Upload nahezu nicht vorhanden, Surfen eine Plage

habla2k · 02.08.2008, 15:21

Blacklight habe ich schon benutzt, hat nichts gefunden.
Silentrunners hab ich nicht zum Laufen bekommen weil das nur ne .vbs Datei war.
Malwarebytes hab ich auch schon gemacht hat 2 Sachen gefunden aber nicht den Shark.
Die 2 anderen kleineren Sachen wurden auch behoben.

Combofix mach ich dann jetzt mal.

cosinus · 02.08.2008, 15:26

Zitat:

Zitat von habla2k

Silentrunners hab ich nicht zum Laufen bekommen weil das nur ne .vbs Datei war.

Einfach doppelklicken....

Wenn das nicht funktioniert solltest Du zumindest die Fehlermeldung posten, sonst kann ich Dir nicht helfen.

habla2k · 02.08.2008, 15:43

Ja lief jetzt auch, Problem vorher war, dass Firefox die vbs Datei geöffnet hat anstatt runterzuladen.
Hier also die Ergebnisse:

Silentrunner:

Code:

ATTFilter

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"AWMON" = ""D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"" ["Lavasoft Sweden"]
"TuneUp MemOptimizer" = ""D:\TuneUp Utilities 2007\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]
"StartCCC" = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [file not found]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Programme\ICQLite\ICQLite.exe -trayboot" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"Logitech Hardware Abstraction Layer" = ""C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE"" ["Logitech Inc."]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"NeroFilterCheck" = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"FreePDF Assistant" = "C:\Programme\FreePDF_XP\fpassist.exe" [null data]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
  -> {HKLM...CLSID} = "AVG Safe Search"
                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Windows Live Anmelde-Hilfsprogramm"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "Eigene Logitech-Bilder"
  -> {HKLM...CLSID} = "Eigene Logitech-Bilder"
                   \InProcServer32\(Default) = "C:\Programme\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
  -> {HKLM...CLSID} = "KbLogiExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
  -> {HKLM...CLSID} = "LogiExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "D:\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
                   \InProcServer32\(Default) = "C:\Programme\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "Meine freigegebenen Ordner"
                   \InProcServer32\(Default) = "C:\Programme\Windows Live\Messenger\fsshext.8.5.1302.1018.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "D:\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
                   \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
                   \InProcServer32\(Default) = "C:\Programme\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
DaemonShellExtImage\(Default) = "{40966797-8FFE-46C8-9EF8-7003F33CCF0F}"
  -> {HKLM...CLSID} = "DaemonShellExtImage Class"
                   \InProcServer32\(Default) = "D:\DAEMON Tools Pro\imgshl32.dll" ["DT Soft Ltd."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "D:\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [file not found]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
                   \InProcServer32\(Default) = "D:\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "D:\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "D:\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSMBalloonTip" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\a\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

ImgBurnCDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOBUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnCDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOWRITE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnDVDBurningOnArrival_BuildImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOBUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]

ImgBurnDVDBurningOnArrival_BurnImage\
"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\Command\(Default) = ""D:\ImgBurn\ImgBurn.exe" /MODE ISOWRITE /DEST "%1"" ["LIGHTNING UK!"]

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""D:\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""D:\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""D:\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""D:\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

LogitechQuickSync\
"Provider" = "Logitech QuickSync"
"InvokeProgID" = "Applications\QSync.exe"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Applications\QSync.exe\shell\open\command\(Default) = "C:\Programme\Logitech\Video\QSync.exe" ["Logitech Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay7AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay7CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe -w /New:AudioCD" ["Nero AG"]

NeroAutoPlay7CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

NeroAutoPlay7DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "DataDisc_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\DataDisc_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe -w /New:ISODisc" ["Nero AG"]

NeroAutoPlay7LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "LaunchNeroStartSmart_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

NeroAutoPlay7PlayAudioCD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay7PlayDVD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]

NeroAutoPlay7RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

NeroAutoPlay7TranscodeVideo\
"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

NeroAutoPlay7VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Programme\Nero\Nero 7\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay7ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Programme\Nero\Nero 7\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
  -> {HKLM...CLSID} = "RealNetworks Scheduler"
                   \LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe  /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = "C:\Programme\Real\RealPlayer\RealPlay.exe /autoplay "%1"" ["RealNetworks, Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "D:\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "D:\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "D:\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


Startup items in "Ryan" & "All Users" startup folders:
------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Logitech SetPoint" -> shortcut to: "C:\Programme\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]


Enabled Scheduled Tasks:
------------------------

"1-Klick-Wartung" -> launches: "D:\TuneUp Utilities 2007\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

habla2k · 02.08.2008, 15:45

Sorry wegen Doppelpost aber die Logs sind zu groß und passen nicht in einen Beitrag:

Teil 2:

Code:

ATTFilter

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\
"ButtonText" = "PartyPoker.com"
"MenuText" = "PartyPoker.com"
"Exec" = "D:\PartyGaming\PartyPoker\RunApp.exe" [empty string]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" [file not found]

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6\ICQ.exe" ["ICQ, Inc."]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\Programme\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]

{F4430FE8-2638-42E5-B849-800749B94EED}\
"ButtonText" = "PartyPoker.net"
"MenuText" = "PartyPoker.net"
"Exec" = "D:\PartyGaming.Net\PartyPokerNet\RunPF.exe" [file not found]


Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Capture Device Service, Capture Device Service, ""C:\Programme\Gemeinsame Dateien\InterVideo\DeviceService\DevSvc.exe"" ["InterVideo Inc."]
Messenger USN Journal Reader-Service für freigegebene Ordner, usnjsvc, ""C:\Programme\Windows Live\Messenger\usnsvc.exe"" [MS]
NMIndexingService, NMIndexingService, ""C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]
O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Viewpoint Manager Service, Viewpoint Manager Service, ""C:\Programme\Viewpoint\Common\ViewpointService.exe"" ["Viewpoint Corporation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Redirected Port\Driver = "redmonnt.dll" [null data]


---------- (launch time: 2008-08-02 16:24:19)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 35 seconds, including 11 seconds for message boxes)

Combofix:

Code:

ATTFilter

ComboFix 08-08-01.04 - Ryan 2008-08-02 16:32:59.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1031.18.1356 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\a\Desktop\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.
 ADS - svchost.exe: deleted 68 bytes in 1 streams. 

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\a\new.txt

.
(((((((((((((((((((((((   Dateien erstellt von 2008-07-02 bis 2008-08-02  ))))))))))))))))))))))))))))))
.

2008-08-02 14:08 . 2008-08-02 14:08	250	--a------	C:\WINDOWS\gmer.ini
2008-08-02 04:56 . 2008-08-02 04:56	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-02 04:56 . 2008-08-02 04:56	<DIR>	d--------	C:\Dokumente und Einstellungen\a\Anwendungsdaten\Malwarebytes
2008-08-02 04:56 . 2008-07-30 20:07	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 04:56 . 2008-07-30 20:07	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 04:47 . 2008-08-02 04:47	<DIR>	d--------	C:\Deckard
2008-08-01 11:31 . 2008-08-02 02:12	23,552	--ahs----	C:\WINDOWS\system32\Thumbs.db
2008-07-21 20:20 . 2008-03-05 15:56	3,786,760	--a------	C:\WINDOWS\system32\D3DX9_37.dll
2008-07-21 20:20 . 2007-10-12 15:14	3,734,536	--a------	C:\WINDOWS\system32\d3dx9_36.dll
2008-07-21 20:20 . 2008-03-05 15:56	1,420,824	--a------	C:\WINDOWS\system32\D3DCompiler_37.dll
2008-07-21 20:20 . 2007-10-12 15:14	1,374,232	--a------	C:\WINDOWS\system32\D3DCompiler_36.dll
2008-07-21 20:20 . 2008-03-05 16:03	479,752	--a------	C:\WINDOWS\system32\XAudio2_0.dll
2008-07-21 20:20 . 2008-02-05 23:07	462,864	--a------	C:\WINDOWS\system32\d3dx10_37.dll
2008-07-21 20:20 . 2007-10-02 09:56	444,776	--a------	C:\WINDOWS\system32\d3dx10_36.dll
2008-07-21 20:20 . 2007-10-22 03:39	267,272	--a------	C:\WINDOWS\system32\xactengine2_10.dll
2008-07-21 20:20 . 2008-03-05 16:03	238,088	--a------	C:\WINDOWS\system32\xactengine3_0.dll
2008-07-21 20:20 . 2008-03-05 16:00	25,608	--a------	C:\WINDOWS\system32\X3DAudio1_3.dll
2008-07-02 11:24 . 2008-07-02 11:24	<DIR>	d--------	C:\Programme\TiffSplitter
2008-07-02 11:21 . 2008-07-02 11:21	<DIR>	d--------	C:\Programme\MainMedia

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-02 14:29	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-08-02 02:06	---------	d-----w	C:\Programme\DivX
2008-08-02 02:06	---------	d-----w	C:\Programme\bfgclient
2008-08-02 02:06	---------	d-----w	C:\Programme\Avanquest update
2008-08-02 01:22	---------	d-----w	C:\Dokumente und Einstellungen\a\Anwendungsdaten\Skype
2008-07-26 14:35	---------	d-----w	C:\Programme\Wisdom-soft AutoScreenRecorder Free
2008-07-26 09:39	---------	d-----w	C:\Dokumente und Einstellungen\a\Anwendungsdaten\uTorrent
2008-07-18 17:20	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft Help
2008-07-06 14:33	---------	d--h--w	C:\Programme\InstallShield Installation Information
2008-07-04 07:09	96,520	----a-w	C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-04 07:09	10,520	----a-w	C:\WINDOWS\system32\avgrsstx.dll
2008-07-01 16:47	---------	d-----w	C:\Programme\ICQ6
2008-07-01 16:47	---------	d-----w	C:\Dokumente und Einstellungen\a\Anwendungsdaten\ICQ
2008-06-21 00:08	---------	d-----w	C:\Programme\AIM6
2008-06-20 17:39	247,296	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:57	273,024	----a-w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-06 20:00	---------	d-----w	C:\Programme\Gemeinsame Dateien\PlayOnline
2008-06-06 19:45	---------	d-----w	C:\Programme\PlayOnline
2008-06-06 16:45	---------	d-----w	C:\Programme\Gemeinsame Dateien\buhl data service
2008-06-06 15:44	107,888	----a-w	C:\WINDOWS\system32\CmdLineExt.dll
2008-06-06 15:18	---------	d-----w	C:\Programme\Gemeinsame Dateien\BioWare
2008-06-05 18:45	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AOL OCP
2008-06-05 18:43	---------	d-----w	C:\Programme\Viewpoint
2008-06-05 18:43	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Viewpoint
2008-05-07 05:14	1,293,312	----a-w	C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00 15360]
"AWMON"="D:\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe" [2005-05-25 12:12 517632]
"TuneUp MemOptimizer"="D:\TuneUp Utilities 2007\MemOptimizer.exe" [2007-04-26 20:08 313352]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"Logitech Hardware Abstraction Layer"="C:\Programme\Gemeinsame Dateien\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 13:03 94208]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2007-04-25 21:05 311296]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 13:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"P17Helper"="P17.dll" [2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll]
"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 14:00 15360]

C:\Dokumente und Einstellungen\All Users\Startmen\Programme\Autostart\
Logitech SetPoint.lnk - C:\Programme\Logitech\SetPoint\SetPoint.exe [2007-01-06 19:10:51 671744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIVF"= DivX412.dll

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader - Schnellstart.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader - Schnellstart.lnk
backup=C:\WINDOWS\pss\Adobe Reader - Schnellstart.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^a^Startmenü^Programme^Autostart^Adobe Gamma.lnk]
path=C:\Dokumente und Einstellungen\a\Startmenü\Programme\Autostart\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
--a------ 2005-06-08 15:44 196608 C:\Programme\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2005-06-08 16:24 458752 C:\Programme\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2005-06-08 16:14 217088 C:\Programme\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 14:03 36975 C:\Programme\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-11-15 12:20 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HostManager"=C:\Programme\Gemeinsame Dateien\AOL\1159212728\ee\AOLSoftware.exe
"IPHSend"=C:\Programme\Gemeinsame Dateien\AOL\IPHSend\IPHSend.exe
"MessengerPlus3"="C:\Programme\MessengerPlus! 3\MsgPlus.exe"
"iTunesHelper"="D:\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime
"BluetoothAuthenticationAgent"=rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
"NeroFilterCheck"=C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
"FreePDF Assistant"=C:\Programme\FreePDF_XP\fpassist.exe
"AtiPTA"=atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\NetMeeting\\conf.exe"=
"D:\\Steam\\SteamApps\\son-goku@cs-maddogs.de\\counter-strike\\hl.exe"=
"D:\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Programme\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Programme\\Gemeinsame Dateien\\AOL\\Loader\\aolload.exe"=
"C:\\Programme\\Gemeinsame Dateien\\AOL\\1159212728\\ee\\aolsoftware.exe"=
"C:\\Programme\\Gemeinsame Dateien\\AOL\\1159212728\\ee\\aim6.exe"=
"D:\\mIRC\\mirc.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Programme\\Gemeinsame Dateien\\Ahead\\Nero Web\\SetupX.exe"=
"D:\\downloads\\utorrent.exe"=
"D:\\iTunes\\iTunes.exe"=
"C:\\Programme\\Motorola\\Software Update\\msu.exe"=
"D:\\eMule\\emule.exe"=
"D:\\Codemasters\\Der Herr der Ringe Online\\lotroclient.exe"=
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programme\\AVG\\AVG8\\avgupd.exe"=
"D:\\Mass Effect\\Binaries\\MassEffect.exe"=
"D:\\Mass Effect\\MassEffectLauncher.exe"=
"C:\\Programme\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"D:\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-04 09:09]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-04 09:09]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 13:32]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-03-11 13:58]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2002-12-31 14:00]
R2 Vcs;Vcs support;C:\WINDOWS\system32\Drivers\Vcs.sys [2004-11-14 13:01]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Programme\Viewpoint\Common\ViewpointService.exe [2007-01-04 23:38]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys []
S3 npkycryp;npkycryp;D:\RO\npkycryp.sys []
S3 p17filt;p17filt;C:\WINDOWS\system32\drivers\p17filt.sys [2006-03-20 18:34]
S3 scramby_out;Scramby Output;C:\WINDOWS\system32\drivers\scramby_out.sys [2007-08-08 09:31]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys []
S3 xlink;XLINK Driver (xlink.sys);C:\WINDOWS\system32\Drivers\xlink.sys [2003-01-31 19:41]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4bdb6542-a1ab-11da-b414-806d6172696f}]
\Shell\AutoRun\command - E:\ASUSACPI.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98ce8efa-c862-11da-b1ec-0015f23c72ef}]
\Shell\AutoRun\command - F:\BSAutoRun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - GMER
*Newly Created Service* - MBR
*Newly Created Service* - PROCEXP90
*Newly Created Service* - RKREVEAL150

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F90F0706-E0C0-EF53-B7E4-CD62C00106D0}]
C:\WINDOWS\system32\winupdt.exe
.
Inhalt des "geplante Tasks" Ordners

2008-08-01 C:\WINDOWS\Tasks\1-Klick-Wartung.job
- D:\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-26 20:08]

2008-05-12 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2007-07-25 13:15]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKCU-Run-StartCCC - C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
HKLM-Run-AVG7_CC - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
HKU-Default-Run-TuneUp MemOptimizer - C:\Programme\TuneUp Utilities 2004\MemOptimizer.exe
MSConfigStartUp-DAEMON Tools - C:\Programme\DAEMON Tools\daemon.exe
MSConfigStartUp-ICQ Lite - C:\Programme\ICQLite\ICQLite.exe
MSConfigStartUp-iTunesHelper - C:\Programme\iTunes\iTunesHelper.exe


.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\a\Anwendungsdaten\Mozilla\Firefox\Profiles\0by4rerz.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.de/ig?hl=de
FF -: plugin - C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npitunes.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Programme\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Programme\Yahoo!\Shared\npYState.dll
FF -: plugin - D:\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - D:\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - D:\DivX\DivX Web Player\npdivx32.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-02 16:34:00
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-08-02 16:34:45
ComboFix-quarantined-files.txt  2008-08-02 14:34:30

Pre-Run: 5,237,829,632 Bytes frei
Post-Run: 5,225,406,464 Bytes frei

234	--- E O F ---	2008-07-18 17:20:31

cosinus · 02.08.2008, 18:10

Code:

ATTFilter

C:\WINDOWS\system32\SVKP.sys
D:\RO\npkycryp.sys
C:\WINDOWS\system32\drivers\scramby_out.sys
C:\WINDOWS\system32\drivers\ScreamingBAudio.sys

Bitte mal zur Sicherheit bei virustotal.com auswerten lassen und alle Ergebnisse inkl. Dateigrößen und Prüfsummen posten!

Zitat:

C:\Programme\Java\jre1.5.0_06

Bitte dringends (!!) deinstallieren und die aktuelle Version einspielen!

habla2k · 02.08.2008, 19:23

ok also hier die dateien:

SVKP.sys:

Code:

ATTFilter

AhnLab-V3	2008.7.29.1	2008.08.02	-
AntiVir	7.8.1.15	2008.08.01	-
Authentium	5.1.0.4	2008.08.01	-
Avast	4.8.1195.0	2008.08.02	-
AVG	8.0.0.156	2008.08.01	-
BitDefender	7.2	2008.08.02	-
CAT-QuickHeal	9.50	2008.08.02	TrojanSpy.Joiner.av
ClamAV	0.93.1	2008.08.02	-
DrWeb	4.44.0.09170	2008.08.02	-
eSafe	7.0.17.0	2008.07.29	-
eTrust-Vet	31.6.6002	2008.08.02	-
Ewido	4.0	2008.08.02	-
F-Prot	4.4.4.56	2008.08.01	-
F-Secure	7.60.13501.0	2008.08.02	-
Fortinet	3.14.0.0	2008.08.02	-
GData	2.0.7306.1023	2008.08.02	-
Ikarus	T3.1.1.34.0	2008.08.02	-
K7AntiVirus	7.10.402	2008.08.02	Backdoor.Win32.Hupigon.cvky
Kaspersky	7.0.0.125	2008.08.02	-
McAfee	5352	2008.08.01	-
Microsoft	1.3807	2008.08.02	-
NOD32v2	3318	2008.08.01	-
Norman	5.80.02	2008.08.01	-
Panda	9.0.0.4	2008.08.02	-
PCTools	4.4.2.0	2008.08.02	-
Prevx1	V2	2008.08.02	-
Rising	20.55.42.00	2008.08.02	-
Sophos	4.31.0	2008.08.02	-
Sunbelt	3.1.1537.1	2008.08.01	-
Symantec	10	2008.08.02	-
TheHacker	6.2.96.391	2008.07.31	-
TrendMicro	8.700.0.1004	2008.08.01	-
VBA32	3.12.8.2	2008.08.02	-
ViRobot	2008.8.1.1321	2008.08.01	Trojan.Win32.Joiner.2368
VirusBuster	4.5.11.0	2008.08.02	-
Webwasher-Gateway	6.6.2	2008.08.02	-
weitere Informationen
File size: 2368 bytes
MD5...: f05028b163b92c302a74409d683ac9b0
SHA1..: 74a943b9f3bf63f8de5c3175f96366b24a661067
SHA256: c43a744c18d12b8214e75f67c557974564f24ec318807bbe796b26619fce7154
SHA512: 6b03105a7ea5ae7ddd88ec83a4fbd12e495bbc21ab90484cfadf178583771ee9
a059823500b3d2c485600d0bc3b2455144ef5ffc651b44566c7f1b737a5d2cb5
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1043c
timedatestamp.....: 0x3e6cafde (Mon Mar 10 15:31:42 2003)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2a0 0x110 0x120 5.12 7dad7d6ca221d6725388d90f719d0c20
.data 0x3c0 0x28 0x40 1.74 e741cf2e01e1bea59fcfd4a89d4358ad
INIT 0x400 0x18a 0x1a0 5.03 7b36305b5ff4cad3eeaca307bbb0fd60
.rsrc 0x5a0 0x350 0x360 3.18 46fab0e7c9b34889fdfead1c6e17eae8
.reloc 0x900 0x34 0x40 3.39 a963ac053cb6e23a9fbf797befe868bb

( 1 imports )
> ntoskrnl.exe: IoCreateDevice, IoCreateSymbolicLink, IoDeleteDevice, IoDeleteSymbolicLink, RtlInitUnicodeString, IoCompleteRequest

( 0 exports )
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=f05028b163b92c302a74409d683ac9b0

npkycryp.sys:
gibts nicht oder nichtmehr

scramby_out.sys:
nichts gefunden

File size: 23840 bytes
MD5...: ccb29acf557f7172367647b30fd21dbe
SHA1..: 854494bfdef1e64fd9182a0cf71e561d91f147b8
SHA256: af06d24a6908f9933597f436b743bbccce63618e2c715a4df4c054039f1c0341
SHA512: cfde7bf5cff79b04a4973c2b947058f3bc283e8510737ec75ca41b26e0ca67e1
a3c75da81399da9f00b5abbe791a45a84057928c97baa9a34e7afdc0d9c093f1
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x137c7
timedatestamp.....: 0x46b87f8f (Tue Aug 07 14:19:59 2007)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0xd98 0xe00 5.79 8b5a25e9311cf8ed17e99c89812b5367
.rdata 0x1280 0x627 0x680 5.59 a1369f461d679fdacf7001a2bdeeea39
.data 0x1900 0x670 0x680 2.64 cf11092ac8b0651f9af4ed4d17b8d53e
PAGE 0x1f80 0x17d6 0x1800 6.24 8ae4b2ef80a88a88b674626578980c3c
INIT 0x3780 0x3ea 0x400 5.37 7d646d5a3301861fbee0a90c94660690
.rsrc 0x3b80 0x440 0x480 3.16 11831da9775e0c0756548e339c96f4d9
.reloc 0x4000 0x2dc 0x300 5.79 35bd7704bcb40b3f98225fe69d5002a7

( 2 imports )
> ntoskrnl.exe: ExFreePool, IofCompleteRequest, ExAllocatePoolWithTag, KeQueryInterruptTime, KeInitializeMutex, _purecall, KeCancelTimer, _alldiv, _allmul, KeSetTimerEx, KeInitializeTimerEx, KeInitializeDpc, KeReleaseMutex, KeWaitForSingleObject, IoDeleteSymbolicLink, IoCreateSymbolicLink, IoCreateDevice, RtlInitUnicodeString, IoDeleteDevice, KeTickCount, RtlAssert, InterlockedIncrement, InterlockedDecrement
> portcls.sys: PcRegisterPhysicalConnection, PcRegisterAdapterPowerManagement, PcDispatchIrp, PcAddAdapterDevice, PcInitializeAdapterDriver, PcNewServiceGroup, PcNewMiniport, PcRegisterSubdevice, PcNewPort

( 0 exports )

ScreamingBAudio.sys:
gibts nicht oder nichtmehr

das mit der JRE wird erledigt

cosinus · 02.08.2008, 19:29

Löschen wir die beiden Objekte mit dem Avenger. Sind die wirklich nicht vorhanden wird der Avenger das protokollieren:

Anleitung Avenger (by swandog46)

Lade dir das Tool Avenger und speichere es auf dem Desktop:

Doppelklick auf das Avenger-Symbol

Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"

Code:

ATTFilter

files to delete:
C:\WINDOWS\system32\SVKP.sys
D:\RO\npkycryp.sys

folders to delete:
D:\RO

Schliesse nun alle Programme und Browser-Fenster

Um den Avenger zu starten klicke auf -> Execute
Dann bestätigen mit "Yes" das der Rechner neu startet

Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt

Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

Upload nahezu nicht vorhanden, Surfen eine Plage

Plagegeister aller Art und deren Bekämpfung: Upload nahezu nicht vorhanden, Surfen eine Plage