Plagegeister aller Art und deren Bekämpfung (Pests of all kinds and their removal): TR/Agent.59904.B Windows 7
If you are not sure whether you have picked up malware or a trojan, open a thread here. An expert will reply with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
13.11.2008, 14:23 | #1
TR/Agent.59904.B
Avira AntiVir recently popped up with a message that the trojan TR/Agent.59904.B had been found on my computer in: E:\System Volume Information\_restore{762EA928-0218-4D2F-8EEA-4E8C65985C4F}\RP490\A0121985.exe. I then had AntiVir delete the trojan. After a short time the message came back. So I searched under E:\System Volume Information for the supposed .exe, but could not even find the folder _restore{762EA928-0218-4D2F-8EEA-4E8C65985C4F}. Another scan of the directory with AntiVir was negative. Now I would like to know whether my system is still infected and where this trojan came from. I suspect a key generator, but when I ran it back then no message appeared.
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:16:01, on 13.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\programme\citrix\ica client\ssonsvr.exe
C:\windows\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\PicPick\picpick.exe
C:\Programme\Ray Adams\ATI Tray Tools\atitray.exe
C:\Programme\Skype\Phone\Skype.exe
C:\windows\system32\ctfmon.exe
C:\Programme\Hotswap!\HotSwap!.EXE
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Microsoft LifeCam\MSCamS32.exe
C:\windows\system32\oodag.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\windows\system32\svchost.exe
E:\Virtueller Dektop\Programme\Thunderbird\Thunderbird\thunderbird.exe
C:\Programme\Mozilla Firefox\firefox.exe
c:\programme\antivir personaledition classic\avcenter.exe
C:\Programme\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h++p://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h++p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h++p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h++p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h##p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer bereitgestellt von NetCologne
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Dokumente und Einstellungen\***\Desktop\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - HKLM\..\Run: [TalkAndWrite] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PicPick Start] C:\Programme\PicPick\picpick.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Programme\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [HotSwap! Applet] C:\Programme\Hotswap!\HotSwap!.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - h++p://www.bitdefender.de/scan_de/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h++p://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188892958390
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - h++ps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
Client\cvpnd.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programme\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\****\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\windows\system32\oodag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8955 bytes
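Added example (not from the original post and not part of HijackThis): a small Python triage parser for the O2, O4 and O23 entry formats shown in the log above, run over constructed sample lines in the same format. The flag rules (file reported missing, binary under Temp or a user profile, service with unknown owner) are this example's own heuristic for deciding which entries to look up first, not a scanner verdict.

```python
"""Triage helper for HijackThis log lines in the format posted above.

Added example; it is not part of the original post nor of HijackThis itself. It
parses the O2 (BHO), O4 (autostart) and O23 (service) entry formats shown in the
log and flags what a helper looks at first: files HijackThis reports missing,
binaries run from a Temp directory or a user profile, and services with an
unknown owner. The flag rules are this example's own heuristic (an assumption,
not a scanner verdict); a flagged entry is a candidate for a VirusTotal check,
not proof of infection.
"""
import re
from dataclasses import dataclass, field

# Constructed sample lines mirroring the entry formats of the posted log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [LtcyCfgApply] "C:\Dokumente und Einstellungen\***\Desktop\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a
O4 - HKCU\..\Run: [updateMgr] "C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\****\LOKALE~1\Temp\hpdj.exe (file missing)
O23 - Service: O&O Defrag - O&O Software GmbH - C:\windows\system32\oodag.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<cmd>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    kind: str            # "O2", "O4" or "O23"
    name: str            # BHO name, Run value name or service display name
    path: str            # executable/DLL path extracted from the command line
    raw_cmd: str         # command line exactly as HijackThis printed it
    owner: str = ""      # service owner (O23 only)
    hive: str = ""       # HKLM / HKCU / HKUS\... (O4 only)
    flags: list = field(default_factory=list)


def exe_path(cmd: str) -> str:
    """Return the binary part of a command line as HijackThis prints it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: cut at the first switch (" /") or HJT annotation (" (file missing)").
    return re.split(r" /| \(", cmd, maxsplit=1)[0]


def parse_line(line: str):
    """Parse one HijackThis entry; returns an Entry or None for other line types."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return Entry("O2", m["name"], exe_path(m["cmd"]), m["cmd"])
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], exe_path(m["cmd"]), m["cmd"], hive=m["hive"])
    if line.startswith("O23 - Service: "):
        # Split from the right: display names may contain " - ", paths rarely do.
        parts = line[len("O23 - Service: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            name, owner, cmd = parts
            return Entry("O23", name, exe_path(cmd), cmd, owner=owner)
    return None


def triage(entry: Entry) -> list:
    """Heuristic review flags (this example's own rules, not a scanner verdict)."""
    reasons = []
    path = entry.path.lower()
    if "(file missing)" in entry.raw_cmd.lower():
        reasons.append("file missing")
    if "\\temp\\" in path:
        reasons.append("runs from Temp")
    if "\\dokumente und einstellungen\\" in path or "\\dokume~1\\" in path:
        reasons.append("runs from user profile")   # German XP profile root
    if entry.owner == "Unknown owner":
        reasons.append("unknown owner")
    return reasons


def parse_hjt(log: str) -> list:
    """Parse a whole log and attach triage flags to every entry."""
    entries = []
    for line in log.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entry.flags = triage(entry)
            entries.append(entry)
    return entries


def flagged(log: str) -> dict:
    """Map entry name -> flags for entries that need a closer look."""
    return {e.name: e.flags for e in parse_hjt(log) if e.flags}


if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_LOG):
        mark = " <-- " + ", ".join(e.flags) if e.flags else ""
        print(f"{e.kind:<3} {e.name:<22} {e.path}{mark}")
```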
13.11.2008, 21:01 | #2
/// Winkelfunktion /// TB-Süch-Tiger™ | TR/Agent.59904.B
Hello and
Quote:
The probability that there are pests in there is high, even if the virus scanner does not complain. Work through these points for further analysis:
1.) Make sure that all files are shown to you, then have the following files evaluated at Virustotal.com and post all results, in such a way that the results of the individual virus scanners can be seen. Please include file sizes and checksums:
Code:
C:\Programme\PicPick\picpick.exe
3.) Run this MBR tool and post the output
4.) Run Blacklight and Malwarebytes Anti-Malware and post the log files. Before running Malwarebytes, switch off your virus scanner's guard!!
5.) Run Silent Runners according to these instructions and post the log file (enclosed in code tags); if it should be too large, you can upload it (zipped) to file-upload.net and link it here.
6.) ComboFix
A guide and tutorial on using ComboFix
ComboFix may only be run when a helper has explicitly recommended it! Note: ComboFix disables the autostart function of all CD/DVD and USB drives in order to curb spreading. If this causes problems, post them in the thread.
Please post all log files enclosed in code tags (#-button), i.e. like this:
HTML-Code:
[code] Paste the log file here! [/code]
Upload this listing.txt to e.g. File-Upload.net and link it here, since this log file is too large for the board.
8.) Post a new HijackThis log file, use this renamed hijackthis.exe for it - edit the links and private info!!
14.11.2008, 14:50 | #3
TR/Agent.59904.B
So here are the individual log files:
1) picpick.exe
Code:
File size: 803328 bytes
MD5...: 6afef1576e9d06ee0c6938608e1c0910
SHA1..: af18d42cefb7cec62fab014aa1551a1671c80dc3
SHA256: a950f7687c7fe11665aefa64e64747a3c2ac967534eedc390b8ff564019f3104
SHA512: f22d1389b631dafe9ed60252e024b24a927e7ff6569fc8ef690c19c76b5a13b1
6e3b4c0fdc8bb358677cc5755faf5dc20f42a16635dd2d95ee0e64432160041b
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (42.6%)
Win32 EXE Yoda's Crypter (37.0%)
Win32 Executable Generic (11.8%)
Win16/32 Executable Delphi generic (2.8%)
Generic Win/DOS Executable (2.7%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x678bc0
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x1d6000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x1d7000 0xa2000 0xa1e00 7.94 81a557651aa336f50b2c86a7c9a9eeaf
.rsrc 0x279000 0x22000 0x22000 4.63 392bc9da43e549907061a334f41c310e
( 12 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> advapi32.dll: RegFlushKey
> comctl32.dll: ImageList_Add
> comdlg32.dll: PrintDlgA
> gdi32.dll: SaveDC
> ole32.dll: OleDraw
> oleaut32.dll: VariantCopy
> shell32.dll: SHGetMalloc
> user32.dll: GetDC
> version.dll: VerQueryValueA
> winmm.dll: timeGetTime
> winspool.drv: AddFormA

Code:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

Code:
Malwarebytes' Anti-Malware 1.30
Datenbank Version: 1395
Windows 5.1.2600 Service Pack 2

13.11.2008 23:25:25
mbam-log-2008-11-13 (23-25-20).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|)
Durchsuchte Objekte: 239241
Laufzeit: 1 hour(s), 1 minute(s), 43 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 1
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 0
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> No action taken.

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
D:\Lockon\EnglishCockpitSetup.exe (Trojan.Agent) -> No action taken.

Code:
11/13/08 22:08:36 [Info]: BlackLight Engine 2.2.1092 initialized
11/13/08 22:08:36 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/13/08 22:08:36 [Note]: 7019 4
11/13/08 22:08:36 [Note]: 7005 0
11/13/08 22:08:46 [Note]: 7006 0
11/13/08 22:08:46 [Note]: 7011 1504
11/13/08 22:08:46 [Note]: 7035 0
11/13/08 22:08:46 [Note]: 7026 0
11/13/08 22:08:46 [Note]: 7026 0
11/13/08 22:08:48 [Note]: FSRAW library version 1.7.1024
11/13/08 22:20:33 [Note]: 7007 0
14.11.2008, 14:52 | #4
TR/Agent.59904.B
5)
Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AtiTrayTools" = ""C:\Programme\Ray Adams\ATI Tray Tools\atitray.exe"" ["Ray Adams"]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"ctfmon.exe" = "C:\windows\system32\ctfmon.exe" [MS]
"HotSwap! Applet" = "C:\Programme\Hotswap!\HotSwap!.EXE" ["KaaKoon"]
"updateMgr" = ""C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"LtcyCfgApply" = ""C:\Dokumente und Einstellungen\*****\Desktop\LtcyCfg2-[guru3d]\LtcyCfg.exe" /a" [file not found]
"TalkAndWrite" = "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run" [file not found]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"PicPick Start" = "C:\Programme\PicPick\picpick.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
  -> {HKLM...CLSID} = "Adobe PDF Link Helper"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
     \InProcServer32\(Default) = "C:\Programme\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
  -> {HKLM...CLSID} = "Schnurlose Eigenschaften"
     \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
  -> {HKLM...CLSID} = "Scrollrad-Eigenschaftenseite"
     \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
  -> {HKLM...CLSID} = "Aktivitäten-Eigenschaftenseite"
     \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
  -> {HKLM...CLSID} = "Tasten-Eigenschaftenseite"
     \InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office12\msohevi.dll" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}" = "EditPlus Context Menu Handler"
  -> {HKLM...CLSID} = "EditPlus Context Menu Handler"
     \InProcServer32\(Default) = "C:\Programme\EditPlus 2\eppshell.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
     \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension"
  -> {HKLM...CLSID} = "Eraser Shell Extension"
     \InProcServer32\(Default) = "C:\windows\system32\erasext.dll" ["-"]
"{E8D43C7E-EFA1-41A2-9AD9-0CFECD1678B7}" = "SafeErase"
  -> {HKLM...CLSID} = "SafeEraseObj Class"
     \InProcServer32\(Default) = "C:\Programme\OO Software\SafeErase\oosesh.dll" ["O&O Software GmbH"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\windows\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Authentication Packages" = "msv1_0"|"relog_ap"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"oodbs" ["O&O Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
     \InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
EditPlus\(Default) = "{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}"
  -> {HKLM...CLSID} = "EditPlus Context Menu Handler"
     \InProcServer32\(Default) = "C:\Programme\EditPlus 2\eppshell.dll" [null data]
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
  -> {HKLM...CLSID} = "Eraser Shell Extension"
     \InProcServer32\(Default) = "C:\windows\system32\erasext.dll" ["-"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
Notepad++\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
  -> {HKLM...CLSID} = "Notepad++"
     \InProcServer32\(Default) = "C:\Programme\Notepad++\nppcm.dll" ["Burgaud.com"]
SafeErase\(Default) = "{E8D43C7E-EFA1-41A2-9AD9-0CFECD1678B7}"
  -> {HKLM...CLSID} = "SafeEraseObj Class"
     \InProcServer32\(Default) = "C:\Programme\OO Software\SafeErase\oosesh.dll" ["O&O Software GmbH"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
     \InProcServer32\(Default) = "C:\Programme\ICQLite\ICQLiteShell.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
  -> {HKLM...CLSID} = "Eraser Shell Extension"
     \InProcServer32\(Default) = "C:\windows\system32\erasext.dll" ["-"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
SafeErase\(Default) = "{E8D43C7E-EFA1-41A2-9AD9-0CFECD1678B7}"
  -> {HKLM...CLSID} = "SafeEraseObj Class"
     \InProcServer32\(Default) = "C:\Programme\OO Software\SafeErase\oosesh.dll" ["O&O Software GmbH"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
     \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\windows\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\*****\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AlcoholAutoPlayV2.BurnDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""C:\Programme\Alcohol Soft\Alcohol 120\alcohol.exe" %1" ["Alcohol Soft Development Team"]

AlcoholAutoPlayV2.ReadDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""C:\Programme\Alcohol Soft\Alcohol 120\alcohol.exe" %1" ["Alcohol Soft Development Team"]

cam2pc.Browse\
"Provider" = "cam2pc"
"InvokeProgID" = "nabocorp.AutoPlay"
"InvokeVerb" = "cam2pc.Browse"
HKLM\SOFTWARE\Classes\nabocorp.AutoPlay\shell\cam2pc.Browse\command\(Default) = ""C:\Programme\cam2pc\cam2pc.exe" /browse %L" ["nabocorp."]

CTPlayAudioOnArrival\
"Provider" = "@C:\Programme\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource\CTCMS.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

CTPlayMusicFilesOnArrival\
"Provider" = "@C:\Programme\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.MusicFilesPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.MusicFilesPlayer.1\shell\open\command\(Default) = ""C:\Programme\Creative\MediaSource\CTCMS.exe" /Organizer" ["Creative Technology Ltd"]

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

IviDVDEventHandler\
"Provider" = "InterVideo WinDVD 7"
"InvokeProgID" = "Ivi.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = "C:\Programme\InterVideo\DVD7\WinDVD.exe %1" ["InterVideo Inc."]

MediaMonkeyBurnHandler\
"Provider" = "MediaMonkey"
"InvokeProgID" = "SongsDB.SDBDropTarget"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\SongsDB.SDBDropTarget\shell\open\DropTarget\CLSID = "{AB97EDE4-091B-405F-83E6-9A31AD18EDAF}"
  -> {HKLM...CLSID} = "SDBDropTarget"
     \LocalServer32\(Default) = "C:\Programme\MediaMonkey\MediaMonkey.exe" ["Ventis Media Inc."]

MediaMonkeyPlayCDHandler\
"Provider" = "MediaMonkey"
"InvokeProgID" = "SongsDB.SDBDropTarget"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\SongsDB.SDBDropTarget\shell\open\DropTarget\CLSID = "{AB97EDE4-091B-405F-83E6-9A31AD18EDAF}"
  -> {HKLM...CLSID} = "SDBDropTarget"
     \LocalServer32\(Default) = "C:\Programme\MediaMonkey\MediaMonkey.exe" ["Ventis Media Inc."]

MediaMonkeyPlayHandler\
"Provider" = "MediaMonkey"
"InvokeProgID" = "SongsDB.SDBDropTarget"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\SongsDB.SDBDropTarget\shell\open\DropTarget\CLSID = "{AB97EDE4-091B-405F-83E6-9A31AD18EDAF}"
  -> {HKLM...CLSID} = "SDBDropTarget"
     \LocalServer32\(Default) = "C:\Programme\MediaMonkey\MediaMonkey.exe" ["Ventis Media Inc."]

MediaMonkeyRipCDHandler\
"Provider" = "MediaMonkey"
"InvokeProgID" = "SongsDB.SDBDropTargetRip"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\SongsDB.SDBDropTargetRip\shell\open\DropTarget\CLSID = "{7903D765-DA8C-4CB9-ADF2-F88D82E6BFFE}"
  -> {HKLM...CLSID} = "SDBDropTargetRip"
     \LocalServer32\(Default) = "C:\Programme\MediaMonkey\MediaMonkey.exe" ["Ventis Media Inc."]

MediaMonkeyStartHandler\
"Provider" = "MediaMonkey"
"CLSID" = "{0BA2D9E2-D4C8-45B2-8F5B-B3ADE5E461E6}"
  -> {HKLM...CLSID} = "SDBHWEvents"
     \LocalServer32\(Default) = "C:\Programme\MediaMonkey\MediaMonkey.exe" ["Ventis Media Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\windows\system32\WPDShextAutoplay.exe" [MS]

MxVideoDeLuxeVideoCameraArrival\
"Provider" = "MAGIX Video deluxe 2007 e-version"
"ProgID" = "Magix.videodeLuxe"
HKLM\SOFTWARE\Classes\Magix.videodeLuxe\CLSID\(Default) = "{1810360D-0FC7-474B-ABC1-84E96BF51D2F}"
  -> {HKLM...CLSID} = "videodeLuxe AutoplayClass"
     \LocalServer32\(Default) = "C:\Programme\MAGIX\Video_deluxe_2007_e-version\Videodeluxe.exe" ["MAGIX AG"]

NapsterMTPHandler\
"Provider" = "@C:\Programme\Napster\napster.exe,-101"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Napster\napster.exe /devicesync"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NapsterPlayCDHandler\
"Provider" = "@C:\Programme\Napster\napster.exe,-101"
"InvokeProgID" = "Napster.AutoplayHandler"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\Napster.AutoplayHandler\shell\open\command\(Default) = ""C:\Programme\Napster\napster.exe" /playcd "%L"" ["Napster"]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda://%1" ["the VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd://%1" ["the VideoLAN Team"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
     \InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "An OneNote senden"
"MenuText" = "An OneNote s&enden"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll" [MS]

{36ECAF82-3300-8F84-092E-AFF36D6C7040}\
"ButtonText" = "Run WinHTTrack"
"MenuText" = "Launch WinHTTrack"
"CLSIDExtension" = "{86529161-034E-4F8A-88D2-3C625E612E04}"
  -> {HKLM...CLSID} = "WinHTTrackLauncher Class"
     \InProcServer32\(Default) = "C:\Programme\WinHTTrack\WinHTTrackIEBar.dll" [null data]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Programme\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
Google Updater Service, gusvc, ""C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
MSCamSvc, MSCamSvc, ""C:\Programme\Microsoft LifeCam\MSCamS32.exe"" [MS]
O&O Defrag, O&O Defrag, "C:\windows\system32\oodag.exe" ["O&O Software GmbH"]
StarWind AE Service, StarWindServiceAE, "C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzsnt08\Driver = 
"hpzsnt08.dll" ["HP"] PDFCreator\Driver = "pdfcmnnt.dll" ["internet-support foehr.com"] PrintPort\Driver = "emfxp.dll" [null data] Redirected Port\Driver = "redmonnt.dll" [null data] Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS] ---------- (launch time: 2008-11-14 09:42:56) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 218 seconds. ---------- (total run time: 274 seconds) |
14.11.2008, 14:54 | #5 |
| TR/Agent.59904.B 6) Code:
ATTFilter ComboFix 08-11-12.01 - **** 2008-11-14 10:29:27.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.547 [GMT 1:00] ausgeführt von:: c:\dokumente und einstellungen\****\Desktop\ComboFix.exe * Neuer Wiederherstellungspunkt wurde erstellt Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !! . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\tmp27.tmp c:\windows\system32\tmp44.tmp . ((((((((((((((((((((((( Dateien erstellt von 2008-10-14 bis 2008-11-14 )))))))))))))))))))))))))))))) . 2008-11-14 10:21 . 2008-11-14 10:21 <DIR> d-------- c:\programme\CCleaner 2008-11-13 12:13 . 2008-11-13 12:13 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware 2008-11-13 12:13 . 2008-11-13 12:13 <DIR> d-------- c:\dokumente und einstellungen\****\Anwendungsdaten\Malwarebytes 2008-11-13 12:13 . 2008-11-13 12:13 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes 2008-11-13 12:13 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-11-13 12:13 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-11-11 11:34 . 2008-11-11 11:34 <DIR> d-------- c:\programme\PicPick 2008-11-11 09:57 . 2008-11-11 09:58 <DIR> d-------- c:\dokumente und einstellungen\****\Anwendungsdaten\vlc 2008-11-08 20:10 . 2008-11-08 20:10 618 --a------ c:\windows\eReg.dat 2008-11-08 19:30 . 2008-11-08 19:30 <DIR> d-------- c:\programme\Hamachi 2008-11-08 19:30 . 2008-11-11 17:49 <DIR> d-------- c:\dokumente und einstellungen\****\Anwendungsdaten\Hamachi 2008-11-08 19:30 . 2008-11-08 19:30 25,280 --a------ c:\windows\system32\drivers\hamachi.sys 2008-10-24 11:13 . 2008-10-24 11:13 <DIR> d-------- c:\programme\WinHTTrack 2008-10-22 20:59 . 2008-10-22 20:59 <DIR> d-------- C:\Seasons Soundtrack . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2008-11-14 09:34 --------- d-----w c:\dokumente und einstellungen\****\Anwendungsdaten\Skype 2008-11-14 09:25 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy 2008-11-13 19:51 --------- d-----w c:\programme\Napster 2008-11-13 09:28 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Google Updater 2008-11-12 15:34 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft Help 2008-11-11 11:42 --------- d-----w c:\programme\Hotswap! 2008-11-11 11:03 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic 2008-11-08 19:10 --------- d--h--w c:\programme\InstallShield Installation Information 2008-11-01 15:58 --------- d-----w c:\programme\foobar2000 2008-10-26 10:05 --------- d-----w c:\programme\IrfanView 2008-10-25 15:09 --------- d-----w c:\dokumente und einstellungen\****\Anwendungsdaten\dvdcss 2008-10-21 11:05 --------- d-----w c:\programme\TrayBackup 2008-10-14 18:22 --------- d-----w c:\dokumente und einstellungen\****\Anwendungsdaten\FileZilla 2008-10-12 17:55 --------- d-----w c:\dokumente und einstellungen\****\Anwendungsdaten\tunebite 2008-10-02 16:51 --------- d-----w c:\programme\Spybot - Search & Destroy 2008-10-01 20:47 --------- d-----w c:\dokumente und einstellungen\****\Anwendungsdaten\foobar2000 2008-10-01 12:07 --------- d-----w c:\dokumente und einstellungen\****\Anwendungsdaten\XnView 2008-09-30 13:56 --------- d-----w c:\programme\Gemeinsame Dateien\Adobe AIR 2008-09-30 13:56 --------- d-----w c:\programme\Gemeinsame Dateien\Adobe 2008-09-27 16:20 --------- d-----w c:\programme\Real Alternative . (((((((((((((((((((((((((((( Autostartpunkte der Registrierung )))))))))))))))))))))))))))))))))))))))) . . *Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AtiTrayTools"="c:\programme\Ray Adams\ATI Tray Tools\atitray.exe" [2006-12-06 516608] "Skype"="c:\programme\Skype\Phone\Skype.exe" [2008-09-23 21755688] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "HotSwap! Applet"="c:\programme\Hotswap!\HotSwap!.EXE" [2008-02-09 98304] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "avgnt"="c:\programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-20 266497] "Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "PicPick Start"="c:\programme\PicPick\picpick.exe" [2008-10-22 803328] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Acrobat - Schnellstart.lnk] path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Acrobat - Schnellstart.lnk backup=c:\windows\pss\Adobe Acrobat - Schnellstart.lnkCommon Startup [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader Speed Launch.lnk] path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader Synchronizer.lnk] path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader Synchronizer.lnk backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup [HKLM\~\startupfolder\C:^Dokumente und Einstellungen^****^Startmenü^Programme^Autostart^Stardock ObjectDock.lnk] path=c:\dokumente und einstellungen\****\Startmenü\Programme\Autostart\Stardock ObjectDock.lnk backup=c:\windows\pss\Stardock ObjectDock.lnkStartup 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount] --a------ 2008-03-20 17:46 217544 c:\programme\Alcohol Soft\Alcohol 120\AxCmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2004-08-04 13:00 15360 c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ditto] --a------ 2008-01-16 18:45 684032 c:\programme\Ditto\Ditto.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreePDF Assistant] --a------ 2007-06-26 20:27 312320 c:\programme\FreePDF_XP\fpassist.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2007-07-10 08:18 270648 c:\programme\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeCam] --a------ 2007-05-17 22:45 279912 c:\programme\Microsoft LifeCam\LifeExp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell] --a------ 2007-01-12 19:36 323216 c:\programme\Napster\napster.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray] --a------ 2007-05-11 01:08 2512392 c:\windows\system32\oodtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Profiler] --a------ 2005-10-18 13:34 163840 c:\programme\Saitek\Software\ProfilerU.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SaiMfd] --a------ 2005-11-03 10:09 126976 c:\programme\Saitek\Software\SaiMfd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler] --a------ 2006-08-09 19:18 58880 c:\programme\Logitech\Profiler\LWEMon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel] --------- 2005-07-11 11:34 122880 c:\programme\Creative\Sound 
Blaster X-Fi\Volume Panel\VolPanel.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VX3000] --a------ 2007-04-10 22:46 709992 c:\windows\vVX3000.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper] --a------ 2006-08-17 11:32 17920 c:\windows\CTHELPER.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp] --a------ 2006-08-17 11:32 18944 c:\windows\system32\CTXFIHLP.EXE [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Programme\\ICQLite\\ICQLite.exe"= "d:\\ArmA\\arma.exe"= "c:\\Programme\\InterVideo\\DVD7\\WinDVD.exe"= "c:\\Programme\\Mozilla Firefox\\firefox.exe"= "c:\\Programme\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Programme\\uTorrent\\utorrent.exe"= "c:\\Programme\\Winamp\\winamp.exe"= "c:\\Programme\\TVUPlayer\\TVUPlayer.exe"= "c:\\Programme\\iTunes\\iTunes.exe"= "d:\\EECH\\cohokum\\cohokum.exe"= "c:\\Programme\\Microsoft LifeCam\\LifeCam.exe"= "c:\\Programme\\Microsoft LifeCam\\LifeExp.exe"= "c:\\Programme\\Skype\\Phone\\Skype.exe"= R1 atitray;atitray;c:\programme\Ray Adams\ATI Tray Tools\atitray.sys [2006-11-30 14336] R1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [2003-07-11 14912] R2 MSCamSvc;MSCamSvc;c:\programme\Microsoft LifeCam\MSCamS32.exe [2007-05-17 271720] R3 ha20x2k;Creative 20X HAL Driver;c:\windows\system32\drivers\ha20x2k.sys [2006-08-17 1110528] R3 odysseyIM4;Odyssey Network Agent Miniport;c:\windows\system32\DRIVERS\odysseyIM4.sys [2004-09-24 173056] S3 AR5523;Gigaset USB Adapter 108;c:\windows\system32\DRIVERS\ar5523.sys [2006-02-25 343904] S3 
CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;c:\windows\system32\CBTNDIS5.SYS [2003-07-16 17142] S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\programme\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 1527900] S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\DRIVERS\k600bus.sys [2006-03-13 52384] S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\DRIVERS\k600mdfl.sys [2006-03-13 6096] S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\DRIVERS\k600mdm.sys [2006-03-13 87456] S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\k600mgmt.sys [2006-03-13 79248] S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\k600obex.sys [2006-03-13 77072] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000] S3 SaiH0255;SaiH0255;c:\windows\system32\DRIVERS\SaiH0255.sys [2005-11-03 176640] S3 STDRIVER;USB Bulk Out Driver for STM;c:\windows\system32\Drivers\STDRIVER.sys [ ] S3 STTub203;Thrustmaster HOTAS USB Bulk Out;c:\windows\system32\Drivers\STTub203.sys [2002-10-03 40312] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1098b89b-0935-11dd-81a6-0013d46b5401}] \Shell\AutoRun\command - j:\truecrypt\TrueCrypt.exe /q background /lX /e /m rm /v "Desktop" \Shell\dismount\command - j:\truecrypt\TrueCrypt.exe /q /d \Shell\start\command - j:\truecrypt\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1098b89e-0935-11dd-81a6-0013d46b5401}] \Shell\AutoRun\command - j:\truecrypt\TrueCrypt.exe /q background /lX /e /m rm /v "Desktop" \Shell\dismount\command - j:\truecrypt\TrueCrypt.exe /q /d \Shell\start\command - j:\truecrypt\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1098b8a2-0935-11dd-81a6-0013d46b5401}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX 
/e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{189a5ca8-2dc3-11dd-821c-0013d46b5401}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX /e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f2e0df4-18f0-11dd-81dd-0013d46b5401}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX /e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b0277ee-1870-11dd-81dc-0013d46b5401}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX /e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bba0ab4-641e-11db-9542-0013d46b5401}] \Shell\AutoRun\command - J:\setupSNK.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c44968a-21dd-11dd-81f2-806d6172696f}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX /e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e782f29-4283-11dd-827f-0013d46b5401}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX /e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c65d267-6075-11dd-8300-0013d46b5401}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX /e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9058f0f-5176-11dd-82ca-0013d46b5401}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX /e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b932a7d7-0b11-11dd-81ad-0013d46b5401}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX /e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b932a7d8-0b11-11dd-81ad-0013d46b5401}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX /e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dcd58333-1d9f-11dd-81eb-0013d46b5401}] \Shell\AutoRun\command - j:\true\TrueCrypt.exe /q background /lX /e /m rm /v "MD Vorlesung.pdf" \Shell\dismount\command - j:\true\TrueCrypt.exe /q /d \Shell\start\command - j:\true\TrueCrypt.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{de90a517-9c36-11db-95f6-0013d46b5401}] \Shell\AutoRun\command - k:\truecrypt\TrueCrypt.exe /q background /lX /e /m rm /v "Desktop" \Shell\dismount\command - k:\truecrypt\TrueCrypt.exe /q /d \Shell\start\command - k:\truecrypt\TrueCrypt.exe . 
- - - - Entfernte verwaiste Registrierungseinträge - - - - MSConfigStartUp-Cobian Backup 8 - c:\programme\Cobian Backup 8\Cobian.exe MSConfigStartUp-Picasa Media Detector - c:\programme\Picasa2\PicasaMediaDetector.exe MSConfigStartUp-QuickTime Task - c:\programme\QuickTime\QTTask.exe MSConfigStartUp-updateMgr - c:\programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe . ------- Zusätzlicher Suchlauf ------- . FireFox -: Profile - c:\dokumente und einstellungen\****\Anwendungsdaten\Mozilla\Firefox\Profiles\s2p7omn4.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.de/ FF -: plugin - c:\programme\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll FF -: plugin - c:\programme\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll FF -: plugin - c:\programme\Java\jre1.5.0_09\bin\NPJava11.dll FF -: plugin - c:\programme\Java\jre1.5.0_09\bin\NPJava12.dll FF -: plugin - c:\programme\Java\jre1.5.0_09\bin\NPJava13.dll FF -: plugin - c:\programme\Java\jre1.5.0_09\bin\NPJava14.dll FF -: plugin - c:\programme\Java\jre1.5.0_09\bin\NPJava32.dll FF -: plugin - c:\programme\Java\jre1.5.0_09\bin\NPJPI150_09.dll FF -: plugin - c:\programme\Java\jre1.5.0_09\bin\NPOJI610.dll FF -: plugin - c:\programme\Mozilla Firefox\plugins\npbittorrent.dll FF -: plugin - c:\programme\Mozilla Firefox\plugins\npitunes.dll FF -: plugin - c:\programme\Mozilla Firefox\plugins\npstrlnk.dll FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, h**p://www.gmer.net Rootkit scan 2008-11-14 10:32:18 Windows 5.1.2600 Service Pack 2 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostarteinträge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . 
------------------------ Weitere laufende Prozesse ------------------------ . c:\programme\Citrix\ICA Client\ssonsvr.exe c:\programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe c:\programme\AntiVir PersonalEdition Classic\sched.exe c:\programme\AntiVir PersonalEdition Classic\avguard.exe c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\windows\system32\CTSVCCDA.EXE c:\programme\Google\Common\Google Updater\GoogleUpdaterService.exe c:\windows\system32\oodag.exe c:\programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Zeit der Fertigstellung: 2008-11-14 10:36:11 - PC wurde neu gestartet ComboFix-quarantined-files.txt 2008-11-14 09:36:08 Vor Suchlauf: 4.247.293.952 Bytes frei Nach Suchlauf: 4,191,531,008 Bytes frei 277 |
14.11.2008, 14:57 | #6 |
| TR/Agent.59904.B 7) File listing: http://www.file-upload.net/download-...sting.txt.html 8) The cigarette afterwards, the HijackThis log: Code:
ATTFilter Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:58:13, on 14.11.2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\windows\System32\smss.exe C:\windows\system32\winlogon.exe C:\windows\system32\services.exe C:\windows\system32\lsass.exe C:\windows\system32\svchost.exe C:\windows\System32\svchost.exe C:\windows\system32\spoolsv.exe C:\programme\citrix\ica client\ssonsvr.exe C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe C:\Programme\AntiVir PersonalEdition Classic\sched.exe C:\Programme\AntiVir PersonalEdition Classic\avguard.exe C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe C:\Programme\PicPick\picpick.exe C:\Programme\Ray Adams\ATI Tray Tools\atitray.exe C:\Programme\Skype\Phone\Skype.exe C:\windows\system32\ctfmon.exe C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe C:\Programme\Hotswap!\HotSwap!.EXE C:\Programme\Microsoft LifeCam\MSCamS32.exe C:\windows\system32\oodag.exe C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\windows\system32\svchost.exe C:\windows\system32\wscntfy.exe C:\windows\explorer.exe C:\Programme\Mozilla Firefox\firefox.exe E:\Download\qlketzd.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - 
C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [PicPick Start] C:\Programme\PicPick\picpick.exe O4 - HKCU\..\Run: [AtiTrayTools] "C:\Programme\Ray Adams\ATI Tray Tools\atitray.exe" O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe O4 - HKCU\..\Run: [HotSwap! Applet] C:\Programme\Hotswap!\HotSwap!.EXE O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll O9 
- Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programme\WinHTTrack\WinHTTrackIEBar.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.de/scan_de/scan8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188892958390 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Apple Mobile Device - Apple, Inc. 
- C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Programme\MAGIX\Common\Database\bin\fbserver.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: hpdj - Unknown owner - C:\DOKUME~1\*****\LOKALE~1\Temp\hpdj.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe O23 - Service: O&O Defrag - O&O Software GmbH - C:\windows\system32\oodag.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- End of file - 7952 bytes
I'm curious to see what is roaming around on my PC. Many thanks in advance for the support! Quote:
Last edited by Nordic (14.11.2008 at 15:08) |
14.11.2008, 18:23 | #7 |
/// Winkelfunktion /// TB-Süch-Tiger™ | TR/Agent.59904.B So, the file you were supposed to have analysed (which you did): was any malware found in it? You didn't post the results of the individual virus scanners! I suspect, however, that it would be a false positive if anything was found in there, because I think it is this program: PicPick - Wikipedia. Otherwise the logfiles all look fairly unremarkable. Have you disabled System Restore (SWH)? Has AntiVir raised the alert again since then? The MBAM result: Code:
ATTFilter Infizierte Dateiobjekte der Registrierung: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken. Infizierte Dateien: D:\Lockon\EnglishCockpitSetup.exe (Trojan.Agent) -> No action taken.
BTW: Why do you always have such line breaks in the HijackThis logfile?
__________________ Please always post logfiles in CODE tags |
15.11.2008, 10:48 | #8 |
| TR/Agent.59904.B Quote:
Quote:
Quote:
Quote:
So my system seems to be clean. Glad to hear it, although I would have preferred to really know what became of TR/Agent.59904.B. Well, I'll get in touch again if need be. Thx for your help! |