
Log Analysis and Evaluation: Please check my HJT log


08.12.2007, 19:21   #1
Marco
Guest

Please check my HJT log



Hello
first of all I'd like to throw a hello into the forum. I've just registered and hope for help, since I can't get any further on my own.

Today I ran an online scan with Symantec, ran Ad-Aware and AntiVir, all updated. None of the three programs found any viruses. Just now I switch on the PC, start Firefox and bang, AntiVir pops up. The message was that a trojan is hiding here: C:\WINDOWS\system32\geebb.dll. I then deleted the file.

But since I want to be on the safe side, because I have a lot of files and programs (for private as well as business use) on the machine and don't want to take any risk, I'm posting my HijackThis report here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:37:14, on 08.12.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
D:\EXT~1.HAR\SIDEWI~1\common\swtrayv4.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Ext.Hardware\Logitech Wheel\lwemon.exe
C:\Dokumente und Einstellungen\xxx\Desktop\EasyToolz.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
D:\Programme\Kerio Personal Firewall\Personal Firewall 4\kpf4ss.exe
D:\Programme\3ds Max 8\mentalray\satellite\raysat_3dsmax8server.exe
D:\Programme\Kerio Personal Firewall\Personal Firewall 4\kpf4gui.exe
D:\Programme\3ds Max 8\plugins\Brazil\sfmgr\sfmgr.exe
D:\Programme\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
D:\Programme\Kerio Personal Firewall\Personal Firewall 4\kpf4gui.exe
D:\Programme\ICQ\Icq.exe
D:\Programme\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe Reader 7\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Programme\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {740267D5-4FD0-4E34-AEA6-740E4C68D2AA} - C:\WINDOWS\system32\efcyabx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SideWinderTrayV4] d:\EXT~1.HAR\SIDEWI~1\common\swtrayv4.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe "
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "D:\Ext.Hardware\Logitech Wheel\lwemon.exe" /noui
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: EasyToolz.lnk = C:\Dokumente und Einstellungen\xxx\Desktop\EasyToolz.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = D:\Programme\Adobe Reader 7\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office 2000\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Spiele\Party Poker\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - D:\Spiele\Party Poker\PartyPokerNet\RunPF.exe
O9 - Extra button: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Programme\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FC398E74-4F33-422B-9881-3638C380B8CA}: NameServer = 217.237.151.142 217.237.150.188
O20 - Winlogon Notify: efcyabx - C:\WINDOWS\SYSTEM32\efcyabx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Programme\Kerio Personal Firewall\Personal Firewall 4\kpf4ss.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - D:\Programme\3ds Max 8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - D:\Programme\3ds Max 8\plugins\Brazil\sfmgr\sfmgr.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\WINDOWS\

--
End of file - 7042 bytes

I hope you can help me here, 6 years without a virus or trojan and then this

regards
Marco

08.12.2007, 19:29   #2
Marco
Guest



Hi
just got another AntiVir pop-up.

I deleted the file.

What I find odd is that according to this page it is always Browser Helper Object (BHO) files.

regards
Marco


08.12.2007, 19:41   #3
ordell1234



Greetings back,

you haven't caught all of it yet. Fix the following entries with HJT:
Quote:
O2 - BHO: (no name) - {740267D5-4FD0-4E34-AEA6-740E4C68D2AA} - C:\WINDOWS\system32\efcyabx.dll
O20 - Winlogon Notify: efcyabx - C:\WINDOWS\SYSTEM32\efcyabx.dll
Then, in HJT, go to Config -> Misc Tools -> delete file on reboot: C:\windows\system32\efcyabx.dll. No reboot yet.

1. Vundofix

* Download vundofix.exe
* Double-click VundoFix.exe
* Click "Scan" --> Vundo button.
* After the scan, click the "Remove" Vundo button.
* You will be asked whether you want to "remove" --> click YES
* After that all desktop icons will disappear
* Then you will be asked whether the PC should reboot --> click OK.

2. Create a log with filelist.zip and please post the entries of the last 30 days.

3. Silent Runners logfile
-Download the tool -> Silentrunners
-Unpack the script into a folder of your choice
-Double-click -> Silent Runners -> select the option Supplementary Searches
-The system is now checked; when it finishes, a log file is created
(Your antivirus scanner might raise an alert about a "malicious script";
ignore it and carry on!)
-Then open the Silent Runners xxx.txt in an editor, copy the entire contents and paste them into a post.
(Ctrl+A select -> Ctrl+C copy -> Ctrl+V paste)

4. Download autoruns, unpack the zip archive and copy autorunsc.exe to c:\.

Copy the following text and save it as autoruns.bat.
Code:
@echo off
cd %systemdrive%
cd\
REM Pre-accept the Sysinternals EULA so autorunsc does not stop at the dialog
reg add HKCU\Software\Sysinternals\autoruns /f /v EulaAccepted /t REG_DWORD /d 1
REM -a all entries, -c CSV output, -m hide signed Microsoft entries, -v verify signatures
REM (single > so a second run overwrites instead of appending to the old log)
autorunsc -acmv > %temp%\autoruns.log
REM Keep only the lines whose signature did not verify
findstr /v /c:"(Verified)" %temp%\autoruns.log > %temp%\autoruns.txt
notepad %temp%\autoruns.txt
exit
Run autoruns.bat and post the log. Autoruns connects to the internet for the signature check, so please give it the green light in your firewall.

Let's see...
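As an added example, not code from this thread or from HijackThis or Autoruns: the check ordell1234 did by eye, done in Python over the two logs the steps above ask for. The HJT parser flags efcyabx.dll for the same three reasons it was fixed (unnamed BHO, Winlogon Notify handler, one DLL at two launch points), and the Autoruns filter does what `findstr /v (Verified)` in the batch file does, minus the header line. The sample lines are copied from the logs in this thread except the UMWdf row, which is constructed.

```python
"""Added example: triage helpers for the HijackThis and Autoruns logs
requested above. Not code from this thread, HijackThis or Autoruns."""
import csv
import io
import re
from collections import defaultdict

# Sample input: a subset of the HijackThis lines Marco posted above.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe Reader 7\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {740267D5-4FD0-4E34-AEA6-740E4C68D2AA} - C:\WINDOWS\system32\efcyabx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O20 - Winlogon Notify: efcyabx - C:\WINDOWS\SYSTEM32\efcyabx.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def triage_hjt(text):
    """Return {dll_path_lowercased: [reasons]} for O2/O20 entries worth a look.

    Three heuristics, all of which hit efcyabx.dll in this thread:
      * a BHO registered without a display name,
      * any DLL loaded through Winlogon Notify (few legitimate products use it),
      * one DLL registered at more than one launch point.
    Paths are lower-cased because Windows paths are case-insensitive and HJT
    prints system32 in different case in the O2 and O20 sections.
    """
    reasons = defaultdict(list)
    launch_points = defaultdict(set)
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            path = m.group("path").strip().lower()
            launch_points[path].add("O2")
            if m.group("name") == "(no name)":
                reasons[path].append("BHO without a display name")
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group("path").strip().lower()
            launch_points[path].add("O20")
            reasons[path].append("loaded via Winlogon Notify")
    for path, points in launch_points.items():
        if len(points) > 1:
            where = ", ".join(sorted(points))
            reasons[path].append(f"registered at {len(points)} launch points: {where}")
    return dict(reasons)


# Sample input in the CSV layout `autorunsc -acmv` writes (header as posted
# in the thread). The first two rows are copied from Marco's log; the UMWdf
# row with a verified publisher is constructed for contrast.
AUTORUNS_SAMPLE = r"""
Entry Location,Entry,Enabled,Description,Publisher,Image Path
HKLM\System\CurrentControlSet\Services,AntiVirService,enabled,"Echtzeit Virenschutz durch H+BEDV AntiVir Engine","(Not verified) Avira GmbH","c:\programme\antivir personaledition classic\avguard.exe"
HKLM\System\CurrentControlSet\Services,Changer,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\Changer.sys"
HKLM\System\CurrentControlSet\Services,UMWdf,enabled,"Windows User Mode Driver Framework","(Verified) Microsoft Windows","c:\windows\system32\wdfmgr.exe"
"""


def unverified_autoruns(csv_text):
    """Return [(entry, [reasons])] for rows whose publisher signature did not
    verify or whose image is missing on disk.

    Same rows `findstr /v (Verified)` keeps, minus the header line it also
    lets through, plus an explicit flag for 'File not found' images. An
    unverified publisher is not proof of malware (AntiVir is unsigned here
    too); it is the short list to check by hand.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text.lstrip())):
        publisher = row.get("Publisher") or ""
        image = row.get("Image Path") or ""
        why = []
        if not publisher.startswith("(Verified)"):
            why.append(f"unverified publisher: {publisher!r}")
        if image.startswith("File not found"):
            why.append("image missing on disk")
        if why:
            flagged.append((row["Entry"], why))
    return flagged


if __name__ == "__main__":
    for path, why in triage_hjt(HJT_SAMPLE).items():
        print(path, "->", "; ".join(why))
    for entry, why in unverified_autoruns(AUTORUNS_SAMPLE):
        print(entry, "->", "; ".join(why))
```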

08.12.2007, 20:17   #4
Marco
Guest



Hi
so this is how I proceeded
1. ticked the two files
2. Fix checked --> yes
3. Config -> Misc Tools -> delete file on reboot: C:\windows\system32\efcyabx.dll, no reboot done

4. ran VundoFix --> no files found
5. Filelist log --> I just double-clicked the bat and counted off the last 30 days, was that right?
----- Root -----------------------------
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7495-4187

Verzeichnis von C:\

08.12.2007 20:17 1.610.612.736 pagefile.sys
08.12.2007 20:15 210 VundoFix.txt
01.11.2006 20:21 2.824 LGSInst.Log
01.08.2006 12:01 44 01_[HTTP_1_0 200 OK] http___62_75_176_40_80_bigfm-cbr-128.wav
24.07.2006 15:27 44 01_bigFM.wav
23.05.2006 23:28 227 boot.ini
21.03.2006 15:21 34 hcwclear.txt
21.03.2006 01:48 251.712 ntldr
21.03.2006 00:41 0 MSDOS.SYS
21.03.2006 00:41 0 AUTOEXEC.BAT
21.03.2006 00:41 0 CONFIG.SYS
21.03.2006 00:41 0 IO.SYS
04.08.2004 13:00 4.952 bootfont.bin
04.08.2004 13:00 47.564 NTDETECT.COM
14 Datei(en) 1.610.920.347 Bytes
0 Verzeichnis(se), 8.082.821.120 Bytes frei

----- System32 -------------------------
Volume in Laufwerk C: hat keine Bezeichnung.
Volumeseriennummer: 7495-4187

Verzeichnis von C:\WINDOWS\system32

08.12.2007 20:19 2.206 wpa.dbl
08.12.2007 03:25 130.096 FNTCACHE.DAT
08.12.2007 01:51 38.912 efcyabx.dll
17.11.2007 00:04 5.686 jupdate-1.6.0_03-b05.log
02.11.2007 08:12 18.238.072 MRT.exe
29.10.2007 16:07 373.760 xpsp3res.dll
28.10.2007 11:57 401.064 perfh009.dat
28.10.2007 11:57 62.344 perfc009.dat
28.10.2007 11:57 74.996 perfc007.dat
28.10.2007 11:57 415.470 perfh007.dat
28.10.2007 11:57 966.250 PerfStringBackup.INI
25.10.2007 17:42 8.501.248 shell32.dll
27.09.2007 14:43 107.888 CmdLineExt.dll
24.09.2007 23:31 69.632 javacpl.cpl
24.09.2007 23:31 139.264 javaws.exe
24.09.2007 22:30 135.168 javaw.exe
24.09.2007 22:30 135.168 java.exe
29.08.2007 19:10 249.852 TZLog.log
22.08.2007 13:56 671.232 wininet.dll
22.08.2007 13:56 620.032 urlmon.dll
22.08.2007 13:56 1.498.112 shdocvw.dll
22.08.2007 13:56 474.624 shlwapi.dll
22.08.2007 13:56 39.424 pngfilt.dll
22.08.2007 13:56 449.024 mshtmled.dll
22.08.2007 13:56 532.480 mstime.dll
22.08.2007 13:56 146.432 msrating.dll
22.08.2007 13:56 3.085.824 mshtml.dll
22.08.2007 13:56 357.888 dxtmsft.dll
22.08.2007 13:56 1.056.256 danim.dll
22.08.2007 13:56 205.824 dxtrans.dll

6. Wanted to create the Silent Runners log, but first had to enable Windows Script Hosting in the registry

Silent Runners log
"Silent Runners.vbs", revision 53, Silent Runners - Adware? Disinfect, don't reformat!
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Start WingMan Profiler" = ""D:\Ext.Hardware\Logitech Wheel\lwemon.exe" /noui" ["Logitech Inc."]
"Steam" = (empty string) [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"SideWinderTrayV4" = "d:\EXT~1.HAR\SIDEWI~1\common\swtrayv4.exe" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"ATICCC" = ""C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"Easy-PrintToolBox" = "C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "D:\Programme\Adobe Reader 7\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}\(Default) = "Canon Easy Web Print Helper"
-> {HKLM...CLSID} = "EWPBrowseObject Class"
\InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\EWPBrowseLoader.dll" [null data]
{740267D5-4FD0-4E34-AEA6-740E4C68D2AA}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\efcyabx.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{262E6512-1611-4d54-B6F5-58A6719B31EC}" = "SigmaTel MSCN PlayerShell Hook"
-> {HKLM...CLSID} = "SigmaTel MSCN PlayerShell Hook"
\InProcServer32\(Default) = "MSCNh.dll" ["SigmaTel, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Programme\WinRar\rarext.dll" [null data]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {HKLM...CLSID} = "ICQ Shell Extension"
\InProcServer32\(Default) = "D:\Programme\ICQ\ICQShExt.dll" ["ICQ"]
"{45C6AFA5-2C13-402f-BC5D-45CC8172EF6B}" = "Bluetooth"
-> {HKLM...CLSID} = "Bluetooth-Informationsaustausch"
\InProcServer32\(Default) = "C:\WINDOWS\system32\TosBtExt.dll" [file not found]
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
-> {HKLM...CLSID} = "IZArc DragDrop Menu"
\InProcServer32\(Default) = "D:\Programme\7z\IZArcCM.dll" [null data]
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "D:\Programme\7z\IZArcCM.dll" [null data]
"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"
-> {HKLM...CLSID} = "ACDWFTHMBPRXY"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Autodesk Shared\AcDwfThmbPrxy16.dll" ["Autodesk"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "D:\Programme\Unlocker\UnlockerCOM.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{740267D5-4FD0-4E34-AEA6-740E4C68D2AA}" = "*]" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\efcyabx.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> efcyabx\DLLName = "efcyabx.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "D:\Programme\Adobe Reader 7\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "D:\Programme\7z\IZArcCM.dll" [null data]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
tosBtShllExt\(Default) = "{6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1}"
-> {HKLM...CLSID} = "Bluetooth File Extenstion"
\InProcServer32\(Default) = "C:\WINDOWS\system32\TosBtShell.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Programme\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "D:\Programme\7z\IZArcCM.dll" [null data]
tosBtShllExt\(Default) = "{6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1}"
-> {HKLM...CLSID} = "Bluetooth File Extenstion"
\InProcServer32\(Default) = "C:\WINDOWS\system32\TosBtShell.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Programme\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "D:\Programme\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Programme\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "D:\Programme\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Marco" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\Marco\Startmenü\Programme\Autostart
"Adobe Gamma" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"EasyToolz" -> shortcut to: "C:\Dokumente und Einstellungen\Marco\Desktop\EasyToolz.exe" [null data]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Gamma Loader" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader - Schnellstart" -> shortcut to: "D:\Programme\Adobe Reader 7\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Microsoft Office" -> shortcut to: "D:\Programme\Microsoft Office 2000\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
-> {HKLM...CLSID} = "Easy-WebPrint"
\InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Programme\Canon\Easy-WebPrint\Toolband.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "D:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

{F4430FE8-2638-42E5-B849-800749B94EED}\
"ButtonText" = "PartyPoker.net"
"MenuText" = "PartyPoker.net"
"Exec" = "D:\Spiele\Party Poker\PartyPokerNet\RunPF.exe" [empty string]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "@C:\Programme\Messenger\Msgslang.dll,-61144"
"MenuText" = "@C:\Programme\Messenger\Msgslang.dll,-61144"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Service, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir Scheduler, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Programme\Gemeinsame Dateien\Autodesk Shared\Service\AdskScSrv.exe"" ["Autodesk"]
C-DillaSrv, C-DillaSrv, "C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE" ["C-Dilla Ltd"]
CaReTaKeR-CT NetMgr 1.2.1, sfmgr, "D:\Programme\3ds Max 8\plugins\Brazil\sfmgr\sfmgr.exe" [null data]
Kerio Personal Firewall 4, KPF4, ""D:\Programme\Kerio Personal Firewall\Personal Firewall 4\kpf4ss.exe"" ["Kerio Technologies"]
RaySat_3dsmax8 Server, mi-raysat_3dsmax8, ""D:\Programme\3ds Max 8\mentalray\satellite\raysat_3dsmax8server.exe"" [null data]
StarWind iSCSI Service, StarWindService, "D:\Programme\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor iP3300\Driver = "CNMLM84.DLL" ["CANON INC."]
CutePDF Writer Monitor\Driver = "cpwmon2k.dll" [null data]


---------- (launch time: 2007-12-08 20:28:58)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 25 seconds, including 4 seconds for message boxes)

Last edited by Marco (08.12.2007 at 20:33)

08.12.2007, 20:30   #5
ordell1234



Then please do the reboot now, if you haven't already, and post the remaining logs.


08.12.2007, 20:43   #6
Marco
Guest



6. Autoruns log
Entry Location,Entry,Enabled,Description,Publisher,Image Path
HKLM\System\CurrentControlSet\Services,AntiVirScheduler,enabled,"Dienst zur Planung und Steuerung von Prüf- und Updateaufgaben der AntiVir PersonalEdition Classic.","(Not verified) Avira GmbH","c:\programme\antivir personaledition classic\sched.exe"
HKLM\System\CurrentControlSet\Services,AntiVirService,enabled,"Echtzeit Virenschutz durch H+BEDV AntiVir Engine","(Not verified) Avira GmbH","c:\programme\antivir personaledition classic\avguard.exe"
HKLM\System\CurrentControlSet\Services,Autodesk Licensing Service,enabled,"Anchor service for Autodesk products licensed with SafeCast","(Not verified) Autodesk","c:\programme\gemeinsame dateien\autodesk shared\service\adskscsrv.exe"
HKLM\System\CurrentControlSet\Services,C-DillaSrv,enabled,"C-Dilla RTS Service","(Not verified) C-Dilla Ltd","c:\windows\system32\drivers\cdantsrv.exe"
HKLM\System\CurrentControlSet\Services,KPF4,enabled,"Kerio Personal Firewall-Engine","(Not verified) Kerio Technologies","d:\programme\kerio personal firewall\personal firewall 4\kpf4ss.exe"
HKLM\System\CurrentControlSet\Services,mi-raysat_3dsmax8,enabled,"mental ray 3.4 Satellite",,"d:\programme\3ds max 8\mentalray\satellite\raysat_3dsmax8server.exe"
HKLM\System\CurrentControlSet\Services,sfmgr,enabled,"",,"d:\programme\3ds max 8\plugins\brazil\sfmgr\sfmgr.exe"
HKLM\System\CurrentControlSet\Services,StarWindService,enabled,"Enables network access to local devices via iSCSI protocol.","(Not verified) Rocket Division Software","d:\programme\alcohol 120%\alcohol 120\starwind\starwindservice.exe"
HKLM\System\CurrentControlSet\Services,as6eio,enabled,"",,"c:\windows\system32\drivers\as6eio.sys"
HKLM\System\CurrentControlSet\Services,Changer,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\Changer.sys"
HKLM\System\CurrentControlSet\Services,CO_Mon,enabled,"",,"c:\windows\system32\drivers\co_mon.sys"
HKLM\System\CurrentControlSet\Services,fwdrv,enabled,"","(Not verified) Kerio Technologies","c:\windows\system32\drivers\fwdrv.sys"
HKLM\System\CurrentControlSet\Services,i2omgmt,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys"
HKLM\System\CurrentControlSet\Services,khips,enabled,"Kerio Host Intrusion Prevention Driver",,"c:\windows\system32\drivers\khips.sys"
HKLM\System\CurrentControlSet\Services,lbrtfdc,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys"
HKLM\System\CurrentControlSet\Services,NuVision,enabled,"USBVision Streaming Class Driver","(Not verified) Hauppauge Computer Works","c:\windows\system32\drivers\nuvision.sys"
HKLM\System\CurrentControlSet\Services,papycpu2,enabled,"",,"c:\windows\system32\drivers\papycpu2.sys"
HKLM\System\CurrentControlSet\Services,papyjoy,enabled,"",,"c:\windows\system32\drivers\papyjoy.sys"
HKLM\System\CurrentControlSet\Services,PCIDump,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys"
HKLM\System\CurrentControlSet\Services,PDCOMP,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys"
HKLM\System\CurrentControlSet\Services,PDFRAME,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys"
HKLM\System\CurrentControlSet\Services,PDRELI,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys"
HKLM\System\CurrentControlSet\Services,PDRFRAME,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys"
HKLM\System\CurrentControlSet\Services,PxHelp20,enabled,"Px Engine Device Driver for Windows 2000/XP","(Not verified) Sonic Solutions","c:\windows\system32\drivers\pxhelp20.sys"
HKLM\System\CurrentControlSet\Services,toshidpt,enabled,"Toshiba Bluetooth HID mini port driver","(Not verified) TOSHIBA Corporation.","c:\windows\system32\drivers\toshidpt.sys"
HKLM\System\CurrentControlSet\Services,tosporte,enabled,"TOSHIBA Bluetooth Port Emulation Driver","(Not verified) TOSHIBA Corporation","c:\windows\system32\drivers\tosporte.sys"
HKLM\System\CurrentControlSet\Services,Tosrfbd,enabled,"Bluetooth RF Bus Driver","(Not verified) TOSHIBA CORPORATION","c:\windows\system32\drivers\tosrfbd.sys"
HKLM\System\CurrentControlSet\Services,Tosrfbnp,enabled,"Bluetooth RFBNEP Driver","(Not verified) TOSHIBA Corporation","c:\windows\system32\drivers\tosrfbnp.sys"
HKLM\System\CurrentControlSet\Services,Tosrfcom,enabled,"Bluetooth RFCOMM Driver","(Not verified) TOSHIBA Corporation","c:\windows\system32\drivers\tosrfcom.sys"
HKLM\System\CurrentControlSet\Services,Tosrfhid,enabled,"Bluetooth HID Driver from TOSHIBA","(Not verified) TOSHIBA Corporation.","c:\windows\system32\drivers\tosrfhid.sys"
HKLM\System\CurrentControlSet\Services,tosrfnds,enabled,"Bluetooth BNEP Driver","(Not verified) TOSHIBA Corporation.","c:\windows\system32\drivers\tosrfnds.sys"
HKLM\System\CurrentControlSet\Services,TosRfSnd,enabled,"Bluetooth Audio Driver (WDM)","(Not verified) TOSHIBA Corporation","c:\windows\system32\drivers\tosrfsnd.sys"
HKLM\System\CurrentControlSet\Services,Tosrfusb,enabled,"Bluetooth USB Miniport Driver","(Not verified) TOSHIBA CORPORATION","c:\windows\system32\drivers\tosrfusb.sys"
HKLM\System\CurrentControlSet\Services,Vax347b,enabled,"Plug and Play BIOS Extension","(Not verified) ","c:\windows\system32\drivers\vax347b.sys"
HKLM\System\CurrentControlSet\Services,Vax347s,enabled,"SCSI miniport","(Not verified) ","c:\windows\system32\drivers\vax347s.sys"
HKLM\System\CurrentControlSet\Services,WDICA,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\WDICA.sys"
HKLM\System\CurrentControlSet\Services,xlink,enabled,"USBIO Driver","(Not verified) Thesycon GmbH, Germany","c:\windows\system32\drivers\xlink.sys"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify,efcyabx,enabled,"",,"c:\windows\system32\efcyabx.dll"
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors,CutePDF Writer Monitor,enabled,"",,"c:\windows\system32\cpwmon2k.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SideWinderTrayV4,enabled,"MS SideWinder Tray Application","(Not verified) Microsoft Corporation","d:\ext.hardware\sidewinder precision racing wheel\common\swtrayv4.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,NeroFilterCheck,enabled,"NeroCheck","(Not verified) Ahead Software Gmbh","c:\windows\system32\nerocheck.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avgnt,enabled,"Antivirus System Tray Tool","(Not verified) Avira GmbH","c:\programme\antivir personaledition classic\avgnt.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ATICCC,enabled,"CLI Application (Command Line Interface)","(Not verified) ATI Technologies Inc.","c:\programme\ati technologies\ati.ace\cli.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Easy-PrintToolBox,enabled,"BJPSMAIN","(Not verified) CANON INC.","c:\programme\canon\easy-printtoolbox\bjpsmain.exe"
HKLM\SOFTWARE\Classes\Protocols\Filter,application/octet-stream,enabled,"Microsoft .NET Runtime Execution Engine","(Not verified) Microsoft Corporation","c:\windows\system32\mscoree.dll"
HKLM\SOFTWARE\Classes\Protocols\Filter,application/x-complus,enabled,"Microsoft .NET Runtime Execution Engine","(Not verified) Microsoft Corporation","c:\windows\system32\mscoree.dll"
HKLM\SOFTWARE\Classes\Protocols\Filter,application/x-msdownload,enabled,"Microsoft .NET Runtime Execution Engine","(Not verified) Microsoft Corporation","c:\windows\system32\mscoree.dll"
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components,0,enabled,"",,"File not found: About:Home"
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components,n/a,enabled,"Microsoft .NET IE SECURITY REGISTRATION","(Not verified) Microsoft Corporation","c:\windows\system32\mscories.dll"
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart,Adobe Gamma Loader.lnk,enabled,"Adobe Gamma Loader","(Not verified) Adobe Systems, Inc.","c:\programme\gemeinsame dateien\adobe\calibration\adobe gamma loader.exe"
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart,Adobe Reader - Schnellstart.lnk,enabled,"Adobe Acrobat SpeedLauncher","(Not verified) Adobe Systems Incorporated","d:\programme\adobe reader 7\reader\reader_sl.exe"
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart,Microsoft Office.lnk,enabled,"Microsoft Office 2000 component","(Not verified) Microsoft Corporation","d:\programme\microsoft office 2000\office\osa9.exe"
C:\Dokumente und Einstellungen\Marco\Startmenü\Programme\Autostart,Adobe Gamma.lnk,enabled,"Adobe Gamma Loader","(Not verified) Adobe Systems, Inc.","c:\programme\gemeinsame dateien\adobe\calibration\adobe gamma loader.exe"
C:\Dokumente und Einstellungen\Marco\Startmenü\Programme\Autostart,EasyToolz.lnk,enabled,"",,"c:\dokumente und einstellungen\marco\desktop\easytoolz.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Start WingMan Profiler,enabled,"Logitech WingMan Event Monitor","(Not verified) Logitech Inc.","d:\ext.hardware\logitech wheel\lwemon.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,EWPBrowseObject Class,enabled,"Easy-WebPrint EWPBrowseLoader Module",,"c:\programme\canon\easy-webprint\ewpbrowseloader.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,{740267D5-4FD0-4E34-AEA6-740E4C68D2AA},enabled,"",,"c:\windows\system32\efcyabx.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks,efcyabx.dll,enabled,"",,"c:\windows\system32\efcyabx.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,CPL-Erweiterung für Anzeigeverschiebung,enabled,"",,"File not found: deskpan.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,Fusion Cache,enabled,"Microsoft .NET Runtime Execution Engine","(Not verified) Microsoft Corporation","c:\windows\system32\mscoree.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,ShellLink for Application References,enabled,"Application Deployment Support Library","(Not verified) Microsoft Corporation","c:\windows\system32\dfshim.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,Shell Icon Handler for Application References,enabled,"Application Deployment Support Library","(Not verified) Microsoft Corporation","c:\windows\system32\dfshim.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,Catalyst Context Menu extension,enabled,"ACE Context Menu",,"c:\programme\ati technologies\ati.ace\atiacmxx.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,SigmaTel MSCN PlayerShell Hook,enabled,"SigmaTel MSCN Audio Player Shell Extension","(Not verified) SigmaTel, Inc.","c:\windows\system32\mscnh.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,WinRAR shell extension,enabled,"",,"d:\programme\winrar\rarext.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,Shell Extension for Malware scanning,enabled,"ShlExt.dll","(Not verified) Avira GmbH","c:\programme\antivir personaledition classic\shlext.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,AlcoholShellEx,enabled,"AXShlEx.dll","(Not verified) Alcohol Soft Development Team","d:\programme\alcohol 120%\alcohol 120\axshlex.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,ICQ Shell Extension,enabled,"ICQ Shell Extension","(Not verified) ICQ","d:\programme\icq\icqshext.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,Bluetooth,enabled,"",,"File not found: C:\WINDOWS\system32\TosBtExt.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,IZArc DragDrop Menu,enabled,"",,"d:\programme\7z\izarccm.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,IZArc Shell Context Menu,enabled,"",,"d:\programme\7z\izarccm.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved,UnlockerShellExtension,enabled,"",,"d:\programme\unlocker\unlockercom.dll"
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers,PDF Shell Extension,enabled,"PDF Shell Extension","(Not verified) Adobe Systems, Inc.","d:\programme\adobe reader 7\activex\pdfshell.dll"
HKLM\Software\Microsoft\Internet Explorer\Toolbar,Easy-WebPrint,enabled,"Easy-WebPrint",,"c:\programme\canon\easy-webprint\toolband.dll"
HKLM\Software\Microsoft\Internet Explorer\Extensions,ICQ,enabled,"ICQ","(Not verified) ICQ Inc.","d:\programme\icq\icq.exe"
HKLM\Software\Microsoft\Internet Explorer\Extensions,PartyPoker.net,enabled,"RunApp MFC Application",,"d:\spiele\party poker\partypokernet\runpf.exe"

Do you need another log or anything else?

Regards
Marco
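The listing above is in the comma-separated "Location,Entry,Enabled,Description,Publisher,Image Path" layout, and the entry a reviewer would look at first is c:\windows\system32\efcyabx.dll: it is registered in Winlogon\Notify, as a Browser Helper Object, and as a ShellExecuteHook, each time with neither a description nor a publisher, while AntiVir has already named two other system32 DLLs. The script below is an added example, not code from the poster or from the forum's tools. It parses that CSV layout and applies the checks a human log reader applies by eye: an undescribed, unpublished module in one of those three hook points, the same image path registered in several hook points, and "File not found" entries that should be cleaned up. The sample lines are constructed from the listing; the hook-point list and severity labels are this example's own choices.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the same Location,Entry,Enabled,Description,Publisher,Image Path
# layout as the listing above. The efcyabx.dll rows are copied from it; the other rows
# are benign and stale entries from the same listing, included to show what is NOT flagged.
SAMPLE = r"""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify,efcyabx,enabled,"",,"c:\windows\system32\efcyabx.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,{740267D5-4FD0-4E34-AEA6-740E4C68D2AA},enabled,"",,"c:\windows\system32\efcyabx.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks,efcyabx.dll,enabled,"",,"c:\windows\system32\efcyabx.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,EWPBrowseObject Class,enabled,"Easy-WebPrint EWPBrowseLoader Module",,"c:\programme\canon\easy-webprint\ewpbrowseloader.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,avgnt,enabled,"Antivirus System Tray Tool","(Not verified) Avira GmbH","c:\programme\antivir personaledition classic\avgnt.exe"
HKLM\System\CurrentControlSet\Services,PCIDump,enabled,"",,"File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys"
""".strip()

FIELDS = ("location", "entry", "enabled", "description", "publisher", "image")

# Autostart locations where a DLL is loaded at logon or into every process without
# any user action. A module with no identity at all in one of these is worth a look.
# This list is the example's own choice, not something the listing defines.
HOOK_POINTS = (r"winlogon\notify", "browser helper objects", "shellexecutehooks")


def parse_autoruns(text):
    """Turn the CSV listing into a list of dicts, skipping header and malformed lines."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS) or rec[0].endswith("Entry Location"):
            continue
        rows.append(dict(zip(FIELDS, rec)))
    return rows


def flag_entries(rows):
    """Return (severity, subject, reason) tuples for entries that need a closer look."""
    findings = []
    hook_hits = defaultdict(set)  # image path -> set of hook points it is registered in
    for r in rows:
        loc = r["location"].lower()
        image = r["image"].lower()
        # Stale registration: the image is gone, so nothing runs, but the key is debris.
        if image.startswith("file not found:"):
            findings.append(("low", r["entry"], "registered image does not exist on disk (stale entry)"))
            continue
        hook = next((h for h in HOOK_POINTS if h in loc), None)
        if hook is None:
            continue  # Run keys, services etc. are not scored by this example
        hook_hits[image].add(hook)
        # Legitimate products almost always carry at least a description string;
        # a module with neither description nor publisher in a hook point is suspect.
        if not r["description"].strip() and not r["publisher"].strip():
            findings.append(("high", r["entry"], f"module with no description and no publisher in {hook}"))
    # One DLL wired into several hook points is a persistence pattern, not a product feature.
    for image, hooks in hook_hits.items():
        if len(hooks) >= 2:
            findings.append(("high", image,
                             f"same module registered in {len(hooks)} hook points: {', '.join(sorted(hooks))}"))
    return findings


def report(text):
    """Parse a listing and return its findings; convenience wrapper for callers."""
    return flag_entries(parse_autoruns(text))


if __name__ == "__main__":
    for severity, subject, reason in report(SAMPLE):
        print(f"[{severity}] {subject}: {reason}")
```

Run against the sample, the three efcyabx.dll registrations and their combination come out as high-severity findings, PCIDump comes out as a stale entry, and the Canon BHO (which has a description but no publisher) and the AntiVir tray tool are left alone. Pasting the whole listing from the post into SAMPLE works the same way; the "(Not verified)" publisher strings are kept as-is because the check only asks whether any identity string is present.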

08.12.2007, 21:09   #7
Marco
Guest

Please check my HJT log

Hi,
now I am also getting a message from AntiVir that the file
C:\Windows\system32\jkkjk.dll contains the trojan TR/Vundo.Gen.

Regards
Marco
