Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: TR/Dropper.Gen in system32/tdlwsp.dll gefunden

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 07.11.2009, 10:10   #1
greyGargoyle
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



Hallo bin neu hier und hoffe ihr könnt mir hier weiterhelfen.

Antivir hat folgendes gebracht:

In der Datei 'C:\WINDOWS\system32\tdlwsp.dll'
wurde ein Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan] gefunden.

Abgesicherter Modus ist nicht mehr ausführbar..

hiermal die logs von den ganzen Programmen:



Code:
ATTFilter
Malwarebytes' Anti-Malware 1.41
Datenbank Version: 3012
Windows 5.1.2600 Service Pack 2

06.11.2009 23:55:21
mbam-log-2009-11-06 (23-55-21).txt

Scan-Methode: Vollständiger Scan (C:\|F:\|)
Durchsuchte Objekte: 247790
Laufzeit: 48 minute(s), 36 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 5
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 9
Infizierte Verzeichnisse: 0
Infizierte Dateien: 3

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Userinit.exe (Security.Hijack) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe oqrk.pso dkhsx) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOKUME~1\LOCALS~1\ANWEND~1\MACROM~1\Common\feb000401.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\Dokumente und Einstellungen\pc\Anwendungsdaten\Macromedia\Common\feb000401.dll (Hijack.Sound) -> Quarantined and deleted successfully.
C:\WINDOWS\msacm32.drv (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\wuasirvy.dll (Trojan.Banker) -> Quarantined and deleted successfully.
         
Code:
ATTFilter
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\Dokumente und Einstellungen\pc\Anwendungsdaten\Macromedia\Common\feb000401.dll" not found!
Deletion of file "C:\Dokumente und Einstellungen\pc\Anwendungsdaten\Macromedia\Common\feb000401.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\msacm32.drv" deleted successfully.
File "C:\WINDOWS\wuasirvy.dll" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
         

Alt 07.11.2009, 10:13   #2
greyGargoyle
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



Code:
ATTFilter
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Header 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
find.bat Version 2008.03.07 

Microsoft Windows XP [Version 5.1.2600]
Bootmodus: Normal 
  
eScan Version: 11.0.86 
Sprache: German 
C:\DOKUME~1\pc\LOKALE~1\Temp\MWAV.LOG
 
 
 
~~~~~~~~~~~ 
Dateien 
~~~~~~~~~~~ 
~~~~ Infected files 
~~~~~~~~~~~ 
Datei C:\WINDOWS\HKNTDLL.dll ist durch den Virus "Application.Generic.15152 (DB)" infiziert!  Maßnahme ergriffen: Keine Maßnahme ergriffen. 
Datei C:\WINDOWS\HKNTDLL.dll ist durch den Virus "Application.Generic.15152 (DB)" infiziert!  Maßnahme ergriffen: Keine Maßnahme ergriffen. 
Datei C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\MPAC3UAX\dotnetfx35setup[1].exe ist durch den Virus "NULL.Corrupted" infiziert!  Maßnahme ergriffen: Keine Maßnahme ergriffen. 
Datei C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\Firefox_Setup_3.0.4-de.exe ist durch den Virus "Trojan.Generic.IS.519634 (DB)" infiziert!  Maßnahme ergriffen: Keine Maßnahme ergriffen. 
Datei C:\WINDOWS\HKNTDLL.dll ist durch den Virus "Application.Generic.15152 (DB)" infiziert!  Maßnahme ergriffen: Keine Maßnahme ergriffen. 
~~~~~~~~~~~ 
~~~~ Tagged files 
~~~~~~~~~~~ 
~~~~~~~~~~~ 
~~~~ Offending files 
~~~~~~~~~~~ 
Offending file found: C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\TrendMicro_Downloader\Agent\sqlite3.dll 
~~~~~~~~~~~ 
~~~~ Spyware (Vorsicht: Oft Fehlalarm!) 
~~~~~~~~~~~ 
eScan-Antiviren- und Antispyware-Werkzeugsatz. 
Antiviren- und Antispywaredatenbanken werden heruntergeladen... 
Indexed Spyware Databases Successfully Created... 
eScan-Antiviren- und Antispyware-Werkzeugsatz. 
Scannen Spyware: Aktiviert 
***** Registrierungsdatenbank und Dateisystem werden auf Schnüffelprogramme (Spyware) und werbefinanzierte Software (Adware) geprüft ***** 
Indexed Spyware Databases Successfully Created... 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{03C4C5F4-1893-444C-B8D8-002F0034DA92})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{11E2BC0C-5D4F-4E0C-B438-501FFE05A382})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{37587889-FC28-4507-B6D3-8557305F7511})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{4A5E947E-C407-4DCC-A0B5-5658E457153B})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{4FD5C4D3-6C15-4EA0-9EB9-EEE8FC74A91B})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{620D55B0-F2FB-464E-A278-B4308DB1DB2B})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{741BEEFD-AEC0-4AFF-84AF-4F61D15F5526})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{7A41359E-0407-470F-B3F7-7C6A0F7C449A})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{7C4A630A-DE98-4E3E-8093-E8F5E159BB72})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{7ED1E9B1-CB57-4FA0-84E8-FAE653FE8E6B})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{A6931B16-90FA-4D69-A49F-3ABFA2C04060})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{C5AA36A1-8BD1-47E0-90F8-47E7239C6EA1})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{CA3EB689-8F09-4026-AA10-B9534C691CE0})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\clsid\{FA2CBAFB-F7B1-4F41-9B7A-73329A6C1CB7})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\typelib\{4509D3CC-B642-4745-B030-645B79522C6D})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{0A95BE2D-1543-46BE-AD6D-18653034BF87})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{0B8EDB8D-4575-4942-9C34-55591E415909})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{278EAD7A-2A45-4D4E-ACB4-A1A4AD9BB54B})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{2B539D9C-127A-4F10-855F-EF31C83D2007})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{2D91877A-468C-4802-8CD7-21F6BF776790})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{3120A5E4-552D-4EDF-8C48-70C5D5FF22D2})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{31CE2164-4D5C-4508-BCA7-B10E11D08E6B})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{359A062F-CDA8-4A9C-9B28-588446D35098})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{35EFAD55-134A-47BF-912A-44A9D9FD556F})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{38F95B22-32BF-4378-B3EC-47B2C09DE1F5})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{3D177BA8-BF8C-45E2-8CA2-20ACA6269A68})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{3E1392BB-3B66-4A39-BBD0-259FC2BDC979})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{45128C11-A7E5-46D2-A164-3D1273E92C44})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{47146231-B550-4B13-B9E7-4257F740F39D})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{4897BBA6-48D9-468C-8EFA-846275D7701B})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{5C61669E-F0CE-4126-B365-316588E6228F})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{60E5F55E-236F-422D-A5F9-560F1778CCD4})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{62B6A513-3764-42CD-8410-9B81E8DFF135})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{6A5D680A-8F9F-4752-A056-2C0273F60B4E})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{6CCD925E-E833-4BE3-A62E-D3C8838C5D6D})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{6CDD1F89-FC3B-401C-B1F1-932C48F45EB5})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{78412EB9-E06B-4484-BC85-0B1594F6E23A})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{7EE495F3-345B-4CC1-AAB7-A255ED85EED2})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{82B58FCB-73F3-46DC-A52D-74D3FE359702})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{86797248-1A4E-41D0-A0C3-2175A36B3D0E})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{919DF860-D321-4D02-AC3D-1C25EFAE551A})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{AA6CCB5D-0F97-4A37-A077-8B49FB5BC60D})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{C18D120C-B7AB-4499-8BDC-0CD2BD0861FD})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{C1DFD382-E253-434D-B22D-2E47233B6147})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{C52D8C84-C5DD-457B-993B-04E997B330E5})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{CACB61E0-AEEA-404D-88E1-7F3BCA8B8726})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{CD5B9523-6EAF-4D63-8FE8-C081C51D1673})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{D45B0772-5801-4E61-9CBA-84120557A4D7})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{D7E6FB7C-A22F-4A9D-A89D-653D1AA37324})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{D80AC53D-E102-4A55-A265-529A626515E5})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{DBCAD616-BFD4-4C72-8D87-C5926921D378})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{E16F1874-C5B1-4400-A9F0-08E7FD4D3F8C})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{E3EC74BB-5522-462D-A00F-2728C53FCA04})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{EBB4EBA9-D546-4C85-A05A-167BF875FB83})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{F71D2854-2609-4A63-B4BF-BF2BA61A61CF})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{F7919641-3978-4668-8388-7310329C800E})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{F961CE9D-AE2B-4CFB-887C-3A055FF685C9})! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKEY_CLASSES_ROOT\interface\{FFBBDECE-4363-4B4D-B35E-39EFF228C723})! Action taken: Keine Maßnahme ergriffen. 
System found infected with Lsas.Trojan-Spy.DOS.Keycopy Corrupted Adware/Spyware (sqlite3.dll)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.AddressLists)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.MAPIFolder)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.MAPITable)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.MAPIUtils)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeAppointmentItem)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeContactItem)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeCurrentUser)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeDistList)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeJournalItem)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeMailItem)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeMeetingItem)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.SafePostItem)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\Redemption.SafeTaskItem)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\ToolBand.XTTBPos00.1)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\ToolBand.XTTBPos00)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\URLSearchHook.ToolbarURLSearchHook.1)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\URLSearchHook.ToolbarURLSearchHook)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\XTTB00001.IEToolbar.1)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\XTTB00001.IEToolbar)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\XTTB00001.XTTB00001.1)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCR\XTTB00001.XTTB00001)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKCU\SOFTWARE\XTTB00001)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\XTTB00001.XTTB00001Toolbar)! Action taken: Keine Maßnahme ergriffen. 
System found infected with combo Spyware/Adware (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run/Alcmtr)! Action taken: Keine Maßnahme ergriffen. 
System found infected with PersonalAntispy Corrupted Adware/Spyware (HKCU\Software\Mirabilis)! Action taken: Keine Maßnahme ergriffen. 
~~~~~~~~~~~ 
Ordner 
~~~~~~~~~~~ 
Offending Registry Entry found: HKCR\Redemption.MAPIFolder 
~~~~~~~~~~~ 
Registry 
~~~~~~~~~~~ 
Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{65e3a19d-1c31-11dd-8a6e-001e8c82a29d} !!! 
Offending Key found: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fe86e552-534f-11de-8cae-001e8c82a29d} !!! 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Diverses 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
~~~~~~~~~~~~~~~~~~~~~~ 
laufende Prozesse - commandline 
~~~~~~~~~~~~~~~~~~~~~~ 
System Idle Process - 
System - 
smss.exe - \SystemRoot\System32\smss.exe
csrss.exe - 
winlogon.exe - winlogon.exe
services.exe - C:\WINDOWS\system32\services.exe
lsass.exe - C:\WINDOWS\system32\lsass.exe
svchost.exe - C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe - 
svchost.exe - C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe - 
svchost.exe - 
brsvc01a.exe - C:\WINDOWS\System32\brsvc01a.exe
brss01a.exe - brss01a.exe
spoolsv.exe - C:\WINDOWS\system32\spoolsv.exe
sched.exe - "C:\Programme\Avira\AntiVir Desktop\sched.exe"
explorer.exe - C:\WINDOWS\Explorer.EXE
svchost.exe - 
mHotkey.exe - "C:\WINDOWS\mHotkey.exe" 
RTHDCPL.exe - "C:\WINDOWS\RTHDCPL.EXE" 
avgnt.exe - "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
rundll32.exe - "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
jusched.exe - "C:\Programme\Java\jre6\bin\jusched.exe" 
ctfmon.exe - "C:\WINDOWS\system32\ctfmon.exe" 
wcescomm.exe - "C:\Programme\Microsoft ActiveSync\wcescomm.exe" 
TeaTimer.exe - "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" 
StCenter.exe - "C:\Programme\FRITZ!DSL\StCenter.exe" 
GoogleCrashHandler.exe - "C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.2.183.13\GoogleCrashHandler.exe" /crashhandler
rapimgr.exe - C:\PROGRA~1\MICROS~4\rapimgr.exe -Embedding
avguard.exe - "C:\Programme\Avira\AntiVir Desktop\avguard.exe"
AppleMobileDeviceService.exe - "C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
IGDCTRL.EXE - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
tbmux32.exe - C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
svchost.exe - C:\WINDOWS\System32\svchost.exe -k HTTPFilter
jqs.exe - "C:\Programme\Java\jre6\bin\jqs.exe" -service -config "C:\Programme\Java\jre6\lib\deploy\jqs\jqs.conf"
NBService.exe - "C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe"
nvsvc32.exe - C:\WINDOWS\system32\nvsvc32.exe
svchost.exe - C:\WINDOWS\System32\svchost.exe -k imgsvc
spnsrvnt.exe - C:\WINDOWS\system32\spnsrvnt.exe
ApchT2kW.exe - C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
ApchT2kW.exe - "TIS 2000 Apache Web Server" -Z ap2904_C1
java.exe - C:\PROGRA~1\COSIDS\JRE\bin\java.exe -Xmx512m  org.apache.jserv.JServ "C:\PROGRA~1\COSIDS\APACHE~1\APACHE~1\conf\jserv.properties" 
VideoAcceleratorService.exe - C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe -start -scm
[verify-U]-Service.exe - "C:\Programme\[verify-U] AVS\[verify-U]-Service.exe"
VideoAcceleratorEngine.exe - "C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe"
wscntfy.exe - C:\WINDOWS\system32\wscntfy.exe
alg.exe - 
wuauclt.exe - "C:\WINDOWS\system32\wuauclt.exe"
cmd.exe - cmd /c ""C:\Dokumente und Einstellungen\pc\Desktop\Virus\find.bat" "
cscript.exe - cscript C:\escan\prclst.vbs //nologo 
wmiprvse.exe - 
~~~~~~~~~~~~~~~~~~~~~~ 
Scanfehler 
~~~~~~~~~~~~~~~~~~~~~~ 
ERROR!!! Invalid Entry {73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Programme\ICQLite\ICQLiteShell.dll (in key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved). No Action Taken. 
ERROR!!! Invalid Entry %SystemRoot%\System32\appmgmts.dll in HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters. Action Taken: No Action Taken. 
ERROR!!! Invalid Entry %SystemRoot%\System32\hidserv.dll in HKLM\SYSTEM\CurrentControlSet\Services\HidServ\Parameters. Action Taken: No Action Taken. 
ERROR(3)!!! ScanFile fails for C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\Jdownloader\downloads\OTIS0808.part01.rar 
~~~~~~~~~~~~~~~~~~~~~~ 
Hosts-Datei 
~~~~~~~~~~~~~~~~~~~~~~ 
DataBasePath: %SystemRoot%\System32\drivers\etc 
Zeilen die nicht dem Standard entsprechen: 
C:\WINDOWS\System32\drivers\etc\hosts:
C:\WINDOWS\System32\drivers\etc\hosts:127.0.0.1       localhost
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Statistiken: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple Computer\Installer Cache\iTunes 7.6.2.9\iTunes.msi!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\163.75_forceware_winxp_32bit_international_whql.exe!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\169.21_forceware_winxp_32bit_international_whql.exe!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\182.50_geforce_winxp_32bit_international_whql.exe!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\8final.rar!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\Crysis_Patch_1_2.exe!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\HTC_Mega_Packet.zip!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\iTunesSetup.exe!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\Jdownloader\downloads\Opel TIS 08.2008\IO940A_1.mdf!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\Nero-9.4.12.3_free.exe!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\OOo_2.3.1_Win32Intel_install_de.exe!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\OOo_2.4.1_Win32Intel_install_de.exe!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Eigene Dateien\Downloads\TrendMicro_TIS_17.00_en-US_32-bit.exe!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Identities\{B8DE085B-50B6-4F2B-BEA2-2BFAE476B51B}\Microsoft\Outlook Express\Gelöschte Objekte.dbx!!! 
Zeit überschritten beim Scannen von C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Identities\{B8DE085B-50B6-4F2B-BEA2-2BFAE476B51B}\Microsoft\Outlook Express\Gesendete Objekte.dbx!!! 
Zeit überschritten beim Scannen von C:\MSOCache\All Users\{90120000-006E-0407-0000-0000000FF1CE}-C\OfficeLR.cab!!! 
Zeit überschritten beim Scannen von C:\MSOCache\All Users\{91120000-002F-0000-0000-0000000FF1CE}-C\HomeSrWW.cab!!! 
Zeit überschritten beim Scannen von !!! 
Zeit überschritten beim Scannen von C:\Programme\OpenOffice\openofficeorg3.cab!!! 
Zeit überschritten beim Scannen von C:\WINDOWS\Driver Cache\i386\driver.cab!!! 
Zeit überschritten beim Scannen von C:\WINDOWS\Installer\29608f6.msp!!! 
Zeit überschritten beim Scannen von C:\WINDOWS\Installer\36963f6.msp!!! 
Zeit überschritten beim Scannen von C:\WINDOWS\SoftwareDistribution\Download\ecd3943fb91c82f3266d39b3ea7ddb7e519f0c69!!! 
Zeit überschritten beim Scannen von F:\Packard Bell\Packard Bell\CD\Partners\GoogleSuite\GoogleSuite.exe!!! 
Zeit überschritten beim Scannen von F:\Packard Bell\Packard Bell\CD\Partners\Norton Internet Security\NIS\SV\NIS.exe!!! 
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Bin32\Crysis_Patch_1_2.exe!!! 
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Crysis_Patch_1_2.exe!!! 
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Localized\german.pak!!! 
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Localized\russian.pak!!! 
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Localized\Turkish.pak!!! 
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\LowSpec\LowSpec.pak!!! 
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Objects.pak!!! 
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\ShaderCache.pak!!! 
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Sounds.pak!!! 
Zeit überschritten beim Scannen von F:\Programme\Electronic Arts\Crytek\Crysis\Game\Textures.pak!!! 
Zahl der gescannten Objekte: 282965 
Zahl der kritischen Objekte: 6 
Zahl der desinfizierten Objekte: 0 
Zahl der umbenannten Objekte: 0 
Zahl der gelöschten Objekte: 0 
Zeit verstrichen: 01:26:14 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Scan-Optionen 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Speicherüberprüfung: Aktiviert 
Überprüfung der Registrierungsdatenbank: Aktiviert 
Überprüfung des Startordners: Aktiviert 
Überprüfung des Systemordners: Aktiviert 
Überprüfung der Dienste: Aktiviert 
Überprüfung der Laufwerke: Deaktiviert 
Überprüfung aller Laufwerke:Aktiviert 
Überprüfung der Ordner: Deaktiviert 
 
Batchstart:  9:30:58,14 
Batchende:  9:31:15,07
         
__________________


Alt 07.11.2009, 10:15   #3
greyGargoyle
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



Code:
ATTFilter
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:39:23, on 07.11.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\FRITZ!DSL\StCenter.exe
C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\FRITZ!DSL\IGDCTRL.EXE
C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Java\jre6\bin\jqs.exe
C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spnsrvnt.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
C:\PROGRA~1\COSIDS\JRE\bin\java.exe
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
C:\Programme\[verify-U] AVS\[verify-U]-Service.exe
C:\PROGRA~1\SPEEDB~2\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\Programme\Avira\AntiVir Desktop\avwsc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) -  - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SBCONVERT - {31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B} - C:\Programme\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: GrabberObj Class - {FF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll
O3 - Toolbar: SpeedBit Video Downloader - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - C:\Programme\SpeedBit Video Downloader\Toolbar\tbcore3.dll
O4 - HKLM\..\Run: [SetDefPrt] C:\Programme\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware  (reboot)] "C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WAB] C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Macromedia\Common\feb0004019.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Programme\FRITZ!DSL\StCenter.exe
O4 - Global Startup: Status Monitor.lnk = C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\speedb~2\sblsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204917686280
O23 - Service: Adobe LM Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Programme\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: COSIDS_TB - TransAction Software, D 81737 Munich - C:\PROGRA~1\COSIDS\BIN\TbMux32.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SentinelSuperProNet Server (SuperProServer) - Rainbow Technologies - C:\WINDOWS\system32\spnsrvnt.exe
O23 - Service: TIS 2000 Apache Web Server - Unknown owner - C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe
O23 - Service: [verify-U]-Service ([verify-U]) - Cybit AG - C:\Programme\[verify-U] AVS\[verify-U]-Service.exe

--
End of file - 9569 bytes
         
__________________

Alt 07.11.2009, 10:17   #4
greyGargoyle
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



Code:
ATTFilter
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Google Update" = ""C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe" /c" ["Google Inc."]
"H/PC Connection Agent" = ""C:\Programme\Microsoft ActiveSync\wcescomm.exe"" [MS]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer-Networking Ltd."]
"WAB" = "C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Macromedia\Common\feb0004019.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SetDefPrt" = "C:\Programme\Brother\Brmfl05a\BrStDvPt.exe" ["Brother Industories, Ltd."]
"ControlCenter2.0" = "C:\Programme\Brother\ControlCenter2\brctrcen.exe /autorun" ["Brother Industries, Ltd."]
"CHotkey" = "mHotkey.exe" ["Chicony"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"avgnt" = ""C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
" Malwarebytes Anti-Malware  (reboot)" = ""C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript" ["Malwarebytes Corporation"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
                   \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{31B27F2D-6BC6-451B-B3D2-4EAB36B2FC3B}\(Default) = "SBCONVERT"
  -> {HKLM...CLSID} = "SBCONVERT Class"
                   \InProcServer32\(Default) = "C:\Programme\SpeedBit Video Downloader\Toolbar\tbcore3.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\Programme\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Anmelde-Hilfsprogramm"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
  -> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]
{FF7C3CF0-4B15-11D1-ABED-709549C10000}\(Default) = "GrabberObj Class"
  -> {HKLM...CLSID} = "GrabberObj Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPEEDB~1\Toolbar\grabber.dll" ["Speedbit Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "Meine freigegebenen Ordner"
                   \InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{94586423-855F-4EB2-9F6A-D9DA5658DBE3}" = "SxContextMenu1stConv"
  -> {HKLM...CLSID} = "Context menu"
                   \InProcServer32\(Default) = "C:\PROGRA~1\FREEM4~1\m4a_menu.dll" [null data]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
  -> {HKLM...CLSID} = "Mobiles Gerät"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Wcesview.dll" [MS]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
  -> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
         

Alt 07.11.2009, 10:19   #5
greyGargoyle
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



Code:
ATTFilter
Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ImgBurnBluRayBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleBluRayBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BuildImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnBluRayBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleBluRayBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BurnImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnCDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnCDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnDVDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnDVDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnHDDVDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleHDDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BuildImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnHDDVDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleHDDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BurnImage\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnPlayBluRayOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayBluRayOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayBluRayOnArrival_ReadDisc\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

ImgBurnPlayCDAudioOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayCDAudioOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayCDAudioOnArrival_ReadDisc\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

ImgBurnPlayDVDMovieOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayDVDMovieOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayDVDMovieOnArrival_ReadDisc\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

ImgBurnPlayHDDVDOnArrival_ReadDisc\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayHDDVDOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayHDDVDOnArrival_ReadDisc\Command\(Default) = ""C:\Programme\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

MSWMEncVCArrival\
"Provider" = "Codeur Windows Media Série 9"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Windows Media Components\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay9LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "LaunchNeroStartSmart_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 9\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
  -> {HKLM...CLSID} = "RealNetworks Scheduler"
                   \LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
                   \LocalServer32\(Default) = ""C:\Programme\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "pc" & "All Users" startup folders:
----------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"FRITZ!DSL Startcenter" -> shortcut to: "C:\Programme\FRITZ!DSL\StCenter.exe" ["AVM Berlin"]
"Status Monitor" -> shortcut to: "C:\Programme\Brother\Brmfcmon\BrMfcWnd.exe Brother MFC-215C /STARTUP" ["Brother Industries, Ltd."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"GoogleUpdateTaskUserS-1-5-21-448539723-162531612-725345543-1004Core" -> launches: "C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]
"GoogleUpdateTaskUserS-1-5-21-448539723-162531612-725345543-1004UA" -> launches: "C:\Dokumente und Einstellungen\pc\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" ["Google Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\PROGRA~1\SPEEDB~2\sblsp.dll ["Speedbit Ltd."], 01 - 02, 16
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0329E7D6-6F54-462D-93F6-F5C3118BADF2}"
  -> {HKLM...CLSID} = "SpeedBit Video Downloader"
                   \InProcServer32\(Default) = "C:\Programme\SpeedBit Video Downloader\Toolbar\tbcore3.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{0329E7D6-6F54-462D-93F6-F5C3118BADF2}" = (no title provided)
  -> {HKLM...CLSID} = "SpeedBit Video Downloader"
                   \InProcServer32\(Default) = "C:\Programme\SpeedBit Video Downloader\Toolbar\tbcore3.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\INetRepl.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search && Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\Programme\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6.5\ICQ.exe" ["ICQ, LLC."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

[verify-U]-Service, [verify-U], ""C:\Programme\[verify-U] AVS\[verify-U]-Service.exe"" ["Cybit AG"]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Avira AntiVir Guard, AntiVirService, ""C:\Programme\Avira\AntiVir Desktop\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Planer, AntiVirSchedulerService, ""C:\Programme\Avira\AntiVir Desktop\sched.exe"" ["Avira GmbH"]
AVM IGD CTRL Service, AVM IGD CTRL Service, "C:\Programme\FRITZ!DSL\IGDCTRL.EXE" ["AVM Berlin"]
BrSplService, Brother XP spl Service, "C:\WINDOWS\System32\brsvc01a.exe" ["brother Industries Ltd"]
COSIDS_TB, COSIDS_TB, "C:\PROGRA~1\COSIDS\BIN\TbMux32.exe" ["TransAction Software, D 81737 Munich"]
Java Quick Starter, JavaQuickStarterService, ""C:\Programme\Java\jre6\bin\jqs.exe" -service -config "C:\Programme\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Nero BackItUp Scheduler 4.0, Nero BackItUp Scheduler 4.0, "C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe" ["Nero AG"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
SentinelSuperProNet Server, SuperProServer, "C:\WINDOWS\system32\spnsrvnt.exe" ["Rainbow Technologies"]
TIS 2000 Apache Web Server, TIS 2000 Apache Web Server, "C:\PROGRA~1\COSIDS\APACHE~1\APACHE\ApchT2kW.exe" [null data]
VideoAcceleratorService, VideoAcceleratorService, "C:\PROGRA~1\SPEEDB~2\VideoAcceleratorService.exe -start -scm" ["Speedbit Ltd."]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2009-11-07 09:33:52)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 33 seconds, including 18 seconds for message boxes)
         


Alt 07.11.2009, 10:31   #6
Angel21
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



Bitte starte noch eine GMER Rootkit suche, du bist überhaupt nicht sauber

Das was ich seh verleitet mich eher dazu dir zu sagen, dass du dein System Neuaufsetzen solltest. Aber versuchen wir mal unser Glück, wie gesagt erstmal mit Gmer
__________________
--> TR/Dropper.Gen in system32/tdlwsp.dll gefunden

Alt 07.11.2009, 13:33   #7
greyGargoyle
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



hi, also ich hab mir gerade jetzt Windows 7 gekauft.

und das auf meinen pc gespielt aber nicht als upgrade sondern benutzerdefinert installiert.

Formatieren hab ich auch ausgewählt aber das ging so schnell das ich glaube das war nur eine art quickformat..

Naja jetzt müssten doch eigentlich alle Viren weg sein oder nicht?

Alt 07.11.2009, 13:41   #8
Angel21
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



mache mal ein HijackThis log, und nochmal ein Malwarebytes scan. wenn die beide sagen sauber entlasse ich dich
__________________
Avira Upgrade 10 ist auf dem Markt!
Agressive Einstellung von Avira

What goes around comes around!

Alt 07.11.2009, 14:13   #9
greyGargoyle
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



Code:
ATTFilter
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:12:16, on 07.11.2009
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETZWERKDIENST')
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

--
End of file - 2703 bytes
         

Alt 07.11.2009, 16:25   #10
greyGargoyle
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



Code:
ATTFilter
Malwarebytes' Anti-Malware 1.41
Datenbank Version: 3115
Windows 6.1.7600

07.11.2009 16:24:32
mbam-log-2009-11-07 (16-24-31).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 140888
Laufzeit: 18 minute(s), 52 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
         

Alt 07.11.2009, 16:36   #11
Angel21
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



Okeh, ich denke mal beim Neuaufsetzen haste nicht versehntlich infizierte Datein mit rübergezogen. Viel Spaß mit sauberem Rechner
__________________
Avira Upgrade 10 ist auf dem Markt!
Agressive Einstellung von Avira

What goes around comes around!

Alt 09.11.2009, 17:28   #12
marico
 
TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Standard

TR/Dropper.Gen in system32/tdlwsp.dll gefunden



Hallo,

mein Win XP scheint ebenfalls mit dem gleichen Trojaner infiziert, da die gleiche Datei (system32/tdlwsp.dll) (trotz mehrmaligem Löschen) gefunden wird.
Habe mal wie oben genannt mit GMER nen Scan gemacht:

Zitat:
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-09 17:15:30
Windows 5.1.2600 Service Pack 2
Running: 155p86r2.exe; Driver: C:\DOKUME~1\Marco\LOKALE~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT F7A712B6 ZwCreateKey
SSDT F7A712AC ZwCreateThread
SSDT F7A712BB ZwDeleteKey
SSDT F7A712C5 ZwDeleteValueKey
SSDT F7A712CA ZwLoadKey
SSDT F7A71298 ZwOpenProcess
SSDT F7A7129D ZwOpenThread
SSDT F7A712D4 ZwReplaceKey
SSDT F7A712CF ZwRestoreKey
SSDT F7A712C0 ZwSetValueKey
SSDT F7A712A7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF72E1380]
? System32\Drivers\hiber_WMILIB.SYS Das System kann den angegebenen Pfad nicht finden. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\SMINST\Scheduler.exe[572] USER32.dll!GetSysColor 77D18E50 5 Bytes JMP 0041C110 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[572] USER32.dll!GetSysColorBrush 77D18E83 5 Bytes JMP 0041C180 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[572] USER32.dll!SetScrollInfo 77D1902C 7 Bytes JMP 0041C000 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[572] USER32.dll!GetScrollPos 77D1F66F 5 Bytes JMP 0041BF90 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[572] USER32.dll!SetScrollRange 77D1F6BB 5 Bytes JMP 0041C080 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[572] USER32.dll!SetScrollPos 77D1F780 5 Bytes JMP 0041C040 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[572] USER32.dll!GetScrollRange 77D1F7B7 5 Bytes JMP 0041BFC0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[572] USER32.dll!ShowScrollBar 77D20142 5 Bytes JMP 0041C0D0 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[572] USER32.dll!GetScrollInfo 77D23A2F 7 Bytes JMP 0041BF50 C:\WINDOWS\SMINST\Scheduler.exe
.text C:\WINDOWS\SMINST\Scheduler.exe[572] USER32.dll!EnableScrollBar 77D67BAD 7 Bytes JMP 0041BF10 C:\WINDOWS\SMINST\Scheduler.exe

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F72D49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP

[EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort0 [F72D49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP

[EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [F72D49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP

[EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort2 [F72D49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP

[EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort3 [F72D49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP

[EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 [F72D49F2] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP

[EAX+0xfc]}

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
Weitere Vorgehensweise? Vielen Dank schonmal!

Antwort

Themen zu TR/Dropper.Gen in system32/tdlwsp.dll gefunden
'tr/dropper.gen', 0xc0000034, datei, dateien, einstellungen, explorer.exe, failed, file, hijack.shell, logfile, malwarebytes, malwarebytes' anti-malware, microsoft, neu, object, opera.exe, programm, programme, registrierungsschlüssel, rootkits, rundll, rundll32.exe, security.hijack, software, system, system32, tdlwsp.dll, tr/dropper.gen, trojan, trojan.agent, userinit.exe, virus, windows, winlogon



Ähnliche Themen: TR/Dropper.Gen in system32/tdlwsp.dll gefunden


  1. C:\WINXP\system32\dllcache\explorer.exe (Trojan.Bootkit.Dropper)
    Log-Analyse und Auswertung - 30.08.2012 (13)
  2. Trojaner Dropper.Generic_c.MMI in C:\Windows\system32\services.exe
    Log-Analyse und Auswertung - 15.08.2012 (3)
  3. Tr/Ramnit.D und TR/Trash.GEn von Antivir gefunden, Symantec hat 097M.Dropper gefunden
    Log-Analyse und Auswertung - 20.04.2011 (7)
  4. TR Dropper.gen gefunden
    Log-Analyse und Auswertung - 13.01.2011 (29)
  5. Trojan.Dropper in ...System32/autorun/Drivers/...
    Plagegeister aller Art und deren Bekämpfung - 10.11.2010 (4)
  6. Trojaner TR/Dropper.Gen in C:\\windows\system32\sdra64.exe - was muss ich tun?
    Plagegeister aller Art und deren Bekämpfung - 21.05.2010 (34)
  7. TR/Dropper.Gen gefunden
    Plagegeister aller Art und deren Bekämpfung - 07.04.2010 (10)
  8. ungeübte Userin findet TR/Dropper.Gen in c:\windows\system32\cfmmon.exe
    Plagegeister aller Art und deren Bekämpfung - 20.03.2010 (6)
  9. Antivir meldet TR/Dropper.Gen in C:\WINDOWS\system32\ACF7EF\74BE16.EXE
    Plagegeister aller Art und deren Bekämpfung - 16.01.2010 (3)
  10. dropper.gen gefunden
    Log-Analyse und Auswertung - 15.01.2010 (8)
  11. Dropper.gen in system32/drivers/ip6fw.sys | eingefangen!!
    Plagegeister aller Art und deren Bekämpfung - 08.12.2009 (25)
  12. TR/Vundo.Gen in C:\WINDOWS\system32\tdlwsp.dll
    Plagegeister aller Art und deren Bekämpfung - 18.11.2009 (56)
  13. ebenfalls TR/Vundo.Gen in C:\WINDOWS\system32\tdlwsp.dll
    Plagegeister aller Art und deren Bekämpfung - 14.11.2009 (6)
  14. TR/Dropper.Gen (Gefunden) !!!
    Log-Analyse und Auswertung - 29.07.2009 (7)
  15. TR/Dropper.gen gefunden
    Log-Analyse und Auswertung - 24.07.2009 (1)
  16. TR/Dropper.Gen gefunden!!!
    Log-Analyse und Auswertung - 20.06.2008 (17)
  17. system32/ceqfkafx.dll nicht gefunden
    Plagegeister aller Art und deren Bekämpfung - 07.10.2007 (1)

Zum Thema TR/Dropper.Gen in system32/tdlwsp.dll gefunden - Hallo bin neu hier und hoffe ihr könnt mir hier weiterhelfen. Antivir hat folgendes gebracht: In der Datei 'C:\WINDOWS\system32\tdlwsp.dll' wurde ein Virus oder unerwünschtes Programm 'TR/Dropper.Gen' [trojan] gefunden. Abgesicherter Modus - TR/Dropper.Gen in system32/tdlwsp.dll gefunden...
Archiv
Du betrachtest: TR/Dropper.Gen in system32/tdlwsp.dll gefunden auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.