Zurück   Trojaner-Board > Malware entfernen > Plagegeister aller Art und deren Bekämpfung

Plagegeister aller Art und deren Bekämpfung: Worm_downad.ad ?

Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen.

Antwort
Alt 20.04.2010, 11:28   #1
Snewi
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Hallo,

ich habe in unserem Netz einen sehr hartnäckigen Wurm der alle Server und Clients befallen hat!

Ich nutze den Virenscanner TrendMicro OfficeScan! Dieser schlägt ständig Alarm mit den Einträgen:

WORM_DOWNAD.AD C.\Windows\System32\udtyjy.tjb
Mal_DownadJ from C:\Windows\Tasks\At1.job
zusätzlich kommen Fehlermeldungen bezüglich des svchosts.exe!

Habe vieles versucht! Die Systeme Updatemäßig auf den neusten Stand gebracht! Tools wie HijackThis, Malwarebytes, f-downadup versucht das Ding zu entfernen, es kommt aber leider immer wieder!

Was könnte ich noch tun?

Gruß

Alt 20.04.2010, 17:45   #2
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Hallo und

Zitat:
ich habe in unserem Netz einen sehr hartnäckigen Wurm der alle Server und Clients befallen hat!
Firmennetz? Wie viele Clients und Server?
Ist die Meldung wirklich auf jedem Client? Wenn ja, überall gleich?
Ich nehme mal an, dass keine Backups in Form von Systemimages vorliegen...

Zitat:
Die Systeme Updatemäßig auf den neusten Stand gebracht!
Das auch schon vor dem Befall? Hinterher bringt des nicht viel...
__________________

__________________

Alt 20.04.2010, 22:16   #3
Snewi
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Ja es ist einFirmennetz es gibt 6 Server und ca 15 Clients! Auf allen kommt die gleiche Meldung! Natürlich wurden die Updates nachträglich installiert. worden: -(


Ist hier noch was zu retten? Es gibt keine Images!

Gruss
Snewi
__________________

Alt 21.04.2010, 08:43   #4
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Oje, schwierige Sache. Sind die 15 Clients alle von der hardware gesehen völlig unterschiedlich oder quasi identisch? Wenn identisch, könntest Du einen Rechner neu aufsetzen und komplett neu einrichten - wenn alles fertig ist ein Image erstellen und das auf die anderen Rechner einspielen, so dass alle Rechner von der Konfig her wieder gleich und auch nicht mehr befallen sind (bevor Du die geklonten Maschinen ins Netz bringt, solltest Du NewSID ausführen!).

Ob Du den Server so aufsetzen kannst, weiß ich nicht. Wenn der nicht verfügbar ist, kann im Grunde keiner arbeiten und das ist nicht im Sinne des Erfinders.

Erstell mal von einem Client OTL Logs und poste sie, evtl. ist der Bereinigungsaufwand auch garnicht so hoch (sofern Du bereingen willst und das auch veranworten kannst..)


Systemscan mit OTL

Lade Dir bitte OTL von Oldtimer herunter und speichere es auf Deinem Desktop
  • Doppelklick auf die OTL.exe
  • Vista User: Rechtsklick auf die OTL.exe und "als Administrator ausführen" wählen
  • Oben findest Du ein Kästchen mit Output. Wähle bitte Minimal Output
  • Unter Extra Registry, wähle bitte Use SafeList
  • Klicke nun auf Run Scan links oben
  • Wenn der Scan beendet wurde werden 2 Logfiles erstellt
  • Poste die Logfiles hier in den Thread.
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 21.04.2010, 09:57   #5
Snewi
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Das mit dem Neuaufsetzen wäre die allerletzte Lösung ich hoffe ja immer noch das ich es vorher so hinbekomme! Genau sieht es mit den Servern aus!

Also hier mal die LogFiles:

1.OTL:
OTL logfile created on: 21.04.2010 10:47:21 - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = Y:\User\xxx\Viren
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

502,00 Mb Total Physical Memory | 262,00 Mb Available Physical Memory | 52,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 74,41 Gb Total Space | 69,49 Gb Free Space | 93,40% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 68,24 Gb Total Space | 48,19 Gb Free Space | 70,62% Space Free | Partition Type: NTFS
Drive Z: | 124,45 Gb Total Space | 91,03 Gb Free Space | 73,15% Space Free | Partition Type: NTFS

Computer Name: xxx
Current User Name: xxx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - Y:\User\xxx\Viren\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\Temp\YHA674.EXE (Trend Micro Inc.)
PRC - C:\Programme\Trend Micro\OfficeScan Client\TmListen.exe (Trend Micro Inc.)
PRC - C:\Programme\Trend Micro\OfficeScan Client\NTRtScan.exe (Trend Micro Inc.)
PRC - C:\Programme\Trend Micro\OfficeScan Client\PccNTMon.exe (Trend Micro Inc.)
PRC - C:\Programme\Trend Micro\OfficeScan Client\CNTAoSMgr.exe (Trend Micro Inc.)
PRC - C:\Programme\PFANNEN\Pfannen_Update_r.exe (Georgsmarienhuette GmbH)
PRC - C:\Programme\TrueImage\TrueImageMonitor.exe (Acronis)
PRC - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe (Acronis)
PRC - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe (Acronis)
PRC - C:\Programme\Symantec\pcAnywhere\awhost32.exe (Symantec Corporation)
PRC - C:\Programme\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe ()
PRC - C:\NWC\NWC_SERVICE.EXE ()


========== Modules (SafeList) ==========

MOD - Y:\User\xxx\Viren\OTL.exe (OldTimer Tools)
MOD - C:\Programme\Symantec\pcAnywhere\awhk32.dll (Symantec Corporation)
MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\netui1.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\netui0.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\ntlanman.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\davclnt.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\drprov.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\netrap.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msvcr70.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (tmlisten) -- C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe (Trend Micro Inc.)
SRV - (ntrtscan) -- C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe (Trend Micro Inc.)
SRV - (TmProxy) -- C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe (Trend Micro Inc.)
SRV - (AcrSch2Svc) -- C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe (Acronis)
SRV - (awhost32) -- C:\Programme\Symantec\pcAnywhere\awhost32.exe (Symantec Corporation)
SRV - (ose) -- C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (NWC_Service) -- C:\NWC\NWC_SERVICE.EXE ()


========== Driver Services (SafeList) ==========

DRV - (TmFilter) -- C:\Programme\Trend Micro\OfficeScan Client\TmXpflt.sys (Trend Micro Inc.)
DRV - (TmPreFilter) -- C:\Programme\Trend Micro\OfficeScan Client\TmPreflt.sys (Trend Micro Inc.)
DRV - (VSApiNt) -- C:\Programme\Trend Micro\OfficeScan Client\vsapiNT.sys (Trend Micro Inc.)
DRV - (tmcomm) -- C:\WINDOWS\system32\drivers\tmcomm.sys (Trend Micro Inc.)
DRV - (tmtdi) -- C:\WINDOWS\system32\drivers\tmtdi.sys (Trend Micro Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (timounter) -- C:\WINDOWS\system32\DRIVERS\timntr.sys (Acronis)
DRV - (tifsfilter) -- C:\WINDOWS\system32\drivers\tifsfilt.sys (Acronis)
DRV - (snapman) -- C:\WINDOWS\system32\DRIVERS\snapman.sys (Acronis)
DRV - (SymEvent) -- C:\Programme\Symantec\SYMEVENT.SYS (Symantec Corporation)
DRV - (senfilt) -- C:\WINDOWS\system32\drivers\senfilt.sys (Creative Technology Ltd.)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (sisagp) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (awecho) -- C:\WINDOWS\system32\drivers\awechomd.sys (Symantec Corporation)
DRV - (awlegacy) -- C:\WINDOWS\System32\Drivers\awlegacy.sys (Symantec Corporation)
DRV - (AW_HOST) -- C:\WINDOWS\system32\drivers\AW_HOST5.sys (Symantec Corporation)
DRV - (Gernuwa) -- C:\WINDOWS\system32\drivers\GERNUWA.sys (Symantec Corporation)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.euro.dell.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.euro.dell.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.euro.dell.com
IE - HKCU\..\URLSearchHook: {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2009.02.24 15:58:21 | 000,009,278 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Pfannenupdate] c:\Programme\PFANNEN\Pfannen_Update.exe (Georgsmarienhuette GmbH)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Programme\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe ()
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Programme\TrueImage\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [UserFaultCheck] File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWinKeys = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableLockWorkstation = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableChangePassword = 1
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - C:\Programme\Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O9 - Extra Button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = xxx
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programme\Gemeinsame Dateien\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS\System32\PCANotify.dll (Symantec Corporation)
O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Dell.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Dell.bmp
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004.08.13 14:54:56 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010.04.21 10:07:50 | 000,142,992 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2010.04.21 10:07:38 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\log
[2010.04.21 10:07:04 | 000,000,000 | ---D | C] -- C:\Programme\Trend Micro
[2004.08.13 15:00:24 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\Microsoft
[2004.08.13 15:00:22 | 000,000,000 | ---D | M] -- C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Anwendungsdaten\Microsoft
[2004.08.13 14:47:04 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\Microsoft
[2004.08.13 14:47:04 | 000,000,000 | --SD | M] -- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010.04.21 10:43:18 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010.04.21 10:43:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010.04.21 10:42:45 | 001,835,008 | -H-- | M] () -- C:\Dokumente und Einstellungen\velikonja\NTUSER.DAT
[2010.04.21 10:42:45 | 000,000,190 | -HS- | M] () -- C:\Dokumente und Einstellungen\velikonja\ntuser.ini
[2010.04.21 10:25:43 | 000,010,752 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe
[2010.04.19 13:46:32 | 000,002,513 | ---- | M] () -- C:\Dokumente und Einstellungen\velikonja\Desktop\Vai.ProcessExplorer GMH.lnk
[2010.04.19 08:33:08 | 000,000,622 | ---- | M] () -- C:\Dokumente und Einstellungen\velikonja\Desktop\spülstand_temp.xls.lnk
[2010.04.19 07:14:16 | 000,059,392 | ---- | M] () -- C:\Dokumente und Einstellungen\velikonja\Eigene Dateien\spülstand_temp.xls
[2010.04.12 10:53:32 | 000,902,476 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010.04.12 10:53:32 | 000,392,512 | ---- | M] () -- C:\WINDOWS\System32\perfh007.dat
[2010.04.12 10:53:32 | 000,381,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010.04.12 10:53:32 | 000,064,452 | ---- | M] () -- C:\WINDOWS\System32\perfc007.dat
[2010.04.12 10:53:32 | 000,053,436 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010.04.21 10:25:43 | 000,010,752 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe
[2010.04.19 08:33:08 | 000,000,622 | ---- | C] () -- C:\Dokumente und Einstellungen\velikonja\Desktop\spülstand_temp.xls.lnk
[2008.06.23 12:27:08 | 000,165,376 | ---- | C] () -- C:\WINDOWS\System32\STC_DLL.DLL
[2007.12.27 17:28:27 | 001,627,648 | ---- | C] () -- C:\Dokumente und Einstellungen\velikonja\LF_Dat1207.xls
[2006.11.20 15:45:49 | 000,001,380 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006.08.09 10:58:23 | 000,002,412 | RHS- | C] () -- C:\Dokumente und Einstellungen\All Users\ntuser.pol
[2006.08.09 10:54:54 | 000,000,470 | RHS- | C] () -- C:\Dokumente und Einstellungen\velikonja\ntuser.pol
[2006.08.09 10:54:51 | 000,000,142 | ---- | C] () -- C:\Dokumente und Einstellungen\velikonja\Lokale Einstellungen\Anwendungsdaten\fusioncache.dat
[2006.08.09 10:54:50 | 001,835,008 | -H-- | C] () -- C:\Dokumente und Einstellungen\velikonja\NTUSER.DAT
[2006.08.09 10:54:50 | 000,184,320 | -H-- | C] () -- C:\Dokumente und Einstellungen\velikonja\ntuser.dat.LOG
[2006.08.09 10:54:50 | 000,000,190 | -HS- | C] () -- C:\Dokumente und Einstellungen\velikonja\ntuser.ini
[2006.08.02 11:35:44 | 000,000,183 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2006.07.17 14:42:58 | 000,262,144 | ---- | C] () -- C:\Dokumente und Einstellungen\All Users\NTUSER.DAT
[2006.07.17 14:42:58 | 000,001,024 | -H-- | C] () -- C:\Dokumente und Einstellungen\All Users\NTUSER.DAT.LOG
[2005.11.29 06:23:27 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005.11.29 06:05:32 | 000,000,412 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004.08.13 15:04:30 | 000,000,849 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004.08.13 14:51:43 | 000,003,776 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2004.08.13 14:40:41 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004.08.13 14:40:26 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
< End of report >



2.EXTRAS:
OTL Extras logfile created on: 21.04.2010 10:47:21 - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = Y:\User\xxx\Viren
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy

502,00 Mb Total Physical Memory | 262,00 Mb Available Physical Memory | 52,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 83,00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programme
Drive C: | 74,41 Gb Total Space | 69,49 Gb Free Space | 93,40% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Y: | 68,24 Gb Total Space | 48,19 Gb Free Space | 70,62% Space Free | Partition Type: NTFS
Drive Z: | 124,45 Gb Total Space | 91,03 Gb Free Space | 73,15% Space Free | Partition Type: NTFS

Computer Name: xxx
Current User Name: xxx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Programme\Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Programme\Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1480:TCP" = 1480:TCP:*:Enabled:umablo
"28747:TCP" = 28747:TCP:*:Enabled:Trend Micro OfficeScan Listener

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Programme\Symantec\pcAnywhere\awhost32.exe" = C:\Programme\Symantec\pcAnywhere\awhost32.exe:*:EnabledcAnywhere Host -- (Symantec Corporation)
"C:\Programme\VAI\Vai ProcessExplorer GMH\Vai.ProcessExplorerForm.exe" = C:\Programme\VAI\Vai ProcessExplorer GMH\Vai.ProcessExplorerForm.exe:*:Enabled:Vai.ProcessExplorerForm -- (Voest Alpine Industieanlagenbau GmbH, Linz, Austria)
"C:\Dokumente und Einstellungen\velikonja\Lokale Einstellungen\Temp\OraInstall2006-11-20_03-19-49PM\jre\1.4.2\bin\javaw.exe" = C:\Dokumente und Einstellungen\velikonja\Lokale Einstellungen\Temp\OraInstall2006-11-20_03-19-49PM\jre\1.4.2\bin\javaw.exe:*:Enabled:javaw -- File not found
"C:\oracle\product\10.2.0\client_1\jdk\jre\bin\java.exe" = C:\oracle\product\10.2.0\client_1\jdk\jre\bin\java.exe:*:Enabled:java -- ()
"C:\NWC\NWC_SERVICE.EXE" = C:\NWC\NWC_SERVICE.EXE:*:Enabled:NWC_SERVICE -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programme\VAI\Vai ProcessExplorer GMH\Vai.ProcessExplorerForm.exe" = C:\Programme\VAI\Vai ProcessExplorer GMH\Vai.ProcessExplorerForm.exe:*:Enabled:Vai.ProcessExplorerForm -- (Voest Alpine Industieanlagenbau GmbH, Linz, Austria)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{058B32E2-6310-4359-B2D4-1988390C3B83}" = Broadcom Advanced Control Suite
"{11518183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
"{350C97B3-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}" = Oracle Data Provider for .NET Help
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{90110407-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{A19D7EBD-54B0-4C14-BDCE-B4ECAFE77037}" = Vai ProcessExplorer GMH
"{BFBB0B55-D7FE-4F72-9091-C8D9D56A31D1}" = Vai ProcessExplorer GMH
"{CA83357B-931E-44DC-AD43-9996FEEB8116}" = Acronis*True*Image
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{DBF9845F-0D40-4636-8F7D-63D3E22231D4}" = Vai ProcessExplorer GMH
"{E32C38B0-3B52-428D-A6FE-10EE1E1C63FB}" = Vai ProcessExplorer GMH
"{E78BFA60-5393-4C38-82AB-E8019E464EB4}" = Microsoft .NET Framework 1.1 German Language Pack
"{ECEA7878-2100-4525-915D-B09174E36971}" = Trend Micro OfficeScan Client
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 2.5 (Symantec Corporation)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"ST6UNST #1" = Pfannenverfolgung
"ST6UNST #2" = Pfannen_Update

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 13.04.2010 01:03:42 | Computer Name = xxx | Source = PerfNet | ID = 2006
Description = Die Server Queue-Leistungsinformationen konnten nicht gelesen werden.
Es
werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene Fehlercode
ist DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information ist DWORD 2.

Error - 13.04.2010 04:11:56 | Computer Name = xxx | Source = PerfNet | ID = 2005
Description = Die Leistungsinformationen vom Serverdienst konnten nicht gelesen
werden. Es werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene
Fehlercode befindet sich in DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information
ist DWORD 2.

Error - 13.04.2010 04:11:56 | Computer Name = xxx | Source = PerfNet | ID = 2006
Description = Die Server Queue-Leistungsinformationen konnten nicht gelesen werden.
Es
werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene Fehlercode
ist DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information ist DWORD 2.

Error - 14.04.2010 09:44:55 | Computer Name = xxx | Source = PerfNet | ID = 2005
Description = Die Leistungsinformationen vom Serverdienst konnten nicht gelesen
werden. Es werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene
Fehlercode befindet sich in DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information
ist DWORD 2.

Error - 14.04.2010 09:44:55 | Computer Name = xxx | Source = PerfNet | ID = 2006
Description = Die Server Queue-Leistungsinformationen konnten nicht gelesen werden.
Es
werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene Fehlercode
ist DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information ist DWORD 2.

Error - 14.04.2010 10:31:24 | Computer Name = xxx | Source = PerfNet | ID = 2005
Description = Die Leistungsinformationen vom Serverdienst konnten nicht gelesen
werden. Es werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene
Fehlercode befindet sich in DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information
ist DWORD 2.

Error - 14.04.2010 10:31:24 | Computer Name = xxx | Source = PerfNet | ID = 2006
Description = Die Server Queue-Leistungsinformationen konnten nicht gelesen werden.
Es
werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene Fehlercode
ist DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information ist DWORD 2.

Error - 15.04.2010 01:02:38 | Computer Name = xxx | Source = PerfNet | ID = 2005
Description = Die Leistungsinformationen vom Serverdienst konnten nicht gelesen
werden. Es werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene
Fehlercode befindet sich in DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information
ist DWORD 2.

Error - 15.04.2010 01:02:38 | Computer Name = xxx | Source = PerfNet | ID = 2006
Description = Die Server Queue-Leistungsinformationen konnten nicht gelesen werden.
Es
werden keine Server-Leistungsinformationen zurückgegeben. Der zurückgegebene Fehlercode
ist DWORD 0, der IOSB.Status ist DWORD 1 und die IOSB.Information ist DWORD 2.

Error - 15.04.2010 01:10:50 | Computer Name = xxx | Source = Application Error | ID = 1004
Description = Fehlgeschlagene Anwendung svchost.exe, Version 0.0.0.0, fehlgeschlagenes
Modul unknown, Version 0.0.0.0, Fehleradresse 0x00000000.

[ System Events ]
Error - 02.04.2008 12:41:06 | Computer Name = xxx | Source = Kerberos | ID = 5
Description = The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
host/pf-entw1.stw.gmh.de. This indicates that the ticket used against that server
is not yet valid (in relationship to that server time). Contact your system administrator
to make sure the client and server times are in sync, and that the KDC in realm
STW.GMH.DE is in sync with the KDC in the client realm.

Error - 03.04.2008 01:08:19 | Computer Name = xxx | Source = Kerberos | ID = 5
Description = The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
host/pf-entw1.stw.gmh.de. This indicates that the ticket used against that server
is not yet valid (in relationship to that server time). Contact your system administrator
to make sure the client and server times are in sync, and that the KDC in realm
STW.GMH.DE is in sync with the KDC in the client realm.

Error - 03.04.2008 19:13:09 | Computer Name = xxx | Source = Kerberos | ID = 5
Description = The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
host/pf-entw1.stw.gmh.de. This indicates that the ticket used against that server
is not yet valid (in relationship to that server time). Contact your system administrator
to make sure the client and server times are in sync, and that the KDC in realm
STW.GMH.DE is in sync with the KDC in the client realm.

Error - 04.04.2008 01:00:45 | Computer Name = xxx | Source = Kerberos | ID = 5
Description = The kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
host/pf-entw1.stw.gmh.de. This indicates that the ticket used against that server
is not yet valid (in relationship to that server time). Contact your system administrator
to make sure the client and server times are in sync, and that the KDC in realm
STW.GMH.DE is in sync with the KDC in the client realm.

Error - 24.11.2009 04:05:36 | Computer Name = xxx | Source = NetBT | ID = 4321
Description = Der Name "STW :1d" konnte nicht auf der Schnittstelle mit
IP-Adresse 192.168.10.52 registriert werden. Der Computer mit IP-Adresse 192.168.10.57
hat nicht zugelassen, dass dieser Computer diesen Namen verwendet.

Error - 24.11.2009 04:08:39 | Computer Name = xxx | Source = NetBT | ID = 4321
Description = Der Name "STW :1d" konnte nicht auf der Schnittstelle mit
IP-Adresse 192.168.10.52 registriert werden. Der Computer mit IP-Adresse 192.168.10.57
hat nicht zugelassen, dass dieser Computer diesen Namen verwendet.

Error - 24.11.2009 04:10:57 | Computer Name = xxx | Source = NetBT | ID = 4321
Description = Der Name "STW :1d" konnte nicht auf der Schnittstelle mit
IP-Adresse 192.168.10.52 registriert werden. Der Computer mit IP-Adresse 192.168.10.57
hat nicht zugelassen, dass dieser Computer diesen Namen verwendet.

Error - 15.04.2010 01:12:17 | Computer Name = xxx | Source = Service Control Manager | ID = 7023
Description = Der Dienst "Security Driver" wurde mit folgendem Fehler beendet: %%1114

Error - 16.04.2010 12:14:12 | Computer Name = xxx | Source = Service Control Manager | ID = 7023
Description = Der Dienst "Security Driver" wurde mit folgendem Fehler beendet: %%1114

Error - 21.04.2010 04:26:42 | Computer Name = xxx | Source = Service Control Manager | ID = 7032
Description = Der Versuch des Dienststeuerungs-Managers, nach dem unerwarteten Beenden
des Dienstes "Windows-Verwaltungsinstrumentation" Korrekturmaßnahmen (Starten Sie
den Dienst neu.) durchzuführen, ist fehlgeschlagen. Fehler: %%1056


< End of report >


Geändert von Snewi (21.04.2010 um 10:02 Uhr)

Alt 21.04.2010, 10:31   #6
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Zitat:
C:\NWC\NWC_SERVICE.EXE
Sagt Dir NWC-Service was? Die besagte Datei C:\Windows\System32\udtyjy.tjb taucht im Log nicht auf. Mach bitte mal ein Log mit GMER von der gleichen Arbeitsstation und poste das Log.
__________________
--> Worm_downad.ad ?

Alt 21.04.2010, 11:46   #7
Snewi
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



NWC_Service ist bekannt!!

Log:

GMER 1.0.15.15281 - hxxp://www.gmer.net
Rootkit scan 2010-04-21 12:42:25
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOKUME~1\VELIKO~1\LOKALE~1\Temp\uwtdipod.sys


---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF7ED9F80]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device \FileSystem\Fastfat \Fat A95E0C8A

AttachedDevice \FileSystem\Fastfat \Fat TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----

Alt 21.04.2010, 13:37   #8
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Taucht auch da nicht auf
Die Meldungen dieser Datei sind aber schon ständig da oder?
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 21.04.2010, 14:08   #9
Snewi
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



ja sind ständig da wie gesagt auf allen Servern und Rechnern obwohl die Datei auch mal eine andere sein kann!
Ist denn vielleicht auch hier die Quelle des Wurms eine andere?

Gruß

Alt 21.04.2010, 14:32   #10
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Sieht stark nach einem Rootkit aus. Mach bitte nochmal ein Log mit OSAM und poste es. Mit einem Tool muss man es ja sehen
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 21.04.2010, 14:36   #11
Snewi
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Bekommst morgen früh! Bis morgen

Alt 22.04.2010, 07:58   #12
Snewi
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Hier mal das Log-File von einem anderen Client mit gleicher Viren Meldung:

Nur hier heisst die Datei C:\Windows\System32\dlzlnti.ar
und C:\Windows\Tasks\At1.job

Log-File Osam:

Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 08:21:54 on 22.04.2010

OS: Windows XP Professional Service Pack 2 (Build 2600)
Default Browser: Unable to get information

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"WGASetup.job" - "Microsoft Corporation" - C:\WINDOWS\system32\KB905474\wgasetup.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"BACSCPL.cpl" - ? - C:\WINDOWS\system32\BACSCPL.cpl
"jpicpl32.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\jpicpl32.cpl
"pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl (File found, but it contains no detailed information)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"AC3 Filter" - ? - D:\Programme\TTPack\AC3\ac3filter.cpl
"QuickTime" - "Apple Computer, Inc." - D:\Programme\TTPack\QTLite\QuickTime.cpl
"SYMLIVE" - "Symantec Corporation" - C:\Programme\Symantec\LiveUpdate\S32LUCP1.CPL

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ACEDRV07" (ACEDRV07) - "Protect Software GmbH" - C:\WINDOWS\system32\drivers\ACEDRV07.sys
"Acronis Snapshots Manager" (snapman) - "Acronis" - C:\WINDOWS\System32\DRIVERS\snapman.sys
"Acronis TrueImage Backup Archive Explorer" (timounter) - "Acronis" - C:\WINDOWS\System32\DRIVERS\timntr.sys
"Acronis TrueImage FS Filter" (tifsfilter) - "Acronis" - C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
"AVM Bluetooth Audio Driver" (AVMBTSND) - "AVM GmbH" - C:\WINDOWS\System32\drivers\avmbtsnd.sys
"AVM Bluetooth CAPI-Controller" (CAPI_CIP) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\capi_cip.sys
"AVM Bluetooth Druckeranschluss" (AVMBTPARALLEL) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmbtpar.sys
"AVM Bluetooth Kommunikationsanschluss" (AVMBTSERIAL) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmbtser.sys
"AVM Bluetooth Netzwerkadapter" (NETBFPAN) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\netbfpan.sys
"AVM ISDN CoNDIS WAN CAPI Treiber" (AVMCOWAN) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmcowan.sys
"awecho" (awecho) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\awechomd.sys
"awlegacy" (awlegacy) - "Symantec Corporation" - C:\WINDOWS\System32\Drivers\awlegacy.sys
"AW_HOST" (AW_HOST) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\aw_host5.sys
"BlueFRITZ! USB 2.5(WinXP/2000)" (bfhubase) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\bfhubase.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"Gernuwa" (Gernuwa) - "Symantec Corporation" - C:\WINDOWS\system32\drivers\Gernuwa.sys
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found)
"Nokia USB Generic" (Nokia USB Generic) - ? - C:\WINDOWS\System32\drivers\nmwcdc.sys (File not found)
"Nokia USB Modem" (Nokia USB Modem) - ? - C:\WINDOWS\System32\drivers\nmwcdcm.sys (File not found)
"Nokia USB Phone Parent" (Nokia USB Phone Parent) - ? - C:\WINDOWS\System32\drivers\nmwcd.sys (File not found)
"Nokia USB Port" (Nokia USB Port) - ? - C:\WINDOWS\System32\drivers\nmwcdcj.sys (File not found)
"Nsynas32" (Nsynas32) - "Syncrosoft Hard- und Software GmbH" - C:\WINDOWS\system32\drivers\Nsynas32.sys
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"Secdrv" (Secdrv) - ? - C:\WINDOWS\System32\DRIVERS\secdrv.sys (File signed by Microsoft | File found, but it contains no detailed information)
"SymEvent" (SymEvent) - "Symantec Corporation" - C:\Programme\Symantec\SYMEVENT.SYS
"SynasUSB" (SynasUSB) - "SIA Syncrosoft" - C:\WINDOWS\System32\drivers\SynasUSB.sys
"tmcomm" (tmcomm) - "Trend Micro Inc." - C:\WINDOWS\system32\drivers\tmcomm.sys
"Trend Micro Filter" (TmFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmXPFlt.sys
"Trend Micro PreFilter" (TmPreFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmPreFlt.sys
"Trend Micro VSAPI NT" (VSApiNt) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\VSApiNt.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll
{CD00020A-8B95-11D1-82DB-00C04FB1625D} "Microsoft PKM KnowledgePluggable Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\pkmcdo.dll
{9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} "Quest RevNet Protocol" - ? - C:\PROGRA~1\QUESTS~1\SQLNAV~1\RNetPin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - D:\Programme\7-Zip\7-zip.dll
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "Acrobat Elements Context Menu" - "Adobe Systems Inc." - D:\Programme\Adobe Acrobat\Acrobat Elements\ContextMenu.dll
{D66DC78C-4F61-447F-942B-3FB6980118CF} "CInfoTipShellExt Class" - "Microsoft Corporation" - D:\Programme\Microsoft Office\Visio10\VisShe.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found)
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found)
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} "ImageExtractorShellExt Class" - "Microsoft Corporation" - D:\Programme\Microsoft Office\Visio10\VisShe.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - D:\Programme\Microsoft Office\OFFICE11\msohev.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL
{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - D:\Nero\Nero 9\Nero CoverDesigner\CoverEdExtension.dll
{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL
{E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
InCDShellExt extension "{CAE3251E-9B15-4810-B268-852AD9792A59}" - ? - (File not found | COM-object registry key not found)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
<binary data> "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{4FDF3696-5078-4952-868C-CEEB9683B8C4} "DownloadFile Control" - ? - C:\WINDOWS\DOWNLO~1\Download.ocx / hxxp://192.168.10.31/cab/DownloadFile.cab
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} "Java Plug-in 1.5.0" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / https://st-entw1:2607/jre-1_5_0_06-windows-i586-p.exe
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{7D30109B-DD2B-4339-BE80-1CD48723C2BC} "LiveX(v6.0.1.0)" - ? - C:\WINDOWS\DOWNLO~1\LiveX.ocx / hxxp://192.168.10.31/cab/Live.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{182EC0BE-5110-49C8-A062-BEB1D02A220B} "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "ClsidExtension" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
"Knowledge Base" - ? - hxxp://support.microsoft.com/ (HTTP value)
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
<binary data> "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{AE7CD045-E861-484f-8273-0445EE161910} "AcroIEToolbarHelper Class" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{56CF4856-ECB4-4e46-A897-A378821F97B9} "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "SSVHelper Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

[LSA Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )-----
"Authentication packages" - "Acronis" - C:\WINDOWS\system32\relog_ap.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Acrobat - Schnellstart.lnk" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\acrobat_sl.exe (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\schoenea.STW\Startmenü\Programme\Autostart\desktop.ini
"Microsoft Office Outlook 2003.lnk" - "Microsoft Corporation" - D:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"SpybotSD TeaTimer" - "Safer Networking Limited" - D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Acrobat Assistant 7.0" - "Adobe Systems Inc." - "D:\Programme\Adobe Acrobat\Distillr\Acrotray.exe"
"Acronis Scheduler2 Service" - "Acronis" - "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
"bgsmsnd.exe" - "Broadgun Software" - C:\WINDOWS\system32\bgsmsnd.exe
"OfficeScanNT Monitor" - "Trend Micro Inc." - "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
"OSSelectorReinstall" - ? - C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe (File found, but it contains no detailed information)
"Pfannenupdate" - "Georgsmarienhuette GmbH" - c:\Programme\PFANNEN\Pfannen_Update.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
"TrueImageMonitor.exe" - "Acronis" - D:\Programme\Acronis\True Image 9.0\TrueImageMonitor.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Adobe PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\system32\AdobePDF.dll
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"pcAnywhere Remote Printing" - "Symantec Corporation" - C:\WINDOWS\system32\awmon.dll
"PDF Port Monitor" - ? - C:\WINDOWS\system32\bgspmnt.dll (File found, but it contains no detailed information)

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Acronis Scheduler2 Service" (AcrSch2Svc) - "Acronis" - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
"Adobe LM Service" (Adobe LM Service) - "Adobe Systems" - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Machine Debug Manager" (MDM) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
"Nero BackItUp Scheduler 4.0" (Nero BackItUp Scheduler 4.0) - "Nero AG" - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
"NMSAccessU" (NMSAccessU) - ? - D:\Programme\CDBurnerXP\NMSAccessU.exe (File found, but it contains no detailed information)
"NWC Service" (NWC_Service) - ? - C:\NWC\NWC_SERVICE.EXE (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"OfficeScan NT Listener" (tmlisten) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
"OfficeScan NT Proxy Service" (TmProxy) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe
"OfficeScanNT RealTime Scan" (ntrtscan) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
"pcAnywhere Host-Modul" (awhost32) - "Symantec Corporation" - D:\Programme\Symantec\PCAnywhere\awhost32.exe
"Pml Driver HPZ12" (Pml Driver HPZ12) - "Hewlett-Packard" - C:\WINDOWS\system32\hpzipm12.dll
"Server Support" (hwvzw) - ? - C:\Programme\Movie Maker\dlzlnti.dll (File not found)
"Shell Server" (eifqcaunr) - ? - C:\WINDOWS\system32\dlzlnti.dll (File not found)
"SolidWorks Licensing Service" (SolidWorks Licensing Service) - "SolidWorks" - C:\Programme\Gemeinsame Dateien\SolidWorks Shared\Service\SolidWorksLicensing.exe
"SQL Server (SQLEXPRESS)" (MSSQL$SQLEXPRESS) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"PCANotify" - "Symantec Corporation" - C:\WINDOWS\system32\PCANotify.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Alt 22.04.2010, 08:34   #13
cosinus
/// Winkelfunktion
/// TB-Süch-Tiger™
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Im OSAM-Log seh ich das unter Abschnitt [services]

Code:
ATTFilter
"Server Support" (hwvzw) - ? - C:\Programme\Movie Maker\dlzlnti.dll (File not found)
"Shell Server" (eifqcaunr) - ? - C:\WINDOWS\system32\dlzlnti.dll (File not found)
         
Geh mal nach der OSAM Anleitung vor, um diese Einträge zu fixen.
Versuch erstmal nur die Einträge zu deaktivieren, damit man die Dateien mit ständig wechselnden Namen nochmal bei Virustotal auswerten könnte.

Analog kannst Du auch mit den anderen Rechnern vorgehen bzgl fixen der Einträge mit OSAM.
__________________
Logfiles bitte immer in CODE-Tags posten

Alt 22.04.2010, 09:32   #14
Snewi
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Hallo,

also bin jetzt mal nach Anleitung vorgegangen und es kommt immoment keine Meldung mehr auf dem Client! Das geliche habe ich auf einem Server gemacht (Entwicklungsserver) und es kommt immer noch der Eintrag:

C:\Windows\System32\udtyjy.rjb
und C:\Windows\Tasks\At1.job

Hier mal das Log:
Report of OSAM: Autorun Manager v5.0.11926.0
hxxp://www.online-solutions.ru/en/
Saved at 10:28:51 on 22.04.2010

OS: Windows Server 2003, Standard Edition Service Pack 2 (Build 3790)
Default Browser: Microsoft Corporation Internet Explorer 6.00.3790.3959

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"SGStoerMail.job" - "Georgsmarienhütte GmbH" - C:\Programme\GMH\SGStoerMail\SGStoerMail.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"nvcpl.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvcpl.cpl
"nvtuicpl.cpl" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvtuicpl.cpl
"S7epaepx.cpl" - "SIEMENS AG" - C:\WINDOWS\system32\S7epaepx.cpl
"S7EPATDX.CPL" - "SIEMENS AG" - C:\WINDOWS\system32\S7EPATDX.CPL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"SYMLIVE" - "Symantec Corporation" - C:\Programme\Symantec\LiveUpdate\S32LUCP1.CPL

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ASPI32" (ASPI32) - "Adaptec" - C:\WINDOWS\system32\drivers\ASPI32.sys
"awecho" (awecho) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\awechomd.sys
"awlegacy" (awlegacy) - "Symantec Corporation" - C:\WINDOWS\System32\Drivers\awlegacy.sys
"AW_HOST" (AW_HOST) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\aw_host5.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"Dpmtrcdd" (Dpmtrcdd) - "Siemens AG" - C:\WINDOWS\System32\DRIVERS\dpmtrcdd.sys
"Gernuwa" (Gernuwa) - "Symantec Corporation" - C:\WINDOWS\system32\drivers\Gernuwa.sys
"hltov" (hltov) - ? - C:\WINDOWS\system32\01.tmp (File not found)
"i2omgmt" (i2omgmt) - ? - C:\WINDOWS\system32\drivers\i2omgmt.sys (File not found)
"IP/IP-Tunneltreiber" (IpInIp) - ? - C:\WINDOWS\System32\DRIVERS\ipinip.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"PROFINET IO RT-Protocol" (s7snsrtx) - ? - C:\WINDOWS\System32\DRIVERS\s7snsrtx.sys
"s7otranx" (s7otranx) - "SIEMENS AG" - C:\WINDOWS\System32\Drivers\s7otranx.sys
"scpdrv" (scpdrv) - ? - C:\Programme\Gemeinsame Dateien\Siemens\SWS\PlugIns\SCP\scpdrv.sys (File found, but it contains no detailed information)
"SIMATIC Industrial Ethernet (ISO)" (SNTIE) - "Siemens AG" - C:\WINDOWS\System32\DRIVERS\sntie.sys
"SymEvent" (SymEvent) - "Symantec Corporation" - C:\Programme\Symantec\SYMEVENT.SYS
"System Management Driver" (dcdbas) - ? - C:\WINDOWS\System32\DRIVERS\dcdbas32.sys (File not found)
"tmcomm" (tmcomm) - "Trend Micro Inc." - C:\WINDOWS\system32\drivers\tmcomm.sys
"Trend Micro Filter" (TmFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmXPFlt.sys
"Trend Micro PreFilter" (TmPreFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmPreFlt.sys
"Trend Micro VSAPI NT" (VSApiNt) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\VSApiNt.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} "Quest RevNet Protocol" - ? - D:\QUESTS~1\SQLNAV~1\RNetPin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{1CDB2949-8F65-4355-8456-263E7C208A5D} "Desktop Explorer" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} "Desktop Explorer Menu" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{D545EBD1-BD92-11CF-8772-00A0C9039735} "Developer Studio Components" - "Microsoft Corporation" - D:\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
{88895560-9AA2-1069-930E-00AA0030EBC8} "Erweiterung für HyperTerminal-Icons" - ? - hticons.dll (File not found)
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - C:\Programme\Microsoft Office\OFFICE11\msohev.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} "nView Desktop Context Menu" - "NVIDIA Corporation" - C:\WINDOWS\system32\nvshell.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL
{6B19FEC2-A45B-11CF-9045-00A0C9039735} "Registered ActiveX Controls" - "Microsoft Corporation" - D:\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{59B0F512-BD54-46f7-A872-039788A3A5AD} "Simatic Shell" - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\Bin\CCShellExtention.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Webordner" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "AcroIEHlprObj Class" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[Known DLLs]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs )-----
"wow64" - ? - C:\WINDOWS\system32\wow64.dll (File not found)
"wow64cpu" - ? - C:\WINDOWS\system32\wow64cpu.dll (File not found)
"wow64win" - ? - C:\WINDOWS\system32\wow64win.dll (File not found)

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Reader Speed Launch.lnk" - "Adobe Systems Incorporated" - C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
"Komponenten Konfigurator.lnk" - "Siemens AG" - C:\Programme\Gemeinsame Dateien\Siemens\S7wnsmsx\s7wnsmgx.exe (Shortcut exists | File exists)
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\Administrator.STW\Startmenü\Programme\Autostart\desktop.ini
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"FreePDF Assistant" - "shbox.de" - C:\Programme\FreePDF_XP\fpassist.exe
"Kill_Old_SimaticNet_Setup" - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\SimNetCom\_koss
"nwiz" - "NVIDIA Corporation" - nwiz.exe /install
"OfficeScanNT Monitor" - "Trend Micro Inc." - "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
"simpcmon" - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bincfg\_simpcmon.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"HP Standard TCP/IP Port" - "Hewlett Packard" - C:\WINDOWS\system32\HpTcpMon.dll
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"pcAnywhere Remote Printing" - "Symantec Corporation" - C:\WINDOWS\system32\awmon.dll
"Redirected Port" - ? - C:\WINDOWS\system32\redmonnt.dll (File found, but it contains no detailed information)

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Automation License Manager Service" (almservice) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\sws\almsrv\almsrvx.exe
"CCAgent" (CCAgent) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\bin\CCAgent.exe
"CCEClient" (CCEClient) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\bin\CCEClient.exe
"CCEServer" (CCEServer) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\ACE\bin\CCEServer.exe
"Crystal Query Server" (Crystal Query Server) - ? - C:\Programme\Seagate Software\Query Server\querysrv.exe
"Meinberg Time Adjustment" (MbgAdjTm) - "Meinberg Funkuhren GmbH & Co. KG, Bad Pyrmont, Germany" - C:\WINDOWS\system32\mbgadjtm.exe
"MySQL" (MySQL) - ? - C:\Programme\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe (File found, but it contains no detailed information)
"Network Time Protocol Daemon" (NTP) - ? - C:\Programme\NTP\bin\ntpd.exe (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"OfficeScan NT Listener" (tmlisten) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
"OfficeScan NT Proxy Service" (TmProxy) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe
"OfficeScanNT RealTime Scan" (ntrtscan) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
"OpcEnum" (OpcEnum) - "OPC Foundation" - c:\windows\system32\OpcEnum.exe
"OracleDBConsolepfentw" (OracleDBConsolepfentw) - "Oracle Corporation" - D:\oracle\product\10.2.0\db_1\bin\nmesrvc.exe
"OracleMTSRecoveryService" (OracleMTSRecoveryService) - "Oracle Corporation" - D:\OraHome_9\bin\omtsreco.exe
"OracleOraDb10g_home1iSQL*Plus" (OracleOraDb10g_home1iSQL*Plus) - "Oracle" - D:\oracle\product\10.2.0\db_1\bin\isqlplussvc.exe
"OracleOraDb10g_home1TNSListener" (OracleOraDb10g_home1TNSListener) - ? - D:\oracle\product\10.2.0\db_1\BIN\TNSLSNR.exe (File found, but it contains no detailed information)
"OracleServicePFENTW" (OracleServicePFENTW) - "Oracle Corporation" - d:\oracle\product\10.2.0\db_1\bin\ORACLE.EXE
"pcAnywhere Host-Modul" (awhost32) - "Symantec Corporation" - C:\Programme\Symantec\pcAnywhere\awhost32.exe
"S7 Global Services" (s7asysvx) - "SIEMENS AG" - C:\Programme\SIEMENS\SIMATIC.NCM\S7bin\s7asysvx.exe
"SIMATIC IEPG Help Service" (s7oiehsx) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\S7IEPG\s7oiehsx.exe
"SIMATIC NET Configuration Server" (SIMATIC NET Configuration Server) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bincfg\scorecfg.exe
"SIMATIC NET Configuration Service" (SIMATIC NET Configuration Service) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bincfg\SServCFG.exe
"SIMATIC NET Core Server DP" (SIMATIC NET Core Server DP) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bindp\scoredp.exe
"SIMATIC NET Core Server DP2" (SIMATIC NET Core Server DP2) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\bindp2\scoredp2.exe
"SIMATIC NET Core Server FDL" (SIMATIC NET Core Server FDL) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binfdl\scorefdl.exe
"SIMATIC NET Core Server FMS" (SIMATIC NET Core Server FMS) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binfms\scorefms.exe
"SIMATIC NET Core Server PD" (SIMATIC NET Core Server PD) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binpd\scorepd.exe
"SIMATIC NET Core Server PROFINET CbA" (SIMATIC NET Core Server PROFINET CbA) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binPN\scorepn.exe
"SIMATIC NET Core Server PROFINET IO" (SIMATIC NET Core Server PROFINET IO) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binpnio\scorepnio.exe
"SIMATIC NET Core Server S7" (SIMATIC NET Core Server S7) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binS7\SCoreS7.exe
"SIMATIC NET Core Server SNMP" (SIMATIC NET Core Server SNMP) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binSNMP\scoresnmp.exe
"SIMATIC NET Core Server SR" (SIMATIC NET Core Server SR) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\opc2\binsr\scoresr.exe
"SIMATIC NET P&P Manager" (SIMATIC NET P&P Manager) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\SimNetCom\simnetpnpman.exe
"SIMATIC NET Route Manager" (SIMATIC NET RouteManager) - "SIEMENS AG" - C:\Programme\Gemeinsame Dateien\Siemens\s7wnrmsx\s7wnrmsx.exe
"SIMATIC NET Station-Manager" (StatMgr) - "Siemens AG" - C:\Programme\Gemeinsame Dateien\Siemens\s7wnsmsx\s7wnsmsx.exe
"SIMATIC NET Synchronization Service" (sim9sync) - "Siemens AG" - C:\Programme\SIEMENS\SIMATIC.NET\SimNetCom\sim9sync.exe
"SQL Server (MSSQLSERVER)" (MSSQLSERVER) - "Microsoft Corporation" - C:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - C:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe
"Visual Studio Analyzer RPC bridge" (Visual Studio Analyzer RPC bridge) - "Microsoft Corporation" - D:\Microsoft Visual Studio\Common\Tools\VS-Ent98\Vanalyzr\varpc.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
"MVB" - ? - mvfs32.dll (File not found)
(Disabled) "MVB" - ? - mvfs32.dll (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"AtiExtEvent" - ? - Ati2evxx.dll (File not found)
"PCANotify" - "Symantec Corporation" - C:\WINDOWS\system32\PCANotify.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit hxxp://forum.online-solutions.ru

Alt 22.04.2010, 09:50   #15
Snewi
 
Worm_downad.ad ? - Standard

Worm_downad.ad ?



Alles zurück der Client gibt wieder die Virenmeldung aus :-( So ein Mist hier nochmal das aktuelle Log:

Report of OSAM: Autorun Manager v5.0.11926.0
Online Solutions. Complex Protection for Information Systems
Saved at 10:41:17 on 22.04.2010

OS: Windows XP Professional Service Pack 2 (Build 2600)
Default Browser: Unable to get information

Scanner Settings
[x] Rootkits detection (hidden registry)
[x] Rootkits detection (hidden files)
[x] Retrieve files information
[x] Check Microsoft signatures

Filters
[ ] Trusted entries
[ ] Empty entries
[x] Hidden registry entries (rootkit activity)
[x] Exclusively opened files
[x] Not found files
[x] Files without detailed information
[x] Existing files
[ ] Non-startable services
[ ] Non-startable drivers
[x] Active entries
[x] Disabled entries


[Common]
-----( %SystemRoot%\Tasks )-----
"WGASetup.job" - "Microsoft Corporation" - C:\WINDOWS\system32\KB905474\wgasetup.exe

[Control Panel Objects]
-----( %SystemRoot%\system32 )-----
"BACSCPL.cpl" - ? - C:\WINDOWS\system32\BACSCPL.cpl
"jpicpl32.cpl" - "Sun Microsystems, Inc." - C:\WINDOWS\system32\jpicpl32.cpl
"pmxusb.cpl" - ? - C:\WINDOWS\system32\pmxusb.cpl (File found, but it contains no detailed information)
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls )-----
"AC3 Filter" - ? - D:\Programme\TTPack\AC3\ac3filter.cpl
"QuickTime" - "Apple Computer, Inc." - D:\Programme\TTPack\QTLite\QuickTime.cpl
"SYMLIVE" - "Symantec Corporation" - C:\Programme\Symantec\LiveUpdate\S32LUCP1.CPL

[Drivers]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
"ACEDRV07" (ACEDRV07) - "Protect Software GmbH" - C:\WINDOWS\system32\drivers\ACEDRV07.sys
"Acronis Snapshots Manager" (snapman) - "Acronis" - C:\WINDOWS\System32\DRIVERS\snapman.sys
"Acronis TrueImage Backup Archive Explorer" (timounter) - "Acronis" - C:\WINDOWS\System32\DRIVERS\timntr.sys
"Acronis TrueImage FS Filter" (tifsfilter) - "Acronis" - C:\WINDOWS\System32\DRIVERS\tifsfilt.sys
"AVM Bluetooth Audio Driver" (AVMBTSND) - "AVM GmbH" - C:\WINDOWS\System32\drivers\avmbtsnd.sys
"AVM Bluetooth CAPI-Controller" (CAPI_CIP) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\capi_cip.sys
"AVM Bluetooth Druckeranschluss" (AVMBTPARALLEL) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmbtpar.sys
"AVM Bluetooth Kommunikationsanschluss" (AVMBTSERIAL) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmbtser.sys
"AVM Bluetooth Netzwerkadapter" (NETBFPAN) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\netbfpan.sys
"AVM ISDN CoNDIS WAN CAPI Treiber" (AVMCOWAN) - "AVM GmbH" - C:\WINDOWS\System32\DRIVERS\avmcowan.sys
"awecho" (awecho) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\awechomd.sys
"awlegacy" (awlegacy) - "Symantec Corporation" - C:\WINDOWS\System32\Drivers\awlegacy.sys
"AW_HOST" (AW_HOST) - "Symantec Corporation" - C:\WINDOWS\System32\drivers\aw_host5.sys
"BlueFRITZ! USB 2.5(WinXP/2000)" (bfhubase) - "AVM Berlin" - C:\WINDOWS\System32\DRIVERS\bfhubase.sys
"Changer" (Changer) - ? - C:\WINDOWS\system32\drivers\Changer.sys (File not found)
"Gernuwa" (Gernuwa) - "Symantec Corporation" - C:\WINDOWS\system32\drivers\Gernuwa.sys
"lbrtfdc" (lbrtfdc) - ? - C:\WINDOWS\system32\drivers\lbrtfdc.sys (File not found)
"Nokia USB Generic" (Nokia USB Generic) - ? - C:\WINDOWS\System32\drivers\nmwcdc.sys (File not found)
"Nokia USB Modem" (Nokia USB Modem) - ? - C:\WINDOWS\System32\drivers\nmwcdcm.sys (File not found)
"Nokia USB Phone Parent" (Nokia USB Phone Parent) - ? - C:\WINDOWS\System32\drivers\nmwcd.sys (File not found)
"Nokia USB Port" (Nokia USB Port) - ? - C:\WINDOWS\System32\drivers\nmwcdcj.sys (File not found)
"Nsynas32" (Nsynas32) - "Syncrosoft Hard- und Software GmbH" - C:\WINDOWS\system32\drivers\Nsynas32.sys
"PCIDump" (PCIDump) - ? - C:\WINDOWS\system32\drivers\PCIDump.sys (File not found)
"PDCOMP" (PDCOMP) - ? - C:\WINDOWS\system32\drivers\PDCOMP.sys (File not found)
"PDFRAME" (PDFRAME) - ? - C:\WINDOWS\system32\drivers\PDFRAME.sys (File not found)
"PDRELI" (PDRELI) - ? - C:\WINDOWS\system32\drivers\PDRELI.sys (File not found)
"PDRFRAME" (PDRFRAME) - ? - C:\WINDOWS\system32\drivers\PDRFRAME.sys (File not found)
"Secdrv" (Secdrv) - ? - C:\WINDOWS\System32\DRIVERS\secdrv.sys (File signed by Microsoft | File found, but it contains no detailed information)
"SymEvent" (SymEvent) - "Symantec Corporation" - C:\Programme\Symantec\SYMEVENT.SYS
"SynasUSB" (SynasUSB) - "SIA Syncrosoft" - C:\WINDOWS\System32\drivers\SynasUSB.sys
"tmcomm" (tmcomm) - "Trend Micro Inc." - C:\WINDOWS\system32\drivers\tmcomm.sys
"Trend Micro Filter" (TmFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmXPFlt.sys
"Trend Micro PreFilter" (TmPreFilter) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmPreFlt.sys
"Trend Micro VSAPI NT" (VSApiNt) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\VSApiNt.sys
"WDICA" (WDICA) - ? - C:\WINDOWS\system32\drivers\WDICA.sys (File not found)

[Explorer]
-----( HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components )-----
{89B4C1CD-B018-4511-B0A1-5476DBF70820} "StubPath" - "Microsoft Corporation" - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
-----( HKLM\Software\Classes\Folder\shellex\ColumnHandlers )-----
{7D4D6379-F301-4311-BEBA-E26EB0561882} "NeroDigitalColumnHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{F9DB5320-233E-11D1-9F84-707F02C10627} "PDF Shell Extension" - "Adobe Systems, Inc." - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll
-----( HKLM\Software\Classes\Protocols\Filter )-----
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{1E66F26B-79EE-11D2-8710-00C04F79ED0D} "Cor MIME Filter, CorFltr, CorFltr 1" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{807553E5-5146-11D5-A672-00B0D022E945} "text/xml" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
-----( HKLM\Software\Classes\Protocols\Handler )-----
{32505114-5902-49B2-880A-1F7738E5A384} "Data Page Plugable Protocal mso-offdap11 Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
{3D9F03FA-7A94-11D3-BE81-0050048385D1} "Data Page Pluggable Protocol mso-offdap Handler" - "Microsoft Corporation" - C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
{314111c7-a502-11d2-bbca-00c04f8ec294} "HxProtocol Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll
{0A9007C0-4076-11D3-8789-0000F8105754} "Microsoft Infotech Storage Protocol for IE 4.0" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Information Retrieval\msitss.dll
{CD00020A-8B95-11D1-82DB-00C04FB1625D} "Microsoft PKM KnowledgePluggable Class" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\pkmcdo.dll
{9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} "Quest RevNet Protocol" - ? - C:\PROGRA~1\QUESTS~1\SQLNAV~1\RNetPin.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved )-----
{23170F69-40C1-278A-1000-000100020000} "7-Zip Shell Extension" - "Igor Pavlov" - D:\Programme\7-Zip\7-zip.dll
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} "Acrobat Elements Context Menu" - "Adobe Systems Inc." - D:\Programme\Adobe Acrobat\Acrobat Elements\ContextMenu.dll
{D66DC78C-4F61-447F-942B-3FB6980118CF} "CInfoTipShellExt Class" - "Microsoft Corporation" - D:\Programme\Microsoft Office\Visio10\VisShe.dll
{42071714-76d4-11d1-8b24-00a0c9068ff3} "CPL-Erweiterung für Anzeigeverschiebung" - ? - deskpan.dll (File not found)
{1D2680C9-0E2A-469d-B787-065558BC7D43} "Fusion Cache" - "Microsoft Corporation" - C:\WINDOWS\system32\mscoree.dll
{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} "IE User Assist" - ? - (File not found | COM-object registry key not found)
{506F4668-F13E-4AA1-BB04-B43203AB3CC0} "ImageExtractorShellExt Class" - "Microsoft Corporation" - D:\Programme\Microsoft Office\Visio10\VisShe.dll
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "Kontextmenü für die Verschlüsselung" - ? - (File not found | COM-object registry key not found)
{42042206-2D85-11D3-8CFF-005004838597} "Microsoft Office HTML Icon Handler" - "Microsoft Corporation" - D:\Programme\Microsoft Office\OFFICE11\msohev.dll
{00020D75-0000-0000-C000-000000000046} "Microsoft Office Outlook" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL
{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2} "NeroCoverEdLiveIcons Class" - "Nero AG" - D:\Nero\Nero 9\Nero CoverDesigner\CoverEdExtension.dll
{B327765E-D724-4347-8B16-78AE18552FC3} "NeroDigitalIconHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{7F1CF152-04F8-453A-B34C-E609530A9DC8} "NeroDigitalPropSheetHandler Class" - "Nero AG" - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll
{0006F045-0000-0000-C000-000000000046} "Outlook-Dateisymbolerweiterung" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL
{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} "Shell Icon Handler for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{764BF0E1-F219-11ce-972D-00AA00A14F56} "Shellerweiterungen für die Dateikomprimierung" - ? - (File not found | COM-object registry key not found)
{e82a2d71-5b2f-43a0-97b8-81be15854de8} "ShellLink for Application References" - "Microsoft Corporation" - C:\WINDOWS\system32\dfshim.dll
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} "Web Folders" - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Web Folders\MSONSEXT.DLL
{E0D79304-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79305-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79306-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
{E0D79307-84BE-11CE-9641-444553540000} "WinZip" - "WinZip Computing, Inc." - D:\PROGRA~1\WINZIP\WZSHLSTB.DLL
InCDShellExt extension "{CAE3251E-9B15-4810-B268-852AD9792A59}" - ? - (File not found | COM-object registry key not found)

[Internet Explorer]
-----( HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
ITBar7Height "ITBar7Height" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBar7Layout" - ? - (File not found | COM-object registry key not found)
<binary data> "ITBarLayout" - ? - (File not found | COM-object registry key not found)
<binary data> "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
-----( HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units )-----
{4FDF3696-5078-4952-868C-CEEB9683B8C4} "DownloadFile Control" - ? - C:\WINDOWS\DOWNLO~1\Download.ocx / hxxp://192.168.10.31/cab/DownloadFile.cab
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} "Java Plug-in 1.5.0" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0\bin\npjpi150.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / https://st-entw1:2607/jre-1_5_0_06-windows-i586-p.exe
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} "Java Plug-in 1.5.0_06" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll / hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
{7D30109B-DD2B-4339-BE80-1CD48723C2BC} "LiveX(v6.0.1.0)" - ? - C:\WINDOWS\DOWNLO~1\LiveX.ocx / hxxp://192.168.10.31/cab/Live.cab
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars )-----
{182EC0BE-5110-49C8-A062-BEB1D02A220B} "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions )-----
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} "ClsidExtension" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\npjpi150_06.dll
"Knowledge Base" - ? - Microsoft Support (HTTP value)
{FF059E31-CC5A-4E2E-BF3B-96E929D65503} "Recherchieren" - "Microsoft Corporation" - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
-----( HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar )-----
<binary data> "Adobe PDF" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
<binary data> "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects )-----
{AE7CD045-E861-484f-8273-0445EE161910} "AcroIEToolbarHelper Class" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\AcroIEFavClient.dll
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} "Adobe PDF Link Helper" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} "Adobe PDF Reader" - "Adobe Systems Incorporated" - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
{56CF4856-ECB4-4e46-A897-A378821F97B9} "pdfMachine" - "Broadgun Software" - C:\WINDOWS\system32\bgstb.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} "SSVHelper Class" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll

[LSA Providers]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Lsa )-----
"Authentication packages" - "Acronis" - C:\WINDOWS\system32\relog_ap.dll

[Logon]
-----( %AllUsersProfile%\Startmenü\Programme\Autostart )-----
"Adobe Acrobat - Schnellstart.lnk" - "Adobe Systems Incorporated" - D:\Programme\Adobe Acrobat\Acrobat\acrobat_sl.exe (Shortcut exists | File exists)
"desktop.ini" - ? - C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
-----( %UserProfile%\Startmenü\Programme\Autostart )-----
"desktop.ini" - ? - C:\Dokumente und Einstellungen\schoenea.STW\Startmenü\Programme\Autostart\desktop.ini
"Microsoft Office Outlook 2003.lnk" - "Microsoft Corporation" - D:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE (Shortcut exists | File exists)
-----( HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run )-----
"SpybotSD TeaTimer" - "Safer Networking Limited" - D:\Programme\Spybot - Search & Destroy\TeaTimer.exe
-----( HKLM\Software\Microsoft\Windows\CurrentVersion\Run )-----
"Acrobat Assistant 7.0" - "Adobe Systems Inc." - "D:\Programme\Adobe Acrobat\Distillr\Acrotray.exe"
"Acronis Scheduler2 Service" - "Acronis" - "C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"
"bgsmsnd.exe" - "Broadgun Software" - C:\WINDOWS\system32\bgsmsnd.exe
"OfficeScanNT Monitor" - "Trend Micro Inc." - "C:\Programme\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
"OSSelectorReinstall" - ? - C:\Programme\Gemeinsame Dateien\Acronis\Acronis Disk Director\oss_reinstall.exe (File found, but it contains no detailed information)
"Pfannenupdate" - "Georgsmarienhuette GmbH" - c:\Programme\PFANNEN\Pfannen_Update.exe
"SunJavaUpdateSched" - "Sun Microsystems, Inc." - C:\Programme\Java\jre1.5.0_06\bin\jusched.exe
"TrueImageMonitor.exe" - "Acronis" - D:\Programme\Acronis\True Image 9.0\TrueImageMonitor.exe

[Print Monitors]
-----( HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors )-----
"Adobe PDF Port" - "Adobe Systems Incorporated." - C:\WINDOWS\system32\AdobePDF.dll
"Microsoft Document Imaging Writer Monitor" - "Microsoft Corporation" - C:\WINDOWS\system32\mdimon.dll
"pcAnywhere Remote Printing" - "Symantec Corporation" - C:\WINDOWS\system32\awmon.dll
"PDF Port Monitor" - ? - C:\WINDOWS\system32\bgspmnt.dll (File found, but it contains no detailed information)

[Services]
-----( HKLM\SYSTEM\CurrentControlSet\Services )-----
".NET Runtime Optimization Service v2.0.50727_X86" (clr_optimization_v2.0.50727_32) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
"Acronis Scheduler2 Service" (AcrSch2Svc) - "Acronis" - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
"Adobe LM Service" (Adobe LM Service) - "Adobe Systems" - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
"ASP.NET State Service" (aspnet_state) - "Microsoft Corporation" - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
"Machine Debug Manager" (MDM) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
"Nero BackItUp Scheduler 4.0" (Nero BackItUp Scheduler 4.0) - "Nero AG" - C:\Programme\Gemeinsame Dateien\Nero\Nero BackItUp 4\NBService.exe
"NMSAccessU" (NMSAccessU) - ? - D:\Programme\CDBurnerXP\NMSAccessU.exe (File found, but it contains no detailed information)
"NWC Service" (NWC_Service) - ? - C:\NWC\NWC_SERVICE.EXE (File found, but it contains no detailed information)
"Office Source Engine" (ose) - "Microsoft Corporation" - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Source Engine\OSE.EXE
"OfficeScan NT Listener" (tmlisten) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\tmlisten.exe
"OfficeScan NT Proxy Service" (TmProxy) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\TmProxy.exe
"OfficeScanNT RealTime Scan" (ntrtscan) - "Trend Micro Inc." - C:\Programme\Trend Micro\OfficeScan Client\ntrtscan.exe
"pcAnywhere Host-Modul" (awhost32) - "Symantec Corporation" - D:\Programme\Symantec\PCAnywhere\awhost32.exe
"Pml Driver HPZ12" (Pml Driver HPZ12) - "Hewlett-Packard" - C:\WINDOWS\system32\hpzipm12.dll
"SolidWorks Licensing Service" (SolidWorks Licensing Service) - "SolidWorks" - C:\Programme\Gemeinsame Dateien\SolidWorks Shared\Service\SolidWorksLicensing.exe
"SQL Server (SQLEXPRESS)" (MSSQL$SQLEXPRESS) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
"SQL Server VSS Writer" (SQLWriter) - "Microsoft Corporation" - c:\Programme\Microsoft SQL Server\90\Shared\sqlwriter.exe

[Winlogon]
-----( HKCU\Control Panel\IOProcs )-----
(Disabled) "MVB" - ? - mvfs32.dll (File not found)
-----( HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify )-----
"PCANotify" - "Symantec Corporation" - C:\WINDOWS\system32\PCANotify.dll

===[ Logfile end ]=========================================[ Logfile end ]===

If You have questions or want to get some help, You can visit Online Solutions :: Index


Was ist hier mit mvfs32.dll?

Gruß

Antwort

Themen zu Worm_downad.ad ?
alarm, befallen, bezüglich, c:\windows, einträge, entfernen, fehlermeldungen, hartnäckigen, hijack, hijackthis, malwarebytes, neuste, scan, scanner, schlägt, server, system, system32, systeme, tools, virenscan, virenscanner, windows, worm, wurm




Zum Thema Worm_downad.ad ? - Hallo, ich habe in unserem Netz einen sehr hartnäckigen Wurm der alle Server und Clients befallen hat! Ich nutze den Virenscanner TrendMicro OfficeScan! Dieser schlägt ständig Alarm mit den Einträgen: - Worm_downad.ad ?...
Archiv
Du betrachtest: Worm_downad.ad ? auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.