mqsnap.dll --------- 517120
----------------------------------------

 
C:\WINDOWS\Prefetch

 27.04.2010 13:05    C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf --------- 15104
 27.04.2010 13:04    C:\WINDOWS\Prefetch\CCLEANER.EXE-17760B94.pf --------- 53064
 27.04.2010 13:04    C:\WINDOWS\Prefetch\7ZG.EXE-3B8AF2E3.pf --------- 17408
 27.04.2010 13:04    C:\WINDOWS\Prefetch\IGFXSRVC.EXE-1D88F978.pf --------- 49872
 27.04.2010 13:03    C:\WINDOWS\Prefetch\WINWORD.EXE-1220CCA8.pf --------- 124468
 27.04.2010 13:02    C:\WINDOWS\Prefetch\PFANNEN_UPDATE_R.EXE-01A81DBA.pf --------- 124310
 27.04.2010 13:02    C:\WINDOWS\Prefetch\OUTLOOK.EXE-3639333C.pf --------- 9394
 27.04.2010 13:01    C:\WINDOWS\Prefetch\ACROBAT_SL.EXE-3AC3EA4D.pf --------- 11606
 27.04.2010 13:01    C:\WINDOWS\Prefetch\CTFMON.EXE-05E57A5E.pf --------- 14148
 27.04.2010 13:01    C:\WINDOWS\Prefetch\TEATIMER.EXE-14B047BF.pf --------- 31774
 27.04.2010 13:01    C:\WINDOWS\Prefetch\SMAX4PNP.EXE-0AFDE2F0.pf --------- 19364
 27.04.2010 13:01    C:\WINDOWS\Prefetch\SCHEDHLP.EXE-2F4AADD8.pf --------- 10960
 27.04.2010 13:01    C:\WINDOWS\Prefetch\OSS_REINSTALL.EXE-1E947E26.pf --------- 13698
 27.04.2010 13:01    C:\WINDOWS\Prefetch\JUSCHED.EXE-3942B063.pf --------- 10062
 27.04.2010 13:01    C:\WINDOWS\Prefetch\IGFXPERS.EXE-19DA7B04.pf --------- 10794
 27.04.2010 13:01    C:\WINDOWS\Prefetch\HKCMD.EXE-0F06AE14.pf --------- 10384
 27.04.2010 13:01    C:\WINDOWS\Prefetch\IMAPI.EXE-201490BB.pf --------- 17056
 27.04.2010 13:01    C:\WINDOWS\Prefetch\IGFXTRAY.EXE-0A23D403.pf --------- 29642
 27.04.2010 13:01    C:\WINDOWS\Prefetch\EXPLORER.EXE-02121B1A.pf --------- 100052
 27.04.2010 13:01    C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf --------- 40040
 27.04.2010 13:01    C:\WINDOWS\Prefetch\CNTAOSMGR.EXE-05C16A24.pf --------- 94710
 27.04.2010 13:01    C:\WINDOWS\Prefetch\ALG.EXE-275708CF.pf --------- 52734
 27.04.2010 13:01    C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf --------- 1256728
 27.04.2010 12:57    C:\WINDOWS\Prefetch\AWREM32.EXE-354E6502.pf --------- 72178
 27.04.2010 12:56    C:\WINDOWS\Prefetch\WINAW32.EXE-120EACB4.pf --------- 76604
 27.04.2010 12:56    C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf --------- 24470
 27.04.2010 12:56    C:\WINDOWS\Prefetch\ACRODIST.EXE-15F20FA2.pf --------- 2792
 27.04.2010 12:56    C:\WINDOWS\Prefetch\TRUEIMAGEMONITOR.EXE-1CA84A54.pf --------- 12254
 27.04.2010 12:55    C:\WINDOWS\Prefetch\DAVCDATA.EXE-14FB80FC.pf --------- 11998
 27.04.2010 12:55    C:\WINDOWS\Prefetch\RUNDLL32.EXE-51D80323.pf --------- 29968
 27.04.2010 12:55    C:\WINDOWS\Prefetch\RUNDLL32.EXE-71E6BF7D.pf --------- 42152
 27.04.2010 12:55    C:\WINDOWS\Prefetch\DLLHOST.EXE-474D72E6.pf --------- 83436
 27.04.2010 12:55    C:\WINDOWS\Prefetch\IE4UINIT.EXE-046D13C9.pf --------- 38368
 27.04.2010 12:55    C:\WINDOWS\Prefetch\RUNDLL32.EXE-73FEE585.pf --------- 17130
 27.04.2010 12:55    C:\WINDOWS\Prefetch\MSIEXEC.EXE-330626DC.pf --------- 23962
 27.04.2010 12:55    C:\WINDOWS\Prefetch\REGSVR32.EXE-396DEA2C.pf --------- 17372
 27.04.2010 12:55    C:\WINDOWS\Prefetch\SHMGRATE.EXE-2DD3E4D8.pf --------- 21856
 27.04.2010 12:55    C:\WINDOWS\Prefetch\SETUP50.EXE-0177D3B8.pf --------- 33046
 27.04.2010 12:55    C:\WINDOWS\Prefetch\RUNDLL32.EXE-54650060.pf --------- 17590
 27.04.2010 12:55    C:\WINDOWS\Prefetch\UNREGMP2.EXE-0CFB0619.pf --------- 14742
 27.04.2010 12:55    C:\WINDOWS\Prefetch\RUNDLL32.EXE-6E074905.pf --------- 16056
 27.04.2010 12:55    C:\WINDOWS\Prefetch\RUNDLL32.EXE-49E968F9.pf --------- 17348
 27.04.2010 12:55    C:\WINDOWS\Prefetch\IEUDINIT.EXE-1E723E51.pf --------- 8182
 27.04.2010 12:55    C:\WINDOWS\Prefetch\IZ5D97.EXE-181A0FFC.pf --------- 14042
 27.04.2010 12:49    C:\WINDOWS\Prefetch\UEDIT32.EXE-0FC247FE.pf --------- 65640
 27.04.2010 12:48    C:\WINDOWS\Prefetch\NOTEPAD.EXE-2F2D61E1.pf --------- 13488
 27.04.2010 11:42    C:\WINDOWS\Prefetch\GMER.EXE-0D35692B.pf --------- 16270
 27.04.2010 11:35    C:\WINDOWS\Prefetch\MSTSC.EXE-2A28D622.pf --------- 116460
 27.04.2010 11:25    C:\WINDOWS\Prefetch\Layout.ini --------- 499542
 27.04.2010 10:28    C:\WINDOWS\Prefetch\FSBL1067.EXE-0D7959A4.pf --------- 14626
 27.04.2010 10:00    C:\WINDOWS\Prefetch\RUNDLL32.EXE-5A336057.pf --------- 14092
 27.04.2010 09:59    C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf --------- 23456
 27.04.2010 09:29    C:\WINDOWS\Prefetch\PCCNTUPD.EXE-315A543B.pf --------- 7912
 27.04.2010 09:29    C:\WINDOWS\Prefetch\XPUPG.EXE-36A723D9.pf --------- 12414
 27.04.2010 09:28    C:\WINDOWS\Prefetch\TSC.EXE-24356832.pf --------- 64284
 27.04.2010 09:20    C:\WINDOWS\Prefetch\IEXPLORE.EXE-360BBB5C.pf --------- 93038
 27.04.2010 07:26    C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf --------- 72610
 27.04.2010 07:25    C:\WINDOWS\Prefetch\RUNDLL32.EXE-3DE4948B.pf --------- 29344
 26.04.2010 14:39    C:\WINDOWS\Prefetch\SYMANTEC.EXE-3333ABE3.pf --------- 38504
 26.04.2010 13:03    C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf --------- 24540
 26.04.2010 12:10    C:\WINDOWS\Prefetch\MBAM.EXE-325FAE38.pf --------- 62340
 26.04.2010 12:10    C:\WINDOWS\Prefetch\PCCNT.EXE-0304BDAD.pf --------- 39528
 26.04.2010 11:34    C:\WINDOWS\Prefetch\WMIAPSRV.EXE-02740A4B.pf --------- 18820
 26.04.2010 11:34    C:\WINDOWS\Prefetch\VAI.PROCESSEXPLORERFORM.EXE-0E7EF1F5.pf --------- 75966
 26.04.2010 11:33    C:\WINDOWS\Prefetch\PFANNEN.EXE-14BEAF03.pf --------- 40194
 26.04.2010 11:23    C:\WINDOWS\Prefetch\HELPSVC.EXE-1C192440.pf --------- 114328
 26.04.2010 09:11    C:\WINDOWS\Prefetch\PING.EXE-30F9CA9D.pf --------- 14034
 26.04.2010 08:24    C:\WINDOWS\Prefetch\WGASETUP.EXE-0098D97F.pf --------- 27280
 24.04.2010 14:53    C:\WINDOWS\Prefetch\DFRGNTFS.EXE-38C3807C.pf --------- 41360
 24.04.2010 14:53    C:\WINDOWS\Prefetch\DEFRAG.EXE-2858C7E2.pf --------- 18896
----------------------------------------

 
C:\WINDOWS\Tasks

 27.04.2010 13:00    C:\WINDOWS\Tasks\SA.DAT --------- 6
 04.08.2004 16:00    C:\WINDOWS\Tasks\desktop.ini --------- 65
----------------------------------------

 
C:\WINDOWS\Temp

 11.02.2009 17:17    C:\WINDOWS\Temp\HO94A.EXE --------- 296224
----------------------------------------

 
C:\DOKUME~1\xxx\LOKALE~1\Temp

 27.04.2010 13:02      C:\DOKUME~1\xxx\LOKALE~1\Temp\~DFDF0F.tmp --------- 512
----------------------------------------

 
C:\Programme

 27.04.2010 13:02    C:\Programme\PFANNEN --------- 0
 27.04.2010 11:38    C:\Programme\gmer --------- 0
 27.04.2010 10:28    C:\Programme\Blacklight --------- 0
 22.04.2010 14:29    C:\Programme\Gemeinsame Dateien --------- 0
 20.04.2010 08:55    C:\Programme\Internet Explorer --------- 0
 20.04.2010 08:40    C:\Programme\Movie Maker --------- 0
 20.04.2010 08:36    C:\Programme\MSXML 4.0 --------- 0
 20.04.2010 08:26    C:\Programme\Outlook Express --------- 0
 20.04.2010 08:22    C:\Programme\MSXML 6.0 --------- 0
 20.04.2010 08:21    C:\Programme\Messenger --------- 0
 19.04.2010 11:53    C:\Programme\Malwarebytes' Anti-Malware --------- 0
 16.04.2010 11:53    C:\Programme\Trend Micro --------- 0
 24.02.2010 10:00    C:\Programme\Incuity --------- 0
 22.01.2010 12:13    C:\Programme\Blockguss --------- 0
 27.01.2009 09:05    C:\Programme\VeryPDF PDF2Word v3.0 --------- 0
 23.01.2009 13:20    C:\Programme\Adobe --------- 0
 15.01.2009 16:43    C:\Programme\CUEcards 2000 --------- 0
 04.12.2008 13:29    C:\Programme\LuckieDIPS --------- 0
 01.12.2008 16:38    C:\Programme\AviSynth 2.5 --------- 0
 01.12.2008 16:12    C:\Programme\USSF --------- 0
 01.12.2008 16:09    C:\Programme\Orca --------- 0
 01.12.2008 15:20    C:\Programme\Office Slipstreamer --------- 0
 01.12.2008 14:58    C:\Programme\Windows Sidebar --------- 0
 26.11.2008 11:08    C:\Programme\AutoPlay Menu Builder --------- 0
 24.11.2008 12:51    C:\Programme\Tools&More --------- 0
 24.10.2008 11:13    C:\Programme\InstallShield Installation Information --------- 0
 20.10.2008 08:17    C:\Programme\Uninstall Information --------- 0
 20.10.2008 08:17    C:\Programme\Microsoft SQL Server --------- 0
 16.10.2008 09:52    C:\Programme\Syncrosoft --------- 0
 08.10.2008 09:16    C:\Programme\ThouVis Demoversion --------- 0
 22.11.2007 10:32    C:\Programme\Microsoft.NET --------- 0
 22.11.2007 10:30    C:\Programme\Microsoft Device Emulator --------- 0
 22.11.2007 10:30    C:\Programme\Microsoft SQL Server 2005 Mobile Edition --------- 0
 22.11.2007 10:23    C:\Programme\MSBuild --------- 0
 22.11.2007 10:16    C:\Programme\CE Remote Tools --------- 0
 22.11.2007 10:14    C:\Programme\Microsoft Visual Studio 8 --------- 0
 08.05.2007 14:06    C:\Programme\CLines4NG zu ArCon 2005 --------- 0
 02.05.2007 08:56    C:\Programme\Microsoft Office --------- 0
 26.04.2007 10:25    C:\Programme\Microsoft Office 2007 --------- 0
 28.03.2007 09:59    C:\Programme\Java --------- 0
 13.02.2007 14:30    C:\Programme\VAI --------- 0
 27.12.2006 15:36    C:\Programme\Intel --------- 0
 27.09.2006 16:47    C:\Programme\Quest Software --------- 0
 14.09.2006 10:59    C:\Programme\Microsoft Visual Studio .NET --------- 0
 14.09.2006 10:58    C:\Programme\Oracle --------- 0
 27.04.2006 12:01    C:\Programme\HTML Help Workshop --------- 0
 27.04.2006 11:56    C:\Programme\Microsoft ACT --------- 0
 24.04.2006 10:51    C:\Programme\Nero --------- 0
 18.04.2006 12:44    C:\Programme\Microsoft IntelliType Pro 5.5 --------- 0
 18.04.2006 12:35    C:\Programme\Microsoft IntelliPoint 5.5 --------- 0
 04.04.2006 09:52    C:\Programme\Interwise --------- 0
 12.01.2006 15:53    C:\Programme\Symantec --------- 0
 29.11.2005 06:19    C:\Programme\Broadcom --------- 0
 29.11.2005 06:07    C:\Programme\Analog Devices --------- 0
 13.08.2004 14:55    C:\Programme\microsoft frontpage --------- 0
 13.08.2004 14:55    C:\Programme\xerox --------- 0
 13.08.2004 14:53    C:\Programme\WindowsUpdate --------- 0
 13.08.2004 14:53    C:\Programme\Online-Dienste --------- 0
 13.08.2004 14:53    C:\Programme\NetMeeting --------- 0
 13.08.2004 14:52    C:\Programme\ComPlus Applications --------- 0
 13.08.2004 14:52    C:\Programme\Windows Media Player --------- 0
 13.08.2004 14:51    C:\Programme\MSN Gaming Zone --------- 0
 13.08.2004 14:51    C:\Programme\Windows NT --------- 0
 13.08.2004 14:51    C:\Programme\MSN --------- 0
----------------------------------------

Abbildname                  PID Sitzungsname      Sitz.-Nr. Speichernutzung
========================= ===== ================ ========== ===============
System Idle Process          0 Console                  0            28 K
System                        4 Console                  0          236 K
smss.exe                    716 Console                  0          416 K
csrss.exe                  764 Console                  0        3.856 K
winlogon.exe                788 Console                  0        2.640 K
services.exe                832 Console                  0        4.240 K
lsass.exe                  844 Console                  0        7.608 K
svchost.exe                1052 Console                  0        5.220 K
svchost.exe                1120 Console                  0        4.356 K
svchost.exe                1208 Console                  0        18.576 K
svchost.exe                1308 Console                  0        3.548 K
svchost.exe                1368 Console                  0        3.940 K
spoolsv.exe                1552 Console                  0        6.156 K
svchost.exe                1624 Console                  0        5.448 K
schedul2.exe              1688 Console                  0        1.800 K
awhost32.exe              1724 Console                  0        7.356 K
inetinfo.exe              1788 Console                  0        10.448 K
mdm.exe                    1828 Console                  0        2.736 K
sqlservr.exe              1860 Console                  0        1.248 K
NBService.exe              1932 Console                  0        6.596 K
NMSAccessU.exe            2012 Console                  0        1.804 K
NTRtScan.exe              2024 Console                  0        15.896 K
NWC_SERVICE.EXE            2044 Console                  0        2.664 K
svchost.exe                256 Console                  0        2.864 K
svchost.exe                404 Console                  0        4.156 K
TmListen.exe                708 Console                  0        13.120 K
HO94A.EXE                  1460 Console                  0        2.644 K
alg.exe                    2232 Console                  0        3.488 K
CNTAoSMgr.exe              2888 Console                  0        2.532 K
explorer.exe              3136 Console                  0        32.400 K
hkcmd.exe                  3236 Console                  0        2.728 K
igfxpers.exe              3244 Console                  0        2.820 K
smax4pnp.exe              3316 Console                  0        4.516 K
jusched.exe                3332 Console                  0        2.256 K
TrueImageMonitor.exe      3444 Console                  0        3.208 K
schedhlp.exe              3460 Console                  0        2.620 K
acrotray.exe              3592 Console                  0        2.832 K
bgsmsnd.exe                3640 Console                  0        2.764 K
PccNTMon.exe              3648 Console                  0        8.940 K
TeaTimer.exe              3748 Console                  0        43.100 K
ctfmon.exe                3756 Console                  0        3.256 K
acrobat_sl.exe            3888 Console                  0        2.720 K
OUTLOOK.EXE                3944 Console                  0        29.572 K
WINWORD.EXE                3728 Console                  0        23.020 K
Pfannen_Update_r.exe      3928 Console                  0        19.028 K
cmd.exe                    2636 Console                  0        2.284 K
tasklist.exe              3976 Console                  0        4.492 K
wmiprvse.exe              4004 Console                  0        5.684 K

 
***** Ende des Scans 27.04.2010 um 13:05:47,17 ***


And I think something else was found!!

Regards

Snewi 27.04.2010 13:32

OSAM also finds something again now, with the virus scanner and all network connections disabled!

Code:

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 14:18:08 on 27.04.2010

OS: Windows XP Professional Service Pack 2 (Build 2600)
Default Browser: Microsoft Corporation Internet Explorer 8.00.6001.18702

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"BACSCPL.cpl" - ? - C:\WINDOWS\system32\BACSCPL.cpl
"jpicpl32.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\jpicpl32.cpl
"pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl  (File found, but it contains no detailed information)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"AC3 Filter" - ? - D:\Programme\TTPack\AC3\ac3filter.cpl
"QuickTime" - "Apple Computer, Inc." - D:\Programme\TTPack\QTLite\QuickTime.cpl
"SYMLIVE" - "Symantec Corporation" - C:\Programme\Symantec\LiveUpdate\S32LUCP1.CPL

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ACEDRV07" (ACEDRV07) - "Protect Software GmbH" - C:\WINDOWS\system32\drivers\ACEDRV07.sys
"Acronis Snapshots Manager" (snapman) - "Acronis" - C:\WINDOWS\System32\DRIVERS\snapman.sys
"Acronis TrueImage Backup Archive Explorer" (timounter) - "Acronis" - C:\WINDOWS\System32\DRIVERS\timntr.sys
"Acronis TrueImage FS Filter" (tifsfilter) - "Acronis" - C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
"AVM Bluetooth Audio Driver" (AVMBTSND) - "AVM GmbH" - C:\WINDOWS\System32\drivers\avmbtsnd.sys
"AVM Bluetooth CAPI-Controller" (CAPI_CIP) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\capi_cip.sys
"AVM Bluetooth Druckeranschluss" (AVMBTPARALLEL) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmbtpar.sys
"AVM Bluetooth Kommunikationsanschluss" (AVMBTSERIAL) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmbtser.sys
"AVM Bluetooth Netzwerkadapter" (NETBFPAN) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\netbfpan.sys
"AVM ISDN CoNDIS WAN CAPI Treiber" (AVMCOWAN) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmcowan.sys
"awecho" (awecho) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\awechomd.sys
"awlegacy" (awlegacy) - "Symantec Corporation" - C:\WINDOWS\System32\Drivers\awlegacy.sys
"AW_HOST" (AW_HOST) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\aw_host5.sys
"BlueFRITZ! USB 2.5(WinXP/2000)" (bfhubase) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\bfhubase.sys
"catchme" (catchme) - ? - C:\DOKUME~1\xxxa.STW\LOKALE~1\Temp\catchme.sys  (File not found)
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys  (File not found)
"Gernuwa" (Gernuwa) - "Symantec Corporation" - C:\WINDOWS\system32\drivers\Gernuwa.sys
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys  (File not found)
"Nokia USB Generic" (Nokia USB Generic) - ? - C:\WINDOWS\System32\drivers\nmwcdc.sys  (File not found)
"Nokia USB Modem" (Nokia USB Modem) - ? - C:\WINDOWS\System32\drivers\nmwcdcm.sys  (File not found)
"Nokia USB Phone Parent" (Nokia USB Phone Parent) - ? - C:\WINDOWS\System32\drivers\nmwcd.sys  (File not found)
"Nokia USB Port" (Nokia USB Port) - ? - C:\WINDOWS\System32\drivers\nmwcdcj.sys  (File not found)
"Nsynas32" (Nsynas32) - "Syncrosoft Hard- und Software GmbH" - C:\WINDOWS\system32\drivers\Nsynas32.sys
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys  (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys  (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys  (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys  (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys  (File not found)
"Secdrv" (Secdrv) - ? - C:\WINDOWS\System32\DRIVERS\secdrv.sys  (File signed by Microsoft | File found, but it contains no detailed information)
"SymEvent" (SymEvent) - "Symantec Corporation" - C:\Programme\Symantec\SYMEVENT.SYS
"SynasUSB" (SynasUSB) - "SIA Syncrosoft" - C:\WINDOWS\System32\drivers\SynasUSB.sys
"tmcomm" (tmcomm) - "Trend Micro Inc." - C:\WINDOWS\system32\drivers\tmcomm.sys
"Trend Micro Filter" (TmFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmXPFlt.sys
"Trend Micro PreFilter" (TmPreFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmPreFlt.sys
"Trend Micro VSAPI NT" (VSApiNt) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\VSApiNt.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys  (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll
{CD00020A-8B95-11D1-82DB-00C04FB1625D} "Microsoft PKM KnowledgePluggable Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\pkmcdo.dll
{9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} "Quest RevNet Protocol" - ? - C:\PROGRA~1\QUESTS~1\SQLNAV~1\RNetPin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - D:\Programme\7-Zip\7-zip.dll
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "Acrobat Elements Context Menu" - "Adobe Systems Inc." - D:\Programme\Adobe Acrobat\Acrobat Elements\ContextMenu.dll
{D66DC78C-4F61-447F-942B-3FB6980118CF} "CInfoTipShellExt Class" - "Microsoft Corporation" - D:\Programme\Microsoft Office\Visio10\VisShe.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll  (File not found)
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? -  (File not found | COM-object registry key not found)
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} "ImageExtractorShellExt Class" - "Microsoft Corporation" - D:\Programme\Microsoft Office\Visio10\VisShe.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? -  (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - D:\Programme\Microsoft Office\OFFICE11\msohev.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL
{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - D:\Nero\Nero 9\Nero CoverDesigner\CoverEdExtension.dll
{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? -  (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL
{E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
InCDShellExt extension "{CAE3251E-9B15-4810-B268-852AD9792A59}" - ? -  (File not found | COM-object registry key not found)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
ITBar7Height "ITBar7Height" - ? -  (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? -  (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? -  (File not found | COM-object registry key not found)
<binary data> "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{4FDF3696-5078-4952-868C-CEEB9683B8C4} "DownloadFile Control" - ? - C:\WINDOWS\DOWNLO~1\Download.ocx / hxxp://192.168.10.31/cab/DownloadFile.cab
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} "Java Plug-in 1.5.0" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / https://st-entw1:2607/jre-1_5_0_06-windows-i586-p.exe
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{7D30109B-DD2B-4339-BE80-1CD48723C2BC} "LiveX(v6.0.1.0)" - ? - C:\WINDOWS\DOWNLO~1\LiveX.ocx / hxxp://192.168.10.31/cab/Live.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{182EC0BE-5110-49C8-A062-BEB1D02A220B} "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "ClsidExtension" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
"Knowledge Base" - ? - hxxp://support.microsoft.com/  (HTTP value)
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
<binary data> "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{AE7CD045-E861-484f-8273-0445EE161910} "AcroIEToolbarHelper Class" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{56CF4856-ECB4-4e46-A897-A378821F97B9} "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "SSVHelper Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

[LSA Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )-----
"Authentication packages" - "Acronis" - C:\WINDOWS\system32\relog_ap.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Acrobat - Schnellstart.lnk" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\acrobat_sl.exe  (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\xxxa.STW\Startmenü\Programme\Autostart\desktop.ini
"Microsoft Office Outlook 2003.lnk" - "Microsoft Corporation" - D:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE  (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"SpybotSD TeaTimer" - "Safer Networking Limited" - D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Acrobat Assistant 7.0" - "Adobe Systems Inc." - "D:\Programme\Adobe Acrobat\Distillr\Acrotray.exe"
"Acronis Scheduler2 Service" - "Acronis" - "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
"bgsmsnd.exe" - "Broadgun Software" - C:\WINDOWS\system32\bgsmsnd.exe
"OfficeScanNT Monitor" - "Trend Micro Inc." - "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
"OSSelectorReinstall" - ? - C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe  (File found, but it contains no detailed information)
"Pfannenupdate" - "Georgsmarienhuette GmbH" - c:\Programme\PFANNEN\Pfannen_Update.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
"TrueImageMonitor.exe" - "Acronis" - D:\Programme\Acronis\True Image 9.0\TrueImageMonitor.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Adobe PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\system32\AdobePDF.dll
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"pcAnywhere Remote Printing" - "Symantec Corporation" - C:\WINDOWS\system32\awmon.dll
"PDF Port Monitor" - ? - C:\WINDOWS\system32\bgspmnt.dll  (File found, but it contains no detailed information)

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Acronis Scheduler2 Service" (AcrSch2Svc) - "Acronis" - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
"Adobe LM Service" (Adobe LM Service) - "Adobe Systems" - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Config Universal" (tgtfckks) - ? - C:\WINDOWS\system32\dlzlnti.dll  (Hidden registry entry, rootkit activity | File found, but it contains no detailed information)
"Machine Debug Manager" (MDM) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
"Nero BackItUp Scheduler 4.0" (Nero BackItUp Scheduler 4.0) - "Nero AG" - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
"NMSAccessU" (NMSAccessU) - ? - D:\Programme\CDBurnerXP\NMSAccessU.exe  (File found, but it contains no detailed information)
"NWC Service" (NWC_Service) - ? - C:\NWC\NWC_SERVICE.EXE  (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"OfficeScan NT Listener" (tmlisten) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
"OfficeScan NT Proxy Service" (TmProxy) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe
"OfficeScanNT RealTime Scan" (ntrtscan) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
"pcAnywhere Host-Modul" (awhost32) - "Symantec Corporation" - D:\Programme\Symantec\PCAnywhere\awhost32.exe
"Pml Driver HPZ12" (Pml Driver HPZ12) - "Hewlett-Packard" - C:\WINDOWS\system32\hpzipm12.dll
"SolidWorks Licensing Service" (SolidWorks Licensing Service) - "SolidWorks" - C:\Programme\Gemeinsame Dateien\SolidWorks Shared\Service\SolidWorksLicensing.exe
"SQL Server (SQLEXPRESS)" (MSSQL$SQLEXPRESS) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
(Disabled) "MVB" - ? - mvfs32.dll  (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"PCANotify" - "Symantec Corporation" - C:\WINDOWS\system32\PCANotify.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Regards
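
As an added example (not code from this thread, from OSAM or from Avenger), here is a small Python triage script for OSAM-style log lines like the ones posted above. It splits each entry into prefix, display name, service key, vendor, path and OSAM's trailing flags, then ranks the entries the way a responder reads such a log: hidden registry entries first (the "Config Universal" / tgtfckks service), binaries under system32 with no version information next, orphaned "File not found" entries last. The line grammar is inferred from the log above, the field names and severity rules are this example's own assumptions, and the sample lines are copied from that log.

```python
"""OSAM log triage (added example; not code from this thread, OSAM or Avenger).

OSAM prints one entry per line as
    <prefix> "Display name" (ServiceKey) - "Vendor" - <path>  (<flag> | <flag>)
with "?" as vendor when the file has no version info and an optional flag list
after two or more spaces.  Grammar inferred from the thread's log; field names
and severity rules are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# First quoted string is the display name; anything before it (a CLSID,
# "<binary data>", "(Disabled)", ...) is kept as an opaque prefix.
_NAME_RE = re.compile(r'^(?P<prefix>[^"]*)"(?P<name>[^"]*)"')
# After the name: optional (ServiceKey), then " - vendor - path".
_REST_RE = re.compile(
    r'^(?:\s*\((?P<key>[^)]*)\))?\s+-\s+(?P<vendor>"[^"]*"|\?)\s+-\s*(?P<path>.*)$'
)
# OSAM's annotations: two or more spaces, then a parenthesised "a | b" list.
_FLAGS_RE = re.compile(r'\s{2,}\((?P<flags>[^()]*)\)\s*$')

# Sample input: lines copied from the OSAM log posted in this thread.
SAMPLE_LOG = [
    r'-----( HKLM\SYSTEM\CurrentControlSet\Services )-----',
    r'"Config Universal" (tgtfckks) - ? - C:\WINDOWS\system32\dlzlnti.dll  (Hidden registry entry, rootkit activity | File found, but it contains no detailed information)',
    r'"OfficeScan NT Listener" (tmlisten) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe',
    r'"NMSAccessU" (NMSAccessU) - ? - D:\Programme\CDBurnerXP\NMSAccessU.exe  (File found, but it contains no detailed information)',
    r'"PDF Port Monitor" - ? - C:\WINDOWS\system32\bgspmnt.dll  (File found, but it contains no detailed information)',
    r'"SpybotSD TeaTimer" - "Safer Networking Limited" - D:\Programme\Spybot - Search & Destroy\TeaTimer.exe',
    r'"Adobe Acrobat - Schnellstart.lnk" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\acrobat_sl.exe  (Shortcut exists | File exists)',
    r'(Disabled) "MVB" - ? - mvfs32.dll  (File not found)',
    r'<binary data> "ITBar7Layout" - ? -  (File not found | COM-object registry key not found)',
]


@dataclass
class Entry:
    prefix: str
    name: str
    key: str | None          # service/driver key, e.g. tgtfckks
    vendor: str | None       # None when OSAM printed "?"
    path: str
    flags: list[str] = field(default_factory=list)


@dataclass
class Finding:
    severity: str            # "high", "medium" or "low"
    entry: Entry
    reason: str


def parse_osam_line(line: str) -> Entry | None:
    """Parse one OSAM entry line; None for section headers and blank lines."""
    line = line.rstrip()
    flags: list[str] = []
    fm = _FLAGS_RE.search(line)
    if fm:
        flags = [f.strip() for f in fm.group("flags").split("|")]
        line = line[: fm.start()]
    nm = _NAME_RE.match(line)
    rm = _REST_RE.match(line[nm.end():]) if nm else None
    if not nm or not rm:
        return None
    vendor = rm.group("vendor")
    return Entry(
        prefix=nm.group("prefix").strip(),
        name=nm.group("name"),
        key=rm.group("key"),
        vendor=None if vendor == "?" else vendor.strip('"'),
        path=rm.group("path").strip(),
        flags=flags,
    )


def triage(lines) -> list[Finding]:
    """Rank entries: rootkit tells first, unknown binaries in system32 next,
    orphaned entries last; everything else is left for manual review."""
    findings: list[Finding] = []
    for raw in lines:
        e = parse_osam_line(raw)
        if e is None:
            continue
        flag_text = " | ".join(e.flags).lower()
        path = e.path.lower()
        if "hidden registry entry" in flag_text:
            # A key hidden from the Win32 registry API but found by the tool
            # anyway: the rootkit tell on the tgtfckks service in this thread.
            findings.append(Finding("high", e, "hidden registry entry, rootkit activity"))
        elif e.vendor is None and "\\system32\\" in path and path.endswith((".dll", ".sys", ".exe")):
            findings.append(Finding("medium", e, "binary under system32 without version info"))
        elif "file not found" in flag_text:
            findings.append(Finding("low", e, "orphaned entry, target file missing"))
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: rank[f.severity])  # stable: log order kept per level
    return findings
```

The service key in parentheses is kept apart from the display name because it, not the display name, is what a removal script and a service listing on the other machines have to be checked against.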

cosinus 27.04.2010 13:35

Please run Avenger:

1.) Download Avenger from here:
Swandog46's Public Anti-Malware Tools (Download, on the left-hand side)

2.) Unpack the zip archive and run the file "avenger.exe" (on Vista: right-click => Run as administrator). Set the checkboxes at the bottom as shown in the picture:

http://mitglied.lycos.de/efunction/tb123/avenger.png

3.) Copy exactly the lines from the following code box:
Code:

files to delete:
C:\WINDOWS\system32\dlzlnti.dll

drivers to delete:
tgtfckks

4.) In "The Avenger", now go to "Load Script" at the top, then to "Paste from Clipboard".

5.) The code text from my post should now be visible under "Input Script here" in "The Avenger".

6.) If so, click "Execute" at the bottom right. Confirm the next prompt with "Yes", and the "Reboot now" question (system restart) likewise.

7.) After the restart, Avenger will display a log file. Copy its contents and post it here.

8.) Upload the file c:\avenger\backup.zip to file-upload.net and link it here

Snewi 27.04.2010 13:56

Log:

Code:

Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\dlzlnti.dll" deleted successfully.
Driver "tgtfckks" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

File:
hxxp://www.file-upload.net/download-2469778/backup.zip.html

Regards

cosinus 27.04.2010 14:34

Does the alert still appear? As a check, please make a new log with GMER and post it.

Snewi 30.04.2010 06:40

Good morning,

here is the current log:

Code:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-30 07:04:41
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOKUME~1\xxx\LOKALE~1\Temp\pfryqaoc.sys


---- Kernel code sections - GMER 1.0.15 ----

?              olxvh.sys                                                                                                                                Das System kann die angegebene Datei nicht finden. !
init            C:\WINDOWS\system32\drivers\senfilt.sys                                                                                                  entry point in "init" section [0xB98C3F80]
.text          C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                                                                  section is writeable [0xA8628000, 0x328BA, 0xE8000020]
.pklstb        C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                                                                  entry point in ".pklstb" section [0xA866C000]
.relo2          C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                                                                  unknown last section [0xA8688000, 0x8E, 0x42000040]

---- User code sections - GMER 1.0.15 ----

.text          C:\Programme\Internet Explorer\iexplore.exe[2596] USER32.dll!CreateWindowExW                                                              77D21AD5 5 Bytes  JMP 4126DAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2596] USER32.dll!DialogBoxParamW                                                              77D26702 5 Bytes  JMP 41195505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2596] USER32.dll!DialogBoxParamA                                                              77D288E1 5 Bytes  JMP 413646DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2596] USER32.dll!DialogBoxIndirectParamW                                                      77D32598 5 Bytes  JMP 4136473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2596] USER32.dll!MessageBoxIndirectA                                                          77D3AEF1 5 Bytes  JMP 41364671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2596] USER32.dll!MessageBoxExW                                                                77D50559 5 Bytes  JMP 41364542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2596] USER32.dll!MessageBoxExA                                                                77D5057D 5 Bytes  JMP 413645A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2596] USER32.dll!DialogBoxIndirectParamA                                                      77D56CED 5 Bytes  JMP 413647A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2596] USER32.dll!MessageBoxIndirectW                                                          77D660B7 5 Bytes  JMP 41364606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!CallNextHookEx                                                              77D1ED6E 5 Bytes  JMP 4125D101 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!CreateWindowExW                                                              77D21AD5 5 Bytes  JMP 4126DAC4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!DialogBoxParamW                                                              77D26702 5 Bytes  JMP 41195505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!DialogBoxParamA                                                              77D288E1 5 Bytes  JMP 413646DC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!DialogBoxIndirectParamW                                                      77D32598 5 Bytes  JMP 4136473F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!MessageBoxIndirectA                                                          77D3AEF1 5 Bytes  JMP 41364671 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!SetWindowsHookExW                                                            77D3E621 5 Bytes  JMP 41269A75 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!UnhookWindowsHookEx                                                          77D3F29F 5 Bytes  JMP 411D466E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!MessageBoxExW                                                                77D50559 5 Bytes  JMP 41364542 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!MessageBoxExA                                                                77D5057D 5 Bytes  JMP 413645A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!DialogBoxIndirectParamA                                                      77D56CED 5 Bytes  JMP 413647A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] USER32.dll!MessageBoxIndirectW                                                          77D660B7 5 Bytes  JMP 41364606 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] ole32.dll!OleLoadFromStream                                                            774E8C62 5 Bytes  JMP 41364AA7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text          C:\Programme\Internet Explorer\iexplore.exe[2776] ole32.dll!CoCreateInstance                                                              774F6009 5 Bytes  JMP 4126DB20 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT            C:\Programme\Internet Explorer\iexplore.exe[2776] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]                          [451F1ACB] C:\Programme\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                    TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                  tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                                                                    snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                                                                    snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                                                                    snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                              tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                                  TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Threads - GMER 1.0.15 ----

Thread          System [4:1036]                                                                                                                          A8825037
Thread          System [4:1040]                                                                                                                          A8825037
Thread          System [4:1044]                                                                                                                          A8825037
Thread          System [4:1048]                                                                                                                          A8825460
Thread          System [4:1052]                                                                                                                          A86B96D4
Thread          System [4:1056]                                                                                                                          A86B96D4
Thread          System [4:1060]                                                                                                                          A86B96D4
Thread          System [4:1064]                                                                                                                          A86B9C32
Thread          System [4:500]                                                                                                                            A7FEA0E2
Thread          System [4:504]                                                                                                                            A7FEA0E2
Thread          System [4:508]                                                                                                                            A7FEA0E2
Thread          System [4:512]                                                                                                                            A7FEA0E2
Thread          System [4:516]                                                                                                                            A7FEA0E2
Thread          System [4:520]                                                                                                                            A7FEA0E2
Thread          System [4:524]                                                                                                                            A7FEA0E2
Thread          System [4:528]                                                                                                                            A7FEA0E2
Thread          System [4:532]                                                                                                                            A7FEA0E2
Thread          System [4:1192]                                                                                                                          A86BC80E
Thread          System [4:1300]                                                                                                                          A86BC794
Thread          System [4:1304]                                                                                                                          A86BC794
Thread          System [4:1308]                                                                                                                          A86BC794
Thread          System [4:1256]                                                                                                                          A86BC794
Thread          System [4:1316]                                                                                                                          A86BC794
Thread          System [4:1320]                                                                                                                          A86BC794
Thread          System [4:1328]                                                                                                                          A86BC794
Thread          System [4:1332]                                                                                                                          A86BC794
Thread          System [4:1336]                                                                                                                          A86BC794

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA3301004F7706000000000020\Usage@PDFMakerForIE  1016796176
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32@Class                                                  0x8C 0x87 0x5C 0x85 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32@Class                                                  0xEF 0xFC 0xDA 0x4C ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32@Class                                                  0x11 0x8E 0xB4 0xC6 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32@Class                                                  0x06 0xC0 0xA7 0x84 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32@Class                                                  0x0D 0xD8 0xD0 0xDC ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32@Class                                                  0xE1 0x62 0x26 0x42 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32@Class                                                  0x32 0xD0 0x64 0x76 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32@Class                                                  0x67 0xCF 0x1B 0x7A ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32@Class                                                  0x85 0xC4 0x93 0x0E ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32@Class                                                  0x7F 0xEC 0x7B 0x87 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32@Class                                                  0x95 0xA6 0x39 0xC9 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32@Class                                                  0x43 0xB9 0x8E 0x70 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32@Class                                                  0x71 0xCE 0x04 0x64 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32                                                       
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32@Class                                                  0x10 0xBB 0xE2 0x52 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32@ThreadingModel                                          Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32@                                                        C:\WINDOWS\system32\OLE32.DLL
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit@FindFlags                                                                  14
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites                                                                 

---- EOF - GMER 1.0.15 ----



How should I basically proceed on the other systems now?

Regards


The virus scanner has just flagged dlzlnti.dll again; I'm running another scan with GMER!!!!

Snewi 30.04.2010 07:56

Here is the current log:

Code:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-30 08:44:45
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOKUME~1\xxx\LOKALE~1\Temp\pfryqaoc.sys


---- Kernel code sections - GMER 1.0.15 ----

init            C:\WINDOWS\system32\drivers\senfilt.sys                                                          entry point in "init" section [0xB98A0F80]
.text          C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                          section is writeable [0xA862D000, 0x328BA, 0xE8000020]
.pklstb        C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                          entry point in ".pklstb" section [0xA8671000]
.relo2          C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                          unknown last section [0xA868D000, 0x8E, 0x42000040]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                            TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                          tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                        tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                            snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                            snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                            snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                        tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                      tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                          TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SYSTEM\ControlSet003\Services\csdsbg@DisplayName                                            bvcmk
Reg            HKLM\SYSTEM\ControlSet003\Services\csdsbg@Type                                                    32
Reg            HKLM\SYSTEM\ControlSet003\Services\csdsbg@Start                                                  2
Reg            HKLM\SYSTEM\ControlSet003\Services\csdsbg@ErrorControl                                            0
Reg            HKLM\SYSTEM\ControlSet003\Services\csdsbg@ImagePath                                              %SystemRoot%\system32\svchost.exe -k netsvcs
Reg            HKLM\SYSTEM\ControlSet003\Services\csdsbg@ObjectName                                              LocalSystem
Reg            HKLM\SYSTEM\ControlSet003\Services\csdsbg@Description                                            Transportiert E-Mail ?ber das Netzwerk
Reg            HKLM\SYSTEM\ControlSet003\Services\csdsbg\Parameters (not active ControlSet)                     
Reg            HKLM\SYSTEM\ControlSet003\Services\csdsbg\Parameters@ServiceDll                                  C:\WINDOWS\system32\dlzlnti.dll
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32@Class          0x8C 0x87 0x5C 0x85 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32@Class          0xEF 0xFC 0xDA 0x4C ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-184a-50b6-2c78fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32@Class          0x11 0x8E 0xB4 0xC6 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32@Class          0x06 0xC0 0xA7 0x84 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-2fc9-b4bb-1ac9fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32@Class          0x0D 0xD8 0xD0 0xDC ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32@Class          0xE1 0x62 0x26 0x42 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-3ad1-9ddf-e8a8fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32@Class          0x32 0xD0 0x64 0x76 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32@Class          0x67 0xCF 0x1B 0x7A ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-49a9-aa06-6539fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32@Class          0x85 0xC4 0x93 0x0E ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32@Class          0x7F 0xEC 0x7B 0x87 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-c0d0-3304-515dfa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32@Class          0x95 0xA6 0x39 0xC9 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32@Class          0x43 0xB9 0x8E 0x70 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-e005-787e-4b91fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32@Class          0x71 0xCE 0x04 0x64 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa5d8d9f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32               
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32@Class          0x10 0xBB 0xE2 0x52 ...
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32@ThreadingModel  Apartment
Reg            HKLM\SOFTWARE\Classes\CLSID\{C09C5BC9-8988-ea61-1640-31a6fa79961f}\InprocServer32@                C:\WINDOWS\system32\OLE32.DLL
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit@FindFlags                          14
Reg            HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites                         

---- EOF - GMER 1.0.15 ----

Regards

Snewi 30.04.2010 11:10

Here is another log from a different client

Code:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-30 11:14:01
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\ufdyypog.sys


---- Kernel code sections - GMER 1.0.15 ----

init            C:\WINDOWS\system32\drivers\Senfilt.sys                                        entry point in "init" section [0xA9EDCA00]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                          TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                        tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                      tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                      tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                    tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SYSTEM\ControlSet002\Services\oznekhc@DisplayName                          Update Windows
Reg            HKLM\SYSTEM\ControlSet002\Services\oznekhc@Type                                32
Reg            HKLM\SYSTEM\ControlSet002\Services\oznekhc@Start                                2
Reg            HKLM\SYSTEM\ControlSet002\Services\oznekhc@ErrorControl                        0
Reg            HKLM\SYSTEM\ControlSet002\Services\oznekhc@ImagePath                            %SystemRoot%\system32\svchost.exe -k netsvcs
Reg            HKLM\SYSTEM\ControlSet002\Services\oznekhc@ObjectName                          LocalSystem
Reg            HKLM\SYSTEM\ControlSet002\Services\oznekhc@Description                          Erm?glicht Windows-basierten Programmen, Internet-basierte Dateien zu erstellen, darauf zuzugreifen und sie zu ver?ndern. Wenn dieser Dienst beendet wird, werden diese Funktionen nicht mehr zur Verf?gung stehen. Wenn dieser Dienst deaktiviert wird, werden alle von diesem Dienst explizit abh?ngigen Dienste nicht gestartet werden k?nnen.
Reg            HKLM\SYSTEM\ControlSet002\Services\oznekhc\Parameters (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet002\Services\oznekhc\Parameters@ServiceDll                C:\Programme\Internet Explorer\mepibcf.dll
Reg            HKLM\SYSTEM\ControlSet002\Services\yjanvurt@DisplayName                        Update Universal
Reg            HKLM\SYSTEM\ControlSet002\Services\yjanvurt@Type                                32
Reg            HKLM\SYSTEM\ControlSet002\Services\yjanvurt@Start                              2
Reg            HKLM\SYSTEM\ControlSet002\Services\yjanvurt@ErrorControl                        0
Reg            HKLM\SYSTEM\ControlSet002\Services\yjanvurt@ImagePath                          %SystemRoot%\system32\svchost.exe -k netsvcs
Reg            HKLM\SYSTEM\ControlSet002\Services\yjanvurt@ObjectName                          LocalSystem
Reg            HKLM\SYSTEM\ControlSet002\Services\yjanvurt@Description                        Stellt die Designverwaltung zur Verf?gung.
Reg            HKLM\SYSTEM\ControlSet002\Services\yjanvurt\Parameters (not active ControlSet) 
Reg            HKLM\SYSTEM\ControlSet002\Services\yjanvurt\Parameters@ServiceDll              C:\WINDOWS\system32\mepibcf.dll

---- EOF - GMER 1.0.15 ----

Is there perhaps a procedure I could now work through on all the machines?

Regards

cosinus 30.04.2010 13:49

Quote:

Is there perhaps a procedure I could now work through on all the machines?
Nope, there isn't one as such. In the last GMER section I see a (hidden?) service

Quote:

eg HKLM\SYSTEM\ControlSet002\Services\oznekhc\Parameters@ServiceDll C:\Programme\Internet Explorer\mepibcf.dll
Reg HKLM\SYSTEM\ControlSet002\Services\yjanvurt@DisplayName Update Universal
And the thing apparently has a different name on every client. Besides, there is no guarantee that the problem is fixed if you, for example, delete this service or these services with the Avenger.

You have to feed the Avenger a script like this (dienstname is the name of the malicious service, e.g. the ones printed in bold red above)
And if it isn't in CurrentControlSet, you should delete the others too via registry keys to delete
And if necessary also delete the linked files, e.g. C:\Programme\Internet Explorer\mepibcf.dll, which is registered there as the service DLL

Code:

drivers to delete:
dienstname1
dienstname1.sys
dienstname2
dienstname2.sys

registry keys to delete:
HKLM\SYSTEM\ControlSet002\Services\dienstname1
HKLM\SYSTEM\ControlSet002\Services\dienstname2

files to delete:
C:\Programme\Internet Explorer\mepibcf.dll


But I would no longer call this a cleanup that requires little effort. I would set up one machine from scratch with a base installation, create an image and roll it out to all the other machines.
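
The checks cosinus walks through by hand above (a service with a random name that runs under svchost.exe -k netsvcs, its ServiceDll, and the copies in the non-active control sets) can be turned into a defender's log check. The following Python is an added example, not code from this thread, from GMER or from the Avenger: it parses GMER "Reg" lines, flags svchost-hosted services that are not on a netsvcs allowlist or whose DLL lives outside system32, and groups the hits by DLL file name so that one DLL registered under several random service names (csdsbg and zxfznlr both pointing at dlzlnti.dll in the logs of this thread) shows up together. The sample lines are constructed from the logs posted in this thread, and KNOWN_NETSVCS is an assumed short allowlist.

```python
import re
from collections import defaultdict

# Matches GMER "Reg" lines of the shape
#   Reg   HKLM\SYSTEM\<ControlSet>\Services\<name>[\Parameters]@<ValueName>   <data>
REG_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?:\\Parameters)?@(?P<value>\w+)\s+(?P<data>.*?)\s*$"
)

# Assumed allowlist of services that legitimately run in the netsvcs group.
# On a real host, read the authoritative list from the registry value
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs instead.
KNOWN_NETSVCS = {"bits", "wuauserv", "schedule", "browser", "lanmanserver", "themes"}

# Constructed sample, modelled on the GMER logs posted in this thread
# (column spacing shortened); service and DLL names are the ones from the logs.
SAMPLE_GMER = r"""
Reg  HKLM\SYSTEM\ControlSet003\Services\csdsbg@DisplayName  bvcmk
Reg  HKLM\SYSTEM\ControlSet003\Services\csdsbg@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet003\Services\csdsbg\Parameters (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\csdsbg\Parameters@ServiceDll  C:\WINDOWS\system32\dlzlnti.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr@DisplayName  Monitor Manager
Reg  HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr\Parameters@ServiceDll  C:\WINDOWS\system32\dlzlnti.dll
Reg  HKLM\SYSTEM\ControlSet002\Services\oznekhc@DisplayName  Update Windows
Reg  HKLM\SYSTEM\ControlSet002\Services\oznekhc@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\oznekhc\Parameters@ServiceDll  C:\Programme\Internet Explorer\mepibcf.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BITS\Parameters@ServiceDll  %SystemRoot%\system32\qmgr.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip@ImagePath  system32\DRIVERS\tcpip.sys
"""


def parse_services(text):
    """Return {(control_set, service_name): {value_name: data}} from GMER Reg lines.

    Lines without an "@ValueName" part (e.g. the bare "\\Parameters (not active
    ControlSet)" lines) carry no data and are skipped.
    """
    services = defaultdict(dict)
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            services[(m["cs"], m["svc"])][m["value"]] = m["data"]
    return services


def find_suspicious_services(text):
    """Flag svchost-hosted services that look like the ones in this thread.

    Two indicators are checked: the service name is not a known netsvcs
    member (Conficker-style random names), and the ServiceDll is outside
    system32 (e.g. C:\\Programme\\Internet Explorer\\mepibcf.dll).
    """
    findings = []
    for (cs, svc), vals in sorted(parse_services(text).items()):
        image = vals.get("ImagePath", "").lower()
        dll = vals.get("ServiceDll")
        if "svchost.exe" not in image or not dll:
            continue  # only services hosted by svchost.exe are of interest here
        reasons = []
        if svc.lower() not in KNOWN_NETSVCS:
            reasons.append("service name not in the known netsvcs list")
        dll_dir = dll.rsplit("\\", 1)[0].lower()
        if not dll_dir.endswith("system32"):
            reasons.append("ServiceDll outside system32")
        if reasons:
            findings.append({"control_set": cs, "service": svc, "dll": dll, "reasons": reasons})
    return findings


def dll_aliases(findings):
    """Group flagged service names by DLL file name, so that one DLL registered
    under several service names (in several control sets) is visible at a glance."""
    by_dll = defaultdict(set)
    for f in findings:
        by_dll[f["dll"].rsplit("\\", 1)[-1].lower()].add(f["service"])
    return {dll: sorted(names) for dll, names in by_dll.items()}


if __name__ == "__main__":
    hits = find_suspicious_services(SAMPLE_GMER)
    for h in hits:
        print(f'{h["control_set"]}\\{h["service"]}: {h["dll"]} ({"; ".join(h["reasons"])})')
    for dll, names in dll_aliases(hits).items():
        print(f"{dll} is registered as: {', '.join(names)}")
```

Every control set that still carries such an entry is listed separately, which is the reason cosinus adds the non-active ControlSet keys to the Avenger script as well.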

Snewi 03.05.2010 06:57

Good morning,

as I said, an image alone wouldn't do it! Is the Avenger the only way, if any, to get rid of the virus?

Regards

cosinus 03.05.2010 07:14

Quote:

as I said, an image alone wouldn't do it!
That's why I was talking about a base image. Roll that out to the machines and make adjustments where needed.

Quote:

Is the Avenger the only way, if any, to get rid of the virus?
Nope, nobody said that. But the Avenger is quite good at deleting (locked) malicious objects. If you don't want that, you can try your luck with a current rescue CD. None of this is a guarantee that the system is free of malware, let alone trustworthy, though; for that a format c: is necessary.

Snewi 03.05.2010 07:26

Ok, I'll try it, and what about Windows 2003 Server?

Ok, so if not the Avenger then a rescue CD, and what else?
What is the problem here if the service name (in the registry) is different after every reboot but the .dll is the same?
The .dll can't be deleted with the Avenger! What does that have to do with svchost.exe?

Log
Code:

Logfile of The Avenger Version 2.0, (c) by Swandog46
hxxp://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "csdsbg" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet003\Services\csdsbg" deleted successfully.

Error:  file "C:\WINDOWS\system32\dlzlnti.dll" not found!
Deletion of file "C:\WINDOWS\system32\dlzlnti.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-05-03 08:28:21
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOKUME~1\schoenea.STW\LOKALE~1\Temp\pfryqaoc.sys


---- Kernel code sections - GMER 1.0.15 ----

init            C:\WINDOWS\system32\drivers\senfilt.sys                                                          entry point in "init" section [0xB9620F80]
.text          C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                          section is writeable [0xA8385000, 0x328BA, 0xE8000020]
.pklstb        C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                          entry point in ".pklstb" section [0xA83C9000]
.relo2          C:\WINDOWS\system32\drivers\ACEDRV07.sys                                                          unknown last section [0xA83E5000, 0x8E, 0x42000040]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                            TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                          tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                        tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1                                                            snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2                                                            snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3                                                            snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                        tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                      tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                          TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Services - GMER 1.0.15 ----

Service        C:\WINDOWS\system32\svchost.exe (*** hidden *** )                                                [AUTO] zxfznlr                                                                                                                                                            <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr@DisplayName                                        Monitor Manager
Reg            HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr@Type                                              32
Reg            HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr@Start                                              2
Reg            HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr@ErrorControl                                      0
Reg            HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr@ImagePath                                          %SystemRoot%\system32\svchost.exe -k netsvcs
Reg            HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr@ObjectName                                        LocalSystem
Reg            HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr@Description                                        Erm?glicht die Ansicht von Ereignisprotokollmeldungen von Windows-basierten Programmen und Komponenten in der Ereignisanzeige. Dieser Dienst kann nicht beendet werden.
Reg            HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr\Parameters                                       
Reg            HKLM\SYSTEM\CurrentControlSet\Services\zxfznlr\Parameters@ServiceDll                              C:\WINDOWS\system32\dlzlnti.dll
Reg            HKLM\SYSTEM\ControlSet003\Services\zxfznlr@DisplayName                                            Monitor Manager
Reg            HKLM\SYSTEM\ControlSet003\Services\zxfznlr@Type                                                  32
Reg            HKLM\SYSTEM\ControlSet003\Services\zxfznlr@Start                                                  2
Reg            HKLM\SYSTEM\ControlSet003\Services\zxfznlr@ErrorControl                                          0
Reg            HKLM\SYSTEM\ControlSet003\Services\zxfznlr@ImagePath                                              %SystemRoot%\system32\svchost.exe -k netsvcs
Reg            HKLM\SYSTEM\ControlSet003\Services\zxfznlr@ObjectName                                            LocalSystem
Reg            HKLM\SYSTEM\ControlSet003\Services\zxfznlr@Description                                            Erm?glicht die Ansicht von Ereignisprotokollmeldungen von Windows-basierten Programmen und Komponenten in der Ereignisanzeige. Dieser Dienst kann nicht beendet werden.
Reg            HKLM\SYSTEM\ControlSet003\Services\zxfznlr\Parameters (not active ControlSet)                   
Reg            HKLM\SYSTEM\ControlSet003\Services\zxfznlr\Parameters@ServiceDll                                  C:\WINDOWS\system32\dlzlnti.dll

Regards

cosinus 03.05.2010 08:43

Quote:

The .dll can't be deleted with the Avenger! What does that have to do with svchost.exe?
Since when have you been an admin? One should have a rough idea of what svchost.exe does...
Get yourself a live CD of a Linux distro (desktop install, e.g. Ubuntu or PartedMagic), boot the infected PC and delete the file C:\WINDOWS\system32\dlzlnti.dll - under Linux the path should be /media/[name of the C partition]/WINDOWS/system32/dlzlnti.dll, since Linux has no drive letters.

Snewi 03.05.2010 09:11

Maybe I put it badly; what svchost.exe does is clear, but is the .dll started along with this service, and why is that so! You are the virus expert here, aren't you :sword2:


previous post:
Quote:

Error: file "C:\WINDOWS\system32\dlzlnti.dll" not found!
Deletion of file "C:\WINDOWS\system32\dlzlnti.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Regards

Snewi 03.05.2010 09:58

I'll try once more with OTLPE; if that doesn't help I'll get started on the image :-)

Does it help to avoid catching something like this in future if the machine is up to date in terms of updates and virus signatures, or do other precautions have to be taken?

Regards

cosinus 03.05.2010 11:58

Quote:

Does it help to avoid catching something like this in future if the machine is up to date in terms of updates and virus signatures, or do other precautions have to be taken?
Backups? Restricted privileges? To name just two things...

Snewi 04.05.2010 07:42

Hmm, the OTLPE approach doesn't work; the PC boots, but I can't select the OTLPE application!

- not a WIN32 application :confused:

Regards

cosinus 04.05.2010 07:49

Then it gets difficult to impossible.
You've been messing around with this for 2 weeks now; in that time one could easily have set up one box from scratch and created the "base image"! :rolleyes:

Snewi 04.05.2010 09:19

I'll venture one more attempt :)

I found another file and had it analysed at VirusTotal:

File dlz received 2010.05.04 08:01:01 (UTC)
Antivirus  Version  Last update  Result
a-squared 4.5.0.50 2010.05.04 -
AhnLab-V3 2010.05.04.00 2010.05.04 -
AntiVir 8.2.1.224 2010.05.03 TR/Drop.Softomat.AN
Antiy-AVL 2.0.3.7 2010.04.30 -
Authentium 5.2.0.5 2010.05.04 -
Avast 4.8.1351.0 2010.05.04 -
Avast5 5.0.332.0 2010.05.04 -
AVG 9.0.0.787 2010.05.03 -
BitDefender 7.2 2010.05.04 -
CAT-QuickHeal 10.00 2010.05.03 -
ClamAV 0.96.0.3-git 2010.05.04 -
Comodo 4758 2010.05.04 -
DrWeb 5.0.2.03300 2010.05.04 -
eSafe 7.0.17.0 2010.05.03 -
eTrust-Vet 35.2.7467 2010.05.04 Win32/Conficker
F-Prot 4.5.1.85 2010.05.03 -
F-Secure 9.0.15370.0 2010.05.04 Worm:W32/Downadup.EX
Fortinet 4.0.14.0 2010.05.03 -
GData 21 2010.05.04 -
Ikarus T3.1.1.80.0 2010.05.04 -
Jiangmin 13.0.900 2010.05.04 -
Kaspersky 7.0.0.125 2010.05.04 -
McAfee 5.400.0.1158 2010.05.04 -
McAfee-GW-Edition 6.8.5 2010.05.04 Trojan.Drop.Softomat.AN
Microsoft 1.5703 2010.05.04 -
NOD32 5083 2010.05.03 -
Norman 6.04.12 2010.05.03 -
nProtect 2010-05-04.01 2010.05.04 -
Panda 10.0.2.7 2010.05.03 -
PCTools 7.0.3.5 2010.05.04 -
Prevx 3.0 2010.05.04 -
Rising 22.46.01.01 2010.05.04 -
Sophos 4.53.0 2010.05.04 Mal/Conficker-A
Sunbelt 6258 2010.05.04 -
Symantec 20091.2.0.41 2010.05.04 -
TheHacker 6.5.2.0.275 2010.05.03 W32/Kido.gj
TrendMicro 9.120.0.1004 2010.05.04 -
VBA32 3.12.12.4 2010.05.03 -
ViRobot 2010.5.3.2301 2010.05.04 -
VirusBuster 5.0.27.0 2010.05.03 -

Additional information
File size: 159140 bytes
MD5: 7642c4fa5f55269b3d1664e303cef72b
SHA1: 674511b36e55faafad8732ec62284a050e184fd7
SHA256: 1a2a971621ad653aea59ac341a520af6792790cf54394d16036055a46e4c7e03
TrID: File type identification
  VXD Driver (81.5%)
  Autodesk FLIC Image File (extensions: flc, fli, cel) (18.4%)
ssdeep: 3072:ktORhCkTeLvh+9j2oE2oG8maiOihpZ+MvyZXOgwWzrr6c:AORhCkf6qzaiOEpzvKwTc
sigcheck: publisher: n/a, copyright: n/a, product: n/a, description: n/a, original name: n/a, internal name: n/a, file version: n/a, comments: n/a, signers: -, signing date: -, verified: Unsigned
PEiD: -
RDS: NSRL Reference Data Set: -


Regards

cosinus 04.05.2010 09:30

I would have stopped tinkering around. One box you can just about clean up, but at 15 the fun stops, especially because there is no universally valid way that is the same for all machines.

Snewi 04.05.2010 09:54

It'll all be fine; I'd at least like to get my PC cleaned up without reinstalling!
So what does VirusTotal say and what can I do?
Or are you refusing to help me now? :heulen:

Regards

cosinus 04.05.2010 10:13

What VirusTotal says is right there. But you didn't even write which file (full path) you had analysed. Was it this one => C:\WINDOWS\system32\dlzlnti.dll ?

Snewi 04.05.2010 10:35

That was the dlzlnti.ar that has now been found in system32! The .dll is gone!

P.S. Is there an Avenger for Windows 2003 too

Regards

cosinus 04.05.2010 10:52

Quote:

P.S. Is there an Avenger for Windows 2003 too
Apparently not: The Avenger is fully compatible with 32-bit Windows Vista, XP, and 2000. Please do not attempt to use it on any other operating system.

But you can work with live CDs (e.g. Linux or OTLPE) and move or rename files or the like that way.

Snewi 04.05.2010 12:13

I found another server that could be the source (domain controller)!
But it's a Windows 2003 Server OS! Is there a way to proceed here like with the Avenger?

Log:
Code:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-04 13:08:38
Windows 5.2.3790 Service Pack 2
Running: gmer.exe; Driver: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\kxroapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

_LTEXT          C:\WINDOWS\system32\DRIVERS\sntie.sys                                              entry point in "_LTEXT" section [0xB5A37160]

---- User code sections - GMER 1.0.15 ----

.text          C:\WINDOWS\System32\svchost.exe[884] ntdll.dll!NtQueryInformationProcess            7C94759D 5 Bytes  JMP 01799DC2
.text          C:\WINDOWS\System32\svchost.exe[884] NETAPI32.dll!NetpwPathCanonicalize            71A59511 5 Bytes  JMP 01799D62

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                              TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                            tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                          tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                          tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                        tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                            fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                            TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- Services - GMER 1.0.15 ----

Service        C:\WINDOWS\system32\svchost.exe (*** hidden *** )                                  [AUTO] udchbxvo                                                                                                                                                                                                                                                                                                                                    <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg            HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo@DisplayName                        Update Universal
Reg            HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo@Type                                32
Reg            HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo@Start                              2
Reg            HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo@ErrorControl                        0
Reg            HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo@ImagePath                          %SystemRoot%\system32\svchost.exe -k netsvcs
Reg            HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo@ObjectName                          LocalSystem
Reg            HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo@Description                        L?st NetBIOS-Namen f?r TCP/IP-Clients auf, indem Netzwerkdienste, die NetBIOS verwenden, ermittelt werden. Netzwerk-NetBIOS-Dienste funktionieren nicht einwandfrei, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, k?nnen die Dienste, die von diesem Dienst ausschlie?lich abh?ngig sind, nicht mehr gestartet werden.
Reg            HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo\Parameters                         
Reg            HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo\Parameters@ServiceDll              C:\WINDOWS\system32\mcvbosa.dll
Reg            HKLM\SYSTEM\ControlSet002\Services\udchbxvo@DisplayName                            Update Universal
Reg            HKLM\SYSTEM\ControlSet002\Services\udchbxvo@Type                                    32
Reg            HKLM\SYSTEM\ControlSet002\Services\udchbxvo@Start                                  2
Reg            HKLM\SYSTEM\ControlSet002\Services\udchbxvo@ErrorControl                            0
Reg            HKLM\SYSTEM\ControlSet002\Services\udchbxvo@ImagePath                              %SystemRoot%\system32\svchost.exe -k netsvcs
Reg            HKLM\SYSTEM\ControlSet002\Services\udchbxvo@ObjectName                              LocalSystem
Reg            HKLM\SYSTEM\ControlSet002\Services\udchbxvo@Description                            L?st NetBIOS-Namen f?r TCP/IP-Clients auf, indem Netzwerkdienste, die NetBIOS verwenden, ermittelt werden. Netzwerk-NetBIOS-Dienste funktionieren nicht einwandfrei, falls dieser Dienst beendet wird. Falls dieser Dienst deaktiviert wird, k?nnen die Dienste, die von diesem Dienst ausschlie?lich abh?ngig sind, nicht mehr gestartet werden.
Reg            HKLM\SYSTEM\ControlSet002\Services\udchbxvo\Parameters (not active ControlSet)     
Reg            HKLM\SYSTEM\ControlSet002\Services\udchbxvo\Parameters@ServiceDll                  C:\WINDOWS\system32\mcvbosa.dll
Reg            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime          963815
Reg            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs             
Reg            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout  15
Reg            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota    10000
Reg            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler                  yes
Reg            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk                 
Reg            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout  90
Reg            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota    10000
Reg            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DesktopHeapLogging        1
Reg            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERPostMessageLimit      100000

---- EOF - GMER 1.0.15 ----


cosinus 04.05.2010 13:41

Quote:

But it's a Windows 2003 Server OS! Is there a way to proceed here like with Avenger?
Try deleting the "bad" services with OSAM...

Snewi 06.05.2010 07:22

It looks like the virus is gone! In any case there are no more alerts on any client or server :Boogie:

The question is whether it's really gone and whether there's any way to check that, or is it more a matter of luck now? :D

Thanks again to Cosinus, who had to have a lot of patience with me but who was a really big, big help! So THANK YOU :party:

Regards
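One way to answer the "can it be checked?" question, added here and not from the thread: re-run GMER on each machine and scan its Services/Registry sections for svchost-hosted services that are hidden or whose ServiceDll is not on an allowlist of DLLs you know belong there. The sample log lines and the allowlist below are constructed, modelled on the GMER output quoted earlier in the thread (hidden service udchbxvo, ServiceDll mcvbosa.dll); the `known_dlls` set is a placeholder an admin would fill from a clean reference system.

```python
"""Flag svchost-hosted services in a GMER log that are hidden or load an unknown ServiceDll."""
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the GMER Services/Registry output quoted above.
SAMPLE_LOG = r"""
---- Services - GMER 1.0.15 ----
Service        C:\WINDOWS\system32\svchost.exe (*** hidden *** )   [AUTO] udchbxvo   <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg   HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo@DisplayName          Update Universal
Reg   HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo@ImagePath            %SystemRoot%\system32\svchost.exe -k netsvcs
Reg   HKLM\SYSTEM\CurrentControlSet\Services\udchbxvo\Parameters@ServiceDll   C:\WINDOWS\system32\mcvbosa.dll
Reg   HKLM\SYSTEM\ControlSet002\Services\udchbxvo\Parameters (not active ControlSet)
Reg   HKLM\SYSTEM\CurrentControlSet\Services\lmhosts@ImagePath             %SystemRoot%\system32\svchost.exe -k netsvcs
Reg   HKLM\SYSTEM\CurrentControlSet\Services\lmhosts\Parameters@ServiceDll    %SystemRoot%\system32\lmhsvc.dll
"""

# "Reg  HKLM\SYSTEM\<ControlSet>\Services\<svc>[\Parameters]@<key>  <value>"
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?:\\Parameters)?@(?P<key>\w+)\s+(?P<val>.*?)\s*$")
# "Service  <image> (*** hidden *** )  [AUTO] <svc>  <-- ROOTKIT !!!"
HIDDEN_RE = re.compile(r"^Service\s+.*\(\*\*\* hidden \*\*\* \).*?\]\s+(?P<svc>\S+)")


def parse_gmer(log):
    """Return ({service: {key: value}}, {hidden service names}) for the active ControlSet only."""
    services, hidden = {}, set()
    for line in log.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            hidden.add(m.group("svc"))
            continue
        m = REG_RE.match(line)
        if m and m.group("cs") == "CurrentControlSet":
            services.setdefault(m.group("svc"), {})[m.group("key")] = m.group("val")
    return services, hidden


def find_suspicious(log, known_dlls):
    """List svchost-hosted services that GMER hides or whose ServiceDll basename is not allowlisted."""
    services, hidden = parse_gmer(log)
    findings = []
    for name, keys in services.items():
        if "svchost.exe" not in keys.get("ImagePath", "").lower():
            continue  # only services that run inside a shared svchost host
        dll = keys.get("ServiceDll", "")
        reasons = []
        if name in hidden:
            reasons.append("service hidden from the Service Control Manager")
        if dll and PureWindowsPath(dll).name.lower() not in known_dlls:
            reasons.append("ServiceDll not in allowlist: " + dll)
        if reasons:
            findings.append({"service": name, "display": keys.get("DisplayName", ""),
                             "dll": dll, "reasons": reasons})
    return findings
```

A clean result on every server and client, repeated after a reboot, is the evidence the thread was missing; a single new finding means the service was re-created and the machine is still infected.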


Copyright ©2000-2025, Trojaner-Board
