
Pests of all kinds and how to fight them: Trojan TR/Agent.cx45

06.05.2009, 10:51   #1
crispy_2209
 

Trojan TR/Agent.cx45



Hi!

I have the trojan TR/Agent.cx.45 on my notebook; as already written in another thread, Avira AntiVir pops up a warning every 10 seconds.
I have now followed the recommended steps, first CCleaner and then Malwarebytes Anti-Malware, but nothing was found:

Code:
 Malwarebytes' Anti-Malware 1.36
Database version: 2061
Windows 6.0.6001 Service Pack 1

04.05.2009 16:09:48
mbam-log-2009-05-04 (16-09-48).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 219846
Time elapsed: 3 hour(s), 47 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
         
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:36, on 06.05.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Users\xxx\AppData\Local\Temp\1416.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_AT&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_AT&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix: 
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6859 bytes
         
Hope you can help me...

regards

sorry, I forgot this:
Code:
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.3 - Deutsch
ASL_HS_Installer32
Audacity 1.2.6
Avira AntiVir Personal - Free Antivirus
CCleaner (remove only)
CDex extraction audio
Compatibility Pack for the 2007 Office system
Conexant HD Audio
DivX Converter
DivX Player
DivX Web Player
FLV Player 2.0 (build 25)
FTDI USB Serial Converter Drivers
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent
HijackThis 2.0.2
HP Active Support Library
HP Customer Experience Enhancements
HP Easy Setup - Core
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.5
HP Quick Launch Buttons 6.10 B9
HP QuickPlay 3.0
HP Update
HP User Guide 0041
HP Wireless Assistant
ICQ6.5
Java(TM) SE Runtime Environment 6
LimeWire 4.18.6
Malwarebytes' Anti-Malware
Microsoft Office Professional Edition 2003
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.10)
MSVC80_x86
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
Nokia Connectivity Cable Driver
Nokia Flashing Cable Driver
Nokia PC Suite
Nokia PC Suite
Nokia Software Updater
NVIDIA Drivers
PC Connectivity Solution
PhotoFiltre
PL-2303 USB-to-Serial
Roxio MyDVD Basic v9
Skype™ 4.0
Soft Data Fax Modem with SmartCP
Sonic Activation Module
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
TuneUp Utilities 2008
Windows Live Messenger
Windows-Treiberpaket - Nokia Modem  (02/15/2007 3.1)
Windows-Treiberpaket - Nokia Modem  (02/15/2007 3.1)
Windows-Treiberpaket - Nokia Modem  (05/22/2008 3.8)
Windows-Treiberpaket - Nokia Modem  (05/22/2008 7.00.0.1)
Windows-Treiberpaket - Nokia Modem  (05/24/2007 6.84.0.1)
Windows-Treiberpaket - Nokia pccsmcfd  (10/12/2007 6.85.4.0)
WinRAR
         

06.05.2009, 11:01   #2
Chris4You
 

Trojan TR/Agent.cx45



Hi,

the problem should be here:
C:\Users\xxx\AppData\Local\Temp\1416.exe
but no autostart entry for it can be found...

So RSIT & Gmer:
Random's System Information Tool (RSIT) by random/random reads out system details and creates an informative logfile.

* Download Random's System Information Tool (RSIT) http://filepony.de/download-rsit/
* Save it to your desktop.
* Double-click RSIT.exe to start it.
* Click Continue to accept the terms of use.
* If you do not have HijackThis installed, RSIT will download and install it for you.
* In that case please also accept Trend Micro's terms of use (http://de.trendmicro.com/de/home) for HJT with "I accept".
* If your firewall asks, please allow RSIT to access the network.
* The scan starts automatically; RSIT now checks some important system areas and produces logfiles as a basis for the analysis.
* When the scan is finished, two logfiles are created and opened in your editor.
* Please post the contents of C:\rsit\log.txt and C:\rsit\info.txt (<= minimized) here in the thread.

Gmer:
http://www.trojaner-board.de/74908-anleitung-gmer-rootkit-scanner.html
You will find the download link at the top left (www.gmer.net/files); there click
the "Download EXE" button, which generates a random file name (please note it and the path where you saved it).
Start GMER and see whether it already reports something. If it does, answer all questions with "no", go to the "rootkit" tab, again answer the question with "no", and paste the report into the thread using Copy. If it reports nothing, go to the Rootkit tab and run a scan. When it has finished, choose Copy and paste the report.

chris
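The check Chris4You does by eye in the post above (a binary running from the user's Temp folder while no O4 Run key, O20 Winlogon Notify or O23 service entry points at it) can be scripted over a HijackThis log. The following is an added example, not code from the thread, from Trojaner-Board or from HijackThis; the log excerpt is constructed from the lines quoted in the thread (user name placeholder 'xxx', trimmed to the relevant entries), and the list of user-writable directories and the "numeric file name" heuristic are the example's own assumptions rather than HijackThis rules.

```python
"""Triage of a HijackThis-style log: flag processes running from user-writable
directories and check whether any autostart entry (O4 Run keys, O20 Winlogon
Notify, O23 services) references the same executable.

Added example for this thread, not the forum's or HijackThis's own code.
SAMPLE_LOG is constructed from the lines quoted in the thread; the directory
list and the numeric-name heuristic are the example author's assumptions.
"""
import re

# Constructed excerpt in HijackThis log format (user name placeholder 'xxx').
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:36, on 06.05.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Users\xxx\AppData\Local\Temp\1416.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
"""

# Directories an unprivileged user can write to; a binary executing from one of
# these deserves a second look (assumption of this example, not an HJT rule).
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
)

# Absolute Windows path ending in a PE extension. Quoted paths containing
# spaces are handled by matching lazily up to the first extension. Paths using
# %VAR% (e.g. %ProgramFiles%\Windows Defender\MSASCui.exe) are not expanded.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|sys)\b", re.IGNORECASE)
AUTOSTART_RE = re.compile(r"^(O4|O20|O23)\s+-\s+(.*)$")
# Droppers often use a throw-away numeric name such as 1416.exe (heuristic).
NUMERIC_NAME_RE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def parse_hjt_log(text):
    """Split an HJT log into the running-process list and (section, path) autostart pairs."""
    processes, autostart = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:              # a blank line ends the process block
                in_processes = False
            else:
                processes.append(line)
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            for path in PATH_RE.findall(m.group(2)):
                autostart.append((m.group(1), path))
    return processes, autostart


def triage(text):
    """Return one finding per process that runs from a user-writable directory.

    'autostart_entry' says whether any O4/O20/O23 line references the same
    file. A Temp binary that is running without such a hook was started by
    something HJT does not show (a parent process, a scheduled task, ...),
    which is exactly why the helper asks for RSIT and GMER next.
    """
    processes, autostart = parse_hjt_log(text)
    referenced = {path.lower() for _, path in autostart}
    findings = []
    for proc in processes:
        low = proc.lower()
        if not any(d in low for d in USER_WRITABLE_DIRS):
            continue
        name = proc.rsplit("\\", 1)[-1]
        findings.append({
            "process": proc,
            "autostart_entry": low in referenced,
            "generic_name": bool(NUMERIC_NAME_RE.match(name)),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "autostart present" if f["autostart_entry"] else "no autostart entry"
        extra = "  [generic numeric name]" if f["generic_name"] else ""
        print(f"{f['process']}  [{flag}]{extra}")
```

Run as-is, the script reports the single hit from the quoted log: C:\Users\xxx\AppData\Local\Temp\1416.exe with no autostart entry and a generic numeric name. HijackThis lists neither command lines nor parent processes, so the script can only say that the launch mechanism is invisible in this log; confirming how the file gets started (parent process, scheduled task, rootkit-hidden entry) needs the RSIT and GMER output the helper requests.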

06.05.2009, 12:11   #3
crispy_2209
 

Trojan TR/Agent.cx45



Thanks a lot for the help!

Part 1:
RSIT

Code:
Logfile of random's system information tool 1.06 (written by random/random)
Run by Franzi at 2009-05-06 12:56:06
Microsoft® Windows Vista™ Home Premium  Service Pack 1
System drive C: has 51 GB (46%) free of 109 GB
Total RAM: 958 MB (41% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:56:14, on 06.05.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Users\Franzi\AppData\Local\Temp\1416.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Franzi\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Franzi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.at/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_AT&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_AT&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix: 
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6729 bytes

======Scheduled tasks folder======

C:\Windows\tasks\1-Klick-Wartung.job
C:\Windows\tasks\User_Feed_Synchronization-{F28ECD83-F507-4F1E-ABE0-2DF756AD0C19}.job
C:\Windows\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0\bin\ssv.dll [2007-01-19 501384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-11-15 815104]
"HP Health Check Scheduler"=C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [2006-12-04 46704]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2007-01-14 90191]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2007-01-14 7766016]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2007-01-14 81920]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aafd3c78-e492-11dc-91ec-001636eed035}]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f684a6b0-3f9b-11dd-bf11-001636eed035}]
shell\AutoRun\command - G:\LaunchU3.exe -a


======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2009-05-06 12:56:06 ----D---- C:\rsit
2009-05-06 11:06:55 ----D---- C:\Program Files\Trend Micro
2009-04-30 17:00:00 ----D---- C:\Program Files\CCleaner
2009-04-30 16:59:04 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-04-30 16:58:20 ----D---- C:\Users\Franzi\AppData\Roaming\SUPERAntiSpyware.com
2009-04-30 16:58:20 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-30 14:01:22 ----D---- C:\Users\Franzi\AppData\Roaming\Malwarebytes
2009-04-30 14:01:13 ----D---- C:\ProgramData\Malwarebytes
2009-04-30 14:01:13 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-30 00:28:23 ----A---- C:\Windows\system32\dfshim.dll
2009-04-30 00:28:18 ----A---- C:\Windows\system32\mscoree.dll
2009-04-30 00:28:15 ----A---- C:\Windows\system32\netfxperf.dll
2009-04-30 00:27:56 ----A---- C:\Windows\system32\mscorier.dll
2009-04-30 00:27:47 ----A---- C:\Windows\system32\mscories.dll
2009-04-30 00:24:03 ----A---- C:\Windows\system32\mshtmled.dll
2009-04-30 00:24:03 ----A---- C:\Windows\system32\ieui.dll
2009-04-30 00:24:03 ----A---- C:\Windows\system32\icardie.dll
2009-04-30 00:24:02 ----A---- C:\Windows\system32\msls31.dll
2009-04-30 00:24:02 ----A---- C:\Windows\system32\mshtmler.dll
2009-04-30 00:24:02 ----A---- C:\Windows\system32\jsproxy.dll
2009-04-30 00:24:02 ----A---- C:\Windows\system32\admparse.dll
2009-04-30 00:23:54 ----A---- C:\Windows\system32\imgutil.dll
2009-04-30 00:23:54 ----A---- C:\Windows\system32\iernonce.dll
2009-04-30 00:23:54 ----A---- C:\Windows\system32\ieakeng.dll
2009-04-30 00:23:54 ----A---- C:\Windows\system32\dxtrans.dll
2009-04-30 00:23:54 ----A---- C:\Windows\system32\dxtmsft.dll
2009-04-30 00:23:54 ----A---- C:\Windows\system32\corpol.dll
2009-04-30 00:23:53 ----A---- C:\Windows\system32\webcheck.dll
2009-04-30 00:23:53 ----A---- C:\Windows\system32\occache.dll
2009-04-30 00:23:53 ----A---- C:\Windows\system32\msrating.dll
2009-04-30 00:23:53 ----A---- C:\Windows\system32\msfeedsbs.dll
2009-04-30 00:23:53 ----A---- C:\Windows\system32\licmgr10.dll
2009-04-30 00:23:53 ----A---- C:\Windows\system32\inseng.dll
2009-04-30 00:23:53 ----A---- C:\Windows\system32\iepeers.dll
2009-04-30 00:23:53 ----A---- C:\Windows\system32\ieaksie.dll
2009-04-30 00:23:52 ----A---- C:\Windows\system32\WinFXDocObj.exe
2009-04-30 00:23:52 ----A---- C:\Windows\system32\wextract.exe
2009-04-30 00:23:52 ----A---- C:\Windows\system32\pngfilt.dll
2009-04-30 00:23:52 ----A---- C:\Windows\system32\mstime.dll
2009-04-30 00:23:52 ----A---- C:\Windows\system32\msfeedssync.exe
2009-04-30 00:23:52 ----A---- C:\Windows\system32\msfeeds.dll
2009-04-30 00:23:52 ----A---- C:\Windows\system32\iesetup.dll
2009-04-30 00:23:52 ----A---- C:\Windows\system32\ieakui.dll
2009-04-30 00:23:52 ----A---- C:\Windows\system32\advpack.dll
2009-04-30 00:23:51 ----A---- C:\Windows\system32\vbscript.dll
2009-04-30 00:23:51 ----A---- C:\Windows\system32\jscript.dll
2009-04-30 00:23:51 ----A---- C:\Windows\system32\ieapfltr.dll
2009-04-30 00:23:50 ----A---- C:\Windows\system32\url.dll
2009-04-30 00:23:50 ----A---- C:\Windows\system32\iedkcs32.dll
2009-04-30 00:23:49 ----A---- C:\Windows\system32\mshta.exe
2009-04-30 00:23:49 ----A---- C:\Windows\system32\iexpress.exe
2009-04-30 00:23:48 ----A---- C:\Windows\system32\SetIEInstalledDate.exe
2009-04-30 00:23:48 ----A---- C:\Windows\system32\SetDepNx.exe
2009-04-30 00:23:48 ----A---- C:\Windows\system32\RegisterIEPKEYs.exe
2009-04-30 00:23:48 ----A---- C:\Windows\system32\PDMSetup.exe
2009-04-30 00:23:48 ----A---- C:\Windows\system32\ieUnatt.exe
2009-04-30 00:23:48 ----A---- C:\Windows\system32\iesysprep.dll
2009-04-30 00:23:48 ----A---- C:\Windows\system32\iertutil.dll
2009-04-30 00:23:48 ----A---- C:\Windows\system32\ie4uinit.exe
2009-04-30 00:23:47 ----A---- C:\Windows\system32\wininet.dll
2009-04-30 00:23:47 ----A---- C:\Windows\system32\urlmon.dll
2009-04-30 00:23:45 ----A---- C:\Windows\system32\ieframe.dll
2009-04-30 00:23:43 ----A---- C:\Windows\system32\mshtml.dll
2009-04-21 22:07:17 ----D---- C:\Program Files\FLV Player
2009-04-21 22:02:21 ----D---- C:\Program Files\YouTube Downloader
2009-04-16 09:42:59 ----A---- C:\Windows\system32\winhttp.dll
2009-04-16 09:42:57 ----A---- C:\Windows\system32\xolehlp.dll
2009-04-16 09:42:57 ----A---- C:\Windows\system32\msdtcprx.dll
2009-04-16 09:42:48 ----A---- C:\Windows\system32\rpcss.dll
2009-04-16 09:42:48 ----A---- C:\Windows\system32\ntkrnlpa.exe
2009-04-16 09:42:47 ----A---- C:\Windows\system32\ntoskrnl.exe
2009-04-16 09:42:45 ----A---- C:\Windows\system32\sdohlp.dll
2009-04-16 09:42:45 ----A---- C:\Windows\system32\printfilterpipelinesvc.exe
2009-04-16 09:42:45 ----A---- C:\Windows\system32\printfilterpipelineprxy.dll
2009-04-16 09:42:44 ----A---- C:\Windows\system32\iasrecst.dll
2009-04-16 09:42:44 ----A---- C:\Windows\system32\iashost.exe
2009-04-16 09:42:44 ----A---- C:\Windows\system32\iasdatastore.dll
2009-04-16 09:42:44 ----A---- C:\Windows\system32\iasads.dll
2009-04-16 09:42:40 ----A---- C:\Windows\system32\lsasrv.dll
2009-04-16 09:42:40 ----A---- C:\Windows\system32\kernel32.dll
2009-04-16 09:42:39 ----A---- C:\Windows\system32\secur32.dll
2009-04-16 09:42:39 ----A---- C:\Windows\system32\apilogen.dll
2009-04-16 09:42:39 ----A---- C:\Windows\system32\amxread.dll

======List of files/folders modified in the last 1 months======

2009-05-06 12:56:12 ----D---- C:\Windows\Temp
2009-05-06 12:46:38 ----D---- C:\Windows\System32
2009-05-06 12:46:38 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-05-06 12:46:37 ----D---- C:\Windows\inf
2009-05-06 11:19:57 ----SHD---- C:\Windows\Installer
2009-05-06 11:17:04 ----SHD---- C:\System Volume Information
2009-05-06 11:06:55 ----RD---- C:\Program Files
2009-05-06 11:01:42 ----D---- C:\Users\Franzi\AppData\Roaming\Skype
2009-05-06 10:57:44 ----D---- C:\Users\Franzi\AppData\Roaming\skypePM
2009-05-06 10:53:06 ----D---- C:\Windows
2009-05-06 10:37:49 ----D---- C:\Windows\system32\catroot2
2009-05-06 10:37:25 ----D---- C:\Windows\system32\Tasks
2009-05-06 10:37:23 ----D---- C:\Windows\Tasks
2009-04-30 17:05:53 ----D---- C:\Windows\Debug
2009-04-30 16:59:04 ----HD---- C:\ProgramData
2009-04-30 16:57:36 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-04-30 15:04:30 ----D---- C:\Program Files\Mozilla Firefox
2009-04-30 14:01:18 ----D---- C:\Windows\system32\drivers
2009-04-30 11:44:16 ----D---- C:\Windows\rescache
2009-04-30 10:12:47 ----D---- C:\Windows\Microsoft.NET
2009-04-30 10:12:46 ----RSD---- C:\Windows\assembly
2009-04-30 10:07:38 ----D---- C:\Program Files\CONEXANT
2009-04-30 00:36:36 ----D---- C:\Program Files\Internet Explorer
2009-04-30 00:36:35 ----D---- C:\Windows\system32\de-DE
2009-04-30 00:36:30 ----D---- C:\Windows\system32\migration
2009-04-30 00:36:30 ----D---- C:\Windows\system32\en-US
2009-04-30 00:36:30 ----D---- C:\Windows\PolicyDefinitions
2009-04-30 00:35:29 ----D---- C:\Windows\winsxs
2009-04-30 00:34:23 ----D---- C:\Windows\system32\catroot
2009-04-30 00:20:34 ----D---- C:\Windows\Prefetch
2009-04-29 23:56:53 ----D---- C:\Program Files\Common Files\Sonic Shared
2009-04-29 23:54:08 ----D---- C:\Program Files\Roxio
2009-04-29 23:54:07 ----D---- C:\Program Files\Common Files
2009-04-28 10:38:35 ----D---- C:\Windows\system32\config
2009-04-28 10:38:28 ----D---- C:\Windows\system32\spool
2009-04-28 10:38:28 ----D---- C:\Windows\system32\Msdtc
2009-04-28 10:38:28 ----D---- C:\Windows\system32\CodeIntegrity
2009-04-28 10:38:27 ----D---- C:\Windows\system32\wbem
2009-04-28 10:38:27 ----D---- C:\Windows\registration
2009-04-24 12:17:54 ----D---- C:\Users\Franzi\AppData\Roaming\LimeWire
2009-04-16 12:00:33 ----D---- C:\Program Files\Windows Mail
2009-04-16 12:00:31 ----D---- C:\Windows\system32\manifeststore
2009-04-16 12:00:31 ----D---- C:\Windows\AppPatch

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys [2007-02-27 11840]
R1 avipbb;avipbb; C:\Windows\system32\DRIVERS\avipbb.sys [2008-11-12 75072]
R1 eabfiltr;eabfiltr; C:\Windows\system32\DRIVERS\eabfiltr.sys [2006-06-28 8192]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-04-28 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-04-28 72944]
R1 ssmdrv;ssmdrv; C:\Windows\system32\DRIVERS\ssmdrv.sys [2007-11-08 21248]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-20 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-05 8192]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys [2008-05-20 52032]
R3 BCM43XX;Treiber für Broadcom 802.11-Netzwerkadapter; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-17 534016]
R3 CmBatt;Treiber für Microsoft-ACPI-Kontrollmethodenkompatible Batterie; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 HBtnKey;HBtnKey; C:\Windows\system32\DRIVERS\cpqbttn.sys [2006-06-28 9472]
R3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDART.sys [2006-11-18 145920]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-19 986624]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-10-19 206848]
R3 NVENETFD;NVIDIA nForce-Netzwerkcontrollertreiber; C:\Windows\system32\DRIVERS\nvm60x32.sys [2006-11-02 429056]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-01-14 4452288]
R3 nvsmu;nvsmu; C:\Windows\system32\DRIVERS\nvsmu.sys [2006-09-15 11520]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2006-11-15 179256]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-19 659968]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2006-11-15 32256]
S2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2006-11-15 43520]
S2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2006-11-15 37376]
S3 BCM43XV;Broadcom Extensible 802.11-Netzwerkadaptertreiber; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-17 534016]
S3 drmkaud;Microsoft Kernel-DRM-Audioentschlüsselung; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 E100B;Intel(R) PRO-Adaptertreiber; C:\Windows\system32\DRIVERS\e100b325.sys [2006-11-02 163328]
S3 FTDIBUS;USB Serial Converter Driver; C:\Windows\system32\drivers\ftdibus.sys [2006-05-18 47249]
S3 FTSER2K;USB Serial Port Driver; C:\Windows\system32\drivers\ftser2k.sys [2006-05-18 61067]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-10-19 1380864]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Proxy für Streaming Clock; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Proxy für Streaming Quality Manager; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink-Konvertierung; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 nmwcd;Nokia USB Phone Parent; C:\Windows\system32\drivers\ccdcmb.sys [2008-09-15 17664]
S3 nmwcdc;Nokia USB Generic; C:\Windows\system32\drivers\ccdcmbo.sys [2008-09-15 22016]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent; C:\Windows\system32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic; C:\Windows\system32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\Windows\system32\DRIVERS\pccsmcfd.sys [2007-09-17 21632]
S3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432]
S3 upperdev;upperdev; C:\Windows\system32\DRIVERS\usbser_lowerflt.sys [2008-09-15 8064]
S3 usbser;USB Modem Driver; C:\Windows\system32\drivers\usbser.sys [2008-01-19 28160]
S3 UsbserFilt;UsbserFilt; C:\Windows\system32\DRIVERS\usbser_lowerfltj.sys [2008-09-15 8064]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Planer; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-28 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-28 151297]
R2 CLCapSvc;CyberLink Background Capture Service (CBCS); C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe [2006-11-25 270431]
R2 CLSched;CyberLink Task Scheduler (CTS); C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe [2006-11-25 118877]
R2 HP Health Check Service;HP Health Check Service; C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2006-12-04 58984]
R2 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2006-05-03 135168]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-10-19 61440]
R2 UxTuneUp;@%SystemRoot%\System32\uxtuneup.dll,-4096; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-05 386560]
R3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-08-07 575488]
S3 AddFiltr;AddFiltr; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe [2006-06-26 126976]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-06 887544]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe []
S3 TuneUp.Defrag;@%SystemRoot%\System32\TuneUpDefragService.exe,-1; C:\Windows\System32\TuneUpDefragService.exe [2008-03-28 307968]
S3 usnjsvc;Messenger USN Journal Reader-Service für freigegebene Ordner; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]

-----------------EOF-----------------
         
__________________

Alt 06.05.2009, 12:12   #4
crispy_2209
 
Trojaner TR/Agent.cx45

Part 2:

Code:
ATTFilter
info.txt logfile of random's system information tool 1.06 2009-05-06 12:56:20

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroBackItUp.exe /UNINSTALL
-->C:\Windows\UNNeroMediaHome.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
-->C:\Windows\UNNeroVision.exe /UNINSTALL
-->C:\Windows\UNRecode.exe /UNINSTALL
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 8.1.3 - Deutsch-->MsiExec.exe /I{AC76BA86-7AD7-1031-7B44-A81300000003}
ASL_HS_Installer32-->MsiExec.exe /I{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
CDex extraction audio-->"C:\Program Files\CDex_150\uninstall.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HD Audio-->C:\Program Files\CONEXANT\CNXT_HDAUDIO\HUFSetup.EXE -U -IwisR30B7.inf
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
FLV Player 2.0 (build 25)-->C:\Program Files\FLV Player\uninst.exe
FTDI USB Serial Converter Drivers-->C:\Windows\system32\ftdiunin.exe C:\Windows\system32\ftdiun2k.ini
Hewlett-Packard Active Check-->MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent-->MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Active Support Library-->C:\Program Files\InstallShield Installation Information\{21E62565-8639-457C-B64C-A3FF0A8B4D80}\setup.exe -runfromtemp -l0x0409
HP Customer Experience Enhancements-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9  -removeonly
HP Easy Setup - Core-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}\setup.exe" -l0x9 
HP Easy Setup - Frontend-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40F7AED3-0C7D-4582-99F6-484A515C73F2}\setup.exe" -l0x9  -removeonly
HP Help and Support-->MsiExec.exe /I{E4DDBA93-769B-49D8-BA33-8814E45ED0C1}
HP Photosmart Essential 2.5-->C:\Program Files\Hewlett-Packard\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Quick Launch Buttons 6.10 B9-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe" -l0x7  uninst
HP QuickPlay 3.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe"  -uninstall
HP Update-->MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HP User Guide 0041-->MsiExec.exe /I{D5CEFEDA-38DF-4F94-A392-C86163CB9965}
HP Wireless Assistant-->MsiExec.exe /I{02F33FB0-F7D5-4C0A-B4AD-8CE5CE230BBE}
ICQ6.5-->"C:\Program Files\InstallShield Installation Information\{60DE4033-9503-48D1-A483-7846BD217CA9}\setup.exe" -runfromtemp -l0x0009 -removeonly
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
LimeWire 4.18.6-->"C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110407-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110407-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{4EA2F95F-A537-4d17-9E7F-6B3FF8D9BBE3}
Mozilla Firefox (3.0.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVC80_x86-->MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Nokia Connectivity Cable Driver-->MsiExec.exe /X{15AC0C5D-A6FB-4CE2-8CD0-28179EEB5625}
Nokia Flashing Cable Driver-->MsiExec.exe /X{D99C322D-C21B-40C7-AE71-EE51AA096B6E}
Nokia PC Suite-->C:\ProgramData\Installations\{A8C3710A-0BCA-4F10-9EC3-A302A1F1FA82}\Nokia_PC_Suite_rel_7_0_8_2_ger.exe
Nokia PC Suite-->MsiExec.exe /I{A8C3710A-0BCA-4F10-9EC3-A302A1F1FA82}
Nokia Software Updater-->MsiExec.exe /X{59367F7E-D7C1-4629-8AEC-71AA24A68F31}
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
PC Connectivity Solution-->MsiExec.exe /I{1A524CFE-DF85-4555-8BC2-0C89DBD8BC2C}
PhotoFiltre-->"C:\Program Files\PhotoFiltre\Uninst.exe"
PL-2303 USB-to-Serial-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setup.exe" -l0x9 Installed
Roxio MyDVD Basic v9-->MsiExec.exe /I{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}
Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_5045&SUBSYS_103C30B7\HXFSETUP.EXE -U -Iwis30B7z.inf
Sonic Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TuneUp Utilities 2008-->MsiExec.exe /I{5888428E-699C-4E71-BF71-94EE06B497DA}
Windows Live Messenger-->MsiExec.exe /X{2B091530-69AA-442E-AB09-39ED06B58220}
Windows-Treiberpaket - Nokia Modem  (02/15/2007 3.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\pccs_bluetooth.inf_48f6f624\pccs_bluetooth.inf
Windows-Treiberpaket - Nokia Modem  (02/15/2007 3.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\pccs_bluetooth.inf_51d2d3e1\pccs_bluetooth.inf
Windows-Treiberpaket - Nokia Modem  (05/22/2008 3.8)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokia_bluetooth.inf_5e0e55c3\nokia_bluetooth.inf
Windows-Treiberpaket - Nokia Modem  (05/22/2008 7.00.0.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokbtmdm.inf_dcd936c5\nokbtmdm.inf
Windows-Treiberpaket - Nokia Modem  (05/24/2007 6.84.0.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\System32\DriverStore\FileRepository\nokbtmdm.inf_e5643fdd\nokbtmdm.inf
Windows-Treiberpaket - Nokia pccsmcfd  (10/12/2007 6.85.4.0)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\Windows\system32\DRVSTORE\pccsmcfd_4A1E30386F4D0DEC8F5DF262CFBD8845EEBAB175\pccsmcfd.inf
WinRAR-->C:\Program Files\Winrar\uninstall.exe

======Security center information======

AS: Windows-Defender
AS: SUPERAntiSpyware

======System event log======

Computer Name: PIWA
Event Code: 7036
Message: Dienst "Windows Installer" befindet sich jetzt im Status "Beendet".
Record Number: 158229
Source Name: Service Control Manager
Time Written: 20090506092957.000000-000
Event Type: Informationen
User: 

Computer Name: PIWA
Event Code: 6013
Message: Die aktive Systemzeit ist 4992 Sekunden.
Record Number: 158230
Source Name: EventLog
Time Written: 20090506100003.000000-000
Event Type: Informationen
User: 

Computer Name: PIWA
Event Code: 7036
Message: Dienst "WinHTTP-Web Proxy Auto-Discovery-Dienst" befindet sich jetzt im Status "Ausgeführt".
Record Number: 158231
Source Name: Service Control Manager
Time Written: 20090506102742.000000-000
Event Type: Informationen
User: 

Computer Name: PIWA
Event Code: 7036
Message: Dienst "WinHTTP-Web Proxy Auto-Discovery-Dienst" befindet sich jetzt im Status "Beendet".
Record Number: 158232
Source Name: Service Control Manager
Time Written: 20090506104412.000000-000
Event Type: Informationen
User: 

Computer Name: PIWA
Event Code: 7036
Message: Dienst "WinHTTP-Web Proxy Auto-Discovery-Dienst" befindet sich jetzt im Status "Ausgeführt".
Record Number: 158233
Source Name: Service Control Manager
Time Written: 20090506104619.000000-000
Event Type: Informationen
User: 

=====Application event log=====

Computer Name: PIWA
Event Code: 10001
Message: Sitzung wird beendet: 1. 2009-05-06T09:19:45.967Z wird gestartet.
Record Number: 36824
Source Name: Microsoft-Windows-RestartManager
Time Written: 20090506091957.864942-000
Event Type: Informationen
User: PIWA\Franzi

Computer Name: PIWA
Event Code: 8224
Message: Der VSS-Dienst wird aufgrund eines Leerlaufzeitlimits heruntergefahren. 
Record Number: 36825
Source Name: VSS
Time Written: 20090506092126.000000-000
Event Type: Informationen
User: 

Computer Name: PIWA
Event Code: 1001
Message: Die Leistungsindikatoren für den Dienst WmiApRpl (WmiApRpl) wurden entfernt. Die Daten enthalten die neuen Werte der Registrierungseinträge "Last Counter" und "Last Help".
Record Number: 36826
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20090506104637.000000-000
Event Type: Informationen
User: 

Computer Name: PIWA
Event Code: 1000
Message: Die Leistungsindikatoren für den Dienst WmiApRpl (WmiApRpl) wurden erfolgreich geladen. Die Eintragsdaten im Datenbereich enthalten die neuen Indexwerte, die diesem Dienst zugeordnet sind.
Record Number: 36827
Source Name: Microsoft-Windows-LoadPerf
Time Written: 20090506104638.000000-000
Event Type: Informationen
User: 

Computer Name: PIWA
Event Code: 5
Message: Unsupported service control request (see data below)
Record Number: 36828
Source Name: LightScribeService
Time Written: 20090506105618.000000-000
Event Type: Informationen
User: 

=====Security event log=====

Computer Name: PIWA
Event Code: 5038
Message: Die Codeintegrität hat festgestellt, dass der Abbildhash einer Datei nicht gültig ist. Die Datei wurde möglicherweise durch eine nicht autorisierte Änderung beschädigt. Dieses Problem kann auch auf einen potenziellen Fehler des Datenträgergeräts hinweisen.

Dateiname:	\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys	
Record Number: 47351
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090506105612.880942-000
Event Type: Überwachung gescheitert
User: 

Computer Name: PIWA
Event Code: 5038
Message: Die Codeintegrität hat festgestellt, dass der Abbildhash einer Datei nicht gültig ist. Die Datei wurde möglicherweise durch eine nicht autorisierte Änderung beschädigt. Dieses Problem kann auch auf einen potenziellen Fehler des Datenträgergeräts hinweisen.

Dateiname:	\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys	
Record Number: 47352
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090506105612.957942-000
Event Type: Überwachung gescheitert
User: 

Computer Name: PIWA
Event Code: 5038
Message: Die Codeintegrität hat festgestellt, dass der Abbildhash einer Datei nicht gültig ist. Die Datei wurde möglicherweise durch eine nicht autorisierte Änderung beschädigt. Dieses Problem kann auch auf einen potenziellen Fehler des Datenträgergeräts hinweisen.

Dateiname:	\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys	
Record Number: 47353
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090506105613.006942-000
Event Type: Überwachung gescheitert
User: 

Computer Name: PIWA
Event Code: 5038
Message: Die Codeintegrität hat festgestellt, dass der Abbildhash einer Datei nicht gültig ist. Die Datei wurde möglicherweise durch eine nicht autorisierte Änderung beschädigt. Dieses Problem kann auch auf einen potenziellen Fehler des Datenträgergeräts hinweisen.

Dateiname:	\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys	
Record Number: 47354
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090506105613.054942-000
Event Type: Überwachung gescheitert
User: 

Computer Name: PIWA
Event Code: 5038
Message: Die Codeintegrität hat festgestellt, dass der Abbildhash einer Datei nicht gültig ist. Die Datei wurde möglicherweise durch eine nicht autorisierte Änderung beschädigt. Dieses Problem kann auch auf einen potenziellen Fehler des Datenträgergeräts hinweisen.

Dateiname:	\Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys	
Record Number: 47355
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090506105613.116942-000
Event Type: Überwachung gescheitert
User: 

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OnlineServices"=Online-Dienste
"OS"=Windows_NT
"Path"=C:\Program Files\PC Connectivity Solution\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PCBRAND"=Pavilion
"PLATFORM"=MCD
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 72 Stepping 2, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=4802
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%

-----------------EOF-----------------
         
gmer
Code:
ATTFilter
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-06 13:06:17
Windows 6.0.6001 Service Pack 1


---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\fastfat \Fat                 fltmgr.sys (Microsoft Dateisystem-Filter-Manager/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
         
Regards

Alt 06.05.2009, 13:15   #5
Chris4You
 
Trojaner TR/Agent.cx45

Hi,

Your computer is badly out of date: IE6 and SP1 are no longer current, update without fail;

Please check the following files:

Have the files checked online:
  • Go to the Virustotal site, click the "Browse" button
    and locate the following file(s):
Code:
ATTFilter
C:\Users\Franzi\AppData\Local\Temp\1416.exe
C:\Windows\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
C:\Windows\System32\drivers\tcpip.sys
C:\Windows\system32\DRIVERS\cpqbttn.sys
         
  • Now upload each file one after the other and wait until the scan is finished (can take up to 2 minutes).
  • Afterwards post the result of the analysis: copy everything and paste it into a post.
  • Important: also copy the file size and the HASH!
If 1416.exe was detected:
Avenger instructions (by swandog46)

1.) Download the Avenger tool and save it to the desktop:



2.) Set the program up as shown in the picture.

Now copy the following text into the white box:
(at -> "input script here")


Code:
ATTFilter
Files to delete:
C:\Users\Franzi\AppData\Local\Temp\1416.exe
C:\Windows\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

Folders to delete:
C:\Users\Franzi\AppData\Local\Temp
         
3.) Now close all programs (save your work first if necessary!) and browser windows; after Avenger runs, the system will be restarted.

4.) To start Avenger, click on -> Execute
Then confirm with "Yes" that the computer will restart!

5.) After the system has restarted, you will find a report from Avenger here -> C:\avenger.txt

Open the file with Notepad and copy the entire text into your post here on the Trojaner-Board.

Prevx:
http://www.prevx.com/freescan.asp
If the tool finds something, don't post the log but a screenshot of the window that is then displayed...

chris

__________________
Don't bring me down
Read before posting!
Donations
(Anyone who wants to donate is welcome to get in touch)
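The check Chris4You asks for above (post the VirusTotal result together with file size and hash) is worth automating before a path goes into an Avenger delete script. This is an added example, not code from the thread or from VirusTotal: it parses the tab-separated result table VirusTotal returned, counts detections, and confirms that the file on disk has the size and hashes the report lists. The sample report text is an abbreviated copy of the result posted later in this thread; the temporary file and its contents are constructed.

```python
"""Sanity-check a pasted VirusTotal result before its file goes into a delete script."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Optional

# Abbreviated copy of the VirusTotal result for 1416.exe posted later in this thread
# (nine engines plus the size/hash block); "-" in the last column means no detection.
SAMPLE_REPORT = """\
 Datei 1416.exe empfangen 2009.05.06 15:12:06 (CET)

Antivirus\tVersion\tletzte aktualisierung\tErgebnis
AntiVir\t7.9.0.160\t2009.05.06\tTR/Agent.cx.45
Avast\t4.8.1335.0\t2009.05.05\tWin32:Trojan-gen {Other}
ClamAV\t0.94.1\t2009.05.06\t-
Kaspersky\t7.0.0.125\t2009.05.06\t-
Microsoft\t1.4602\t2009.05.06\t-
NOD32\t4055\t2009.05.06\tWin32/TrojanDownloader.FakeAlert.XY
Prevx\t3.0\t2009.05.06\tMedium Risk Malware
Sophos\t4.41.0\t2009.05.06\tMal/EncPk-HW
Symantec\t1.4.4.12\t2009.05.06\tTrojan Horse
weitere Informationen
File size: 98308 bytes
MD5...: 6bfcfe9fec3b896bce47c2a0d5a5d301
SHA1..: ea9f1070255b7e774b6f3ece5d1120da4ac180d5
SHA256: 08f125b9f0cc10ae2b8218dad5ae70c97b0f560afd6318d2320bcdc57454a97d
"""
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256)\.*:\s*([0-9a-fA-F]+)$")


@dataclass
class VtReport:
    filename: str = ""
    size: Optional[int] = None
    hashes: Dict[str, str] = field(default_factory=dict)            # algorithm -> hex digest
    results: Dict[str, Optional[str]] = field(default_factory=dict)  # engine -> name or None


def parse_virustotal_report(text: str) -> VtReport:
    """Parse the header line, the engine table and the size/hash block of a pasted report."""
    report, in_table = VtReport(), False
    for raw in text.splitlines():
        line = raw.strip()
        cells = [c.strip() for c in raw.split("\t")]
        if line.startswith("Antivirus\t"):
            in_table = True                      # header row of the engine table
            continue
        if in_table and len(cells) == 4:         # engine rows follow the header row
            engine, _version, _updated, result = cells
            report.results[engine] = None if result == "-" else result
            continue
        in_table = False                         # any other text ends the table
        if m := re.match(r"^Datei (\S+) empfangen", line):
            report.filename = m.group(1)
        elif m := HASH_LINE.match(line):
            report.hashes[m.group(1).lower()] = m.group(2).lower()
        elif m := re.match(r"^File size:\s*(\d+) bytes", line):
            report.size = int(m.group(1))
    return report


def detection_summary(report: VtReport):
    """Return (detections, engines queried, {engine: detection name})."""
    hits = {engine: name for engine, name in report.results.items() if name is not None}
    return len(hits), len(report.results), hits


def hash_file(path: str):
    """Size and MD5/SHA1/SHA256 of a file, read in chunks so large files are fine."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return size, {algo: d.hexdigest() for algo, d in digests.items()}


def file_matches_report(path: str, report: VtReport) -> bool:
    """True only if the file has the size and every hash the report lists (no hashes: never)."""
    size, digests = hash_file(path)
    if report.size is not None and size != report.size:
        return False
    return bool(report.hashes) and all(digests.get(a) == h for a, h in report.hashes.items())


def hash_check_demo():
    """Constructed stand-in file: must not match the 1416.exe report, must match its own."""
    page_report = parse_virustotal_report(SAMPLE_REPORT)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "1416.exe")             # same name, different bytes
        with open(path, "wb") as fh:
            fh.write(b"constructed, not the sample" * 100)   # 27 * 100 = 2700 bytes
        size, digests = hash_file(path)
        own_report = VtReport(filename="1416.exe", size=size, hashes=digests)
        return size, digests["sha256"], file_matches_report(path, page_report), file_matches_report(path, own_report)
```

A same-named file that fails the hash check is not the sample VirusTotal judged, so its path does not belong in the delete script until it has been scanned itself.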

Alt 06.05.2009, 14:21   #6
crispy_2209
 
Trojaner TR/Agent.cx45

Code:
ATTFilter
 Datei 1416.exe empfangen 2009.05.06 15:12:06 (CET)

Antivirus	Version	letzte aktualisierung	Ergebnis
a-squared	4.0.0.101	2009.05.06	-
AhnLab-V3	5.0.0.2	2009.05.06	Win-Trojan/Xema.variant
AntiVir	7.9.0.160	2009.05.06	TR/Agent.cx.45
Antiy-AVL	2.0.3.1	2009.05.06	-
Authentium	5.1.2.4	2009.05.06	-
Avast	4.8.1335.0	2009.05.05	Win32:Trojan-gen {Other}
AVG	8.5.0.327	2009.05.06	Agent2.FIH
BitDefender	7.2	2009.05.06	-
CAT-QuickHeal	10.00	2009.05.06	Trojan.Agent.ATV
ClamAV	0.94.1	2009.05.06	-
Comodo	1153	2009.05.06	-
DrWeb	5.0.0.12182	2009.05.06	-
eSafe	7.0.17.0	2009.05.05	-
eTrust-Vet	31.6.6492	2009.05.06	Win32/VMalum.FHRH
F-Prot	4.4.4.56	2009.05.06	-
Fortinet	3.117.0.0	2009.05.06	-
GData	19	2009.05.06	Win32:Trojan-gen {Other}
Ikarus	T3.1.1.49.0	2009.05.06	-
K7AntiVirus	7.10.723	2009.05.05	Trojan.Win32.Malware.4
Kaspersky	7.0.0.125	2009.05.06	-
McAfee	5606	2009.05.05	Generic Dropper.cx
McAfee+Artemis	5606	2009.05.05	Generic Dropper.cx
McAfee-GW-Edition	6.7.6	2009.05.06	Trojan.Agent.cx.45
Microsoft	1.4602	2009.05.06	-
NOD32	4055	2009.05.06	Win32/TrojanDownloader.FakeAlert.XY
Norman	6.01.05	2009.05.05	-
nProtect	2009.1.8.0	2009.05.06	-
Panda	10.0.0.14	2009.05.05	-
PCTools	4.4.2.0	2009.05.06	-
Prevx	3.0	2009.05.06	Medium Risk Malware
Rising	21.28.22.00	2009.05.06	Trojan.DL.Win32.Undef.egh
Sophos	4.41.0	2009.05.06	Mal/EncPk-HW
Sunbelt	3.2.1858.2	2009.05.06	-
Symantec	1.4.4.12	2009.05.06	Trojan Horse
TheHacker	6.3.4.1.319	2009.05.05	-
TrendMicro	8.950.0.1092	2009.05.06	Cryp_Xed-18
VBA32	3.12.10.4	2009.05.05	-
ViRobot	2009.5.6.1721	2009.05.06	-
VirusBuster	4.6.5.0	2009.05.05	-
weitere Informationen
File size: 98308 bytes
MD5...: 6bfcfe9fec3b896bce47c2a0d5a5d301
SHA1..: ea9f1070255b7e774b6f3ece5d1120da4ac180d5
SHA256: 08f125b9f0cc10ae2b8218dad5ae70c97b0f560afd6318d2320bcdc57454a97d
SHA512: f6dcdee9c3ae5dc1ffdd434003540248459206d55ed17ae242752674792de740f6b4c504dda51b4d149c11d844503d7efda14db1f190c99c160d84ec5b446a74
ssdeep: 1536:MX1o34icugA9ad9s5NYpJbusMyTUU8Ugj0+V41/bgeULes88:MX1OJJ9UaMJbuzyTUUQjN60D6s88
PEiD..: -
TrID..: File type identification
Win32 Dynamic Link Library (generic) (55.5%)
Clipper DOS Executable (14.7%)
Generic Win/DOS Executable (14.6%)
DOS Executable Generic (14.6%)
VXD Driver (0.2%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1202
timedatestamp.....: 0x483de439 (Wed May 28 23:01:13 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.CUFsgR 0x1000 0x3bc3 0x3c00 5.23 4ec42743c2e915d8103aab6ebf3cc89e
.kqzN 0x5000 0x11f01 0x12000 7.34 40a23d0d599ffd455e59183de18585ba
.DWAU 0x17000 0x1ace8 0xc00 0.00 d2a70550489de356a2cd6bfc40711204
.pgSX 0x32000 0x739 0x400 0.00 0f343b0931126a20f133d67c2b018a3b
.xyZZ 0x33000 0xa08 0x400 0.00 0f343b0931126a20f133d67c2b018a3b

( 4 imports )
> advapi32.dll: RegDeleteKeyA, RegEnumKeyW, RegQueryValueW, RegQueryInfoKeyW, RegLoadKeyW, RegDeleteValueA, RegCreateKeyExW, RegCreateKeyW, RegQueryInfoKeyA, RegEnumKeyExA, RegEnumKeyExW, RegOpenKeyExW, RegEnumValueW, RegOpenKeyW, RegQueryValueExW, RegEnumValueA
> user32.dll: LoadMenuA, DrawTextA, CalcMenuBar, IsMenu, GetMenu, DrawIcon, DialogBoxParamA, GetFocus, InsertMenuA, AlignRects, DrawTextW, DrawIconEx, GetCursor, CopyRect, LoadCursorA, CopyImage, GetDC, GetDlgItem, CloseWindow, AppendMenuA
> kernel32.dll: FreeLibrary, GetFileAttributesA, GlobalAlloc, GetLocalTime, lstrlenA, WideCharToMultiByte, GetLastError, GetModuleFileNameA, HeapAlloc, lstrcpynA, HeapFree, lstrcatA, lstrcpyA, GetStringTypeA, GetFileType, GetStringTypeW, lstrcmpA, GetCommandLineA, CloseHandle, GetCPInfo
> comctl32.dll: ImageList_DragShowNolock, ImageList_Draw, ImageList_Remove, ImageList_AddIcon, ImageList_Merge, ImageList_Replace, ImageList_Create, ImageList_GetImageRect, ImageList_ReplaceIcon, ImageList_Read, ImageList_DrawEx, ImageList_GetIconSize, ImageList_DragLeave, ImageList_GetDragImage, ImageList_LoadImageA, ImageList_LoadImage, ImageList_GetImageInfo, ImageList_BeginDrag

( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=6bfcfe9fec3b896bce47c2a0d5a5d301
http://info.prevx.com/aboutprogramtext.asp?PX5=55D16841049B49B280BD01C6B6DD30000C2DFFB1
         

Alt 06.05.2009, 14:33   #7
crispy_2209
 
Trojaner TR/Agent.cx45

For the files
C:\Windows\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
C:\Windows\system32\DRIVERS\cpqbttn.sys
nothing was found.

Code:
ATTFilter
Datei tcpip.sys empfangen 2009.05.06 15:27:45 (CET)
Antivirus	Version	letzte aktualisierung	Ergebnis
a-squared	4.0.0.101	2009.05.06	-
AhnLab-V3	5.0.0.2	2009.05.06	-
AntiVir	7.9.0.160	2009.05.06	-
Antiy-AVL	2.0.3.1	2009.05.06	-
Authentium	5.1.2.4	2009.05.06	-
Avast	4.8.1335.0	2009.05.05	-
AVG	8.5.0.327	2009.05.06	-
BitDefender	7.2	2009.05.06	-
CAT-QuickHeal	10.00	2009.05.06	-
ClamAV	0.94.1	2009.05.06	-
Comodo	1153	2009.05.06	-
DrWeb	5.0.0.12182	2009.05.06	-
eSafe	7.0.17.0	2009.05.05	-
eTrust-Vet	31.6.6492	2009.05.06	-
F-Prot	4.4.4.56	2009.05.06	-
F-Secure	8.0.14470.0	2009.05.06	-
Fortinet	3.117.0.0	2009.05.06	-
GData	19	2009.05.06	-
Ikarus	T3.1.1.49.0	2009.05.06	-
K7AntiVirus	7.10.723	2009.05.05	-
Kaspersky	7.0.0.125	2009.05.06	-
McAfee	5606	2009.05.05	-
McAfee+Artemis	5606	2009.05.05	-
McAfee-GW-Edition	6.7.6	2009.05.06	-
Microsoft	1.4602	2009.05.06	-
NOD32	4055	2009.05.06	-
Norman	6.01.05	2009.05.05	-
nProtect	2009.1.8.0	2009.05.06	-
Panda	10.0.0.14	2009.05.05	-
PCTools	4.4.2.0	2009.05.06	-
Prevx	3.0	2009.05.06	-
Rising	21.28.22.00	2009.05.06	-
Sophos	4.41.0	2009.05.06	-
Sunbelt	3.2.1858.2	2009.05.06	-
Symantec	1.4.4.12	2009.05.06	-
TheHacker	6.3.4.1.319	2009.05.05	-
TrendMicro	8.950.0.1092	2009.05.06	-
VBA32	3.12.10.4	2009.05.05	suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)
ViRobot	2009.5.6.1721	2009.05.06	-
VirusBuster	4.6.5.0	2009.05.05	-
weitere Informationen
File size: 891448 bytes
MD5...: 82e266bee5f0167e41c6ecfdd2a79c02
SHA1..: f633629656e43452aa08611f0f72d24a46e7441c
SHA256: 1f462e882a662b2a133df035c435001b2ef6364f49a9ed6a6d98bd643093b666
SHA512: 68d9b06394cbedac12e7f7614e869a23d19e1b192d7073b54da9b52dce107b0aa3728e42daadb142012dbe75c99c8804c3546d3d06b9cb37d10ba7548051e565
ssdeep: 24576:AU8e8jAyOLkAnwNfH7QijBpVptQ9xtoYA8pk2NoahI/9+6lG:XBmpExtUGzh
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (87.2%)
Win32 Executable Generic (8.6%)
Generic Win/DOS Executable (2.0%)
DOS Executable Generic (2.0%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xdb1b9
timedatestamp.....: 0x4812c4f1 (Sat Apr 26 06:00:17 2008)
machinetype.......: 0x14c (I386)

( 9 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb845a 0xb8600 6.56 00a1233fe9746187447652d7dc3ffbc6
.rdata 0xba000 0xa624 0xa800 5.96 493d852e4c61e97ecccb7c0f9ef00453
.data 0xc5000 0x127bc 0x8200 0.73 4b04e70641bc018f3bb3ecfe21d14085
PAGE 0xd8000 0x998 0xa00 6.24 adb86400cc1779d55c23b4541ed877a5
.edata 0xd9000 0x49 0x200 0.85 bc4f6499041f7ae6ccd4f9bc34c9a0a6
PAGECONS 0xda000 0x78 0x200 1.25 c38c1652cc4ccd80c9fa5a4b7fd44dce
INIT 0xdb000 0x3e4a 0x4000 5.86 ae6a9304fa92558ccc9e7b58b71aea61
.rsrc 0xdf000 0x3e0 0x400 3.35 26021db0eb5acfd57a42b734b5c2a9bd
.reloc 0xe0000 0x6b2c 0x6c00 6.77 652655dbea4ffa2f4b600805faa41e67

( 8 imports )
> ntoskrnl.exe: MmUserProbeAddress, PsGetCurrentProcessId, ExAcquireResourceExclusiveLite, KeEnterCriticalRegion, KeLeaveCriticalRegion, ExReleaseResourceLite, ExDeleteResourceLite, ExInitializeResourceLite, RtlUnwind, RtlAnsiCharToUnicodeChar, MmProbeAndLockPages, RtlInitializeBitMap, RtlSetBit, RtlSetBits, ExInitializeLookasideListEx, ExDeleteLookasideListEx, KeBugCheckEx, DbgPrint, RtlEqualSid, RtlSubAuthoritySid, SeQueryInformationToken, ObOpenObjectByPointer, ZwQueryInformationToken, ExGetPreviousMode, ExUuidCreate, ExAllocatePoolWithQuotaTag, KeTickCount, IoGetCurrentProcess, KeInitializeMutex, KeBugCheck, KeDelayExecutionThread, SeSetAuditParameter, SeReportSecurityEventWithSubCategory, DbgBreakPoint, MmSizeOfMdl, MmUnmapLockedPages, ObLogSecurityDescriptor, SeCaptureSubjectContextEx, SeLockSubjectContext, IoGetFileObjectGenericMapping, SeAccessCheck, SeUnlockSubjectContext, SeReleaseSubjectContext, RtlCreateSecurityDescriptor, SeExports, RtlLengthSid, RtlCreateAcl, RtlAddAccessAllowedAceEx, RtlSetDaclSecurityDescriptor, ExInterlockedFlushSList, KeInitializeSemaphore, 
ExAllocatePoolWithTagPriority, MmUnlockPages, RtlVerifyVersionInfo, KeInitializeTimerEx, ExGetCurrentProcessorCounts, KeSetTimerEx, KeQueryActiveProcessors, KeQueryInterruptTime, KeFlushQueuedDpcs, KeCancelTimer, KeInitializeDpc, KeSetTargetProcessorDpc, KeSetImportanceDpc, KeWaitForMultipleObjects, KeInsertQueueDpc, IoAllocateWorkItem, IoQueueWorkItem, IoFreeWorkItem, MmBuildMdlForNonPagedPool, KeQueryMaximumProcessorCount, RtlInitializeGenericTableAvl, RtlGetVersion, KeQuerySystemTime, RtlLookupElementGenericTableFullAvl, ObDereferenceSecurityDescriptor, IoAllocateErrorLogEntry, IoWriteErrorLogEntry, ExNotifyCallback, KeIsExecutingDpc, PsGetProcessSessionId, InterlockedPushEntrySList, InterlockedPopEntrySList, KefAcquireSpinLockAtDpcLevel, IoAllocateMdl, IoBuildPartialMdl, KefReleaseSpinLockFromDpcLevel, IoFreeMdl, PsGetProcessId, MmMapLockedPagesSpecifyCache, ZwQuerySystemInformation, KeTestSpinLock, KeAcquireInStackQueuedSpinLockAtDpcLevel, KeReleaseInStackQueuedSpinLockFromDpcLevel, ObReferenceSecurityDescriptor, KeReleaseSemaphore, ExCreateCallback, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfReferenceObject, PsGetCurrentProcess, PsIsSystemThread, PsGetThreadProcess, KeGetCurrentThread, KeInitializeEvent, KeSetEvent, RtlEnumerateGenericTableLikeADirectory, RtlIpv4AddressToStringExW, RtlIpv6AddressToStringExW, RtlTimeToTimeFields, ExDeleteNPagedLookasideList, ExInitializeNPagedLookasideList, RtlLengthRequiredSid, RtlInitializeSid, RtlAddAccessAllowedAce, ObSetSecurityObjectByPointer, IoCreateDevice, IoDeleteDevice, KeWaitForSingleObject, KeQueryActiveProcessorCount, KeReleaseMutex, ZwOpenEvent, ObReferenceObjectByHandle, ZwClose, ObfDereferenceObject, KeReadStateEvent, IofCompleteRequest, IofCallDriver, IoWMIRegistrationControl, RtlCompareMemory, RtlInitUnicodeString, MmGetSystemRoutineAddress, RtlValidSid, RtlCopySid, ZwEnumerateKey, ObCloseHandle, RtlIpv4StringToAddressW, RtlIpv6StringToAddressW, RtlIntegerToUnicodeString, 
RtlConvertSidToUnicodeString, RtlFreeUnicodeString, ZwQueryValueKey, RtlUnicodeStringToInteger, ZwOpenKey, RtlCompareUnicodeString, PsSetCreateProcessNotifyRoutineEx, SeLocateProcessImageName, ZwCreateFile, RtlDowncaseUnicodeString, ZwOpenProcess, KeStackAttachProcess, ZwDuplicateToken, KeUnstackDetachProcess, IoDeleteSymbolicLink, IoCreateSymbolicLink, KeQueryTimeIncrement, PsReferenceImpersonationToken, PsDereferencePrimaryToken, PsReferencePrimaryToken, VerSetConditionMask, RtlFindSetBits, RtlAreBitsClear, RtlFindClearBits, RtlClearBits, ExAcquireResourceSharedLite, RtlClearBit, RtlClearAllBits, SeOpenObjectAuditAlarmForNonObObject, RtlTestBit, PsDereferenceImpersonationToken, RtlQueryRegistryValues, memset, memcpy, ExAllocatePoolWithTag, IoWMIWriteEvent, RtlSubAuthorityCountSid, ExFreePoolWithTag<br>&gt; NETIO.SYS: FsbAllocateAtDpcLevel, RtlInitializeTimerWheelEntry, NetioShutdownWorkQueue, RtlComputeToeplitzHash, RtlLookupEntryHashTable, RtlGetNextEntryHashTable, RtlInsertEntryHashTable, RtlRemoveEntryHashTable, RtlCleanupTimerWheelEntry, RtlReturnTimerWheelEntry, RtlGetNextExpiredTimerWheelEntry, RtlDeleteElementGenericTableBasicAvl, NetioInitializeWorkQueue, RtlInsertElementGenericTableBasicAvl, FsbAllocate, NetioAdvanceToLocationInNetBuffer, RtlCopyMdlToMdlIndirect, RtlUpdateCurrentTimerWheelTick, RtlEndTimerWheelEnumeration, RtlEnumerateNextTimerWheelEntry, RtlInitializeTimerWheelEnumeration, RtlCleanupTimerWheel, RtlDeleteHashTable, RtlCreateHashTable, RtlInitializeTimerWheel, RtlContractHashTable, RtlExpandHashTable, RtlEndEnumerationHashTable, RtlEnumerateEntryHashTable, RtlInitEnumerationHashTable, NetioFreeOpaquePerProcessorContext, NetioAllocateOpaquePerProcessorContext, TlDefaultRequestQueryDispatchEndpoint, TlDefaultRequestMessage, TlDefaultRequestQueryDispatch, RtlEndWeakEnumerationHashTable, RtlWeaklyEnumerateEntryHashTable, RtlInitWeakEnumerationHashTable, NsiSetAllParameters, RtlCopyMdlToBuffer, NetioFreeNetBufferAndNetBufferList, 
NetioAllocateAndReferenceNetBufferAndNetBufferList, RtlCopyBufferToMdl, NmrWaitForClientDeregisterComplete, NmrDeregisterClient, NmrClientDetachProviderComplete, NmrClientAttachProvider, NmrRegisterClient, NmrProviderDetachClientComplete, NmrRegisterProvider, NmrWaitForProviderDeregisterComplete, NmrDeregisterProvider, NetioRetreatNetBufferList, NetioAllocateAndReferenceCopyNetBufferListEx, NetioCompleteCopyNetBufferListChain, NetioFreeCopyNetBufferList, NetioInitializeNetBufferListContext, TlDefaultRequestCancel, TlDefaultRequestConnect, TlDefaultRequestListen, NetioReferenceNetBufferList, TlDefaultRequestIoControl, NetioDereferenceNetBufferListChain, NetioAllocateNetBufferMdlAndData, NetioAllocateAndReferenceNetBufferListNetBufferMdlAndData, NetioDereferenceNetBufferList, NetioFreeNetBuffer, NetioExtendNetBuffer, NetioFreeNetBufferList, FsbFree, RtlIndicateTimerWheelEntryTimerStart, NetioFreeMdl, NetioFreeNetBufferListNetBufferMdlAndDataPool, NetioAllocateNetBufferMdlAndDataPool, NetioAllocateNetBufferListNetBufferMdlAndDataPool, NetioFreeNetBufferMdlAndDataPool, RtlCleanupToeplitzHash, RtlInitializeToeplitzHash, WfpStartStreamShim, NetioAllocateMdl, NetioInsertWorkQueue, WfpStreamInspectRemoteDisconnect, WfpStreamInspectReceive, WfpStreamInspectDisconnect, WfpStreamInspectSend, WfpStreamEndpointCleanupBegin, NetioInitializeNetBufferListAndFirstNetBufferContext, NsiEnumerateObjectsAllParameters, NsiReferenceDefaultObjectSecurity, NsiDeregisterChangeNotification, NsiRegisterChangeNotification, NetioCompleteNetBufferListChain, RtlCopyMdlToMdl, NetioAllocateAndReferenceFragmentNetBufferList, SetWfpDeviceObject, IoctlKfdBatchUpdate, IoctlKfdDeleteIndex, IoctlKfdAddIndex, IoctlKfdAddCache, IoctlKfdResetState, IoctlKfdQueryLayerStatistics, IoctlKfdAbortTransaction, IoctlKfdCommitTransaction, IoctlKfdDeleteCache, KfdIsActiveCallout, HfCreateFactory, HfDestroyFactory, NsiSetObjectSecurity, NetioAllocateNetBuffer, NetioAllocateAndReferenceNetBufferList, PtGetNumNodes, 
PtCreateTable, PtDestroyTable, PtDeleteEntry, PtInsertEntry, PtGetExactMatch, PtEnumOverTable, PtGetLongestMatch, PtGetNextShorterMatch, RtlCompute37Hash, PtGetKey, PtSetData, PtGetData, NsiSetParameter, NsiAllocateAndGetTable, NsiFreeTable, NetioCompleteNetBufferAndNetBufferListChain, NetioQueryNetBufferListTrafficClass, NetioAllocateAndReferenceVacantNetBufferList, NetioAllocateAndReferenceCloneNetBufferListEx, NetioExpandNetBuffer, NetioUpdateNetBufferListContext, NetioAllocateAndReferenceCloneNetBufferList, NetioFreeCloneNetBufferList, NsiGetParameter, KfdCheckAcceptBypass, KfdCheckAndCacheAcceptBypass, KfdCheckConnectBypass, KfdCheckAndCacheConnectBypass, KfdGetLayerActionFromEnumTemplate, KfdEnumLayer, KfdGetNextFilter, KfdDerefFilterContext, KfdFreeEnumHandle, WfpScavangeLeastRecentlyUsedList, KfdAleInitializeFlowTable, WfpSetBucketsToEmptyLru, WfpExpireEntryLru, WfpInsertEntryLru, WfpDeleteEntryLru, WfpStreamIsFilterPresent, KfdToggleFilterActivation, NsiGetAllParameters, WfpInitializeLeastRecentlyUsedList, KfdAleNotifyFlowDeletion, FwppStreamDeleteDpcQueue, WfpUninitializeLeastRecentlyUsedList, KfdAleUninitializeFlowHandles, KfdAleInitializeFlowHandles, KfdGetOffloadEpoch, KfdIsLsoOffloadPossibleV6, KfdIsLsoOffloadPossibleV4, KfdIsV6InTransportFastEmpty, KfdIsV4InTransportFastEmpty, KfdIsV6OutTransportFastEmpty, KfdIsV4OutTransportFastEmpty, WfpRefreshEntryLru, NetioAdvanceNetBufferList, KfdCheckClassifyNeededAndUpdateEpoch, KfdAleAcquireFlowHandleForFlow, KfdClassify, KfdAleReleaseFlowHandleForFlow, KfdGetLayerCacheEpoch, KfdIsLayerEmpty, FwppStreamInject, FwppStreamContinue, FwppCopyStreamDataToBuffer, FwppAdvanceStreamDataPastOffset, FwppTruncateStreamDataAfterOffset, NetioUnRegisterProcessorAddCallback, NetioUnInitializeNetBufferListLibrary, NetioInitializeNetBufferListLibrary, NetioRegisterProcessorAddCallback, RtlInvokeStartRoutines, RtlInvokeStopRoutines, FsbDestroyPool, WfpStopStreamShim, FsbCreatePool, NsiGetParameterEx<br>&gt; NDIS.SYS: 
NdisDeregisterProtocolDriver, NdisRegisterProtocolDriver, NdisInitiateOffload, NdisInitializeTimer, NdisAcquireReadWriteLock, NdisGetSessionToCompartmentMappingEpochAndZero, NdisTerminateOffload, NdisUpdateOffload, NdisInvalidateOffload, NdisQueryOffloadState, NdisOidRequest, NdisDirectOidRequest, NdisCompleteNetPnPEvent, NdisCloseAdapterEx, NdisOpenAdapterEx, NdisSetTimer, NdisInitializeReadWriteLock, NdisCancelTimer, NdisCancelSendNetBufferLists, NdisSendNetBufferLists, NdisReleaseReadWriteLock, NdisReturnNetBufferLists, NdisOffloadTcpSend, NdisOffloadTcpReceive, NdisOffloadTcpReceiveReturn, NdisOffloadTcpDisconnect, NdisSetOptionalHandlers, NdisOffloadTcpForward, NdisGetDataBuffer, NetDmaRegisterClient, NetDmaDeregisterClient, NetDmaFreeChannel, NetDmaAllocateChannel, NdisGetProcessorInformation, NdisFreeNetBufferList, NetDmaNullTransfer, NetDmaIsDmaCopyComplete, NdisGetThreadObjectCompartmentId, NdisGetSessionCompartmentId, NdisAdjustNetBufferCurrentMdl, NdisAdvanceNetBufferDataStart, NdisRetreatNetBufferDataStart<br>&gt; FLTMGR.SYS: FltGetFileNameInformationUnsafe, FltReleaseFileNameInformation<br>&gt; fwpkclnt.sys: FwpsCalloutUnregisterByKey0, FwpmBfeStateSubscribeChangesWithoutDevice0, FwpmBfeStateUnsubscribeChanges0, FwpsClassifyOptionSet0, FwpmEngineClose0, FwpmEngineOpen0, FwpmSecureSocketDeleteByKeyAsync0, FwpmSecureSocketAddAsync0, FwpmEventProviderIsNetEventTypeEnabled0, FwpsRequestEndpointDeleteNotification0, FwppDispatchDevCtl0, IPsecDriverExpire, IPsecDriverInitiateAcquire, FwpmEventProviderFireNetEvent0, FwpsTcpIpDispatchTableClear0, FwpmEventProviderDestroy0, FwpmEventProviderCreate0, FwpsTcpIpDispatchTableSet0, FwpsCalloutRegisterWithoutDevice0<br>&gt; HAL.dll: KeGetCurrentIrql, KfReleaseSpinLock, KfLowerIrql, KfAcquireSpinLock, KeAcquireInStackQueuedSpinLock, KeReleaseInStackQueuedSpinLock, KeRaiseIrqlToDpcLevel, ExReleaseFastMutex, ExAcquireFastMutex, KfRaiseIrql, KeQueryPerformanceCounter<br>&gt; ksecdd.sys: BCryptDestroyHash, BCryptDecrypt, 
BCryptCloseAlgorithmProvider, BCryptOpenAlgorithmProvider, BCryptSetProperty, BCryptGetProperty, BCryptGenRandom, BCryptHashData, BCryptEncrypt, BCryptGenerateSymmetricKey, BCryptDestroyKey, BCryptFinishHash, BCryptCreateHash<br>&gt; msrpc.sys: NdrMesTypeDecode2, MesHandleFree, I_RpcExceptionFilter, MesDecodeBufferHandleCreate<br><br>( 1 exports ) <br>EQoSTestHook<br>
PDFiD.: -
RDS...: NSRL Reference Data Set<br>-
         

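
The PEInfo listing above (entry point, timestamp, the section table with its ntrpy column, and the import list) is what a scanner derives from the PE headers of the submitted driver. As an added example, not code from this thread or from any tool mentioned in it, the Python below reads a PE32 section table the same way, computes the per-section Shannon entropy that the ntrpy column shows, and names the sections that look packed or encrypted. So that it runs offline it builds its own constructed two-section image in memory; only the timestamp value is borrowed from the listing, nothing else is the real tcpip.sys. Pass the bytes of an actual file to parse_pe to get the same records for it.

```python
import hashlib
import math
import struct

# Added example: minimal PE32 section-table reader, not code from the thread.
# Only the fields the PEInfo listing prints are decoded.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(blob: bytes) -> float:
    """Entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Base data plus one record per section, like the '( base data )' and '( N sections )' parts."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, _ = FILE_HEADER.unpack_from(data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + FILE_HEADER.size
    entry_point = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sect_off = opt_off + opt_size                                    # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, chars) = SECTION_HEADER.unpack_from(data, sect_off + i * SECTION_HEADER.size)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),   # the 'ntrpy' column
            "md5": hashlib.md5(raw).hexdigest(),
            "characteristics": chars,
        })
    return {"machine": machine, "timestamp": timestamp,
            "entry_point": entry_point, "sections": sections}


def high_entropy_sections(report: dict, threshold: float = 7.0) -> list:
    """Section names whose raw bytes are near-random: a triage hint for packing or
    encryption, not a verdict (resources and compressed data legitimately score high)."""
    return [s["name"] for s in report["sections"] if s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image for offline runs; not the driver from the report.
    Only the timestamp value 0x4812c4f1 is borrowed from the listing above."""
    file_align = 0x200
    text_data = b"\x90\xc3" * 0x100                       # NOP/RET pairs: entropy exactly 1.0
    rsrc_data = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # near 8.0
    opt_size = 224                                        # PE32 optional header incl. data dirs
    dos = DOS_MAGIC + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at offset 0x3C
    file_hdr = FILE_HEADER.pack(0x14C, 2, 0x4812C4F1, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, len(text_data), len(rsrc_data), 0, 0x1000)
    opt += b"\0" * (opt_size - len(opt))

    def sec(name, vaddr, payload, rawptr, chars):
        return SECTION_HEADER.pack(name.ljust(8, b"\0"), len(payload), vaddr,
                                   len(payload), rawptr, 0, 0, 0, 0, chars)

    headers = dos + PE_SIGNATURE + file_hdr + opt
    headers += sec(b".text", 0x1000, text_data, file_align, 0x60000020)                   # CODE|EXECUTE|READ
    headers += sec(b".rsrc", 0x2000, rsrc_data, file_align + len(text_data), 0x40000040)  # INITIALIZED_DATA|READ
    headers += b"\0" * (file_align - len(headers))
    return headers + text_data + rsrc_data


if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    print("machine 0x%x entry 0x%x high-entropy %s" % (
        report["machine"], report["entry_point"], high_entropy_sections(report)))
    for s in report["sections"]:
        print(s["name"], hex(s["virtual_address"]), s["entropy"], s["md5"])
```

The threshold of 7.0 is a starting point, not a rule: the driver in the report sits between 5.9 and 6.8 for its code and data sections, which is ordinary for compiled x86 code, while a packed loader typically pushes a section close to 8.0.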
Alt 06.05.2009, 14:51   #8
crispy_2209
 

avenger.txt
Code:
ATTFilter
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Users\Franzi\AppData\Local\Temp\1416.exe" deleted successfully.
File "C:\Windows\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job" deleted successfully.
Folder "C:\Users\Franzi\AppData\Local\Temp" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
         

Alt 06.05.2009, 15:03   #9
crispy_2209
 

Here is the picture as well...
Attached image: Trojaner TR/Agent.cx45-neues-bild.jpg

Alt 06.05.2009, 15:55   #10
Chris4You
 

Hi,

Unfortunately it isn't clear: was Prevx run before Avenger or after?
If after, then it's back again... then there's a loader hidden somewhere... I don't like the tcpip.sys either...

.....RegistrySearch:
Download Registry Search by Bobbi Flekman
<http://virus-protect.org/artikel/tools/regsearch.html>
and double-click it to start. Under "Enter search strings" type or paste

1416.exe

into the edit box and click "Ok".
Notepad will open - post the text

chris
__________________
Don't bring me down
Read before posting!
Donations
(Anyone who wants to donate is welcome to get in touch)

Alt 06.05.2009, 20:01   #11
crispy_2209
 

Code:
ATTFilter
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 06.05.2009 20:58:53 for strings:
;  '1416.exe'
; Strings excluded from search:
;  (None)
; Search in: 
; Registry Keys  Registry Values  Registry Data  
; HKEY_LOCAL_MACHINE  HKEY_USERS  


[HKEY_USERS\S-1-5-21-3318146961-3867003620-525457802-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a4615823_0]
@="{0.0.0.00000000}.{418407b8-8a31-4d25-a7dc-25237c916fc5}|\\Device\\HarddiskVolume1\\Users\\Franzi\\AppData\\Local\\Temp\\1416.exe%b{00000000-0000-0000-0000-000000000000}"

; End Of The Log...
         
oh, by the way: Prevx was run after Avenger...

regards, christina

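
The Registry Search hit above is an execution artifact rather than a live autostart: the Audio\PolicyConfig\PropertyStore key stores per-application audio session settings, so it still holds the full NT path of 1416.exe after Avenger deleted the file itself. As an added example, not code from this thread or from Registry Search, the Python below parses a .reg export like the one posted, undoes the .reg string escaping, pulls out every .exe path whether written with a drive letter or as \Device\HarddiskVolumeN, and separates the hits that point into user-writable scratch folders from the rest. The sample text is the posted result plus one constructed Run-key entry built from the avgnt.exe line in the ComboFix log further down, so it runs without a registry.

```python
import re

# Added example, not code from the thread. Parses "Windows Registry Editor 5.00" exports.

# .reg string data is escaped: "\\" stands for "\" and "\"" for a literal quote
def unescape_reg_string(value: str) -> str:
    return value.replace('\\"', '"').replace("\\\\", "\\")

# Drive-letter paths and NT device paths (\Device\HarddiskVolumeN\...) ending in .exe
EXE_PATH = re.compile(
    r"(?:[A-Za-z]:|\\Device\\HarddiskVolume\d+)\\[^\"|%<>*?]+?\.exe", re.IGNORECASE)

# Locations any user can write to; legitimate autostarts rarely point here
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\temp\\", "\\tmp\\", "\\downloads\\")

# Constructed sample: the Registry Search result posted above plus one Run value
# assembled from the avgnt.exe line of the ComboFix log (not an actual export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman
; Results at 06.05.2009 20:58:53 for strings:
;  '1416.exe'

[HKEY_USERS\S-1-5-21-3318146961-3867003620-525457802-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a4615823_0]
@="{0.0.0.00000000}.{418407b8-8a31-4d25-a7dc-25237c916fc5}|\\Device\\HarddiskVolume1\\Users\\Franzi\\AppData\\Local\\Temp\\1416.exe%b{00000000-0000-0000-0000-000000000000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\\program files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe"
'''


def parse_reg_export(text: str):
    """Yield (key, value_name, raw_data) for every value line under its [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or "=" not in line:
            continue                     # hex continuation lines and junk have no '='
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        yield key, name, data


def find_executable_references(text: str):
    """Return [(key, value_name, path)] for every .exe path found in REG_SZ data.
    hex(2)/hex(7) encoded strings are skipped; decode them first if you need them."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not data.startswith('"'):
            continue
        for m in EXE_PATH.finditer(unescape_reg_string(data.strip('"'))):
            hits.append((key, name, m.group(0)))
    return hits


def user_writable_hits(text: str):
    """Subset of references that point into user-writable scratch locations."""
    return [h for h in find_executable_references(text)
            if any(marker in h[2].lower() for marker in USER_WRITABLE)]


if __name__ == "__main__":
    for key, name, path in find_executable_references(SAMPLE_REG):
        print(f"{name!r} under {key[:40]}... -> {path}")
    print("user-writable:", [p for _, _, p in user_writable_hits(SAMPLE_REG)])
```

The same scan run over a full `reg export HKU` dump turns a manual string search into a list of every executable the registry still remembers, which is the quickest way to see whether a deleted file has other footholds left.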
Alt 07.05.2009, 06:57   #12
Chris4You
 

Hi,

Let's let ComboFix loose; we'll probably need it later anyway...

ComboFix
Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to the desktop.
Close all windows, start combofix.exe, confirm the prompt that follows with 1 and press Enter.

The ComboFix scan can take some time, so be patient. Please do not do anything on the computer during the scan.
The computer may be restarted in the meantime.
When the scan finishes a report is displayed; please copy it and paste it into your thread.
Further instructions at: http://www.bleepingcomputer.com/combofix/de/wie-combofix-benutzt-wird
Note: a backup is created under C:\WINDOWS\erdnt.
Alternative downloads: http://subs.geekstogo.com/ComboFix.exe

chris

Alt 07.05.2009, 11:11   #13
crispy_2209
 

Code:
ATTFilter
ComboFix 09-05-06.05 - Franzi 07.05.2009 11:51.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.43.1031.18.958.379 [GMT 2:00]
ausgeführt von:: c:\users\Franzi\Desktop\ComboFix.exe
.

(((((((((((((((((((((((   Dateien erstellt von 2009-04-07 bis 2009-05-07  ))))))))))))))))))))))))))))))
.

2009-05-07 09:33 . 2009-05-07 09:33	--------	d-----w	c:\program files\pdfforge Toolbar
2009-05-07 09:32 . 2001-10-28 15:42	116224	----a-w	c:\windows\system32\pdfcmnnt.dll
2009-05-07 09:32 . 1998-07-06 16:56	125712	----a-w	c:\windows\system32\VB6DE.DLL
2009-05-07 09:32 . 1998-07-06 16:55	158208	----a-w	c:\windows\system32\MSCMCDE.DLL
2009-05-07 09:32 . 1998-07-06 16:55	64512	----a-w	c:\windows\system32\MSCC2DE.DLL
2009-05-07 09:32 . 1998-07-05 23:00	23552	----a-w	c:\windows\system32\MSMPIDE.DLL
2009-05-07 09:32 . 2009-05-07 09:33	--------	d-----w	c:\program files\PDFCreator
2009-05-06 13:54 . 2009-05-06 13:54	22024	----a-w	c:\windows\system32\drivers\pxscan.sys
2009-05-06 13:54 . 2009-05-06 13:54	27656	----a-w	c:\windows\system32\drivers\pxsec.sys
2009-05-06 13:54 . 2009-05-06 13:54	--------	d-----w	c:\program files\Prevx
2009-05-06 13:54 . 2009-05-07 08:40	--------	d-----w	c:\programdata\PrevxCSI
2009-05-06 13:54 . 2009-05-07 08:40	--------	d-----w	c:\users\All Users\PrevxCSI
2009-05-06 10:56 . 2009-05-06 10:56	--------	d-----w	C:\rsit
2009-05-06 09:06 . 2009-05-06 09:06	--------	d-----w	c:\program files\Trend Micro
2009-04-30 15:00 . 2009-04-30 15:00	--------	d-----w	c:\program files\CCleaner
2009-04-30 14:59 . 2009-04-30 14:59	--------	d-----w	c:\programdata\SUPERAntiSpyware.com
2009-04-30 14:59 . 2009-04-30 14:59	--------	d-----w	c:\users\All Users\SUPERAntiSpyware.com
2009-04-30 14:58 . 2009-04-30 14:58	--------	d-----w	c:\program files\SUPERAntiSpyware
2009-04-30 14:58 . 2009-04-30 14:58	--------	d-----w	c:\users\Franzi\AppData\Roaming\SUPERAntiSpyware.com
2009-04-30 12:01 . 2009-04-30 12:01	--------	d-----w	c:\users\Franzi\AppData\Roaming\Malwarebytes
2009-04-30 12:01 . 2009-04-06 13:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-04-30 12:01 . 2009-04-06 13:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 12:01 . 2009-04-30 12:01	--------	d-----w	c:\programdata\Malwarebytes
2009-04-30 12:01 . 2009-04-30 12:01	--------	d-----w	c:\users\All Users\Malwarebytes
2009-04-30 12:01 . 2009-04-30 12:01	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-04-29 22:28 . 2008-07-27 18:03	96760	----a-w	c:\windows\system32\dfshim.dll
2009-04-29 22:28 . 2008-07-27 18:03	282112	----a-w	c:\windows\system32\mscoree.dll
2009-04-29 22:28 . 2008-07-27 18:03	41984	----a-w	c:\windows\system32\netfxperf.dll
2009-04-29 22:27 . 2008-07-27 18:03	158720	----a-w	c:\windows\system32\mscorier.dll
2009-04-29 22:27 . 2008-07-27 18:03	83968	----a-w	c:\windows\system32\mscories.dll
2009-04-29 22:24 . 2009-03-08 11:32	72704	----a-w	c:\windows\system32\admparse.dll
2009-04-29 22:24 . 2009-03-08 11:31	48128	----a-w	c:\windows\system32\mshtmler.dll
2009-04-29 22:24 . 2009-03-08 11:22	156160	----a-w	c:\windows\system32\msls31.dll
2009-04-29 21:58 . 2009-04-29 21:58	--------	d-sh--w	c:\windows\system32\config\systemprofile\Lokale Einstellungen
2009-04-21 20:07 . 2009-04-21 20:07	--------	d-----w	c:\program files\FLV Player
2009-04-21 20:02 . 2009-04-21 20:02	--------	d-----w	c:\program files\YouTube Downloader

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 07:44 . 2007-03-22 14:59	25248	----a-w	c:\users\Franzi\AppData\Roaming\nvModes.dat
2009-04-30 14:57 . 2008-03-28 15:51	--------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2009-04-30 14:48 . 2006-11-02 15:33	618442	----a-w	c:\windows\system32\perfh007.dat
2009-04-30 14:48 . 2006-11-02 15:33	122648	----a-w	c:\windows\system32\perfc007.dat
2009-04-30 11:58 . 2006-11-02 10:25	51200	----a-w	c:\windows\inf\infpub.dat
2009-04-30 11:58 . 2006-11-02 10:25	143360	----a-w	c:\windows\inf\infstrng.dat
2009-04-30 08:07 . 2007-01-19 03:06	--------	d-----w	c:\program files\CONEXANT
2009-04-29 21:56 . 2007-01-19 03:26	--------	d-----w	c:\program files\Common Files\Sonic Shared
2009-04-29 21:54 . 2007-01-19 03:23	--------	d-----w	c:\program files\Roxio
2009-04-16 10:00 . 2006-11-02 11:18	--------	d-----w	c:\program files\Windows Mail
2009-03-20 10:04 . 2009-03-20 09:58	--------	d-----w	c:\program files\ICQ6.5
2009-03-20 10:01 . 2008-05-14 05:59	--------	d-----w	c:\program files\ICQ6
2009-03-19 14:59 . 2008-04-22 12:51	--------	d-----w	c:\program files\Common Files\Adobe
2009-03-17 03:38 . 2009-04-16 07:42	13824	----a-w	c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 07:42	24064	----a-w	c:\windows\system32\amxread.dll
2009-03-09 17:16 . 2009-03-09 17:16	--------	d-----w	c:\program files\CDex_150
2009-03-08 11:34 . 2009-04-29 22:23	914944	----a-w	c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-04-29 22:23	43008	----a-w	c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-04-29 22:23	18944	----a-w	c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-04-29 22:23	109056	----a-w	c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-04-29 22:23	109568	----a-w	c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-04-29 22:23	132608	----a-w	c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-04-29 22:23	107520	----a-w	c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-04-29 22:23	107008	----a-w	c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-04-29 22:23	103936	----a-w	c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-04-29 22:23	420352	----a-w	c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-04-29 22:23	71680	----a-w	c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-04-29 22:23	66560	----a-w	c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-04-29 22:23	169472	----a-w	c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-04-29 22:23	34816	----a-w	c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-04-29 22:23	45568	----a-w	c:\windows\system32\mshta.exe
2009-03-03 04:46 . 2009-04-16 07:42	3599328	----a-w	c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-16 07:42	3547632	----a-w	c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-16 07:42	183296	----a-w	c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-16 07:42	551424	----a-w	c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-16 07:42	26112	----a-w	c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-16 07:42	98304	----a-w	c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-16 07:42	54784	----a-w	c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-16 07:42	44032	----a-w	c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-16 07:42	666624	----a-w	c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-16 07:42	17408	----a-w	c:\windows\system32\iashost.exe
2009-02-13 08:49 . 2009-04-16 07:42	72704	----a-w	c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-16 07:42	1255936	----a-w	c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 12:33	2033152	----a-w	c:\windows\system32\win32k.sys
2008-10-17 07:29 . 2006-11-02 12:50	174	--sha-w	c:\program files\desktop.ini
.

((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
2009-01-30 13:12	650752	----a-w	c:\program files\pdfforge Toolbar\WidgiToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B922D405-6D13-4A2B-AE89-08A030DA4402}"= "c:\program files\pdfforge Toolbar\WidgiToolbarIE.dll" [2009-01-30 650752]

[HKEY_CLASSES_ROOT\clsid\{b922d405-6d13-4a2b-ae89-08a030da4402}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-13 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-13 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-13 81920]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2009-01-30 992256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05	356352	----a-w	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"Windows Mail"=c:\program files\Windows Mail\WinMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
"QlbCtrl"=%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
"QPService"="c:\program files\HP\QuickPlay\QPService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A48C03BA-2FCB-43FE-8E68-D5C07EB45395}"= UDP:c:\program files\HP\QuickPlay\QP.exe:QP
"{EA52B341-D4A2-41F2-9D55-C39BCE58F04D}"= TCP:c:\program files\HP\QuickPlay\QP.exe:QP
"{463E3BDB-BBF4-40AA-A9F6-7DF4A087FB80}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{D44A46DD-CD23-447A-B997-D4F54C403717}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{C1D229ED-E4F6-4853-B036-0E218ADF729C}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{31D45353-8D67-4521-8157-98487394ECEE}"= TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{0E1C44A1-E48B-49DB-91BE-EBF5549A7197}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1C349EC2-1507-47CE-867C-53462267C800}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{5CE4CEC2-F186-407B-B24C-FB0DBBBE6768}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{B011640D-E94E-4B7D-8B4F-5856E6949DC8}c:\\program files\\icq6\\icq.exe"= UDP:c:\program files\icq6\icq.exe:ICQ Library
"UDP Query User{EC5E5C67-9519-48C2-865B-22177093F00E}c:\\program files\\icq6\\icq.exe"= TCP:c:\program files\icq6\icq.exe:ICQ Library
"TCP Query User{3969A7BC-6C30-4A4C-B830-7A6D6CA28028}c:\\program files\\icq6\\icq.exe"= UDP:c:\program files\icq6\icq.exe:ICQ Library
"UDP Query User{D5A08472-2435-406F-A8D0-E5A7B8110FE1}c:\\program files\\icq6\\icq.exe"= TCP:c:\program files\icq6\icq.exe:ICQ Library
"TCP Query User{72C156BD-449C-4ADD-AA3B-E3A3D894ABEF}c:\\program files\\icq6.5\\icq.exe"= UDP:c:\program files\icq6.5\icq.exe:ICQ
"UDP Query User{E5992C25-B7E7-4D4F-9AFE-1AB3967E584B}c:\\program files\\icq6.5\\icq.exe"= TCP:c:\program files\icq6.5\icq.exe:ICQ

R0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [06.05.2009 15:54 22024]
R0 pxsec;pxsec;c:\windows\System32\drivers\pxsec.sys [06.05.2009 15:54 27656]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28.04.2009 11:33 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28.04.2009 11:33 72944]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [06.05.2009 15:54 4368952]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28.04.2009 11:33 7408]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [01.02.2008 16:17 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [01.02.2008 16:17 8320]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aafd3c78-e492-11dc-91ec-001636eed035}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f684a6b0-3f9b-11dd-bf11-001636eed035}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Inhalt des "geplante Tasks" Ordners

2009-05-07 c:\windows\Tasks\1-Klick-Wartung.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-03-28 08:58]

2009-05-06 c:\windows\Tasks\User_Feed_Synchronization-{F28ECD83-F507-4F1E-ABE0-2DF756AD0C19}.job
- c:\windows\system32\msfeedssync.exe [2009-04-29 11:31]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKU-Default-Run-Nokia.PCSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe


.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.at/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_AT&c=71&bd=Pavilion&pf=laptop
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Franzi\AppData\Roaming\Mozilla\Firefox\Profiles\b77tehog.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at/
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\users\Franzi\AppData\Roaming\Mozilla\Firefox\Profiles\b77tehog.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071302000004.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 11:56
Windows 6.0.6001 Service Pack 1 NTFS

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:0000000a

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(1444)
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ger.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
Zeit der Fertigstellung: 2009-05-07 11:58
ComboFix-quarantined-files.txt  2009-05-07 09:58

Vor Suchlauf: 23 Verzeichnis(se), 52.368.220.160 Bytes frei
Nach Suchlauf: 23 Verzeichnis(se), 52.348.211.200 Bytes frei

236	--- E O F ---	2009-04-29 22:33
         

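
ComboFix's first section lists the files created in the last 30 days with both their creation and their modification time, and the later sections list autostart entries and services. A quick way to triage such a log is to join the two: anything that is both newly created and persistent deserves the first look. The Python below is an added example, not code from this thread or from ComboFix, that does that join over rows copied from the log above; it also lists files whose modification time predates their creation, which is normal for installers copying old binaries but worth a glance. Paths are lowercased before comparing because NTFS is case-insensitive and the log itself mixes system32 and System32.

```python
import re
from datetime import datetime, timedelta

# Added example, not code from the thread or from ComboFix.
# Row shape in the created-files section: created . modified<TAB>size<TAB>attrs<TAB>path
FILE_ROW = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\t(\S+)\t(\S+)\t(.+)$")
# First drive-letter path in a Run/BHO/service line; %ProgramFiles%-style entries are not resolved.
AUTOSTART_PATH = re.compile(r"[a-z]:\\[^\"\[\]]+?\.(?:exe|dll|sys)", re.IGNORECASE)

# Rows copied from the ComboFix log above (tabs restored as \t).
SAMPLE_CREATED = [
    "2009-05-07 09:33 . 2009-05-07 09:33\t--------\td-----w\tc:\\program files\\pdfforge Toolbar",
    "2009-05-07 09:32 . 2001-10-28 15:42\t116224\t----a-w\tc:\\windows\\system32\\pdfcmnnt.dll",
    "2009-05-06 13:54 . 2009-05-06 13:54\t22024\t----a-w\tc:\\windows\\system32\\drivers\\pxscan.sys",
    "2009-04-30 12:01 . 2009-04-06 13:32\t15504\t----a-w\tc:\\windows\\system32\\drivers\\mbam.sys",
]
SAMPLE_AUTOSTART = [
    '"{B922D405-6D13-4A2B-AE89-08A030DA4402}"= "c:\\program files\\pdfforge Toolbar\\WidgiToolbarIE.dll" [2009-01-30 650752]',
    '"avgnt"="c:\\program files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" [2008-06-12 266497]',
    '"SearchSettings"="c:\\program files\\pdfforge Toolbar\\SearchSettings.exe" [2009-01-30 992256]',
    "R0 pxscan;pxscan;c:\\windows\\System32\\drivers\\pxscan.sys [06.05.2009 15:54 22024]",
    '"QlbCtrl"=%ProgramFiles%\\Hewlett-Packard\\HP Quick Launch Buttons\\QlbCtrl.exe /Start',
]


def parse_created(lines):
    """Turn created-files rows into records; directories carry '--------' as size."""
    rows = []
    for line in lines:
        m = FILE_ROW.match(line)
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        rows.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "path": path.strip().lower(),   # NTFS is case-insensitive; normalise for the join
        })
    return rows


def autostart_paths(lines):
    """Lowercased target path of each autostart/service line that names a drive-letter path."""
    paths = []
    for line in lines:
        m = AUTOSTART_PATH.search(line)
        if m:
            paths.append(m.group(0).lower())
    return paths


def new_and_persistent(created_rows, autostart_lines):
    """Autostart targets that were created in the window, or live in a directory that was."""
    new_files = {r["path"] for r in created_rows if not r["is_dir"]}
    new_dirs = {r["path"] for r in created_rows if r["is_dir"]}
    out = []
    for p in autostart_paths(autostart_lines):
        if p in new_files or any(p.startswith(d + "\\") for d in new_dirs):
            out.append(p)
    return sorted(set(out))


def older_than_creation(created_rows, slack=timedelta(days=1)):
    """Files whose modified time predates their creation by more than `slack`.
    Expected for installers dropping prebuilt binaries; still worth reading alongside the rest."""
    return [r["path"] for r in created_rows
            if not r["is_dir"] and r["created"] - r["modified"] > slack]


if __name__ == "__main__":
    rows = parse_created(SAMPLE_CREATED)
    print("new and persistent:", new_and_persistent(rows, SAMPLE_AUTOSTART))
    print("older than creation:", older_than_creation(rows))
```

On the sample rows the join surfaces the pdfforge Toolbar BHO and Run entry (the directory was created on 2009-05-07) and the Prevx driver installed the day before, and leaves avgnt.exe alone; deciding which of those are wanted is still the analyst's job, the script only orders the reading.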
Alt 07.05.2009, 15:21   #14
Chris4You
 

Hi,

Copy the following lines (without the quote box!) into Windows Notepad (Start -> Programs -> Accessories -> Notepad)
and save them on the desktop under the name "CFScript.txt" (without the quotation marks!).
Code:
ATTFilter
Registry::
[HKEY_USERS\S-1-5-21-3318146961-3867003620-525457802-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a4615823_0]
@=-

collect::
C:\Users\Franzi\AppData\Local\Temp\1416.exe
         
Then click CFScript.txt with the mouse, keep the button held down and drop it onto the ComboFix icon
(releasing the mouse button; this is called "drag and drop" ;o).
ComboFix should now start and run the script; post the ComboFix log and a new HJ log...

After the log has opened in Notepad, a popup appears.
Close it with OK and your browser opens. In that browser window choose "Browse" and then select the new .zip file on your desktop ([4]-Submit_Year-Month-Day_Time.71.zip). Then click "Send" to submit it. That way the author can improve the program's detection routine.

chris

Last edited by Chris4You (07.05.2009 at 15:29)

Alt 07.05.2009, 15:42   #15
crispy_2209
 

OK, first the ComboFix log:

Code:
ATTFilter
ComboFix 09-05-06.05 - Franzi 07.05.2009 16:29.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.43.1031.18.958.334 [GMT 2:00]
ausgeführt von:: c:\users\Franzi\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\users\Franzi\Desktop\CFScript.txt
.

(((((((((((((((((((((((   Dateien erstellt von 2009-04-07 bis 2009-05-07  ))))))))))))))))))))))))))))))
.

2009-05-07 09:33 . 2009-05-07 09:33	--------	d-----w	c:\program files\pdfforge Toolbar
2009-05-07 09:32 . 2001-10-28 15:42	116224	----a-w	c:\windows\system32\pdfcmnnt.dll
2009-05-07 09:32 . 1998-07-06 16:56	125712	----a-w	c:\windows\system32\VB6DE.DLL
2009-05-07 09:32 . 1998-07-06 16:55	158208	----a-w	c:\windows\system32\MSCMCDE.DLL
2009-05-07 09:32 . 1998-07-06 16:55	64512	----a-w	c:\windows\system32\MSCC2DE.DLL
2009-05-07 09:32 . 1998-07-05 23:00	23552	----a-w	c:\windows\system32\MSMPIDE.DLL
2009-05-07 09:32 . 2009-05-07 09:33	--------	d-----w	c:\program files\PDFCreator
2009-05-06 13:54 . 2009-05-06 13:54	22024	----a-w	c:\windows\system32\drivers\pxscan.sys
2009-05-06 13:54 . 2009-05-06 13:54	27656	----a-w	c:\windows\system32\drivers\pxsec.sys
2009-05-06 13:54 . 2009-05-06 13:54	--------	d-----w	c:\program files\Prevx
2009-05-06 13:54 . 2009-05-07 08:40	--------	d-----w	c:\programdata\PrevxCSI
2009-05-06 13:54 . 2009-05-07 08:40	--------	d-----w	c:\users\All Users\PrevxCSI
2009-05-06 10:56 . 2009-05-06 10:56	--------	d-----w	C:\rsit
2009-05-06 09:06 . 2009-05-06 09:06	--------	d-----w	c:\program files\Trend Micro
2009-04-30 15:00 . 2009-04-30 15:00	--------	d-----w	c:\program files\CCleaner
2009-04-30 14:59 . 2009-04-30 14:59	--------	d-----w	c:\programdata\SUPERAntiSpyware.com
2009-04-30 14:59 . 2009-04-30 14:59	--------	d-----w	c:\users\All Users\SUPERAntiSpyware.com
2009-04-30 14:58 . 2009-04-30 14:58	--------	d-----w	c:\program files\SUPERAntiSpyware
2009-04-30 14:58 . 2009-04-30 14:58	--------	d-----w	c:\users\Franzi\AppData\Roaming\SUPERAntiSpyware.com
2009-04-30 12:01 . 2009-04-30 12:01	--------	d-----w	c:\users\Franzi\AppData\Roaming\Malwarebytes
2009-04-30 12:01 . 2009-04-06 13:32	15504	----a-w	c:\windows\system32\drivers\mbam.sys
2009-04-30 12:01 . 2009-04-06 13:32	38496	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 12:01 . 2009-04-30 12:01	--------	d-----w	c:\programdata\Malwarebytes
2009-04-30 12:01 . 2009-04-30 12:01	--------	d-----w	c:\users\All Users\Malwarebytes
2009-04-30 12:01 . 2009-04-30 12:01	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-04-29 22:28 . 2008-07-27 18:03	96760	----a-w	c:\windows\system32\dfshim.dll
2009-04-29 22:28 . 2008-07-27 18:03	282112	----a-w	c:\windows\system32\mscoree.dll
2009-04-29 22:28 . 2008-07-27 18:03	41984	----a-w	c:\windows\system32\netfxperf.dll
2009-04-29 22:27 . 2008-07-27 18:03	158720	----a-w	c:\windows\system32\mscorier.dll
2009-04-29 22:27 . 2008-07-27 18:03	83968	----a-w	c:\windows\system32\mscories.dll
2009-04-29 22:24 . 2009-03-08 11:32	72704	----a-w	c:\windows\system32\admparse.dll
2009-04-29 22:24 . 2009-03-08 11:31	48128	----a-w	c:\windows\system32\mshtmler.dll
2009-04-29 22:24 . 2009-03-08 11:22	156160	----a-w	c:\windows\system32\msls31.dll
2009-04-29 21:58 . 2009-04-29 21:58	--------	d-sh--w	c:\windows\system32\config\systemprofile\Lokale Einstellungen
2009-04-21 20:07 . 2009-04-21 20:07	--------	d-----w	c:\program files\FLV Player
2009-04-21 20:02 . 2009-04-21 20:02	--------	d-----w	c:\program files\YouTube Downloader

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 14:20 . 2007-03-22 14:59	25248	----a-w	c:\users\Franzi\AppData\Roaming\nvModes.dat
2009-04-30 14:57 . 2008-03-28 15:51	--------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2009-04-30 14:48 . 2006-11-02 15:33	618442	----a-w	c:\windows\system32\perfh007.dat
2009-04-30 14:48 . 2006-11-02 15:33	122648	----a-w	c:\windows\system32\perfc007.dat
2009-04-30 11:58 . 2006-11-02 10:25	51200	----a-w	c:\windows\inf\infpub.dat
2009-04-30 11:58 . 2006-11-02 10:25	143360	----a-w	c:\windows\inf\infstrng.dat
2009-04-30 08:07 . 2007-01-19 03:06	--------	d-----w	c:\program files\CONEXANT
2009-04-29 21:56 . 2007-01-19 03:26	--------	d-----w	c:\program files\Common Files\Sonic Shared
2009-04-29 21:54 . 2007-01-19 03:23	--------	d-----w	c:\program files\Roxio
2009-04-16 10:00 . 2006-11-02 11:18	--------	d-----w	c:\program files\Windows Mail
2009-03-20 10:04 . 2009-03-20 09:58	--------	d-----w	c:\program files\ICQ6.5
2009-03-20 10:01 . 2008-05-14 05:59	--------	d-----w	c:\program files\ICQ6
2009-03-19 14:59 . 2008-04-22 12:51	--------	d-----w	c:\program files\Common Files\Adobe
2009-03-17 03:38 . 2009-04-16 07:42	13824	----a-w	c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 07:42	24064	----a-w	c:\windows\system32\amxread.dll
2009-03-09 17:16 . 2009-03-09 17:16	--------	d-----w	c:\program files\CDex_150
2009-03-08 11:34 . 2009-04-29 22:23	914944	----a-w	c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2009-04-29 22:23	43008	----a-w	c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2009-04-29 22:23	18944	----a-w	c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2009-04-29 22:23	109056	----a-w	c:\windows\system32\iesysprep.dll
2009-03-08 11:33 . 2009-04-29 22:23	109568	----a-w	c:\windows\system32\PDMSetup.exe
2009-03-08 11:33 . 2009-04-29 22:23	132608	----a-w	c:\windows\system32\ieUnatt.exe
2009-03-08 11:33 . 2009-04-29 22:23	107520	----a-w	c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 11:33 . 2009-04-29 22:23	107008	----a-w	c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 11:33 . 2009-04-29 22:23	103936	----a-w	c:\windows\system32\SetDepNx.exe
2009-03-08 11:33 . 2009-04-29 22:23	420352	----a-w	c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2009-04-29 22:23	71680	----a-w	c:\windows\system32\iesetup.dll
2009-03-08 11:32 . 2009-04-29 22:23	66560	----a-w	c:\windows\system32\wextract.exe
2009-03-08 11:32 . 2009-04-29 22:23	169472	----a-w	c:\windows\system32\iexpress.exe
2009-03-08 11:31 . 2009-04-29 22:23	34816	----a-w	c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2009-04-29 22:23	45568	----a-w	c:\windows\system32\mshta.exe
2009-03-03 04:46 . 2009-04-16 07:42	3599328	----a-w	c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-16 07:42	3547632	----a-w	c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-16 07:42	183296	----a-w	c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-16 07:42	551424	----a-w	c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-16 07:42	26112	----a-w	c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-16 07:42	98304	----a-w	c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-16 07:42	54784	----a-w	c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-16 07:42	44032	----a-w	c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-16 07:42	666624	----a-w	c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-16 07:42	17408	----a-w	c:\windows\system32\iashost.exe
2009-02-13 08:49 . 2009-04-16 07:42	72704	----a-w	c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-16 07:42	1255936	----a-w	c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 12:33	2033152	----a-w	c:\windows\system32\win32k.sys
2008-10-17 07:29 . 2006-11-02 12:50	174	--sha-w	c:\program files\desktop.ini
.

(((((((((((((((((((((((((((((   SnapShot@2009-05-07_09.56.47   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-19 03:16 . 2009-05-07 14:22	54402              c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-05-07 14:22	72902              c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2007-03-20 15:50 . 2009-05-07 07:46	13224              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3318146961-3867003620-525457802-1000_UserData.bin
+ 2007-03-20 15:50 . 2009-05-07 14:22	13224              c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3318146961-3867003620-525457802-1000_UserData.bin
+ 2009-05-07 11:17 . 2009-05-07 11:17	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-05-07 11:17 . 2009-05-07 11:17	32768              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-05-07 11:17 . 2009-05-07 11:17	16384              c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-07 14:20 . 2009-05-07 14:20	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-07 07:44 . 2009-05-07 07:44	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-05-07 07:44 . 2009-05-07 07:44	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-07 14:20 . 2009-05-07 14:20	2048              c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-05-07 11:17 . 2009-05-07 11:17	245760              c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2006-11-02 10:22 . 2009-05-07 09:33	7077888              c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2006-11-02 10:22 . 2009-05-07 11:44	7077888              c:\windows\System32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B922D405-6D13-4A2B-AE89-08A030DA4402}]
2009-01-30 13:12	650752	----a-w	c:\program files\pdfforge Toolbar\WidgiToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B922D405-6D13-4A2B-AE89-08A030DA4402}"= "c:\program files\pdfforge Toolbar\WidgiToolbarIE.dll" [2009-01-30 650752]

[HKEY_CLASSES_ROOT\clsid\{b922d405-6d13-4a2b-ae89-08a030da4402}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-01-13 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-01-13 7766016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-01-13 81920]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SearchSettings"="c:\program files\pdfforge Toolbar\SearchSettings.exe" [2009-01-30 992256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05	356352	----a-w	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"ehTray.exe"=c:\windows\ehome\ehTray.exe
"Windows Mail"=c:\program files\Windows Mail\WinMail.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
"QlbCtrl"=%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
"QPService"="c:\program files\HP\QuickPlay\QPService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A48C03BA-2FCB-43FE-8E68-D5C07EB45395}"= UDP:c:\program files\HP\QuickPlay\QP.exe:QP
"{EA52B341-D4A2-41F2-9D55-C39BCE58F04D}"= TCP:c:\program files\HP\QuickPlay\QP.exe:QP
"{463E3BDB-BBF4-40AA-A9F6-7DF4A087FB80}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{D44A46DD-CD23-447A-B997-D4F54C403717}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{C1D229ED-E4F6-4853-B036-0E218ADF729C}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{31D45353-8D67-4521-8157-98487394ECEE}"= TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{0E1C44A1-E48B-49DB-91BE-EBF5549A7197}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{1C349EC2-1507-47CE-867C-53462267C800}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{5CE4CEC2-F186-407B-B24C-FB0DBBBE6768}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{B011640D-E94E-4B7D-8B4F-5856E6949DC8}c:\\program files\\icq6\\icq.exe"= UDP:c:\program files\icq6\icq.exe:ICQ Library
"UDP Query User{EC5E5C67-9519-48C2-865B-22177093F00E}c:\\program files\\icq6\\icq.exe"= TCP:c:\program files\icq6\icq.exe:ICQ Library
"TCP Query User{3969A7BC-6C30-4A4C-B830-7A6D6CA28028}c:\\program files\\icq6\\icq.exe"= UDP:c:\program files\icq6\icq.exe:ICQ Library
"UDP Query User{D5A08472-2435-406F-A8D0-E5A7B8110FE1}c:\\program files\\icq6\\icq.exe"= TCP:c:\program files\icq6\icq.exe:ICQ Library
"TCP Query User{72C156BD-449C-4ADD-AA3B-E3A3D894ABEF}c:\\program files\\icq6.5\\icq.exe"= UDP:c:\program files\icq6.5\icq.exe:ICQ
"UDP Query User{E5992C25-B7E7-4D4F-9AFE-1AB3967E584B}c:\\program files\\icq6.5\\icq.exe"= TCP:c:\program files\icq6.5\icq.exe:ICQ

R0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [06.05.2009 15:54 22024]
R0 pxsec;pxsec;c:\windows\System32\drivers\pxsec.sys [06.05.2009 15:54 27656]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28.04.2009 11:33 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28.04.2009 11:33 72944]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [06.05.2009 15:54 4368952]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28.04.2009 11:33 7408]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [01.02.2008 16:17 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [01.02.2008 16:17 8320]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aafd3c78-e492-11dc-91ec-001636eed035}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f684a6b0-3f9b-11dd-bf11-001636eed035}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Inhalt des "geplante Tasks" Ordners

2009-05-07 c:\windows\Tasks\1-Klick-Wartung.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-03-28 08:58]

2009-05-06 c:\windows\Tasks\User_Feed_Synchronization-{F28ECD83-F507-4F1E-ABE0-2DF756AD0C19}.job
- c:\windows\system32\msfeedssync.exe [2009-04-29 11:31]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.at/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_AT&c=71&bd=Pavilion&pf=laptop
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Franzi\AppData\Roaming\Mozilla\Firefox\Profiles\b77tehog.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.at/
FF - component: c:\program files\Mozilla Firefox\extensions\{B922D405-6D13-4A2B-AE89-08A030DA4402}\components\pdfforgeToolbarFF.dll
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\users\Franzi\AppData\Roaming\Mozilla\Firefox\Profiles\b77tehog.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071302000004.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 16:34
Windows 6.0.6001 Service Pack 1 NTFS

Scanne versteckte Prozesse... 

Scanne versteckte Autostarteinträge... 

Scanne versteckte Dateien... 

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- Gesperrte Registrierungsschluessel ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:0000000a

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'Explorer.exe'(204)
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ger.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
Zeit der Fertigstellung: 2009-05-07 16:36
ComboFix-quarantined-files.txt  2009-05-07 14:36
ComboFix2.txt  2009-05-07 09:58

Vor Suchlauf: 23 Verzeichnis(se), 52.326.772.736 Bytes frei
Nach Suchlauf: 23 Verzeichnis(se), 52.264.128.512 Bytes frei

255	--- E O F ---	2009-04-29 22:33
         
