Google search and Windows auto-update broken, popups, trojan

23.09.2008, 21:31 | #1
Hello everyone,

I have the following problems and hope you can help me: for a few days the Google search has not been working any more, although I can open Google itself normally. In addition, popups keep appearing that I never had before (I use Mozilla Firefox). Also, Windows auto-update is disabled; when I try to enable it I get the error: "The "Automatic Updates" service on "Local Computer" could not be started. Error 1058: The specified service cannot be started. It is disabled or has no enabled devices associated with it."

In the last few days I have caught several trojans (including TR/Vundo.LA), which Avira AntiVir detected and deleted. I also ran Ad-Aware, but the problems described above remain. Perhaps you can help me based on the HijackThis logfile. Many thanks in advance for your help!

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:28:40, on 23.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Power Manager\PM.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe
C:\Programme\ObjectDock\ObjectDock.exe
C:\Programme\Microsoft IntelliType Pro\dpupdchk.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\iTunes\iTunes.exe
C:\Programme\Foxie Suite\Firewall.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\N***s\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com//0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: (no name) - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Programme\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [PowerManager] C:\Programme\Power Manager\PM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [itype] "C:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [b8db8f8d] rundll32.exe "C:\WINDOWS\system32\dtnjcknq.dll",b
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BMbbe8bc11] Rundll32.exe "C:\WINDOWS\system32\rmkrvkog.dll",s
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [Foxie Firewall] C:\Programme\Foxie Suite\Firewall.exe
O4 - HKLM\..\Policies\Explorer\Run: [isamonitor.exe] C:\Programme\Video ActiveX Object\isamonitor.exe
O4 - HKLM\..\Policies\Explorer\Run: [pmsngr.exe] C:\Programme\Video ActiveX Object\pmsngr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\ObjectDock\ObjectDock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222185975655
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C38147-D8F4-492B-B488-6557BA790FFC}: NameServer = 89.246.64.8 62.220.18.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: deazux.dll
O22 - SharedTaskScheduler: boob - {01b55afa-f451-474b-9e91-c35b24d02641} - (no file)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

-- Last edited by Nik1385 (23.09.2008 at 21:50)
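A HijackThis log of this kind can be triaged mechanically before a helper reads it line by line. The script below is an added example (it is not the poster's code and not part of HijackThis): it scans HijackThis lines for rundll32 autostarts that load an all-lowercase, random-looking DLL from system32, autostarts placed under Policies\Explorer\Run, any AppInit_DLLs value, O3/O22 registrations whose file is gone, and explicit O17 name-server entries. The sample lines are a constructed subset of the log posted above; the name-length heuristic and the two severity labels are assumptions of this example, not HijackThis conventions.

```python
"""Heuristic triage of HijackThis log lines (added example, not the poster's or HijackThis' code).
Flags the entry types that point at a Vundo/Virtumonde-style infection on a log like the one above."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {5d4831e0-5a7c-4a46-afd5-a79ab8ce36c2} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [b8db8f8d] rundll32.exe "C:\WINDOWS\system32\dtnjcknq.dll",b
O4 - HKLM\..\Run: [BMbbe8bc11] Rundll32.exe "C:\WINDOWS\system32\rmkrvkog.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [isamonitor.exe] C:\Programme\Video ActiveX Object\isamonitor.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C38147-D8F4-492B-B488-6557BA790FFC}: NameServer = 89.246.64.8 62.220.18.8
O20 - AppInit_DLLs: deazux.dll
O22 - SharedTaskScheduler: boob - {01b55afa-f451-474b-9e91-c35b24d02641} - (no file)
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
"""

# Heuristic (an assumption of this example): a rundll32 autostart whose DLL is an all-lowercase
# 6-10 letter name in system32 matches the random file names Vundo generates. Vendors usually
# ship recognisable names, but treat a hit as "inspect", not as proof.
RANDOM_DLL = re.compile(r'[Rr]undll32\.exe\s+"?[A-Za-z]:\\WINDOWS\\system32\\([a-z]{6,10})\.dll"?')


@dataclass
class Finding:
    kind: str       # HijackThis section prefix, e.g. "O4"
    severity: str   # "suspicious" (act on it) or "review" (verify before acting)
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics line by line and return every hit in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind == "O4":
            if RANDOM_DLL.search(line):
                findings.append(Finding(kind, "suspicious",
                    "rundll32 loads a random-named DLL from system32 (Vundo pattern)", line))
            elif "Policies\\Explorer\\Run" in line:
                findings.append(Finding(kind, "suspicious",
                    "autostart under Policies\\Explorer\\Run, a key legitimate installers rarely use", line))
        elif kind == "O20" and not line.endswith("AppInit_DLLs:"):
            findings.append(Finding(kind, "suspicious",
                "AppInit_DLLs is injected into every process that loads user32.dll", line))
        elif kind in ("O3", "O22") and line.endswith("(no file)"):
            findings.append(Finding(kind, "review",
                "registration whose file is gone, typically a component the AV already deleted", line))
        elif kind == "O17":
            findings.append(Finding(kind, "review",
                "explicit NameServer entry; confirm the addresses belong to the ISP", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.kind}: {f.reason}\n    {f.line}")
```

Run against the sample it reports the two rundll32 entries, the two Policies\Explorer\Run entries are reduced to the one in the sample, the AppInit_DLLs line, the orphaned toolbar and SharedTaskScheduler entries, and the DNS override, while the Avira and Bonjour lines pass. The O17 hit is deliberately "review" only: the page gives no basis for calling those addresses malicious, so the script asks for verification rather than deciding.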
24.09.2008, 18:28 | #2
/// Winkelfunktion /// TB-Süch-Tiger™

Hello and

Work through these points for further analysis:

1.) Make sure that all files are displayed, then have the following files evaluated at Virustotal.com and post all results, in such a way that the results of the individual virus scanners can be seen. Please include file sizes and checksums:

Code:
C:\WINDOWS\system32\dtnjcknq.dll
C:\WINDOWS\system32\rmkrvkog.dll
C:\Programme\Video ActiveX Object\isamonitor.exe
C:\Programme\Video ActiveX Object\pmsngr.exe

3.) Run this MBR tool and post the output

4.) Run Blacklight and Malwarebytes Antimalware and post the logfiles

5.) Run Silentrunners according to these instructions and post the logfile (enclosed in code tags); if it is too large you can upload it (zipped) to file-upload.net and link it here.

6.) ComboFix
A guide and tutorial on using ComboFix
ComboFix may only be run if a competent helper has expressly recommended it! Note: ComboFix disables the autostart function of all CD/DVD and USB drives in order to contain spreading. If this causes problems, post them in the thread.
Please post all logfiles enclosed in code tags (#-button), i.e. like this:
HTML code:
[code] Put the logfile here! [/code]

Upload this listing.txt e.g. to File-Upload.net and link it here, as this logfile is too large for the board.

8.) Post a new Hijackthis logfile, using this renamed hijackthis.exe - edit the links and private info!!
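Point 1 above asks for the size and checksums of specific paths. As an added example (not part of the helper's instructions and not a tool the thread uses), the Python script below produces exactly those values for a list of paths and reports a path that is no longer on disk as MISSING instead of aborting. It reads the file through os.stat/open, which are unaffected by Explorer's "show hidden files" setting, so a DLL with the hidden attribute is still hashed. The demo() function writes a constructed temporary file with made-up contents; its file names are borrowed from the list above, nothing else about it is real.

```python
"""Size and checksum report for a list of suspect files (added example, not from the post).
Produces what point 1 asks for: existence, byte size, MD5, SHA-1 and SHA-256 per path."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces so large files never sit fully in memory


def digests(data: bytes) -> Dict[str, str]:
    """Digests of an in-memory blob; handy for cross-checking a VirusTotal entry."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Optional[Dict[str, str]]:
    """Return size and digests for path, or None when the path is not on disk.
    Only a genuinely absent path yields None; permission problems still raise."""
    try:
        size = os.stat(path).st_size
    except (FileNotFoundError, NotADirectoryError):
        return None
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = str(size)
    return out


def report(paths: List[str]) -> List[str]:
    """One line per path, in the order given; missing paths are reported, not skipped."""
    lines = []
    for p in paths:
        info = hash_file(p)
        if info is None:
            lines.append(f"{p}: MISSING")
        else:
            lines.append(f"{p}: {info['size']} bytes md5={info['md5']} "
                         f"sha1={info['sha1']} sha256={info['sha256']}")
    return lines


def demo() -> List[str]:
    """Constructed demonstration: one present file with made-up contents, one missing path.
    The file names are borrowed from the list in the post; the contents are not real malware."""
    with tempfile.TemporaryDirectory() as tmp:
        present = os.path.join(tmp, "rmkrvkog.dll")
        with open(present, "wb") as fh:
            fh.write(b"abc")
        missing = os.path.join(tmp, "dtnjcknq.dll")
        return report([present, missing])


if __name__ == "__main__":
    import sys
    # Real use: python hashreport.py "C:\WINDOWS\system32\rmkrvkog.dll" ...
    for line in (report(sys.argv[1:]) if len(sys.argv) > 1 else demo()):
        print(line)
```

Pass the four paths from the list as arguments; the output lines are what a VirusTotal result should be compared against (size and SHA-256 in particular), and a MISSING line tells the helper the file was already removed, which is itself useful information.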
25.09.2008, 09:58 | #3

Thanks first of all for the help!

Regarding point 1: three of the files do not exist, even when I have all files displayed.

Non-existent:
C:\WINDOWS\system32\dtnjcknq.dll
C:\Programme\Video ActiveX Object\isamonitor.exe (here not even the Video ActiveX folder exists)
C:\Programme\Video ActiveX Object\pmsngr.exe

For the only remaining file (C:\WINDOWS\system32\rmkrvkog.dll), here is the Virustotal entry:

Code:
Antivirus          Version         Last update  Result
AhnLab-V3          2008.9.25.0     2008.09.25   -
AntiVir            7.8.1.34        2008.09.25   TR/Inject.icc
Authentium         5.1.0.4         2008.09.24   -
Avast              4.8.1195.0      2008.09.24   -
AVG                8.0.0.161       2008.09.24   Generic11.AFKC
BitDefender        7.2             2008.09.25   Trojan.Vundo.FNU
CAT-QuickHeal      9.50            2008.09.25   -
ClamAV             0.93.1          2008.09.25   -
DrWeb              4.44.0.09170    2008.09.25   Trojan.Virtumod.450
eSafe              7.0.17.0        2008.09.24   Suspicious File
eTrust-Vet         31.6.6105       2008.09.24   Win32/VundoCryptorT!generic
Ewido              4.0             2008.09.24   -
F-Prot             4.4.4.56        2008.09.25   -
F-Secure           8.0.14332.0     2008.09.25   Trojan.Win32.Inject.icc
Fortinet           3.113.0.0       2008.09.25   W32/Inject.ICC!tr
GData              19              2008.09.25   Trojan.Vundo.FNU
Ikarus             T3.1.1.34.0     2008.09.25   Trojan.Win32.Vundo.AY
K7AntiVirus        7.10.470        2008.09.24   -
Kaspersky          7.0.0.125       2008.09.25   Trojan.Win32.Inject.icc
McAfee             5391            2008.09.24   Vundo.gen.k
Microsoft          1.3903          2008.09.25   Trojan:Win32/Vundo.gen!G
NOD32              3469            2008.09.24   -
Norman             5.80.02         2008.09.24   -
Panda              9.0.0.4         2008.09.24   -
PCTools            4.4.2.0         2008.09.24   -
Prevx1             V2              2008.09.25   Fraudulent Security Program
Rising             20.63.32.00     2008.09.25   Packer.Win32.Agent.v
Sophos             4.33.0          2008.09.25   Troj/Virtum-Gen
Sunbelt            3.1.1668.1      2008.09.24   Trojan.Win32.Inject.icc
Symantec           10              2008.09.25   -
TheHacker          6.3.0.9.093     2008.09.25   -
TrendMicro         8.700.0.1004    2008.09.25   TROJ_INJECT.XC
VBA32              3.12.8.6        2008.09.25   -
ViRobot            2008.9.25.1391  2008.09.25   -
VirusBuster        4.5.11.0        2008.09.24   -
Webwasher-Gateway  6.6.2           2008.09.25   Trojan.Inject.icc

Additional information
File size: 97280 bytes
MD5...: 5d959e9284e7a0f8d931c74b70cbfb6f
SHA1..: 76aa0ae1c757ac803bda5d560ab3778237b8f0fb
SHA256: 30ac3b104859d7347e73c406f72dd2380b3a4ab08b022d50e7a9f841e4a8d48a
SHA512: 8a792068915a79fca820b04d10067a64517f83231cb8bd3410b01397143d63ca8e2caf0e37c5f31a54a9d185d3178cb2110270f84f09addd7bf36aa1a6095606
PEiD..: -
TrID..: File type identification
  Win32 Executable Generic (38.4%)
  Win32 Dynamic Link Library (generic) (34.2%)
  Clipper DOS Executable (9.1%)
  Generic Win/DOS Executable (9.0%)
  DOS Executable Generic (9.0%)
PEInfo: PE Structure information
  ( base data )
  entrypointaddress.: 0x10001000
  timedatestamp.....: 0x0 (Thu Jan 01 00:00:00 1970)
  machinetype.......: 0x14c (I386)
  ( 3 sections )
  name    viradd   virsiz   rawdsiz  ntrpy  md5
  .text   0x1000   0xd000   0xc600   7.98   bac3d84c744d18a599012304bc56a65f
  .data   0xe000   0x1000   0x400    4.64   71a7303083e4a377f1a3ea0d0e886f9c
  .rdata  0xf000   0x21000  0xae00   7.95   20e4ee11948c7c86743faffe7e90ce13
  ( 3 imports )
  > USER32.dll: OemToCharBuffA, MessageBoxA, MessageBeep, LoadCursorFromFileA, LoadCursorA, EndPaint, EndDialog, EmptyClipboard, DrawTextA, DestroyCursor, CreateIconFromResourceEx, CreateDesktopA, CopyRect, CharToOemBuffA, CharNextA, ActivateKeyboardLayout
  > KERNEL32.dll: lstrcmpiA, ReadFile, MapViewOfFile, InitializeCriticalSection, GetVersionExA, GetSystemTimeAsFileTime, GetStartupInfoA, GetModuleHandleA, ExitProcess, EnumResourceTypesA, EnumResourceLanguagesA, CloseHandle
  > ADVAPI32.dll: RegQueryValueA, RegOpenKeyExA, RegCloseKey
  ( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=6C0D2CAD006228D47C990194606E0700F6F105CB
25.09.2008, 10:27 | #4

MBR Tool:

Code:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Code:
09/25/08 11:04:12 [Info]: BlackLight Engine 1.0.70 initialized
09/25/08 11:04:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
09/25/08 11:04:12 [Note]: 7019 4
09/25/08 11:04:12 [Note]: 7005 0
09/25/08 11:04:16 [Note]: 7006 0
09/25/08 11:04:16 [Note]: 7011 268
09/25/08 11:04:16 [Note]: 7035 0
09/25/08 11:04:16 [Note]: 7026 0
09/25/08 11:04:16 [Note]: 7026 0
09/25/08 11:04:18 [Note]: FSRAW library version 1.7.1024
09/25/08 11:09:04 [Note]: 2000 1012
09/25/08 11:09:04 [Note]: 2000 1012
09/25/08 11:09:52 [Note]: 7007 0
25.09.2008, 10:34 | #5

SilentRunners Logfile:

Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Foxie Firewall" = "C:\Programme\Foxie Suite\Firewall.exe" ["Team Foxie"]
"TuneUp MemOptimizer" = ""C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"isamonitor.exe" = "C:\Programme\Video ActiveX Object\isamonitor.exe" [file not found]
"pmsngr.exe" = "C:\Programme\Video ActiveX Object\pmsngr.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"IntelliPoint" = ""C:\Programme\Microsoft IntelliPoint\ipoint.exe"" [MS]
"itype" = ""C:\Programme\Microsoft IntelliType Pro\itype.exe"" [MS]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Apoint" = "C:\Programme\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"PowerManager" = "C:\Programme\Power Manager\PM.exe" [empty string]
"b8db8f8d" = "rundll32.exe "C:\WINDOWS\system32\fknwluay.dll",b" [MS]
"BMbbe8bc11" = "Rundll32.exe "C:\WINDOWS\system32\irsypqon.dll",s" [MS]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
  \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{432CAE3B-690F-4C3B-BD97-070EBDA210D5}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FoxieToolbar Class" \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxietoolbaru.dll" ["Team Foxie"]
{453fddb0-412c-489f-b3b4-81b40fdfcb40}\(Default) = "{04bcfdf0-4b18-4b3b-f984-c2140bddf354}"
  -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\xuldtt.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{C65185B1-D52B-44A9-861F-8201B50D1F37}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FoxieSecurityModule Class" \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxiecoreu.dll" ["Team Foxie"]
{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\qoMdATjh.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
  -> {HKLM...CLSID} = "ZLAVShExt Class" \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{1825D0FA-5B0C-4e20-A929-3EFD15B6DF71}" = "IntelliType Pro Touchpad Control Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Touchpad Control Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcpltp.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
  -> {HKLM...CLSID} = "Schnurlose Eigenschaften" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
  -> {HKLM...CLSID} = "Scrollrad-Eigenschaftenseite" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
  -> {HKLM...CLSID} = "Aktivitäten-Eigenschaftenseite" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
  -> {HKLM...CLSID} = "Tasten-Eigenschaftenseite" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{3BEABCC1-BF31-42df-88D9-A2955D6B8528}" = "IntelliPoint Sensitivity Control Panel Property Page"
  -> {HKLM...CLSID} = "IntelliPoint Sensitivity Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplsens.dll"" [MS]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
  -> {HKLM...CLSID} = "IE Microsoft AutoComplete" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\qoMdATjh"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
<<!>> yayvTmmk\DLLName = "yayvTmmk.dll" [file not found]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class" \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class" \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoTrayItemsDisplay" = (REG_BINARY) hex:00 00 00 00 {Hide the notification area}
"NoDrives" = (REG_BINARY) hex:00 00 00 00 {unrecognized setting}
"NoSharedDocuments" = (REG_BINARY) hex:00 00 00 00 {Remove Shared Documents from My Computer}
"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"NoSaveSettings" = (REG_DWORD) dword:0x00000001 {Don't save settings at exit}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\
"No_LaunchMediaBar" = (REG_DWORD) dword:0x00000001 {unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on}
"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"DisableCAD" = (REG_DWORD) dword:0x00000001 {unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Niklas\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Programme\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

PixumEasyprint\
"Provider" = "Pixum Easyprint 1.2"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Pixum AG\Pixum EasyPrint\easyprint.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


Startup items in "Niklas" & "All Users" startup folders:
--------------------------------------------------------

C:\Dokumente und Einstellungen\Niklas\Startmenü\Programme\Autostart
"Adobe Gamma" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Stardock ObjectDock" -> shortcut to: "C:\Programme\ObjectDock\ObjectDock.exe" ["Stardock"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Inc."]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
  -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."]
"{09C02180-3B46-4CD8-83FF-34DAF442BDEF}" = "MultiTab Tool"
  -> {HKLM...CLSID} = "Foxie" \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxiecoreu.dll" ["Team Foxie"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{306BBB66-D9E4-4481-833E-C1D5FCA06774}\
"ButtonText" = "Desktop Search"
"MenuText" = "Desktop Search"
"Script" = "C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm" [null data]

{546E08AA-809F-4F1A-BE1A-6B122EBFCD5A}\
"ButtonText" = "Privacy Cleaner"
"MenuText" = "Privacy Cleaner"
"Exec" = "C:\Programme\Foxie Suite\Cleaner.exe" ["Team Foxie"]

{61039B22-563D-4922-B844-B076C318A66A}\
"ButtonText" = "Swift Sweeper"
"MenuText" = "Swift Sweeper"
"Exec" = "C:\Programme\Foxie Suite\Sweeper.exe" ["Team Foxie"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{E4143585-2688-4EBC-B264-27C774F600D5}\
"ButtonText" = "The Infinity Button"
"MenuText" = "The Infinity Button"
"Script" = "C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm" [null data]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]
<<H>> "foxie" =
"res://foxiecoreu.dll/options.html" [file not found] <<H>> "desktopsearch" = "C:\Programme\Foxie Suite\Resources\HTML\Query.htm" [null data] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"] AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"] Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."] Bonjour-Dienst, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Inc."] Cisco Systems, Inc. VPN Service, CVPND, ""C:\Programme\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."] iPod-Dienst, iPod Service, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Inc."] Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"] LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."] Logitech Process Monitor, LVPrcSrv, "c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe" ["Logitech Inc."] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ eDocPortMonitor\Driver = "C:\PROGRA~1\GEMEIN~1\MAYCOM~1\EDOCPR~1\eDocPort.dll" ["May Software"] Lexmark Network Port\Driver = "LEXLMPM.DLL" [file not found] Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] ---------- (launch time: 2008-09-25 11:30:04) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. 
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 119 seconds. ---------- (total run time: 172 seconds)
25.09.2008, 10:36 | #6 |
Silent Runners logfile: Code:
ATTFilter "Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Foxie Firewall" = "C:\Programme\Foxie Suite\Firewall.exe" ["Team Foxie"] "TuneUp MemOptimizer" = ""C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart" ["TuneUp Software GmbH"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} "isamonitor.exe" = "C:\Programme\Video ActiveX Object\isamonitor.exe" [file not found] "pmsngr.exe" = "C:\Programme\Video ActiveX Object\pmsngr.exe" [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] "IntelliPoint" = ""C:\Programme\Microsoft IntelliPoint\ipoint.exe"" [MS] "itype" = ""C:\Programme\Microsoft IntelliType Pro\itype.exe"" [MS] "iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."] "QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."] "Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"] "Apoint" = "C:\Programme\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."] "HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"] "IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"] "PowerManager" = "C:\Programme\Power Manager\PM.exe" [empty string] "b8db8f8d" = "rundll32.exe "C:\WINDOWS\system32\fknwluay.dll",b" [MS] "BMbbe8bc11" = "Rundll32.exe "C:\WINDOWS\system32\irsypqon.dll",s" [MS] HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express" \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS] 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {432CAE3B-690F-4C3B-BD97-070EBDA210D5}\(Default) = (no title provided) -> {HKLM...CLSID} = "FoxieToolbar Class" \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxietoolbaru.dll" ["Team Foxie"] {453fddb0-412c-489f-b3b4-81b40fdfcb40}\(Default) = "{04bcfdf0-4b18-4b3b-f984-c2140bddf354}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\xuldtt.dll" [null data] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."] {C65185B1-D52B-44A9-861F-8201B50D1F37}\(Default) = (no title provided) -> {HKLM...CLSID} = "FoxieSecurityModule Class" \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxiecoreu.dll" ["Team Foxie"] {CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\WINDOWS\system32\qoMdATjh.dll" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung" -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension" -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string] "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] 
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"] "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"] "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band" -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] "{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan" -> {HKLM...CLSID} = "ZLAVShExt Class" \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML 
Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS] "{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension" -> {HKLM...CLSID} = "TuneUp Theme Extension" \InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {HKLM...CLSID} = "iTunes" \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."] "{1825D0FA-5B0C-4e20-A929-3EFD15B6DF71}" = "IntelliType Pro Touchpad Control Property Page" -> {HKLM...CLSID} = "IntelliType Pro Touchpad Control Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcpltp.dll"" [MS] "{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page" -> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwir.dll"" [MS] "{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page" -> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplzm.dll"" [MS] "{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page" -> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwhl.dll"" [MS] "{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" 
= "IntelliType Pro Key Settings Control Panel Property Page" -> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplkey.dll"" [MS] "{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page" -> {HKLM...CLSID} = "Schnurlose Eigenschaften" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS] "{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page" -> {HKLM...CLSID} = "Scrollrad-Eigenschaftenseite" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS] "{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page" -> {HKLM...CLSID} = "Aktivitäten-Eigenschaftenseite" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS] "{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page" -> {HKLM...CLSID} = "Tasten-Eigenschaftenseite" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS] "{3BEABCC1-BF31-42df-88D9-A2955D6B8528}" = "IntelliPoint Sensitivity Control Panel Property Page" -> {HKLM...CLSID} = "IntelliPoint Sensitivity Property Page" \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplsens.dll"" [MS] "{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete" -> {HKLM...CLSID} = "IE Microsoft AutoComplete" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ <<!>> "Authentication Packages" = "msv1_0"|"C:\WINDOWS\system32\qoMdATjh" HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ <<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] <<!>> yayvTmmk\DLLName = "yayvTmmk.dll" [file not found] 
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Programme\StarOffice 8\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"] ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}" -> {HKLM...CLSID} = "ZLAVShExt Class" \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" -> {HKLM...CLSID} = "MCLiteShellExt Class" \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = 
"C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}" -> {HKLM...CLSID} = "WinZip" \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"] ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}" -> {HKLM...CLSID} = "ZLAVShExt Class" \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}" -> {HKLM...CLSID} = "MBAMShlExt Class" \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoTrayItemsDisplay" = (REG_BINARY) hex:00 00 00 00 {Hide the notification area} "NoDrives" = (REG_BINARY) hex:00 00 00 00 {unrecognized setting} "NoSharedDocuments" = (REG_BINARY) hex:00 00 00 00 {Remove Shared Documents from My Computer} "ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000000 {unrecognized setting} "NoSaveSettings" = (REG_DWORD) dword:0x00000001 {Don't save settings at exit} HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\ "No_LaunchMediaBar" = (REG_DWORD) dword:0x00000001 {unrecognized setting} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on} "NoInternetOpenWith" = (REG_DWORD) dword:0x00000001 {unrecognized setting} "DisableCAD" = (REG_DWORD) dword:0x00000001 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Dokumente und Einstellungen\Niklas\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ iTunesBurnCDOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.BurnCD" "InvokeVerb" = "burn" 
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."] iTunesImportSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ImportSongsOnCD" "InvokeVerb" = "import" HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."] iTunesPlaySongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.PlaySongsOnCD" "InvokeVerb" = "play" HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."] iTunesShowSongsOnArrival\ "Provider" = "iTunes" "InvokeProgID" = "iTunes.ShowSongsOnCD" "InvokeVerb" = "showsongs" HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."] NeroAutoPlayEmptyCD\ "Provider" = "Nero StartSmart" "InvokeProgID" = "Nero.AutoPlay" "InvokeVerb" = "EmptyCD" HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Programme\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"] PixumEasyprint\ "Provider" = "Pixum Easyprint 1.2" "ProgID" = "Shell.HWEventHandlerShellExecute" "InitCmdLine" = "C:\Programme\Pixum AG\Pixum EasyPrint\easyprint.exe" HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" -> {HKLM...CLSID} = "ShellExecute HW Event Handler" \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS] Startup items in "Niklas" & "All Users" startup folders: -------------------------------------------------------- C:\Dokumente und Einstellungen\Niklas\Startmenü\Programme\Autostart "Adobe Gamma" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."] "Stardock ObjectDock" -> shortcut to: 
"C:\Programme\ObjectDock\ObjectDock.exe" ["Stardock"] Enabled Scheduled Tasks: ------------------------ "AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Inc."] 000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{855F3B16-6D32-4FE6-8A56-BBB695989046}" -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided) -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."] "{09C02180-3B46-4CD8-83FF-34DAF442BDEF}" = "MultiTab Tool" -> {HKLM...CLSID} = "Foxie" \InProcServer32\(Default) = "C:\Programme\Foxie Suite\foxiecoreu.dll" ["Team Foxie"] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = 
"C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Konsole" "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06" \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."] {306BBB66-D9E4-4481-833E-C1D5FCA06774}\ "ButtonText" = "Desktop Search" "MenuText" = "Desktop Search" "Script" = "C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm" [null data] {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A}\ "ButtonText" = "Privacy Cleaner" "MenuText" = "Privacy Cleaner" "Exec" = "C:\Programme\Foxie Suite\Cleaner.exe" ["Team Foxie"] {61039B22-563D-4922-B844-B076C318A66A}\ "ButtonText" = "Swift Sweeper" "MenuText" = "Swift Sweeper" "Exec" = "C:\Programme\Foxie Suite\Sweeper.exe" ["Team Foxie"] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Recherchieren" {B863453A-26C3-4E1F-A54D-A2CD196348E9}\ "ButtonText" = "ICQ Lite" "MenuText" = "ICQ Lite" "Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."] {E4143585-2688-4EBC-B264-27C774F600D5}\ "ButtonText" = "The Infinity Button" "MenuText" = "The Infinity Button" "Script" = "C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm" [null data] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided) -> {HKLM...CLSID} = "ICQ Toolbar" \InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["ICQ Inc."] HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\ <<H>> "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found] <<H>> "foxie" = 
"res://foxiecoreu.dll/options.html" [file not found] <<H>> "desktopsearch" = "C:\Programme\Foxie Suite\Resources\HTML\Query.htm" [null data] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"] AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"] Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."] Bonjour-Dienst, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Inc."] Cisco Systems, Inc. VPN Service, CVPND, ""C:\Programme\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."] iPod-Dienst, iPod Service, "C:\Programme\iPod\bin\iPodService.exe" ["Apple Inc."] Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"] LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."] Logitech Process Monitor, LVPrcSrv, "c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe" ["Logitech Inc."] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ eDocPortMonitor\Driver = "C:\PROGRA~1\GEMEIN~1\MAYCOM~1\EDOCPR~1\eDocPort.dll" ["May Software"] Lexmark Network Port\Driver = "LEXLMPM.DLL" [file not found] Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] ---------- (launch time: 2008-09-25 11:30:04) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. ---------- (total run time: 172 seconds) |
25.09.2008, 11:15 | #7 |
Here is the ComboFix logfile: Code:
ComboFix 08-09-24.09 - N****s 2008-09-25 12:03:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.1607 [GMT 2:00]
Run from: C:\Dokumente und Einstellungen\N***s\Desktop\ComboFix.exe
Warning - No Recovery Console is installed on this PC !!
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbbe8bc11.txt
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-25 to 2008-09-25 ))))))))))))))))))))))))))))))
.

2008-09-25 11:58 . 2008-09-25 11:58 <DIR> d-------- C:\Programme\CCleaner
2008-09-25 11:55 . 2008-09-25 11:55 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-09-25 11:54 . 2008-09-25 11:54 0 --a------ C:\WINDOWS\BMbbe8bc11.xml
2008-09-25 11:06 . 2008-09-25 11:06 <DIR> d-------- C:\Dokumente und Einstellungen\N**s\Anwendungsdaten\Malwarebytes
2008-09-25 11:05 . 2008-09-25 11:08 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-09-25 11:05 . 2008-09-25 11:05 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-09-25 11:05 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-25 11:05 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-24 12:27 . 2008-09-24 12:27 112,128 --a------ C:\WINDOWS\system32\xuldtt.dll
2008-09-24 12:27 . 2008-09-24 12:27 112,128 --a------ C:\WINDOWS\system32\okitviim.dll
2008-09-24 12:24 . 2008-09-25 12:06 1,836,345 ---hs---- C:\WINDOWS\system32\yaulwnkf.ini
2008-09-24 12:24 . 2008-09-24 12:24 89,600 --a------ C:\WINDOWS\system32\fknwluay.dll
2008-09-24 12:21 . 2008-09-24 12:21 97,280 --a------ C:\WINDOWS\system32\irsypqon.dll
2008-09-23 18:29 . 2008-09-23 18:38 <DIR> d-------- C:\WINDOWS\OEMDRV
2008-09-23 17:12 . 2005-02-08 04:37 167,936 --a------ C:\WINDOWS\system32\igfxres.dll
2008-09-23 17:12 . 2008-09-23 17:12 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-23 16:53 . 2006-02-28 14:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-09-23 16:52 . 2006-02-28 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-09-23 16:51 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-09-23 16:49 . 2008-09-23 16:49 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-09-23 16:49 . 2008-09-23 16:49 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-09-23 16:49 . 2008-09-23 16:49 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-09-23 16:49 . 2008-09-23 16:49 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-09-23 16:49 . 2008-09-23 16:49 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-09-23 16:42 . 2006-02-28 14:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-09-23 16:42 . 2006-02-28 14:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-09-23 16:42 . 2006-02-28 14:00 13,824 --a------ C:\WINDOWS\system32\irclass.dll
2008-09-23 16:42 . 2006-02-28 14:00 13,824 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-09-23 12:23 . 2008-09-24 10:57 1,083,355 ---hs---- C:\WINDOWS\system32\qnkcjntd.ini
2008-09-23 12:20 . 2008-09-23 15:52 <DIR> d-------- C:\Dokumente und Einstellungen\Al***s\Anwendungsdaten\Lavasoft
2008-09-23 12:20 . 2008-09-23 12:20 112,128 --a------ C:\WINDOWS\system32\shjwdfje.dll
2008-09-23 12:20 . 2008-09-23 12:20 112,128 --a------ C:\WINDOWS\system32\deazux.dll
2008-09-23 12:20 . 2008-09-23 12:20 97,280 --a------ C:\WINDOWS\system32\rmkrvkog.dll
2008-09-22 23:03 . 2007-08-21 10:12 21,760 --a------ C:\WINDOWS\system32\drivers\point32.sys
2008-09-22 23:02 . 2008-09-22 23:03 <DIR> d-------- C:\Programme\Microsoft IntelliPoint
2008-09-22 23:02 . 2008-09-22 23:02 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-22 23:02 . 2008-09-22 23:02 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-09-22 23:01 . 2007-08-31 21:13 1,421,736 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-09-22 23:01 . 2004-08-04 00:57 21,504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2008-09-22 23:01 . 2007-08-31 21:15 18,856 --a------ C:\WINDOWS\system32\drivers\nuidfltr.sys
2008-09-22 23:00 . 2008-09-22 23:00 <DIR> d-------- C:\Programme\MSXML 6.0
2008-09-22 23:00 . 2008-09-22 23:01 <DIR> d-------- C:\Programme\Microsoft IntelliType Pro
2008-09-22 22:44 . 2008-09-23 12:08 1,024,403 --ahs---- C:\WINDOWS\system32\mpxxaiiv.ini
2008-09-22 22:41 . 2008-09-22 22:41 112,128 --a------ C:\WINDOWS\system32\thxfhokn.dll
2008-09-22 22:41 . 2008-09-22 22:41 112,128 --a------ C:\WINDOWS\system32\frwvqx.dll
2008-09-22 22:38 . 2008-09-22 22:38 97,280 --a------ C:\WINDOWS\system32\ksbewsio.dll
2008-09-21 11:42 . 2008-09-22 22:38 1,024,223 --ahs---- C:\WINDOWS\system32\otkmtoad.ini
2008-09-21 11:42 . 2008-09-21 11:42 112,128 --a------ C:\WINDOWS\system32\vmugathq.dll
2008-09-21 11:42 . 2008-09-21 11:42 112,128 --a------ C:\WINDOWS\system32\udtkmg.dll
2008-09-21 11:39 . 2008-09-21 11:39 97,280 --a------ C:\WINDOWS\system32\htwxdndw.dll
2008-09-19 17:52 . 2008-09-19 17:52 112,128 --a------ C:\WINDOWS\system32\ttoznz.dll
2008-09-19 17:51 . 2008-09-19 17:52 112,128 --a------ C:\WINDOWS\system32\fypavvsq.dll
2008-09-19 17:50 . 2008-09-21 11:39 1,024,163 --ahs---- C:\WINDOWS\system32\udqrfxwb.ini
2008-09-19 17:46 . 2008-09-19 17:46 97,280 --a------ C:\WINDOWS\system32\kxyhtoah.dll
2008-09-18 23:23 . 2008-09-18 23:23 112,128 --a------ C:\WINDOWS\system32\iohydi.dll
2008-09-18 23:23 . 2008-09-18 23:23 112,128 --a------ C:\WINDOWS\system32\frokdlkh.dll
2008-09-18 23:06 . 2008-09-19 17:43 1,024,103 --ahs---- C:\WINDOWS\system32\knwlrian.ini
2008-09-18 23:05 . 2008-09-25 12:03 522,637 --ahs---- C:\WINDOWS\system32\hjTAdMoq.ini2
2008-09-18 23:05 . 2008-09-25 12:03 522,637 --ahs---- C:\WINDOWS\system32\hjTAdMoq.ini
2008-09-18 23:05 . 2008-09-18 23:05 257,024 --a------ C:\WINDOWS\system32\qoMdATjh.dll
2008-09-18 21:54 . 2008-09-23 17:39 <DIR> d-------- C:\Programme\River PastVideo Cleaner Pro
2008-09-18 21:54 . 2008-09-23 17:39 <DIR> d-------- C:\Programme\Gemeinsame Dateien\River Past
2008-09-18 21:54 . 2008-09-18 21:54 <DIR> d-------- C:\Dokumente und Einstellungen\N**s\Anwendungsdaten\River Past G5
2008-09-18 21:54 . 2008-09-23 17:39 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\River Past G5
2008-09-14 16:21 . 2008-09-14 16:21 <DIR> d-------- C:\Programme\iPod
2008-09-14 16:21 . 2008-09-14 16:22 <DIR> d-------- C:\Dokumente und Einstellungen\A***rs\Anwendungsdaten\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-14 16:19 . 2008-09-14 16:19 <DIR> d-------- C:\Programme\Bonjour
2008-09-14 15:53 . 2008-07-23 18:50 9,464 --a------ C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-09-14 15:53 . 2008-07-23 18:50 9,336 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-09-14 15:52 . 2008-07-23 18:50 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-09-06 15:09 . 2008-09-06 15:09 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-09-06 15:09 . 2008-09-06 15:09 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-08-30 14:28 . 2008-09-23 16:00 138,067 --a------ C:\WINDOWS\setupapi.old
2008-08-29 23:55 . 2008-08-29 23:57 <DIR> d-------- C:\Programme\MP3Gain
2008-08-29 23:02 . 2008-08-29 23:02 <DIR> d-------- C:\Dokumente und Einstellungen\N***s\Anwendungsdaten\FoxieSpywareSwiftSweeper
2008-08-29 23:01 . 2008-08-29 23:01 <DIR> d-------- C:\Programme\Foxie Suite
2008-08-29 19:55 . 2008-08-29 19:55 <DIR> d-------- C:\Programme\Realtek AC97
2008-08-29 19:54 . 2008-08-29 19:54 <DIR> d-------- C:\Programme\CHIP System-Check-Tool
2008-08-29 19:54 . 2006-09-29 22:21 77,824 --a------ C:\WINDOWS\system32\DriveInfo.dll
2008-08-29 19:54 . 2006-02-03 17:46 32,768 --a------ C:\WINDOWS\system32\chipxum.dll
2008-08-29 19:15 . 2008-09-25 11:54 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-08-29 15:00 . 2006-07-11 13:20 33,879 --a------ C:\WINDOWS\system32\drivers\Capt905c.sys
2008-08-29 15:00 . 2005-04-13 15:21 24,605 --a------ C:\WINDOWS\system32\drivers\Camd905c.sys
2008-08-29 14:56 . 2008-08-29 14:56 <DIR> d-------- C:\Programme\YouTube to Mp3 Converter
2008-08-29 14:56 . 2008-09-23 17:44 <DIR> d-------- C:\Programme\Gemeinsame Dateien\DVDVideoSoft
2008-08-29 10:18 . 2008-08-29 10:18 87,336 --a------ C:\WINDOWS\system32\dns-sd.exe
2008-08-29 09:53 . 2008-08-29 09:53 61,440 --a------ C:\WINDOWS\system32\dnssd.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-25 10:00 --------- d-----w C:\Dokumente und Einstellungen\Al***s\Anwendungsdaten\AntiVir PersonalEdition Classic
2008-09-25 08:47 --------- d-----w C:\Programme\Mozilla Thunderbird
2008-09-23 18:04 --------- d-----w C:\Programme\Opera
2008-09-23 10:20 --------- d-----w C:\Programme\Lavasoft
2008-09-23 10:20 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-09-23 10:17 --------- d-----w C:\Programme\ICQToolbar
2008-09-18 21:06 --------- d-----w C:\Programme\no23Recorder
2008-09-14 14:21 --------- d-----w C:\Programme\iTunes
2008-09-14 14:19 --------- d-----w C:\Programme\QuickTime
2008-09-14 14:18 --------- d-----w C:\Programme\Gemeinsame Dateien\Apple
2008-09-14 13:53 --------- d-----w C:\Programme\DivX
2008-08-29 12:59 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-08-07 16:29 --------- d-----w C:\Programme\Zone Labs
2008-08-06 19:53 --------- d-----w C:\Programme\Apple Software Update
2008-08-06 13:45 4,122,112 ----a-r C:\WINDOWS\system32\drivers\alcxwdm.sys
2008-08-04 17:13 --------- d-----w C:\Programme\ICQLite
2008-08-04 17:12 --------- d-----w C:\Dokumente und Einstellungen\N**s\Anwendungsdaten\McLoad
2008-07-29 20:56 --------- d-----w C:\Dokumente und Einstellungen\N**s\Anwendungsdaten\WinBatch
2008-07-28 20:19 --------- d-----w C:\Dokumente und Einstellungen\N**s\Anwendungsdaten\Apple Computer
2008-07-28 06:14 --------- d-----w C:\Dokumente und Einstellungen\A***s\Anwendungsdaten\MailFrontier
2008-04-16 17:26 32 ----a-w C:\Dokumente und Einstellungen\A***s\Anwendungsdaten\ezsid.dat
2006-09-23 16:25 2,068,792 ----a-w C:\Programme\AVP.6.299_09.23_18.20_9dc.SRV.log
2006-09-23 16:24 50,394 ----a-w C:\Programme\AVP.6.299_09.23_18.20_d18.ALL.log
2006-09-23 16:16 3,786,123 ----a-w C:\Programme\AVP.6.299_09.23_18.08_5fc.SRV.log
2006-09-23 16:16 21,707 ----a-w C:\Programme\AVP.6.299_09.23_18.08_32c.ALL.log
2004-08-04 12:00 60,416 --sha-w C:\WINDOWS\FlyakiteOSX\Backup\msimn.exe
2006-05-10 00:14 62,976 --sha-w C:\WINDOWS\FlyakiteOSX\Backup\wmplayer.exe

.
((((((((((((((((((((((((((((( snapshot@2008-09-25_11.54.18.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-30 17:19:46 203,096 ----a-w C:\WINDOWS\LastGood.Tmp\system32\wuweb.dll
- 2007-07-30 17:19:46 203,096 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-07-18 20:09:44 205,000 -c--a-w C:\WINDOWS\system32\dllcache\wuweb.dll
- 2007-07-30 17:19:46 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2008-07-18 20:09:44 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

.
(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3426F6AF-A4D6-4CFB-AB0A-4E125389897A}]
2008-09-18 23:05 257024 --a------ C:\WINDOWS\system32\qoMdATjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}]
2008-09-24 12:27 112128 --a------ C:\WINDOWS\system32\xuldtt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Foxie Firewall"="C:\Programme\Foxie Suite\Firewall.exe" [2005-09-12 340227]
"TuneUp MemOptimizer"="C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" [2008-04-15 154880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="C:\Programme\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"itype"="C:\Programme\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2008-09-06 413696]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-28 266497]
"Apoint"="C:\Programme\Apoint2K\Apoint.exe" [2003-12-05 159744]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-08 126976]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-08 155648]
"PowerManager"="C:\Programme\Power Manager\PM.exe" [2005-03-30 159744]
"b8db8f8d"="C:\WINDOWS\system32\fknwluay.dll" [2008-09-24 89600]
"BMbbe8bc11"="C:\WINDOWS\system32\irsypqon.dll" [2008-09-24 97280]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 15360]

C:\Dokumente und Einstellungen\N***s\Startmen\Programme\Autostart\
Adobe Gamma.lnk - C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe [2006-09-25 110592]
Stardock ObjectDock.lnk - C:\Programme\ObjectDock\ObjectDock.exe [2005-07-15 1802309]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=xuldtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" -atboottime
"SoundMan"=SOUNDMAN.EXE
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"SunJavaUpdateSched"=C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe"
"AGRSMMSG"=AGRSMMSG.exe
"MP10_EnsureFileVer"=C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
"ICQ Lite"="C:\Programme\ICQLite\ICQLite.exe" -minimize
"LogitechVideo[inspector]"=C:\Programme\Logitech\Video\InstallHelper.exe /inspect
"LogitechCameraService(E)"=C:\WINDOWS\system32\ElkCtrl.exe /automation
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"LogitechCameraAssistant"=C:\Programme\Logitech\Video\CameraAssistant.exe
"System Files Updater"=C:\WINDOWS\FlyakiteOSX\Tools\System Files Updater.exe /S

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\ICQLite\\ICQLite.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=
"C:\\Programme\\Bonjour\\mDNSResponder.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=

R2 ACEDRV06;ACEDRV06;C:\WINDOWS\system32\drivers\ACEDRV06.sys [2007-01-17 99840]
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 5504]
R3 firewall;firewall;C:\Programme\Foxie Suite\firewall.sys [2005-08-07 3003]
R3 LVPrcMon;Logitech LVPrcMon Driver;C:\WINDOWS\system32\drivers\LVPrcMon.sys [2005-12-09 16768]
S2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2006-02-28 14336]
S3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-09-10 38528]
S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-04 354560]

*Newly Created Service* - FIREWALL
.
Contents of the "Scheduled Tasks" folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\N***s\Anwendungsdaten\Mozilla\Firefox\Profiles\cx17xq0l.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.yodl.de/href.php?hrefname=FF-splug_google&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.tagesschau.de/
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - C:\Programme\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 12:06:04
Windows 5.1.2600 Service Pack 2 NTFS

Scanning hidden processes...
Scanning hidden autostart entries...
Scanning hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Gemeinsame Dateien\Logitech\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\iPod\bin\iPodService.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-09-25 12:09:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-25 10:09:52

Pre-Run: 13 directories, 20,797,071,360 bytes free
Post-Run: 17 directories, 20,785,299,456 bytes free

257 --- E O F --- 2008-09-11 14:09:08
|
25.09.2008, 11:22 | #8 |
| Google search and Windows auto-update broken, popups, trojan Here is the link for the Listing8 script: File-Upload.net - listing.txt New HijackThis logfile: Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:53, on 25.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Programme\Power Manager\PM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Programme\Foxie Suite\Firewall.exe
C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe
C:\Programme\ObjectDock\ObjectDock.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\N***s\Desktop\qlketzd.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: (no name) - {2D8E87C8-DC78-4451-B07C-8AE9B836A0EC} - C:\WINDOWS\system32\qoMdATjh.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Programme\Foxie Suite\foxietoolbaru.dll
O2 - BHO: {04bcfdf0-4b18-4b3b-f984-c2140bddf354} - {453fddb0-412c-489f-b3b4-81b40fdfcb40} - C:\WINDOWS\system32\xuldtt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Programme\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Programme\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PowerManager] C:\Programme\Power Manager\PM.exe
O4 - HKLM\..\Run: [b8db8f8d] rundll32.exe "C:\WINDOWS\system32\fknwluay.dll",b
O4 - HKLM\..\Run: [BMbbe8bc11] Rundll32.exe "C:\WINDOWS\system32\irsypqon.dll",s
O4 - HKCU\..\Run: [Foxie Firewall] C:\Programme\Foxie Suite\Firewall.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222185975655
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C38147-D8F4-492B-B488-6557BA790FFC}: NameServer = 89.246.64.8 62.220.18.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: xuldtt.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8630 bytes
|
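Added example (my own code, not part of this thread and not part of HijackThis or ComboFix): a small triage script over the kind of lines in the ComboFix log and the HijackThis log above. It flags what a helper picks out by eye in a Vundo-style infection: a BHO with no readable name (or a GUID where the name should be), a Run value that loads a DLL straight out of system32 through rundll32 with a one-letter export, a populated AppInit_DLLs value, and a hidden+system .ini in system32 whose name is a DLL name seen elsewhere spelled backwards (hjTAdMoq.ini beside qoMdATjh.dll). The sample lines are copied from the posted logs; the heuristics are my assumptions, not rules documented by either tool, and a hit means "look at this", not "this is malware".

```python
"""Triage of HijackThis / ComboFix log lines for Vundo-style indicators.

Added example, not part of the original thread. The heuristics below are
assumptions a helper would apply by eye, not rules of either tool.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "reason line")

# Constructed sample: lines copied from the HijackThis and ComboFix logs in the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {2D8E87C8-DC78-4451-B07C-8AE9B836A0EC} - C:\WINDOWS\system32\qoMdATjh.dll
O2 - BHO: {04bcfdf0-4b18-4b3b-f984-c2140bddf354} - {453fddb0-412c-489f-b3b4-81b40fdfcb40} - C:\WINDOWS\system32\xuldtt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [b8db8f8d] rundll32.exe "C:\WINDOWS\system32\fknwluay.dll",b
O4 - HKLM\..\Run: [BMbbe8bc11] Rundll32.exe "C:\WINDOWS\system32\irsypqon.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: xuldtt.dll
2008-09-18 23:05 . 2008-09-25 12:03 522,637 --ahs---- C:\WINDOWS\system32\hjTAdMoq.ini
2008-09-18 23:05 . 2008-09-18 23:05 257,024 --a------ C:\WINDOWS\system32\qoMdATjh.dll
"""

# HijackThis line shapes (O2 = BHO, O4 = Run value, O20 = AppInit_DLLs)
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
RUNDLL = re.compile(r'^O4 - .*\[(?P<name>[^\]]+)\]\s+rundll32\.exe\s+"(?P<path>[^"]+)",(?P<export>\w+)\s*$', re.I)
APPINIT = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<value>.*)$")
# ComboFix "Files Created" line: created . modified size attrs path
CF_FILE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
GUID = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
IN_SYSTEM32 = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)


def _stem(path):
    """'C:\\WINDOWS\\system32\\hjTAdMoq.ini' -> 'hjTAdMoq'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text):
    """Return a list of Finding(reason, line) for every suspicious line."""
    findings, dll_stems, hidden_inis = [], set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # remember every DLL name seen, for the reversed-name check below
        for m in re.finditer(r"([A-Za-z0-9_]+)\.dll\b", line):
            dll_stems.add(m.group(1).lower())
        m = BHO.match(line)
        if m:
            if m.group("name") == "(no name)" or GUID.match(m.group("name")):
                findings.append(Finding("BHO without a readable name", line))
            elif IN_SYSTEM32.match(m.group("path")):
                findings.append(Finding("BHO DLL dropped directly into system32", line))
            continue
        m = RUNDLL.match(line)
        if m and IN_SYSTEM32.match(m.group("path")) and len(m.group("export")) == 1:
            findings.append(Finding("Run value loads a system32 DLL via rundll32 with a one-letter export", line))
            continue
        m = APPINIT.match(line)
        if m and m.group("value").strip():
            findings.append(Finding("AppInit_DLLs is set: the DLL is injected into every process that loads user32", line))
            continue
        m = CF_FILE.match(line)
        if m and m.group("path").lower().endswith(".ini") and {"h", "s"} <= set(m.group("attrs")):
            hidden_inis.append((m.group("path"), line))
    # second pass: hidden+system .ini whose name is a seen DLL name reversed
    for path, line in hidden_inis:
        if _stem(path)[::-1].lower() in dll_stems:
            findings.append(Finding("hidden+system .ini named as a seen DLL spelled backwards (Vundo pattern)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Feed it a whole saved log (`triage(open("hijackthis.log").read())`); the reversed-name check only fires when both the .ini and the matching DLL appear somewhere in the same text, which is why ComboFix's file list and the HijackThis O2 lines are best concatenated before running it.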
25.09.2008, 11:33 | #9 |
| Google search and Windows auto-update broken, popups, trojan That's it. Everything went fine, except for Malwarebytes Anti-Malware. I just tried it again, but the program and my computer freeze while it runs. The last thing I saw was 15 infected objects after about 5 seconds of scanning. I hope you can help me further! Many thanks again in advance! |
25.09.2008, 17:50 | #10 |
| Google search and Windows auto-update broken, popups, trojan Unfortunately none of the problems could be solved. I have now worked through the list above and hope that someone still has an idea. Hibernation no longer works either; the computer starts up again by itself within 30 seconds... |
25.09.2008, 18:29 | #11 |
/// Winkelfunktion /// TB-Süch-Tiger™ | Google search and Windows auto-update broken, popups, trojan There are still an extremely large number of malicious files. Please proceed as follows with the Avenger, then make a new file listing and a new HijackThis log. After that, try the Malwarebytes check again. (ATTENTION: the script for the Avenger is long, make sure you copy it COMPLETELY!!) Download the Avenger tool and save it to the desktop:
Code:
files to delete:
C:\WINDOWS\system32\dtnjcknq.dll
C:\WINDOWS\system32\rmkrvkog.dll
C:\WINDOWS\system32\fknwluay.dll
C:\WINDOWS\system32\irsypqon.dll
C:\WINDOWS\system32\xuldtt.dll
C:\WINDOWS\system32\qoMdATjh.dll
C:\WINDOWS\system32\okitviim.dll
C:\WINDOWS\system32\yaulwnkf.ini
C:\WINDOWS\system32\fknwluay.dll
C:\WINDOWS\system32\irsypqon.dll
C:\WINDOWS\system32\qnkcjntd.ini
C:\WINDOWS\system32\shjwdfje.dll
C:\WINDOWS\system32\deazux.dll
C:\WINDOWS\system32\rmkrvkog.dll
C:\WINDOWS\system32\mpxxaiiv.ini
C:\WINDOWS\system32\thxfhokn.dll
C:\WINDOWS\system32\frwvqx.dll
C:\WINDOWS\system32\ksbewsio.dll
C:\WINDOWS\system32\otkmtoad.ini
C:\WINDOWS\system32\vmugathq.dll
C:\WINDOWS\system32\udtkmg.dll
C:\WINDOWS\system32\htwxdndw.dll
C:\WINDOWS\system32\ttoznz.dll
C:\WINDOWS\system32\fypavvsq.dll
C:\WINDOWS\system32\udqrfxwb.ini
C:\WINDOWS\system32\kxyhtoah.dll
C:\WINDOWS\system32\iohydi.dll
C:\WINDOWS\system32\frokdlkh.dll
C:\WINDOWS\system32\knwlrian.ini
C:\WINDOWS\system32\hjTAdMoq.ini2
C:\WINDOWS\system32\hjTAdMoq.ini
C:\WINDOWS\system32\qoMdATjh.dll

registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|isamonitor.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|pmsngr.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b8db8f8d
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BMbbe8bc11
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify|yayvTmmk

registry kes to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvTmmk

folders to delete:
C:\Programme\Video ActiveX Object
__________________ Please always post logfiles in CODE tags |
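Added example (my own code, not part of this thread and not Avenger's own code): a syntax check to run over an Avenger script before handing it to the tool. Section names are the ones used in the script above plus two driver sections I assume Avenger 2.0 accepts (an assumption, not something the page states). A header it does not recognise is reported, and because Avenger's pre-processor skips such a line but stays in the previous mode, the entries under it are checked against the previous section's rules, which is exactly how the key lines end up rejected as malformed registry values. It also reports entries listed twice, which the tool would process twice and log as "not found" the second time. The sample script is a shortened copy of the posted one, typo included.

```python
"""Syntax check for an Avenger 2.0 script before it is run.

Added example, not part of the thread and not Avenger's own code. Section
names are those used in the posted script plus two driver sections I assume
the tool accepts; Avenger's real grammar may differ.
"""

KNOWN_SECTIONS = {
    "files to delete",
    "folders to delete",
    "registry keys to delete",
    "registry values to delete",
    "drivers to delete",    # assumed
    "drivers to disable",   # assumed
}

# Constructed sample: a shortened copy of the posted script, with its original typo.
SAMPLE_SCRIPT = r"""
files to delete:
C:\WINDOWS\system32\fknwluay.dll
C:\WINDOWS\system32\irsypqon.dll
C:\WINDOWS\system32\xuldtt.dll
C:\WINDOWS\system32\fknwluay.dll
C:\WINDOWS\system32\irsypqon.dll

registry values to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b8db8f8d
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BMbbe8bc11

registry kes to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}

folders to delete:
C:\Programme\Video ActiveX Object
"""


def lint_avenger_script(text):
    """Return a list of (line_number, message) for every problem found."""
    problems, seen, section = [], {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            name = line[:-1].strip().lower()
            if name in KNOWN_SECTIONS:
                section = name
            else:
                # Avenger skips the bad header but keeps the previous mode,
                # so the entries that follow are parsed under the old section.
                problems.append((n, f"unknown section header {line!r}; "
                                    f"entries below it fall through to {section!r}"))
            continue
        if section is None:
            problems.append((n, "entry before any section header"))
            continue
        if section.startswith("registry values") and "|" not in line:
            problems.append((n, "registry value entry lacks the 'key|valuename' separator"))
        if section.startswith("registry keys") and "|" in line:
            problems.append((n, "registry key entry should not contain '|'"))
        key = (section, line.lower())
        if key in seen:
            problems.append((n, f"duplicate of line {seen[key]} (second deletion will report 'not found')"))
        else:
            seen[key] = n
    return problems


def dedupe(text):
    """Drop repeated entries within a section, keeping the first occurrence."""
    out, seen, section = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":"):
            section = line.lower()
        elif line and (section, line.lower()) in seen:
            continue
        elif line:
            seen.add((section, line.lower()))
        out.append(raw)
    return "\n".join(out)


if __name__ == "__main__":
    for n, msg in lint_avenger_script(SAMPLE_SCRIPT):
        print(f"line {n}: {msg}")
```

On the sample this reports the two duplicated file entries, the misspelt header, and the BHO key line that falls through into the registry-values section, the same four things the Avenger log below shows happening at run time; fixing the header and running `dedupe()` yields a script with no findings.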
25.09.2008, 19:28 | #12 |
| Google search and Windows auto-update broken, popups, trojan Thanks for now! So here is the Avenger log: a 'y' was missing in "keys", I changed that and then it worked. Code:
//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Thu Sep 25 20:12:33 2008

20:12:27: Error: Invalid syntax in command: "registry kes to delete:"
Skipping line. (Registry value deletion mode)

20:12:31: Error: Invalid syntax in command: "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}"
Skipping line. (Registry value deletion mode)

20:12:33: Error: Execution aborted by user!

//////////////////////////////////////////

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\dtnjcknq.dll" not found!
Deletion of file "C:\WINDOWS\system32\dtnjcknq.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\rmkrvkog.dll" not found!
Deletion of file "C:\WINDOWS\system32\rmkrvkog.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\fknwluay.dll" not found!
Deletion of file "C:\WINDOWS\system32\fknwluay.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\irsypqon.dll" deleted successfully.
File "C:\WINDOWS\system32\xuldtt.dll" deleted successfully.
File "C:\WINDOWS\system32\qoMdATjh.dll" deleted successfully.
File "C:\WINDOWS\system32\okitviim.dll" deleted successfully.
File "C:\WINDOWS\system32\yaulwnkf.ini" deleted successfully.

Error: file "C:\WINDOWS\system32\fknwluay.dll" not found!
Deletion of file "C:\WINDOWS\system32\fknwluay.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\irsypqon.dll" not found!
Deletion of file "C:\WINDOWS\system32\irsypqon.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\qnkcjntd.ini" deleted successfully.
File "C:\WINDOWS\system32\shjwdfje.dll" deleted successfully.
File "C:\WINDOWS\system32\deazux.dll" deleted successfully.

Error: file "C:\WINDOWS\system32\rmkrvkog.dll" not found!
Deletion of file "C:\WINDOWS\system32\rmkrvkog.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\mpxxaiiv.ini" deleted successfully.
File "C:\WINDOWS\system32\thxfhokn.dll" deleted successfully.
File "C:\WINDOWS\system32\frwvqx.dll" deleted successfully.
File "C:\WINDOWS\system32\ksbewsio.dll" deleted successfully.
File "C:\WINDOWS\system32\otkmtoad.ini" deleted successfully.
File "C:\WINDOWS\system32\vmugathq.dll" deleted successfully.
File "C:\WINDOWS\system32\udtkmg.dll" deleted successfully.
File "C:\WINDOWS\system32\htwxdndw.dll" deleted successfully.
File "C:\WINDOWS\system32\ttoznz.dll" deleted successfully.
File "C:\WINDOWS\system32\fypavvsq.dll" deleted successfully.
File "C:\WINDOWS\system32\udqrfxwb.ini" deleted successfully.
File "C:\WINDOWS\system32\kxyhtoah.dll" deleted successfully.
File "C:\WINDOWS\system32\iohydi.dll" deleted successfully.
File "C:\WINDOWS\system32\frokdlkh.dll" deleted successfully.
File "C:\WINDOWS\system32\knwlrian.ini" deleted successfully.
File "C:\WINDOWS\system32\hjTAdMoq.ini2" deleted successfully.
File "C:\WINDOWS\system32\hjTAdMoq.ini" deleted successfully.

Error: file "C:\WINDOWS\system32\qoMdATjh.dll" not found!
Deletion of file "C:\WINDOWS\system32\qoMdATjh.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: folder "C:\Programme\Video ActiveX Object" not found!
Deletion of folder "C:\Programme\Video ActiveX Object" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not delete registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|isamonitor.exe"
Deletion of registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|isamonitor.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not delete registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|pmsngr.exe"
Deletion of registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|pmsngr.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|b8db8f8d" deleted successfully.
Registry value "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BMbbe8bc11" deleted successfully.

Error: could not delete registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify|yayvTmmk"
Deletion of registry value "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify|yayvTmmk" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}" deleted successfully.

Error: registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvTmmk" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvTmmk" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.
|
25.09.2008, 19:30 | #13 |
| Here is the file listing: File-Upload.net - listing.txt, and the HijackThis logfile:
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:20:39, on 25.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Microsoft IntelliPoint\ipoint.exe
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Programme\Power Manager\PM.exe
C:\Programme\Microsoft IntelliPoint\dpupdchk.exe
C:\Programme\Foxie Suite\Firewall.exe
C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe
C:\Programme\ObjectDock\ObjectDock.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\N***s\Desktop\qlketzd.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: FoxieToolbar Class - {432CAE3B-690F-4C3B-BD97-070EBDA210D5} - C:\Programme\Foxie Suite\foxietoolbaru.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {93DFC539-51A5-415C-930F-C62F571B008C} - C:\WINDOWS\system32\qoMdATjh.dll (file missing)
O2 - BHO: FoxieSecurityModule Class - {C65185B1-D52B-44A9-861F-8201B50D1F37} - C:\Programme\Foxie Suite\foxiecoreu.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Foxie - {09C02180-3B46-4CD8-83FF-34DAF442BDEF} - C:\Programme\Foxie Suite\foxiecoreu.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programme\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [PowerManager] C:\Programme\Power Manager\PM.exe
O4 - HKCU\..\Run: [Foxie Firewall] C:\Programme\Foxie Suite\Firewall.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Programme\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Programme\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra 'Tools' menuitem: Desktop Search - {306BBB66-D9E4-4481-833E-C1D5FCA06774} - C:\Programme\Foxie Suite\Resources\HTML\Desktop.htm
O9 - Extra button: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra 'Tools' menuitem: Privacy Cleaner - {546E08AA-809F-4F1A-BE1A-6B122EBFCD5A} - C:\Programme\Foxie Suite\Cleaner.exe
O9 - Extra button: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra 'Tools' menuitem: Swift Sweeper - {61039B22-563D-4922-B844-B076C318A66A} - C:\Programme\Foxie Suite\Sweeper.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O9 - Extra 'Tools' menuitem: The Infinity Button - {E4143585-2688-4EBC-B264-27C774F600D5} - C:\Programme\Foxie Suite\Resources\HTML\Infinity.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1222185975655
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C38147-D8F4-492B-B488-6557BA790FFC}: NameServer = 89.246.64.8 62.220.18.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: xuldtt.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Programme\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8376 bytes
25.09.2008, 19:57 | #14 |
/// Winkelfunktion /// TB-Süch-Tiger™ |
Code:
O2 - BHO: (no name) - {93DFC539-51A5-415C-930F-C62F571B008C} - C:\WINDOWS\system32\qoMdATjh.dll (file missing)
O20 - AppInit_DLLs: xuldtt.dll

Then run Avenger again as usual (no reboot after fixing with HijackThis), but use this script this time:
Code:
registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{453fddb0-412c-489f-b3b4-81b40fdfcb40}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBA4CC8C-A389-4DCE-8C5D-F18C7FCC4D07}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayvTmmk

files to delete:
C:\WINDOWS\system32\ouchljni.ini
C:\WINDOWS\system32\injlhcuo.dll
C:\WINDOWS\system32\ecarerid.dll
C:\WINDOWS\system32\b3f84bf3-.txt
C:\WINDOWS\BMbbe8bc11.txt
C:\WINDOWS\BMbbe8bc11.xml
C:\WINDOWS\MEMORY.DMP
C:\WINDOWS\SET12B.tmp
C:\WINDOWS\SETE9.tmp
C:\WINDOWS\SETEC.tmp
C:\WINDOWS\SETF8.tmp

folders to delete:
C:\DOKUME~1\Niklas\LOKALE~1\temp\Adobe
C:\DOKUME~1\Niklas\LOKALE~1\temp\is-DGDAM.tmp
C:\DOKUME~1\Niklas\LOKALE~1\temp\is-CCDIA.tmp
__________________
Please always post logfiles in CODE tags
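As an added example for this thread (not a tool from the forum, the helper or the poster): a small Python triage of a HijackThis 2.0.x log that flags the same kinds of entries the helper picks out above, namely O2 BHOs with no name or a missing file, any non-empty O20 AppInit_DLLs value, and random-looking DLL/EXE names loaded from system32 or by bare name, which is the pattern behind the qoMdATjh, yayvTmmk and injlhcuo names in the Avenger script. The sample log is constructed from lines of the log posted above plus one Winlogon Notify line built from the names in the Avenger script; the allowlist, the name heuristic and the O17 "review" rule are choices made here, not rules that HijackThis itself applies.

```python
"""Triage a HijackThis 2.0.x log for entries a malware helper would tell the
poster to fix.  Added example; the rules below are heuristics chosen here."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines taken from the log posted in this thread, plus one
# Winlogon Notify line assembled from the names in the helper's Avenger script.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {93DFC539-51A5-415C-930F-C62F571B008C} - C:\WINDOWS\system32\qoMdATjh.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{92C38147-D8F4-492B-B488-6557BA790FFC}: NameServer = 89.246.64.8 62.220.18.8
O20 - AppInit_DLLs: xuldtt.dll
O20 - Winlogon Notify: yayvTmmk - C:\WINDOWS\system32\injlhcuo.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# First .dll/.exe/.com file name in the entry; group 1 is the name without extension.
FILE_RE = re.compile(r"([A-Za-z0-9_~.\-]+)\.(dll|exe|com)\b", re.IGNORECASE)

# Constructed allowlist: Windows and driver binaries seen in this thread's own log
# that live in system32 or are started by bare name (igfxtray would trip the
# name heuristic otherwise).
KNOWN_GOOD = {
    "smss", "winlogon", "services", "lsass", "svchost", "spoolsv", "explorer",
    "ctfmon", "hkcmd", "igfxtray", "rundll32", "soundman", "notepad", "wscntfy",
    "savedump",
}


def looks_random(stem: str) -> bool:
    """Heuristic for Vundo-style generated names: 6-10 letters with few vowels
    or a long consonant run (qoMdATjh, yayvTmmk, injlhcuo all match)."""
    if not re.fullmatch(r"[A-Za-z]{6,10}", stem):
        return False
    low = stem.lower()
    vowels = sum(c in "aeiou" for c in low)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", low)), default=0)
    return vowels / len(low) <= 0.25 or longest_run >= 4


@dataclass
class Finding:
    line: str
    severity: str  # "fix" = tick it in HijackThis, "review" = check by hand
    reason: str


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append(Finding(raw, "fix",
                "BHO without a name or with a missing file: dangling IE plug-in, "
                "consistent with the Vundo family named earlier in the thread"))
            continue
        if kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(Finding(raw, "fix",
                "AppInit_DLLs loads this DLL into every process that maps user32.dll"))
            continue
        if kind == "O17":
            findings.append(Finding(raw, "review",
                "explicit NameServer entry: confirm the DNS servers belong to the ISP"))
            continue
        fm = FILE_RE.search(body)
        if kind in {"O2", "O3", "O4", "O20", "O23"} and fm:
            stem = fm.group(1)
            prefix = body[:fm.start()]
            bare = not prefix.endswith("\\")            # no directory: resolved via PATH
            in_sys32 = prefix.lower().endswith("system32\\")
            if (bare or in_sys32) and stem.lower() not in KNOWN_GOOD and looks_random(stem):
                findings.append(Finding(raw, "fix",
                    f"random-looking name {stem!r} loaded from a system location"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.reason}\n       {f.line}")
```

A "fix" finding is what you would tick in HijackThis; the name heuristic is a triage aid, not proof, which is why the allowlist exists and why entries under C:\Programme are left alone.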
25.09.2008, 20:08 | #15 |
| Will do in a moment, Malwarebytes is running right now... ;-)