Combofix Teil 2: [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52525:TCP"= 52525:TCP:TCP
"6969:UDP"= 6969:UDP:UDP
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [17.03.2009 19:59 135336]
R2 PStrip;PSTRIP;c:\windows\system32\drivers\pstrip.sys [15.07.2007 03:37 27992]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [04.03.2009 14:42 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [04.03.2009 14:42 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [04.03.2009 14:42 566296]
R3 npusbio;npusbio;c:\windows\system32\drivers\npusbio.sys [27.09.2009 15:45 36384]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [02.05.2008 18:50 176128]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [04.03.2009 14:42 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\programme\Gemeinsame Dateien\Creative Labs Shared\Service\CTAELicensing.exe [20.04.2009 16:46 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [04.03.2009 14:42 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [04.03.2009 14:42 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [04.03.2009 14:42 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [04.03.2009 14:42 566296]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;f:\dragon age\bin_ship\daupdatersvc.service.exe [13.11.2009 14:22 25832]
S3 NPUSB;NPUSB;c:\windows\system32\drivers\npusb.sys [06.05.2008 19:41 15360]
S3 SaiH0255;SaiH0255;c:\windows\system32\drivers\SaiH0255.sys [05.05.2008 19:57 121984]
S3 Sposerersrt;Sposerersrt; [x]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [03.05.2008 19:42 691696]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners
2010-07-29 c:\windows\Tasks\1-Klick-Wartung.job
- c:\zusatz\TuneUp Utilities 2008\OneClickStarter.exe [2008-05-03 16:47]
2008-07-21 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\programme\Microsoft LifeCam\LifeExp.exe [2007-05-17 21:45]
2010-01-01 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX1000_exe.job
- c:\windows\vVX1000.exe [2008-07-21 21:46]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.dufpy.com
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {C003CB0F-22D1-4F0A-BB98-4F63CBB89F02} = 192.168.2.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\dokumente und einstellungen\Akki\Anwendungsdaten\Mozilla\Firefox\Profiles\0dkdlpsc.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
FF - component: c:\dokumente und einstellungen\Akki\Anwendungsdaten\Mozilla\Firefox\Profiles\0dkdlpsc.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\dokumente und einstellungen\Akki\Anwendungsdaten\Mozilla\Firefox\Profiles\0dkdlpsc.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - plugin: c:\itunes\Mozilla Plugins\npitunes.dll
FF - plugin: c:\programme\DivX\DivX Plus Web Player\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX Richtlinien ----
c:\firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
MSConfigStartUp-nwiz - nwiz.exe
AddRemove-uTorrent - c:\programme\uTorrent\uTorrent.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, hxxp://www.gmer.net
Rootkit scan 2010-07-29 18:18
Windows 5.1.2600 Service Pack 3 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = c:\programme\Creative\Splash Screen\CTEaxSpl.EXE /run???????h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&??????\??? ??? ???\???\???????????5?7~e?7~\???\???????(@_??????C@?\???\??????s????\??????s\????&??A??s?&???C@?x???`|?w\?????@
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
[HKEY_USERS\S-1-5-21-1757981266-2077806209-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:61,9a,53,c6,fc,3e,90,20,ff,63,d9,4f,bc,bc,a7,8a,82,47,45,c9,36,e5,23,
aa,ae,b8,43,31,5e,ad,3d,ed,77,a0,6e,e2,a3,f0,54,67,d5,9b,c6,5d,b6,b8,52,42,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
[HKEY_USERS\S-1-5-21-1757981266-2077806209-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:b9,45,04,a4,06,3a,2a,79,a0,ec,ad,3a,25,de,f5,66,df,77,d1,7c,5f,
08,64,3d,3f,23,5e,76,bf,26,99,b7,48,da,4a,07,f9,6d,bf,2c,f3,04,95,3b,89,5c,\
"rkeysecu"=hex:c2,cf,3b,ed,e8,ef,68,03,0c,90,9a,71,fa,62,8e,8b
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\0BB4AB33ED50D261F5C8A2C244CF5435]
"1"=hex:df,c7,3a,96,ab,66,13,d2,36,78,6c,b8,10,1c,c4,b0,41,14,92,53,8b,f4,9f,
53,ff,8f,6c,08,d5,ab,f1,06
"2"=hex:7d,73,4a,d4,1d,ee,c7,5a
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:97,e4,84,cd,95,83,bf,82,bd,04,75,27,c9,a8,72,b1,55,38,49,8a,a6,16,a2,
28,28,eb,ee,eb,0f,d6,d6,b8,f4,df,4a,8d,b5,18,4f,2a,0d,c4,ee,cf,81,df,fe,df,\
"8"=hex:f4,00,a4,1f,f7,25,cd,0f,57,fc,c4,65,80,17,5e,c1,53,04,b1,f8,af,ae,1f,
e8,b6,14,18,f6,06,6f,91,34,22,a7,97,d7,c2,a9,65,7c,3c,9e,3b,e0,88,a1,87,c8
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\C4838B3D951212E6CDEE180D9201C56E]
"1"=hex:07,1f,1a,27,85,96,85,c3,38,71,53,58,52,6e,65,80,4c,0f,9a,93,b5,f7,5b,
e0
"2"=hex:af,48,68,fb,0f,c8,42,37
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,56,a7,02,9d,f0,a0,1d,
cc,28,d9,b1,18,9e,f1,8d,e8,54,e6,61,27,95,2e,52,cc,1c,f7,fa,64,bd,24,b7,82,\
"8"=hex:66,7d,d2,ce,a1,ac,d6,d8,15,33,49,a2,19,f2,db,fe,1d,ed,b1,0d,31,f2,d3,
c2,91,32,0a,fc,38,8f,2a,b6,f2,5d,73,01,67,d4,34,b1,b0,11,c5,89,89,4b,de,e9,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\DF7B54A6112C2A0959607A574D3D99D6]
"1"=hex:05,a5,52,27,27,68,21,41,63,83,05,15,ef,55,2c,92
"2"=hex:af,48,68,fb,0f,c8,42,37
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,56,a7,02,9d,f0,a0,1d,
cc,28,d9,b1,18,9e,f1,8d,e8,54,e6,61,27,95,2e,52,cc,1c,f7,fa,64,bd,24,b7,82,\
"8"=hex:66,7d,d2,ce,a1,ac,d6,d8,15,33,49,a2,19,f2,db,fe,1d,ed,b1,0d,31,f2,d3,
c2,91,32,0a,fc,38,8f,2a,b6,f2,5d,73,01,67,d4,34,b1,ad,a2,bd,96,61,05,7a,43,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
Zeit der Fertigstellung: 2010-07-29 18:19:00
ComboFix-quarantined-files.txt 2010-07-29 16:18
Vor Suchlauf: 18 Verzeichnis(se), 62.894.030.848 Bytes frei
Nach Suchlauf: 21 Verzeichnis(se), 62.852.218.880 Bytes frei
WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - F5C754EAFDC4072F201AF5B3559DB96B