Infection with Zlob? (Windows 7)
20.05.2008, 19:32 | #16 |
Infection with Zlob? Part 11. So now it is neatly ordered from top to bottom. Code:
ATTFilter SmitFraudFix v2.320 Scan done at 21:59:21.69, 19.05.2008 Run from C:\Users\***\Desktop\SmitfraudFix OS: Microsoft Windows [Version 6.0.6000] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» hosts 127.0.0.1 localhost ::1 localhost 127.0.0.1 ***.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 **.008k.com 127.0.0.1 008k.com 127.0.0.1 ***.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 ***.032439.com 127.0.0.1 032439.com 127.0.0.1 ***.1001-search.info 127.0.0.1 1001-search.info 127.0.0.1 ***.100888290cs.com 127.0.0.1 100888290cs.com 127.0.0.1 ***.100sexlinks.com 127.0.0.1 100sexlinks.com 127.0.0.1 ***.10sek.com 127.0.0.1 10sek.com 127.0.0.1 ***.123topsearch.com 127.0.0.1 123topsearch.com 127.0.0.1 ***.132.com 127.0.0.1 132.com 127.0.0.1 ***.136136.net 127.0.0.1 136136.net 127.0.0.1 ***.139mm.com 127.0.0.1 139mm.com 127.0.0.1 ***.163ns.com 127.0.0.1 163ns.com 127.0.0.1 171203.com 127.0.0.1 17-plus.com 127.0.0.1 ***.1800searchonline.com 127.0.0.1 1800searchonline.com 127.0.0.1 ***.180searchassistant.com 127.0.0.1 180searchassistant.com 127.0.0.1 ***.180solutions.com 127.0.0.1 180solutions.com 127.0.0.1 ***.181.365soft.info 127.0.0.1 181.365soft.info 127.0.0.1 ***.1987324.com 127.0.0.1 1987324.com 127.0.0.1 ***.1-domains-registrations.com 127.0.0.1 1-domains-registrations.com 127.0.0.1 ***.1-extreme.biz 127.0.0.1 1-extreme.biz 127.0.0.1 ***.1sexparty.com 127.0.0.1 1sexparty.com 127.0.0.1 ***.1stantivirus.com 127.0.0.1 1stantivirus.com 127.0.0.1 ***.1stpagehere.com 127.0.0.1 1stpagehere.com 127.0.0.1 ***.1stsearchportal.com 127.0.0.1 1stsearchportal.com 127.0.0.1 2.82211.net 127.0.0.1 ***.2006ooo.com 127.0.0.1 ***.2007-download.com 127.0.0.1 2007-download.com 127.0.0.1 
***.2020search.com 127.0.0.1 2020search.com 127.0.0.1 20x2p.com 127.0.0.1 ***.24.365soft.info 127.0.0.1 24.365soft.info 127.0.0.1 ***.24-7pharmacy.info 127.0.0.1 24-7pharmacy.info 127.0.0.1 ***.24-7searching-and-more.com 127.0.0.1 24-7searching-and-more.com 127.0.0.1 ***.24teen.com 127.0.0.1 24teen.com 127.0.0.1 ***.2every.net 127.0.0.1 2every.net 127.0.0.1 2ndpower.com 127.0.0.1 ***.2search.com 127.0.0.1 2search.com 127.0.0.1 ***.2search.org 127.0.0.1 2search.org 127.0.0.1 ***.2squared.com 127.0.0.1 2squared.com 127.0.0.1 ***.3322.org 127.0.0.1 3322.org 127.0.0.1 365soft.info 127.0.0.1 ***.36site.com 127.0.0.1 36site.com 127.0.0.1 3721.com 127.0.0.1 39-93.com 127.0.0.1 ***.3abetterinternet.com 127.0.0.1 3abetterinternet.com 127.0.0.1 ***.3bay.it 127.0.0.1 3bay.it 127.0.0.1 ***.3ebay.it 127.0.0.1 3ebay.it 127.0.0.1 ***.3xclipsonline.com 127.0.0.1 3xclipsonline.com 127.0.0.1 ***.3xcurves.com 127.0.0.1 3xcurves.com 127.0.0.1 ***.3xfestival.com 127.0.0.1 3xfestival.com 127.0.0.1 ***.3x-festival.com 127.0.0.1 3x-festival.com 127.0.0.1 ***.3x-galls.com 127.0.0.1 3x-galls.com 127.0.0.1 ***.3xmiracle.com 127.0.0.1 3xmiracle.com 127.0.0.1 ***.3xmoviesblog.com 127.0.0.1 3xmoviesblog.com 127.0.0.1 ***.404dns.com 127.0.0.1 404dns.com 127.0.0.1 ***.4199.com 127.0.0.1 4199.com 127.0.0.1 ***.4corn.net 127.0.0.1 4corn.net 127.0.0.1 ***.4ebay.it 127.0.0.1 4ebay.it 127.0.0.1 4klm.com 127.0.0.1 ***.4mpg.com 127.0.0.1 4mpg.com 127.0.0.1 ***.4repubblica.it 127.0.0.1 4repubblica.it 127.0.0.1 ***.4softget.com 127.0.0.1 4softget.com 127.0.0.1 ***.5iscali.it 127.0.0.1 5iscali.it 127.0.0.1 ***.5repubblica.it 127.0.0.1 5repubblica.it 127.0.0.1 ***.5starvideos.com 127.0.0.1 5starvideos.com 127.0.0.1 ***.5tiscali.it 127.0.0.1 5tiscali.it 127.0.0.1 ***.5zgmu7o20kt5d8yq.com 127.0.0.1 5zgmu7o20kt5d8yq.com 127.0.0.1 ***.680180.net 127.0.0.1 680180.net 127.0.0.1 ***.6iscali.it 127.0.0.1 6iscali.it 127.0.0.1 ***.6njaga.com 127.0.0.1 6njaga.com 127.0.0.1 ***.6sek.com 127.0.0.1 6sek.com 127.0.0.1 
***.6tiscali.it 127.0.0.1 6tiscali.it 127.0.0.1 ***.70-music.com 127.0.0.1 70-music.com 127.0.0.1 ***.7322.com 127.0.0.1 7322.com 127.0.0.1 75tz.com 127.0.0.1 ***.777search.com 127.0.0.1 777search.com 127.0.0.1 ***.777top.com 127.0.0.1 777top.com 127.0.0.1 ***.7939.com 127.0.0.1 7939.com 127.0.0.1 ***.7search.com 127.0.0.1 7search.com 127.0.0.1 80gw6ry3i3x3qbrkwhxhw.032439.com 127.0.0.1 ***.80-music.com 127.0.0.1 80-music.com 127.0.0.1 82211.net 127.0.0.1 8866.org 127.0.0.1 ***.888.com 127.0.0.1 888.com 127.0.0.1 ***.8ad.com 127.0.0.1 8ad.com 127.0.0.1 ***.90-music.com 127.0.0.1 90-music.com 127.0.0.1 ***.9505.com 127.0.0.1 9505.com 127.0.0.1 ***.971searchbox.com 127.0.0.1 971searchbox.com 127.0.0.1 a.bestmanage.org 127.0.0.1 ***.aaabesthomepage.com 127.0.0.1 aaabesthomepage.com 127.0.0.1 aaasexypics.com 127.0.0.1 ***.aaawebfinder.com 127.0.0.1 aaawebfinder.com 127.0.0.1 ***.aaqadarsztriv.com 127.0.0.1 aaqadarsztriv.com 127.0.0.1 ***.aaqada-rsztriv.com 127.0.0.1 aaqada-rsztriv.com 127.0.0.1 ***.aaqadaueorn.com 127.0.0.1 aaqadaueorn.com 127.0.0.1 ***.aaqada-ueorn.com 127.0.0.1 aaqada-ueorn.com 127.0.0.1 ***.aaqada-ygco.com 127.0.0.1 aaqada-ygco.com 127.0.0.1 ***.aaqada-ymct.com 127.0.0.1 aaqada-ymct.com 127.0.0.1 aavc.com 127.0.0.1 ***.abcdperformance.com 127.0.0.1 abcdperformance.com 127.0.0.1 ***.abc-find.info 127.0.0.1 abc-find.info 127.0.0.1 ***.abcsearch.com 127.0.0.1 abcsearch.com 127.0.0.1 ***.abetterinternet.com 127.0.0.1 abetterinternet.com 127.0.0.1 ***.abnetsoft.info 127.0.0.1 abnetsoft.info 127.0.0.1 ***.aboutclicker.com 127.0.0.1 aboutclicker.com 127.0.0.1 ***.abrp.net 127.0.0.1 abrp.net 127.0.0.1 ***.absolutee.com 127.0.0.1 absolutee.com 127.0.0.1 ***.abyssmedia.com 127.0.0.1 abyssmedia.com 127.0.0.1 ***.ac66.cn 127.0.0.1 ac66.cn 127.0.0.1 access.Navinetwork.com 127.0.0.1 access.rapid-pass.net 127.0.0.1 ***.accessactivexvideo.com 127.0.0.1 accessactivexvideo.com 127.0.0.1 ***.accessclips.com 127.0.0.1 accessclips.com 127.0.0.1 ***.access-dvd.com 
127.0.0.1 access-dvd.com 127.0.0.1 ***.accesskeygenerator.com 127.0.0.1 accesskeygenerator.com 127.0.0.1 ***.accessorygeeks.com 127.0.0.1 accessorygeeks.com 127.0.0.1 ***.accessthefuture.net 127.0.0.1 accessthefuture.net 127.0.0.1 ***.accessvid.net 127.0.0.1 accessvid.net 127.0.0.1 ***.acemedic.com 127.0.0.1 acemedic.com 127.0.0.1 ***.ace-webmaster.com 127.0.0.1 ace-webmaster.com 127.0.0.1 acjp.com 127.0.0.1 ***.acrobat-2007.com 127.0.0.1 acrobat-2007.com 127.0.0.1 ***.acrobat-8.com 127.0.0.1 acrobat-8.com 127.0.0.1 ***.acrobat-center.com 127.0.0.1 acrobat-center.com 127.0.0.1 ***.acrobat-hq.com 127.0.0.1 acrobat-hq.com 127.0.0.1 ***.acrobatreader-8.com 127.0.0.1 acrobatreader-8.com 127.0.0.1 ***.acrobat-reader-8.de 127.0.0.1 acrobat-reader-8.de 127.0.0.1 ***.acrobat-stop.com 127.0.0.1 acrobat-stop.com 127.0.0.1 ***.actionbreastcancer.org 127.0.0.1 actionbreastcancer.org 127.0.0.1 ***.activesearcher.info 127.0.0.1 activesearcher.info 127.0.0.1 ***.activexaccessobject.com 127.0.0.1 activexaccessobject.com 127.0.0.1 ***.activexaccessvideo.com 127.0.0.1 activexaccessvideo.com 127.0.0.1 ***.activexemedia.com 127.0.0.1 activexemedia.com 127.0.0.1 ***.activexmediaobject.com 127.0.0.1 activexmediaobject.com 127.0.0.1 ***.activexmediapro.com 127.0.0.1 activexmediapro.com 127.0.0.1 ***.activexmediasite.com 127.0.0.1 activexmediasite.com 127.0.0.1 ***.activexmediasoftware.com 127.0.0.1 activexmediasoftware.com 127.0.0.1 ***.activexmediasource.com 127.0.0.1 activexmediasource.com 127.0.0.1 ***.activexmediatool.com 127.0.0.1 activexmediatool.com 127.0.0.1 ***.activexmediatour.com 127.0.0.1 activexmediatour.com 127.0.0.1 ***.activexsoftwares.com 127.0.0.1 activexsoftwares.com 127.0.0.1 ***.activexsource.com 127.0.0.1 activexsource.com 127.0.0.1 ***.activexupdate.com 127.0.0.1 activexupdate.com 127.0.0.1 ***.activexvideo.com 127.0.0.1 activexvideo.com 127.0.0.1 ***.activexvideotool.com 127.0.0.1 activexvideotool.com 127.0.0.1 ***.ad.marketingsector.com 127.0.0.1 
ad.marketingsector.com 127.0.0.1 ***.ad.mokead.com 127.0.0.1 ad.mokead.com 127.0.0.1 ad.oinadserver.com 127.0.0.1 ad.outerinfoads.com 127.0.0.1 ***.ad25.com 127.0.0.1 ad25.com 127.0.0.1 ***.ad45.com 127.0.0.1 ad45.com 127.0.0.1 ***.ad77.com 127.0.0.1 ad77.com 127.0.0.1 ***.ad86.com 127.0.0.1 ad86.com 127.0.0.1 ***.adamsupportgroup.org 127.0.0.1 adamsupportgroup.org 127.0.0.1 ***.adarmor.com 127.0.0.1 adarmor.com 127.0.0.1 ***.adasearch.com 127.0.0.1 adasearch.com 127.0.0.1 adaware.cc 127.0.0.1 ***.adawarenow.com 127.0.0.1 adawarenow.com 127.0.0.1 adchannel.contextplus.net 127.0.0.1 ***.addetect.com 127.0.0.1 addetect.com 127.0.0.1 ***.add-hhh.info 127.0.0.1 add-hhh.info 127.0.0.1 ***.addictivetechnologies.com 127.0.0.1 addictivetechnologies.com 127.0.0.1 ***.addictivetechnologies.net 127.0.0.1 addictivetechnologies.net 127.0.0.1 ***.addioerrori.com 127.0.0.1 addioerrori.com 127.0.0.1 ***.add-manager.com 127.0.0.1 add-manager.com 127.0.0.1 ***.adgate.info 127.0.0.1 adgate.info 127.0.0.1 ***.adintelligence.net 127.0.0.1 adintelligence.net 127.0.0.1 ***.adioserrores.com 127.0.0.1 adioserrores.com 127.0.0.1 ***.adipics.com 127.0.0.1 adipics.com 127.0.0.1 ***.adlogix.com 127.0.0.1 adlogix.com 127.0.0.1 ***.admin2cash.biz 127.0.0.1 admin2cash.biz 127.0.0.1 adnet-plus.com 127.0.0.1 ***.adnetserver.com 127.0.0.1 adnetserver.com 127.0.0.1 adobe-download-now.com 127.0.0.1 ***.adobe-downloads.com 127.0.0.1 adobe-downloads.com 127.0.0.1 ***.adobe-reader-8.fr 127.0.0.1 adobe-reader-8.fr 127.0.0.1 ***.adprotect.com 127.0.0.1 adprotect.com 127.0.0.1 ads.centralmedia.ws 127.0.0.1 ads.k8l.info 127.0.0.1 ads.kmpads.com 127.0.0.1 ads.kw.revenue.net 127.0.0.1 ads.marketingsector.com 127.0.0.1 ads.searchingbooth.com 127.0.0.1 ads.z-quest.com 127.0.0.1 ads1.revenue.net 127.0.0.1 ***.ads183.com 127.0.0.1 ads183.com 127.0.0.1 ***.adscontex.com 127.0.0.1 adscontex.com 127.0.0.1 ***.adservices1.enhance.com 127.0.0.1 adservices1.enhance.com 127.0.0.1 adservs.com 127.0.0.1 ***.adsextend.net 
127.0.0.1 adsextend.net 127.0.0.1 ***.adshttp.com 127.0.0.1 adshttp.com 127.0.0.1 ***.adsniffer.com 127.0.0.1 adsniffer.com 127.0.0.1 ***.adson***.com 127.0.0.1 adson***.com 127.0.0.1 ***.adspics.com 127.0.0.1 adspics.com 127.0.0.1 ***.adsrevenue.net 127.0.0.1 adsrevenue.net 127.0.0.1 ***.adtrak.net 127.0.0.1 adtrak.net 127.0.0.1 adtrgt.com 127.0.0.1 ***.adult777search.info 127.0.0.1 adult777search.info 127.0.0.1 ***.adultan.com 127.0.0.1 adultan.com 127.0.0.1 ***.adult-engine-search.com 127.0.0.1 adult-engine-search.com 127.0.0.1 ***.adult-erotic-guide.net 127.0.0.1 adult-erotic-guide.net 127.0.0.1 ***.adultfilmsite.com 127.0.0.1 adultfilmsite.com 127.0.0.1 ***.adult-friends-finder.net 127.0.0.1 adult-friends-finder.net 127.0.0.1 adultgambling.org 127.0.0.1 adult-host.org 127.0.0.1 ***.adulthyperlinks.com 127.0.0.1 adulthyperlinks.com 127.0.0.1 ***.adultmovieplus.com 127.0.0.1 adultmovieplus.com 127.0.0.1 ***.adult-mpg.net 127.0.0.1 adult-mpg.net 127.0.0.1 adult-personal.us 127.0.0.1 adultsgames.net 127.0.0.1 ***.adultsonlyvids.com 127.0.0.1 adultsonlyvids.com 127.0.0.1 ***.adultsper.com 127.0.0.1 adultsper.com 127.0.0.1 ***.adulttds.com 127.0.0.1 adulttds.com 127.0.0.1 ***.adultzoneworld.com 127.0.0.1 adultzoneworld.com 127.0.0.1 ***.advcash.biz 127.0.0.1 advcash.biz 127.0.0.1 advert.exaccess.ru 127.0.0.1 ***.advertisemoney.info 127.0.0.1 advertisemoney.info 127.0.0.1 advertising.paltalk.com 127.0.0.1 ***.advertising-money.info 127.0.0.1 advertising-money.info 127.0.0.1 ad-ware.cc 127.0.0.1 ***.ad-w-a-r-e.com 127.0.0.1 ad-w-a-r-e.com 127.0.0.1 ***.a-d-w-a-r-e.com 127.0.0.1 a-d-w-a-r-e.com 127.0.0.1 ***.adware.pro 127.0.0.1 adware.pro 127.0.0.1 ***.adwarealert.com 127.0.0.1 adwarealert.com 127.0.0.1 ***.ad-warealert.com 127.0.0.1 ad-warealert.com 127.0.0.1 ***.adwarearrest.com 127.0.0.1 adwarearrest.com 127.0.0.1 ***.adwarebazooka.com 127.0.0.1 adwarebazooka.com 127.0.0.1 ***.adwarecommander.com 127.0.0.1 adwarecommander.com 127.0.0.1 ***.adwarefinder.com 
127.0.0.1 adwarefinder.com 127.0.0.1 ***.adwaregold.com 127.0.0.1 adwaregold.com 127.0.0.1 ***.adwarepatrol.com 127.0.0.1 adwarepatrol.com 127.0.0.1 ***.adwareplatinum.com 127.0.0.1 adwareplatinum.com 127.0.0.1 ***.adwareprotectionsite.com 127.0.0.1 adwareprotectionsite.com 127.0.0.1 ***.adwarepunisher.com 127.0.0.1 adwarepunisher.com 127.0.0.1 ***.adwareremover.ws 127.0.0.1 adwareremover.ws 127.0.0.1 ***.adwaresafety.com 127.0.0.1 adwaresafety.com 127.0.0.1 ***.adwarexp.com 127.0.0.1 adwarexp.com 127.0.0.1 affiliate.idownload.com 127.0.0.1 ***.aflgate.com 127.0.0.1 aflgate.com 127.0.0.1 africaspromise.org 127.0.0.1 agava.com 127.0.0.1 agava.ru 127.0.0.1 agentstudio.com 127.0.0.1 ***.aginegialle.it 127.0.0.1 aginegialle.it 127.0.0.1 aifind.info 127.0.0.1 ***.aifind.info 127.0.0.1 ***.airtleworld.com 127.0.0.1 airtleworld.com 127.0.0.1 ***.aitalia.it 127.0.0.1 aitalia.it 127.0.0.1 akamai.downloadv3.com 127.0.0.1 ***.aklitalia.it 127.0.0.1 aklitalia.it 127.0.0.1 akril.com 127.0.0.1 alcatel.ws 127.0.0.1 ***.alertspy.com |
21.05.2008, 21:01 | #17 |
Infection with Zlob? Hmm, I just didn't notice that Virtumonde is also present, but I fear that there are a few more viruses sitting around. Zlob files are also still being detected by Spybot's scans.
21.05.2008, 22:17 | #18 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Infection with Zlob? That is a bit hard to read. Zip the report file with an archiver of your choice, upload the compressed file to File-Upload.net and link it here!
21.05.2008, 22:26 | #19 |
Infection with Zlob?
22.05.2008, 19:18 | #20 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Infection with Zlob? I can't make anything out there, but then I'm no SmitFraud-report expert either; one thing I can say, though, is that the many entries such as e.g. Code:
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 ***.032439.com
127.0.0.1 032439.com
127.0.0.1 ***.1001-search.info
127.0.0.1 1001-search.info
127.0.0.1 ***.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 ***.100sexlinks.com
Please be so kind as to follow the link to silentrunners. Please post it here enclosed in [code] tags.
__________________ Please always post log files in CODE tags
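An added example, not from this thread and not part of SmitFraudFix or Spybot, showing how a defender can triage a dumped hosts file like the one posted above instead of reading hundreds of lines by eye. It separates the normal loopback-to-localhost lines from external names pointed at a sink address (the blocklist pattern that fills the dump above) and from external names pointed at a routable address, which is the hosts-hijack pattern worth a manual look. The sample text is constructed: two lines copied from the dump plus made-up lines using documentation addresses and placeholder `.test` names.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file: two lines as in the SmitFraudFix dump above, plus
# made-up lines (198.51.100.7 is a TEST-NET-2 documentation address, *.test names
# are placeholders) that show the other two patterns the triage distinguishes.
SAMPLE_HOSTS = """\
# Windows hosts file (constructed sample)
127.0.0.1 localhost
::1 localhost
127.0.0.1 007guard.com
127.0.0.1 008i.com   # blocked ad/malware domain
198.51.100.7 update.example-av.test
0.0.0.0 tracker.example.test
"""

# Names that legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs.

    '#' comments and blank lines are skipped, one line may name several hosts,
    and a line whose first token is not an IP address is ignored as malformed.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address, so not a usable mapping
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def triage(entries):
    """Group mappings by what they do to name resolution.

    'local'      loopback/unspecified -> localhost names (normal)
    'blocked'    loopback/unspecified -> external name (blocklist or sinkhole)
    'redirected' routable address     -> any name (the hijack pattern)
    """
    groups = defaultdict(list)
    for ip, name in entries:
        sink = ip.is_loopback or ip.is_unspecified
        if sink and name in LOCAL_NAMES:
            groups["local"].append((str(ip), name))
        elif sink:
            groups["blocked"].append((str(ip), name))
        else:
            groups["redirected"].append((str(ip), name))
    return dict(groups)


def summarize(text):
    """Return (counts per group, list of redirected mappings to review)."""
    groups = triage(parse_hosts(text))
    counts = {k: len(v) for k, v in groups.items()}
    return counts, groups.get("redirected", [])


if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_HOSTS)
    print("counts:", counts)
    for ip, name in suspicious:
        print("review:", name, "->", ip)
```

Run against a real hosts file, the "blocked" count tells you how much of the dump is a blocklist, and only the "redirected" list needs attention.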
22.05.2008, 20:16 | #21 |
Infection with Zlob? Aha, ok, thanks, I was already wondering where all of that comes from. So here now is the log, part 1. Code:
ATTFilter "Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows Vista Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS] "ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS] "Acer Tour Reminder" = "(empty string)" [file not found] "Veoh" = ""C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide" ["Veoh Networks"] "(Default)" = "(empty string)" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide" "SynTPStart" = "C:\Program Files\Synaptics\SynTP\SynTPStart.exe" ["Synaptics, Inc."] "eDataSecurity Loader" = "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" ["HiTRUST"] "eAudio" = ""C:\Acer\Empowering Technology\eAudio\eAudio.exe"" ["CyberLink"] "Acer Tour" = "(empty string)" [file not found] "RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"] "LManager" = "C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" ["Dritek System Inc."] "PlayMovie" = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe"" ["CyberLink Corp."] "WarReg_PopUp" = "C:\Acer\WR_PopUp\WarReg_PopUp.exe" [null data] "PLFSet" = "rundll32.exe C:\Windows\PLFSet.dll,PLFDefSetting" [MS] "eRecoveryService" = "(empty string)" [file not found] "Acer Tour Reminder" = "C:\Acer\AcerTour\Reminder.exe" ["Acer Inc."] "Acrobat Assistant 8.0" = ""D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"" ["Adobe Systems Inc."] "(Default)" = "(empty string)" [file not found] "Adobe_ID0EYTHM" = "C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" ["Adobe Systems Incorporated"] "QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."] "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."] "Sony Ericsson PC 
Suite" = ""C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" [null data] "Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."] "NvSvc" = "RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart" [MS] "NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS] "NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "NortonAntiBot" = ""C:\Program Files\Symantec\Norton AntiBot\agent\bin\NortonAntiBot.exe"" ["Symantec"] "ALUAlert" = "C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe" ["Symantec Corporation"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {074C1DC5-9320-4A9A-947D-C042949C6216}\(Default) = (no title provided) -> {HKLM...CLSID} = "ContributeBHO Class" \InProcServer32\(Default) = "D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll" ["Adobe Systems Incorporated."] {22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)" -> {HKLM...CLSID} = "Skype add-on (mastermind)" \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."] {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\(Default) = "NCO 2.0 IE BHO" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll" ["Symantec Corporation"] {6D53EC84-6AAE-4787-AEEE-F4628F01010C}\(Default) = "Symantec 
Intrusion Prevention" -> {HKLM...CLSID} = "Symantec Intrusion Prevention" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll" ["Symantec Corporation"] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided) -> {HKLM...CLSID} = "Windows Live Anmelde-Hilfsprogramm" \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS] {AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper" \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] "{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."] "{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension" -> {HKLM...CLSID} = "EPM-PO Shell Extensions" \InProcServer32\(Default) = "epm-po.dll" [file not found] "{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft 
Office\Office12\msohevi.dll" [MS] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{7842554E-6BED-11D2-8CDB-B05550C10000}" = "Monitor" -> {HKLM...CLSID} = "Monitor Class" \InProcServer32\(Default) = "C:\Windows\system32\btncopy.dll" ["Broadcom Corporation."] "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders" -> {HKLM...CLSID} = "Meine freigegebenen Ordner" \InProcServer32\(Default) = "C:\Program Files\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."] "{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Sony Ericsson Datei-Manager" -> {HKLM...CLSID} = "Sony Ericsson Datei-Manager" \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"] "{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Sony Ericsson Datei-Manager" -> {HKLM...CLSID} = "Sony Ericsson Datei-Manager" \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> 
{HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}" -> {HKLM...CLSID} = "eDSshlExt Class" \InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"] Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}" -> {HKLM...CLSID} = "IEContextMenu Class" \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}" -> {HKLM...CLSID} = "eDSshlExt Class" \InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" 
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" -> {HKLM...CLSID} = "Acrobat Elements Context Menu" \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."] Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}" -> {HKLM...CLSID} = "IEContextMenu Class" \InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode} "ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Standard Users} "EnableInstallerDetection" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Detect Application Installations And Prompt For Elevation} "EnableLUA" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} "EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows 
Settings|Security Settings|Local Policies|Security Options| User Account Control: Only elevate UIAccess applications that are installed in secure locations} "EnableVirtualization" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Virtualize file and registry write failures to per-user locations} "PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Switch to the secure desktop when prompting for elevation} "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "FilterAdministratorToken" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Admin Approval Mode for the Built-in Administrator Account} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\Windows\Web\Wallpaper\img24.jpg" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Windows\Web\Wallpaper\img24.jpg" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\Windows\system32\acer.scr" [null data] Windows Portable Device AutoPlay Handlers ----------------------------------------- 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ AdobePremiereProCS3CameraArrival\ "Provider" = "Adobe Premiere Pro" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""D:\Program Files\Adobe\Adobe Premiere Pro CS3\Adobe Premiere Pro.exe"" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "Shell Execute Hardware Event Handler" \LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] BridgeCS3ImportMediaOnArrival\ "Provider" = "Adobe Bridge CS3" "InvokeProgID" = "Adobe.adobebridge" "InvokeVerb" = "launch" HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "D:\Program Files\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."] iTunesBurnCDOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.BurnCD" "InvokeVerb" = "burn" HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."] iTunesImportSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ImportSongsOnCD" "InvokeVerb" = "import" HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."] iTunesPlaySongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.PlaySongsOnCD" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."] iTunesShowSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ShowSongsOnCD" "InvokeVerb" = "showsongs" HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."] |
22.05.2008, 20:21 | #22 |
Infection with Zlob? And part 2. Code:
ATTFilter LightScribeOnArrivalAP\ "Provider" = "LightScribe Direct Disc Labeling" "InvokeProgID" = "LightScribe.AutoPlayHandler" "InvokeVerb" = "LabelLightScribeDisc" HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command\(Default) = "C:\Program Files\Common Files\LightScribe\LsLauncher.exe" ["Hewlett-Packard Company"] MDCBlankCDArrival\ "Provider" = "DVDivine" "InvokeProgID" = "BlankCD" "InvokeVerb" = "OpenWithMakeDisc" HKLM\SOFTWARE\Classes\BlankCD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"] MDCDVDBurningOnArrival\ "Provider" = "DVDivine" "InvokeProgID" = "BlankDVD" "InvokeVerb" = "OpenWithMakeDisc" HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithMakeDisc\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe"" ["Acer Incorporated"] NTIBurner\ "Provider" = "NTI CD-Maker" "InvokeProgID" = "NTIBurnerOpen" "InvokeVerb" = "open" HKLM\SOFTWARE\Classes\NTIBurnerOpen\shell\open\command\(Default) = ""C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\Cdmkr32.exe"" ["NewTech Infosystems, Inc."] PlayMoviePlayDVDMovieOnArrival\ "Provider" = "Play Movie" "InvokeProgID" = "DVD" "InvokeVerb" = "PlayWithPlayMovie" HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPlayMovie\Command\(Default) = ""C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe" "%L"" ["CyberLink Corp."] PPCDBurningOnArrival\ "Provider" = "PowerProducer" "InvokeProgID" = "Picture" "InvokeVerb" = "OpenWithPowerProducer" HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"] PPDCameraArrival\ "Provider" = "PowerProducer" "InvokeProgID" = "Picture" "InvokeVerb" = "OpenWithPowerProducer" HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"] PPDVArrival\ "Provider" = "PowerProducer" 
"ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "Shell Execute Hardware Event Handler" \LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] VLCPlayCDAudioOnArrival\ "Provider" = "VideoLAN VLC media player" "InvokeProgID" = "VLC.CDAudio" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"] VLCPlayDVDMovieOnArrival\ "Provider" = "VideoLAN VLC media player" "InvokeProgID" = "VLC.DVDMovie" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"] WIA_{4B01ADD5-6FC4-4F16-ADAD-8507626D7D04}\ "Provider" = "Microsoft Office Document Scanning" "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}" "InitCmdLine" = "/WiaCmd;C:\Program Files\Common Files\Microsoft Shared\MODI\12.0\MSPSCAN.EXE;" -> {HKLM...CLSID} = "WPDShextAutoplay" \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS] WinampMTPHandler\ "Provider" = "Winamp" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = "C:\Program Files\Winamp\winamp.exe" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "Shell Execute Hardware Event Handler" \LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] WinampPlayMediaOnArrival\ "Provider" = "Winamp" "InvokeProgID" = "Winamp.File" "InvokeVerb" = "Play" HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" 
["Nullsoft"] HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}" -> {HKLM...CLSID} = (no title provided) \LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"] Startup items in "Marco" & "All Users" startup folders: ------------------------------------------------------- C:\Users\Marco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup "OneNote 2007 Bildschirmausschnitt- und Startprogramm" -> shortcut to: "C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr" [MS] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup "Acer VCM" -> shortcut to: "C:\Program Files\Acer\Acer VCM\AcerVCM.exe" [null data] "BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["Broadcom Corporation."] "Empowering Technology Launcher" -> shortcut to: "C:\Acer\Empowering Technology\eAPLauncher.exe 9999" ["Acer Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS] 000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000007\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS] 000000000008\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 31 Toolbars, Explorer Bars, Extensions: 
------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" -> {HKLM...CLSID} = "Acer eDataSecurity Management" \InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" -> {HKLM...CLSID} = "Show Norton Toolbar" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" ["Symantec Corporation"] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" = (no title provided) -> {HKLM...CLSID} = "Acer eDataSecurity Management" \InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"] "{D0943516-5076-4020-A3B5-AEFAF26AB263}" = "Veoh Video Finder" -> {HKLM...CLSID} = "Veoh Browser Plug-in" \InProcServer32\(Default) = "C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll" ["Veoh Networks Inc"] "{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided) -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] "{517BDDE4-E3A7-4570-B21E-2B52B6139FC7}" = (no title provided) -> {HKLM...CLSID} = "Contribute Toolbar" \InProcServer32\(Default) = "D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll" ["Adobe Systems Incorporated."] "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" = "NCO Toolbar 2.0" -> {HKLM...CLSID} = "Show Norton Toolbar" \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" ["Symantec Corporation"] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ 
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF" \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"] HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."] {2670000A-7350-4F3C-8081-5663EE0C6C49}\ "ButtonText" = "An OneNote senden" "MenuText" = "An OneNote s&enden" "CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}" -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS] {77BF5300-1474-4EC7-9980-D32B190E9B07}\ "ButtonText" = "Skype" "CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}" -> {HKLM...CLSID} = "Skype add-on (button)" \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" {CCA281CA-C863-46EF-9331-5C8D4460577F}\ "ButtonText" = "@btrez.dll,-4015" "MenuText" = "@btrez.dll,-12650" "Script" = "c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data] {E59EB121-F339-4851-A3BA-FE49C35617C2}\ "ButtonText" = "ICQ6" "MenuText" = "ICQ6" "Exec" = "C:\Program Files\ICQ6\ICQ.exe" ["ICQ, Inc."] Running Services (Display Name, Service Name, Path {Service DLL}): 
------------------------------------------------------------------ Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft"] Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."] Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe"" ["Symantec Corporation"] Automatische WLAN-Konfiguration, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]} Bluetooth-Unterstützungsdienst, BthServ, "C:\Windows\system32\svchost.exe -k bthsvcs" {"C:\Windows\System32\bthserv.dll" [MS]} Bonjour-Dienst, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."] CNG-Schlüsselisolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS] Computerbrowser, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]} Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string] eDSService.exe, eDataSecurity Service, ""C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe"" ["HiTRSUT"] eLock Service, eLockService, "C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe" [null data] eNet Service, eNet Service, "C:\Acer\Empowering Technology\eNet\eNet Service.exe" ["Acer Inc."] ePower Service, WMIService, "C:\Acer\Empowering Technology\ePower\ePowerSvc.exe" ["acer"] eRecovery Service, eRecoveryService, "C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe" [null data] eSettings Service, eSettingsService, "C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe" [null data] Extensible Authentication-Protokoll, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]} FLEXnet Licensing Service, FLEXnet Licensing Service, ""C:\Program Files\Common 
Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"" ["Macrovision Europe Ltd."] iPod-Dienst, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."] LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"] LiveUpdate Notice, LiveUpdate Notice, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Messenger USN Journal Reader-Service für freigegebene Ordner, usnjsvc, ""C:\Program Files\Windows Live\Messenger\usnsvc.exe"" [MS] MobilityService, MobilityService, "C:\Acer\Mobility Center\MobilityService.exe -p" [null data] Raw Socket Service, RS_Service, "C:\Program Files\Acer\Acer VCM\RS_Service.exe" ["Acer Inc."] Symantec Core LC, Symantec Core LC, "C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"] SymantecAntiBotAgent, SymantecAntiBotAgent, ""C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABAgent.exe" SymantecAntiBotAgent" ["Symantec"] SymantecAntiBotWatcher, SymantecAntiBotWatcher, "C:\Program Files\Symantec\Norton AntiBot\agent\Bin\NABWatcher.exe" ["Symantec"] Windows Driver Foundation - Benutzermodus-Treiberframework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]} Windows-Bilderfassung, stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]} Windows-Sofortverbindung - Konfigurationsregistrierungsstelle, wcncsvc, 
"C:\Windows\System32\svchost.exe -k LocalService" {"C:\Windows\System32\wcncsvc.dll" [MS]} XAudioService, XAudioService, "C:\Windows\system32\DRIVERS\xaudio.exe" ["Conexant Systems, Inc."] Zugriff auf Eingabegeräte, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]} Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Adobe PDF Port\Driver = "AdobePDF.dll" ["Adobe Systems Incorporated."] Epson Inbox Language Monitor\Driver = "EP0SLM00.DLL" ["SEIKO EPSON CORPORATION"] Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS] ---------- (launch time: 2008-05-22 21:12:40) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 284 seconds. ---------- (total run time: 361 seconds) |
22.05.2008, 20:54 | #23 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Zlob infection? I didn't see anything else in there. Are you still getting the Zlob-typical pop-ups on the desktop or in the system tray?
__________________ Please always post log files in CODE tags |
22.05.2008, 20:57 | #24 |
| Zlob infection? Well, I never actively noticed anything. I just scanned with Spybot once and then discovered that it scans for zlob files and also virtumonde files. But I did remove something zlob-related with Spybot *BOUM* I'm an idiot to the power of 3 and then some -.- The way I see it now, what I saw there is only the file it scans for and not something that is present on my machine. Sorry for all your effort Last edited by Zebra (22.05.2008 at 21:12) |