I-net verbindung = erneutes herunterladen von viren

DigitalDeath · 28.11.2008, 14:14

Silent :
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"updateMgr" = ""C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1" ["Adobe Systems Incorporated"]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Verknüpfung mit der High Definition Audio-Eigenschaftenseite" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]
"SetRefresh" = "C:\Programme\Compaq\SetRefresh\SetRefresh.exe" ["Hewlett-Packard Company"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"MFServices" = ""C:\Programme\Companion Suite IH\MFServices.exe" -n" [empty string]
"MFPrintServer" = ""C:\Programme\Companion Suite IH\MFPrintServer.exe"" [empty string]
"SSBkgdUpdate" = ""C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"IndexSearch" = "C:\Programme\ScanSoft\PaperPort\IndexSearch.exe" ["ScanSoft, Inc."]
"OneTouch Monitor" = "(empty string)" [file not found]
"MFLaunchOT" = "C:\Programme\Companion OneTouch\MFLaunchOT.exe "Crystal Printer"" ["OEM"]
"WireLessMouse " = "C:\Programme\Multimedia Combo Set\MouseDrv.exe" [empty string]
"WireLessKeyboard " = "C:\Programme\Multimedia Combo Set\PS2USBKbdDrv.exe" [empty string]
"SfWinStartInfo" = "C:\Programme\Sfirm32\sfWinStartupInfo.exe" ["BIVG Hannover"]
"UVS10 Preload" = "C:\Programme\Ulead Systems\Ulead Movie Wizard 3.2 SE VCD\uvPL.exe" ["Ulead Systems, Inc."]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"HP Software Update" = "C:\Programme\Hp\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"(Default)" = "(empty string)" [file not found]
"HPUsageTracking" = ""C:\Programme\Hewlett-Packard\HP UT\bin\hppusg.exe" "C:\Programme\Hewlett-Packard\HP UT\"" [null data]
"PrnStatusMX" = "C:\Programme\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe" ["Marvell Semiconductor, Inc."]
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" [file not found]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{DBD8E168-244D-448C-9922-25508950D1DC}" = "Ulead UDF Driver"
-> {HKLM...CLSID} = "USIShellExt Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\USIShex.dll" ["Ulead Systems, Inc."]
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
-> {HKLM...CLSID} = "IZArc DragDrop Menu"
\InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "C:\Programme\IZArc\IZArcCM.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\AQUAGA~1.SCR" (Aqua Garden.scr) ["formosoft"]

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

FunMultiMediaHandler\
"Provider" = "MultiMedia Manager"
"ProgID" = "FUNBOX.Autoplay"
HKLM\SOFTWARE\Classes\FUNBOX.Autoplay\CLSID\(Default) = "{DF866F1F-10DF-4694-94A9-7F526FC8800A}"
-> {HKLM...CLSID} = "FUNBOX Autoplay Sample 2"
\LocalServer32\(Default) = "C:\Program Files\Samsung\Samsung PC Studio 3\Share_autoplay.exe" [file not found]

IviDVDEventHandler\
"Provider" = "InterVideo WinDVD"
"InvokeProgID" = "Ivi.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = "C:\Programme\InterVideo\WinDVD\WinDVD.exe %1" ["InterVideo Inc."]

IviVideoCDHandler\
"Provider" = "InterVideo WinDVD"
"InvokeProgID" = "Ivi.MediaFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\Ivi.MediaFile\shell\play\command\(Default) = "C:\Programme\InterVideo\WinDVD\WinDVD.exe %1" ["InterVideo Inc."]

MSWMEncVCArrival\
"Provider" = "Windows Media Encoder 9-Reihe"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Windows Media-Komponenten\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

UVSFolder\
"Provider" = "Ulead Movie Wizard 3.2 SE VCD"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Ulead Systems\Ulead Movie Wizard 3.2 SE VCD\vstudio.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

Startup items in "Gmeiner" & "All Users" startup folders:
---------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"VR-NetWorld Auftragsprüfung" -> shortcut to: "C:\Programme\VR-NetWorld\vrtoolcheckorder.exe /autostart" ["VR-NetWorld Software"]

Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Internet Explorer Address Prefixes:
-----------------------------------

Prefix for specific service (i.e., "www")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
<<H>> "factwork" = "factwork://"

Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar mit Pop-Up-Blocker"
\InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 9943 domain names to IP addresses,
5 of the IP addresses are *not* localhost!

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal - Free Antivirus Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
CSIScanner, CSIScanner, ""C:\Programme\PrevxCSI\prevxcsi.exe" /service" ["Prevx"]
Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Ulead Burning Helper, UleadBurningHelper, "C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
VNC Server Version 4, WinVNC4, ""C:\Programme\RealVNC\VNC4\WinVNC4.exe" -service" ["RealVNC Ltd."]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
CP1215LM\Driver = "CP1215LM.DLL" ["Marvell Semiconductor, Inc."]
csfpm\Driver = "csfpm.dll" ["SAGEM SA"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

---------- (launch time: 2008-11-28 14:20:50)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 24 seconds, including 3 seconds for message boxes)

DigitalDeath · 28.11.2008, 14:19

löschen ?

habe im abgesicherten modus Malwarebytes' Anti-Malware scannen lassen, hat nichts gefunden
und C:\System Volume Information\_restore existiert nicht
-----
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.11.28.2 2008.11.28 -
AntiVir 7.9.0.36 2008.11.28 -
Authentium 5.1.0.4 2008.11.28 -
Avast 4.8.1281.0 2008.11.27 -
AVG 8.0.0.199 2008.11.27 -
BitDefender 7.2 2008.11.28 -
CAT-QuickHeal 10.00 2008.11.28 -
ClamAV 0.94.1 2008.11.28 -
DrWeb 4.44.0.09170 2008.11.28 -
eSafe 7.0.17.0 2008.11.27 -
eTrust-Vet 31.6.6234 2008.11.28 -
Ewido 4.0 2008.11.28 -
F-Prot 4.4.4.56 2008.11.27 -
F-Secure 8.0.14332.0 2008.11.28 -
Fortinet 3.117.0.0 2008.11.28 -
GData 19 2008.11.28 -
Ikarus T3.1.1.45.0 2008.11.28 -
K7AntiVirus 7.10.536 2008.11.27 -
Kaspersky 7.0.0.125 2008.11.28 -
McAfee 5447 2008.11.27 -
McAfee+Artemis 5447 2008.11.27 -
Microsoft 1.4104 2008.11.28 -
NOD32 3648 2008.11.28 -
Norman 5.80.02 2008.11.28 -
Panda 9.0.0.4 2008.11.28 -
PCTools 4.4.2.0 2008.11.27 -
Prevx1 V2 2008.11.28 -
Rising 21.05.42.00 2008.11.28 -
SecureWeb-Gateway 6.7.6 2008.11.28 -
Sophos 4.36.0 2008.11.28 -
Sunbelt 3.1.1832.2 2008.11.27 -
Symantec 10 2008.11.28 -
TheHacker 6.3.1.1.166 2008.11.28 -
TrendMicro 8.700.0.1004 2008.11.28 -
VBA32 3.12.8.9 2008.11.28 -
ViRobot 2008.11.28.1491 2008.11.28 -
VirusBuster 4.5.11.0 2008.11.27 -
weitere Informationen
File size: 360488 bytes
MD5...: 1ef3740105735ed41e744d4c57c9fa7f
SHA1..: 65f0e5ffff80ad4e4a6f61f1145a6432b2c5c9c1
SHA256: 52a24b7f7ac0ba3192f15498af4b3196ffe2c8f22f1872efae518eabf8ab26ed
SHA512: ee7f8e7c0fa40394f2866f6278ee528b2f509befa4369e9c89405f4aecbf138a
78a064084105ef00eaa20add3f0d1a0dde24a8e4cedda4adbbc6ed4a17e7f1ab

ssdeep: 6144:SQJKf0M1nJzIziOQD2qved+thMYl0cnKuIuRwdzlRSwO1+z:RJKt6ziOQKq
vectCYlEMelR01+z

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (59.5%)
Windows Screen Saver (20.6%)
Win32 Executable Generic (13.4%)
Generic Win/DOS Executable (3.1%)
DOS Executable Generic (3.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4138ee
timedatestamp.....: 0x4642e84c (Thu May 10 09:39:24 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x30999 0x31000 6.55 a9840b47c784780a830f5c7343ecd575
.rdata 0x32000 0xdbcc 0xe000 4.86 b1c99d9472fb8c328192f639364937bb
.data 0x40000 0x8994 0x3000 4.61 6fcf2b26e14522be1a5f062ffcbcf2e3
.rsrc 0x49000 0x14320 0x15000 5.25 cd646f234a36b082313f440065e4ee9a

( 14 imports )
> VERSION.dll: VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
> KERNEL32.dll: GetFileType, TerminateProcess, HeapReAlloc, HeapSize, VirtualProtect, VirtualAlloc, GetSystemInfo, VirtualQuery, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, SetHandleCount, GetStartupInfoA, HeapDestroy, HeapCreate, VirtualFree, CreateThread, GetSystemTimeAsFileTime, IsBadWritePtr, LCMapStringA, LCMapStringW, SetUnhandledExceptionFilter, SetStdHandle, GetOEMCP, GetCPInfo, GetTimeZoneInformation, GetStringTypeA, GetStringTypeW, IsBadReadPtr, IsBadCodePtr, CompareStringA, CompareStringW, SetEnvironmentVariableA, ExitThread, HeapAlloc, HeapFree, RtlUnwind, ExitProcess, GetStartupInfoW, GetFileTime, GetFileAttributesW, GetFullPathNameW, FindFirstFileW, FindClose, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, ReadFile, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, GlobalHandle, GlobalReAlloc, LocalAlloc, RaiseException, GlobalFlags, InterlockedIncrement, lstrcmpiW, WritePrivateProfileStringW, GlobalFindAtomW, lstrlenA, GetModuleHandleA, LoadLibraryA, lstrcatW, GetVersionExA, InterlockedDecrement, GlobalAddAtomW, FreeResource, SetLastError, GlobalFree, MulDiv, lstrcpynW, LocalFree, lstrlenW, GetCurrentThreadId, MultiByteToWideChar, lstrcmpW, GlobalDeleteAtom, WideCharToMultiByte, ConvertDefaultLocale, GetVersion, EnumResourceLanguagesW, lstrcpyW, GetLocaleInfoW, DeviceIoControl, CreateFileA, GetVersionExW, GetThreadLocale, GetLocaleInfoA, GetACP, InterlockedExchange, FormatMessageW, EnterCriticalSection, LeaveCriticalSection, OutputDebugStringW, AllocConsole, CreateFileW, WriteFile, DeleteCriticalSection, InitializeCriticalSection, GetLogicalDrives, SetErrorMode, GetVolumeInformationW, GetDriveTypeW, FileTimeToLocalFileTime, FileTimeToSystemTime, GlobalAlloc, GlobalLock, GlobalUnlock, SetThreadPriority, ResumeThread, GetCommandLineW, GetTempPathW, CreateDirectoryW, GetPrivateProfileStringW, GetCurrentProcessId, RemoveDirectoryW, GetShortPathNameW, GetTempFileNameW, CopyFileW, WaitForSingleObject, DeleteFileW, GetTimeFormatW, GetDateFormatW, GetDiskFreeSpaceExW, GetUserDefaultLangID, GetTickCount, FindResourceW, LoadResource, LockResource, SizeofResource, GetModuleHandleW, GetModuleFileNameW, GetCurrentThread, GetCurrentProcess, CreateMutexW, GetLastError, CloseHandle, LoadLibraryW, GetProcAddress, FreeLibrary, QueryPerformanceCounter
> USER32.dll: MessageBeep, GetNextDlgGroupItem, InvalidateRgn, InvalidateRect, CopyAcceleratorTableW, SetRect, IsRectEmpty, CharNextW, CharUpperW, GetSysColorBrush, ReleaseCapture, LoadCursorW, SetCapture, WindowFromPoint, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, wsprintfW, WinHelpW, GetCapture, CreateWindowExW, GetClassInfoExW, GetClassLongW, GetClassNameW, SetPropW, GetPropW, RemovePropW, SendDlgItemMessageA, IsChild, GetForegroundWindow, GetTopWindow, GetMessageTime, GetMessagePos, TrackPopupMenu, SetForegroundWindow, UpdateWindow, GetMenu, AdjustWindowRectEx, ScreenToClient, EqualRect, GetClassInfoW, RegisterClassW, UnregisterClassW, DefWindowProcW, CallWindowProcW, IntersectRect, SystemParametersInfoA, PtInRect, GetSysColor, DestroyMenu, UnhookWindowsHookEx, GetWindowTextLengthW, GetWindowTextW, SetFocus, ShowWindow, MoveWindow, SetWindowLongW, GetDlgCtrlID, SetWindowTextW, IsDialogMessageW, SendDlgItemMessageW, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, SetMenuItemBitmaps, GetFocus, ModifyMenuW, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapW, SetWindowsHookExW, CallNextHookEx, GetMessageW, TranslateMessage, DispatchMessageW, GetKeyState, PeekMessageW, ValidateRect, GetLastActivePopup, SetCursor, ReleaseDC, GetDC, CopyRect, GetDesktopWindow, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamW, DestroyWindow, GetWindowLongW, GetDlgItem, IsWindowEnabled, GetParent, PostThreadMessageW, RegisterClipboardFormatW, GetNextDlgTabItem, EndDialog, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, PostQuitMessage, wsprintfA, LoadStringW, OffsetRect, RegisterWindowMessageW, EmptyClipboard, CloseClipboard, SetClipboardData, GetCursorPos, IsWindow, GetSystemMetrics, LoadIconW, EnableWindow, OpenClipboard, KillTimer, SetTimer, RedrawWindow, IsWindowVisible, GetClientRect, GetWindowRect, BringWindowToTop, IsIconic, SendMessageW, SetMenuDefaultItem, AppendMenuW, CreatePopupMenu, DrawIcon, ExitWindowsEx, PostMessageW, MessageBoxW, GetWindowPlacement, MapWindowPoints
> GDI32.dll: GetRgnBox, GetViewportExtEx, DeleteObject, GetTextColor, GetBkColor, GetMapMode, GetStockObject, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, Escape, TextOutW, RectVisible, SelectObject, GetObjectW, GetWindowExtEx, SetMapMode, RestoreDC, SaveDC, SetBkColor, SetTextColor, GetClipBox, ExtTextOutW, CreateBitmap, CreateRectRgnIndirect, GetDeviceCaps, PtVisible
> comdlg32.dll: GetFileTitleW
> WINSPOOL.DRV: OpenPrinterW, DocumentPropertiesW, ClosePrinter
> ADVAPI32.dll: RegOpenKeyW, EqualSid, AllocateAndInitializeSid, GetTokenInformation, OpenProcessToken, OpenThreadToken, DeleteService, CloseServiceHandle, OpenServiceW, OpenSCManagerW, RegCloseKey, RegSetValueExW, RegCreateKeyExW, RegQueryValueW, RegEnumKeyW, RegDeleteKeyW, FreeSid, RegQueryValueExW, LookupPrivilegeValueW, AdjustTokenPrivileges, CreateProcessWithLogonW, CreateServiceW, RegEnumValueW, RegEnumKeyExW, RegOpenKeyExW
> SHELL32.dll: ShellExecuteW, ShellExecuteExW
> COMCTL32.dll: -, ImageList_Destroy
> SHLWAPI.dll: PathFindFileNameW, PathStripToRootW, PathFindExtensionW, PathIsUNCW
> oledlg.dll: OleUIBusyW
> ole32.dll: CLSIDFromString, CLSIDFromProgID, OleIsCurrentClipboard, CoTaskMemFree, CoRevokeClassObject, CoGetClassObject, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CreateILockBytesOnHGlobal, OleUninitialize, CoFreeUnusedLibraries, OleInitialize, CoRegisterMessageFilter, OleFlushClipboard, CoTaskMemAlloc
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -
> OLEACC.dll: CreateStdAccessibleObject, LresultFromObject

( 0 exports )

CWSandbox info: <a href='http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=1ef3740105735ed41e744d4c57c9fa7f' target='_blank'>http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=1ef3740105735ed41e744d4c57c9fa7f</a>

Chris4You · 28.11.2008, 14:22

Hi,

da das Teil in einem Temp-Verzeichnis lokalisiert ist, würde ich es löschen...
C:\DOKUME~1\Gmeiner\LOKALE~1\Temp\yifmonsl.exe
Und zwar das gesamte Verzeichnis...

Reguläre Programme installieren sich nicht in ein solches Verzeichnis, das jederzeit gelöscht werden kann...

Auch in Silentrunner ist kein Aufruf zu finden, das Teil ist dann entweder von Dir gestartet worden oder versteckt sich vor HJ/Silentrunner...

chris

DigitalDeath · 28.11.2008, 14:25

in ordnung,
mit anvenger löschen ?
den ordner temp löschen, oder nur die dateien die sich darin befinden ?

ich hänge ein bild an mit beschreibung der datei - was sagst du zu dieser ?

Chris4You · 28.11.2008, 14:34

Hi,

zum test mal folgendes machen:
Im Taskmanager nach der exe "yifmonsl.exe" suchen und beenden, danach über den Explorer den Inhalt des Verzeichnisse löschen (alle Dateien makieren und dann dann löschen). So sind sie noch im Papierkorb (den können wir dann später leeren)...
Findest Du die exe nicht im Taskmanager, dann läuft sie verdeckt. Dann sollte beim Löschen ein Fehler kommen, das die Datei gesperrt ist...
Dann legst Du mit Avenger los (
Files to delete:
C:\DOKUME~1\Gmeiner\LOKALE~1\Temp\yifmonsl.exe
Folders to delete:
C:\DOKUME~1\Gmeiner\LOKALE~1\Temp
)

chris

DigitalDeath · 28.11.2008, 14:37

also, mit rechtsklick löschen kann ich dies
- unter prozessen wird sie nicht aufgeführt - und in der dateibeschreibung steht etwas von anti vir root kit beta - root kit habe ich heute installiert und das ergebniss hier gepostet, allerdings habe ich dies nicht in den temp ordner kopiert - nun da es offenbar doch löschbar ist - temp oder / die dateien da drinn , löschen ( der gesamte temp ordner ist momentan im papierkorb ) - oder ist es nichts ?

hilog nochmal ( warum ist der prozess auf einmal nicht mehr aufgeführt in hilog ? ) :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:52:13, on 28.11.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\PrevxCSI\prevxcsi.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
C:\Programme\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Companion Suite IH\MFServices.exe
C:\Programme\Companion Suite IH\MFPrintServer.exe
C:\Programme\Companion OneTouch\MFLaunchOT.exe
C:\Programme\Multimedia Combo Set\MouseDrv.exe
C:\Programme\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\Programme\Hp\HP Software Update\HPWuSchd2.exe
C:\Programme\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
C:\Programme\PrevxCSI\prevxcsi.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Verknüpfung mit der High Definition Audio-Eigenschaftenseite] HDAShCut.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Programme\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MFServices] "C:\Programme\Companion Suite IH\MFServices.exe" -n
O4 - HKLM\..\Run: [MFPrintServer] "C:\Programme\Companion Suite IH\MFPrintServer.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Programme\Gemeinsame Dateien\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [IndexSearch] C:\Programme\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [MFLaunchOT] C:\Programme\Companion OneTouch\MFLaunchOT.exe "Crystal Printer"
O4 - HKLM\..\Run: [WireLessMouse ] C:\Programme\Multimedia Combo Set\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Programme\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [SfWinStartInfo] C:\Programme\Sfirm32\sfWinStartupInfo.exe
O4 - HKLM\..\Run: [UVS10 Preload] C:\Programme\Ulead Systems\Ulead Movie Wizard 3.2 SE VCD\uvPL.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Programme\Hewlett-Packard\HP UT\bin\hppusg.exe" "C:\Programme\Hewlett-Packard\HP UT\"
O4 - HKLM\..\Run: [PrnStatusMX] C:\Programme\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: VR-NetWorld Auftragsprüfung.lnk = ?
O8 - Extra context menu item: &Google-Suche - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://C:\Programme\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12DE2225-1EA7-4795-B3A9-7810DBCEA18F}: NameServer = 192.168.0.1
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CSIScanner - Prevx - C:\Programme\PrevxCSI\prevxcsi.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programme\Gemeinsame Dateien\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: winvnc - Olivetti & Oracle Research Lab - c:\vnc\winvnc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Programme\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: Aqua Garden - 6423CD5F-D089-4BF1-88B6-6A359339DAFF

--
End of file - 8284 bytes

Chris4You · 28.11.2008, 14:50

Hi,
lösche nur den Inhalt (aufräumen ist immer gut ;o)...
Nein, wenn das stimmt, dann ist es eine temporäre Datei vom Antivir-Rootkit, d.h. es ist "eigentlich nichts".
Vermute Du hast das Log direkt nach dem Lauf von Avira-Antirootkit gemacht?

So muss jetzt leider weg,
so long,
chris

I-net verbindung = erneutes herunterladen von viren

Plagegeister aller Art und deren Bekämpfung: I-net verbindung = erneutes herunterladen von viren