- silentrunners
- blacklight (blacklight nur durchlaufen lassen und den Report posten, wenn es versteckte Objekte gefunden hat)
- combofix
Das lässt sich nicht öffnen,Verbindung zum Server unterbrochen!

Zitat:

Zitat von koile

- silentrunners
- blacklight (blacklight nur durchlaufen lassen und den Report posten, wenn es versteckte Objekte gefunden hat)
- combofix
Das lässt sich nicht öffnen,Verbindung zum Server unterbrochen!

Alle Programme lassen sich nicht öffnen?

Nein,keins davon geht.
Jedesmal verbindung unterbrochen.Was bedeutet Warez-Plattform??

Zitat:

Zitat von koile

Nein,keins davon geht.
Jedesmal verbindung unterbrochen.Was bedeutet Warez-Plattform??

Warez = gecrackte Programme
Ich lad Dir die Programme mal eben hoch und hoffe, dass Du sie dann herunterladen kannst. Ich meld mich gleich noch mal.

@ root24 : Ok besten dank!!!

@ Comspec:Heisst das soviel wie rchner plattmachen und Windows neu aufziehen?Oder den Rechner in die Tonne werfen?

@koile: Klick mal auf diesen Link => File-Upload.net - Ihr kostenloser File Hoster!

Du kannst Dir darin als zip-Datei die drei Programme herunterladen. Es ist sicherheitshalber mit dem Paßwort "tb" (ohne Anführungszeichen) versehen, darin enthalten sind diese Dateien:

123.vbs -> silentrunners
abcfsbl.com -> blacklight
xyzcf.com -> combofix


Aus Sicherheitsgründen habe ich die Dateinamen umbenannt. Führe sie bitte in dieser genannten Reihenfolge auch aus und poste die Logs.

silentrunners:

"Silent Runners.vbs", revision 58, Silent Runners - Adware? Disinfect, don't reformat!
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ICQ" = ""D:\ICQ6\ICQ.exe" silent" ["ICQ, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NWEReboot" = "(empty string)" [file not found]
"RegistryMechanic" = "(empty string)" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"ZoneAlarm Client" = ""C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{055FD26D-3A88-4e15-963D-DC8493744B1D}\(Default) = "XTTBPos00"
-> {HKLM...CLSID} = "XTTBPos00 Class"
\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{221BBF54-3327-4548-9006-84385B1A5840}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Module"
\InProcServer32\(Default) = "ssymman.dll" [file not found]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
-> {HKLM...CLSID} = "AVG Safe Search"
\InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgssie.dll" [file not found]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{82B8E0B5-45F5-4779-966A-C474164F8F7F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "DVA Media"
\InProcServer32\(Default) = "C:\WINDOWS\temlxopqgdk.dll" [file not found]
{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\vtUnmMde.dll" [file not found]
{AECB328C-AD19-A18C-386F-35A24BB56081}\(Default) = "Macromedia Movie"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system\bfdtsc32.dll" [file not found]
{D19BB6AF-D04D-474D-B4FF-14BDC4900971}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\urqOGXrS.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{84FEBFF8-945B-4F9A-B9B8-B68EC5020770}" = "*Z" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\vtUnmMde.dll" [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\urqOGXrS"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> vtUnmMde\DLLName = "vtUnmMde.dll" [file not found]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Maik\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

HPGGPhotoEventHandler\
"Provider" = "HP Photosmart Essential"
"InvokeProgID" = "HP.acquireautoplayG"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\HP.acquireautoplayG\shell\open\DropTarget\CLSID = "{F3A39B00-BE67-4d7d-BED7-53E9C510EC5B}"
-> {HKLM...CLSID} = "HP AcquireAutoPlay2 Class"
\InProcServer32\(Default) = "C:\Programme\HP\Photosmart Essential\AcquireAutoPlay.dll" [empty string]

HPUnloadAutoplay\
"Provider" = "HP Übertragung und Schnelldruck"
"InvokeProgID" = "HpqUnApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = "{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Programme\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

MMJBAutoplayBURNERPLUS\
"Provider" = "MUSICMATCH Burner Plus"
"InvokeProgID" = "MMJB.BURN"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\MMJB.BURN\shell\Burn\Command\(Default) = ""C:\Programme\Musicmatch\Musicmatch Jukebox\mmfwlaunch.exe""-mmjb"" ["Musicmatch, Inc."]

MMJBPlayCDAudioOnArrival\
"Provider" = "Musicmatch Jukebox"
"InvokeProgID" = "MMJB.AUDIOCD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\MMJB.AUDIOCD\shell\Play\command\(Default) = ""C:\Programme\Musicmatch\Musicmatch Jukebox\mmjblaunch.exe" /AudioCD "%1"" ["Musicmatch, Inc."]

MMJBPlayMediaOnArrival\
"Provider" = "Musicmatch Jukebox"
"InvokeProgID" = "MMJB.MMJB"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\MMJB.MMJB\shell\Play\command\(Default) = ""C:\Programme\Musicmatch\Musicmatch Jukebox\mmjblaunch.exe" "%1"" ["Musicmatch, Inc."]

NeroAutoPlay7CDAudio\
"Provider" = "Nero SoundTrax"
"InvokeProgID" = "Nero.AutoPlay3"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Programme\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe /" [file not found]

NeroAutoPlay7CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay3"
"InvokeVerb" = "PlayMusicFilesOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayMusicFilesOnArrival_CopyCD\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe /DialogiscCopy /Drive:%L" [file not found]

NeroAutoPlay7PlayAudioCD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay3"
"InvokeVerb" = "PlayCDAudioOnArrival_PlayAudioCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayCDAudioOnArrival_PlayAudioCD\command\(Default) = "C:\Programme\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play /Drive:%L" [file not found]


Enabled Scheduled Tasks:
------------------------

"HPpromotions journeysoftware" -> launches: "C:\Programme\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe /N "journeysoftware" -r" ["hp"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {HKLM...CLSID} = "ICQ Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]

blacklight:

05/20/08 00:11:27 [Info]: BlackLight Engine 1.0.70 initialized
05/20/08 00:11:27 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/20/08 00:11:27 [Note]: 7019 4
05/20/08 00:11:27 [Note]: 7005 0
05/20/08 00:11:29 [Note]: 7006 0
05/20/08 00:11:29 [Note]: 7011 1528
05/20/08 00:11:29 [Note]: 7035 0
05/20/08 00:11:29 [Note]: 7026 0
05/20/08 00:11:29 [Note]: 7026 0
05/20/08 00:11:32 [Note]: FSRAW library version 1.7.1024
05/20/08 00:14:13 [Note]: 7007 0

Zitat:

Zitat von koile

@ Comspec:Heisst das soviel wie rchner plattmachen und Windows neu aufziehen?

Die Hardware behälst Du bitte und wenn Du Dich ihrer entledigen willst, dann beim städtischen Recyclinghof.

Noch gibt es gar keinen Befund. Aber die Symptome deuten auf einen halbwegs gut ins System integrierten Schädling hin. Bei vernünftig programmierter Schadsoftware sollte man mMn das Handtuch werfen und neu installieren.
root24 wird Dir nach der Analyse schon sagen wie es um Deine Windowsinstallation bestellt ist.

%ComSpec%

Wie root24 bereits bemerkte ist Dein Rechner unter Umständen zu einer Dateiaustauschplattform geworden (würde den Speicherplatzverlust erklären). Die Symptomatik ist derart unangenehm, dass man von Bereinigungsversuchen absehen sollte (Totes Pferd ...). Vertrauen würde ich diesem System auch nach erfolgreicher Behebung der Symptome nicht mehr.

%ComSpec%