Zurück   Trojaner-Board > Malware entfernen > Log-Analyse und Auswertung

Log-Analyse und Auswertung: antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe

Windows 7 Wenn Du Dir einen Trojaner eingefangen hast oder ständig Viren Warnungen bekommst, kannst Du hier die Logs unserer Diagnose Tools zwecks Auswertung durch unsere Experten posten. Um Viren und Trojaner entfernen zu können, muss das infizierte System zuerst untersucht werden: Erste Schritte zur Hilfe. Beachte dass ein infiziertes System nicht vertrauenswürdig ist und bis zur vollständigen Entfernung der Malware nicht verwendet werden sollte.

Antwort
Alt 21.04.2010, 01:43   #1
Seepferd
 
antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe - Standard

antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe



Hallo! Mein Pc wurde heute von dem antimalware doctor trojaner heimgesucht. Mit HijackThis und Malwarebytes habe ich es geschafft, dass zumindest die nervigen Fakevirusmeldungen aufgehört haben. Mein Antivir zeigt mir aber alle paar Minuten die Meldung "Virus gefunden in C:\Windows\Temp\xxx.tmp\svchost.exe", wobei "xxx.tmp" für immer anders lautende *.tmp-Ordner steht. Ich klicke dann immer auf löschen, die Meldung kommt aber immer wieder. Zudem öffnen sich in unregelmäßigen Abständen irgendwelche Werbepopups im IE, obwohl ich den gar nicht nutze. Ich poste hier mal meine Hijackthis & Silentrunners Logfiles. Hoffentlich kann mir jemand helfen, ich wäre sehr dankbar dafür! Viele Grüße.

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:25:36, on 21.04.2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18444)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe
C:\Program Files\DellTPad\Apoint.exe
F:\Programme\Winamp\winampa.exe
C:\Program Files\Java\jre6\bin\jusched.exe
F:\Programme\Avira\AntiVir Desktop\avgnt.exe
F:\ProgrammeNero 10\Nero BackItUp\NBAgent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
F:\Programme\TVCenter\PMCLoader.exe
F:\Program Files\Pinnacle\Shared Files\Programs\StrmServer\StrmServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\wuauclt.exe
F:\Internet\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
F:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "F:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Programme\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NBAgent] "F:\ProgrammeNero 10\Nero BackItUp\NBAgent.exe" /WinStart
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PMCLoader] F:\Programme\TVCenter\PMCLoader.exe -checktasks
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Global Startup: Pinnacle Streaming Server.lnk = F:\Program Files\Pinnacle\Shared Files\Programs\StrmServer\StrmServer.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Internet\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Internet\ICQ6.5\ICQ.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\aestsrv.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - F:\Programme\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - F:\Programme\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - F:\Programme\ComputerBild\Ashampoo WinOptimizer 2010 CBE\Dfsdks.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 6718 bytes



Silent Runners:

"Silent Runners.vbs", revision 61, hxxp://www.silentrunners.org/
Operating System: Windows Vista SP1
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
"PMCRemote" = "(empty string)" [file not found]
"PMCLoader" = "F:\Programme\TVCenter\PMCLoader.exe -checktasks" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"SysTrayApp" = "C:\Program Files\IDT\WDM\sttray.exe"
"Broadcom Wireless Manager UI" = "C:\Windows\system32\WLTRAY.exe" ["Dell Inc."]
"Dell Webcam Central" = ""C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell.exe" /mode2" ["Creative Technology Ltd."]
"StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun" ["Advanced Micro Devices, Inc."]
"Apoint" = "C:\Program Files\DellTPad\Apoint.exe" ["Alps Electric Co., Ltd."]
"WinampAgent" = "F:\Programme\Winamp\winampa.exe" [null data]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"avgnt" = ""F:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"]
"Adobe Reader Speed Launcher" = ""F:\Programme\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"Adobe ARM" = ""C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"" ["Adobe Systems Incorporated"]
"NBAgent" = ""F:\ProgrammeNero 10\Nero BackItUp\NBAgent.exe" /WinStart" ["Nero AG"]
"LogMeIn Hamachi Ui" = ""C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start" ["LogMeIn Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
-> {HKLM...CLSID} = "Adobe PDF Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll" ["Google Inc."]

{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Programme\WinRAR\rarext.dll" ["Alexander Roshal"]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "F:\Programme\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{F764812A-132C-4013-9960-5CBBEB408A0E}" = "Nero Shell Extension"
-> {HKLM...CLSID} = "NeroShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\NeroShellExt\\NeroShellExt.dll" ["Nero AG"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\

<<!>> skype4com\CLSID = "{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D}"
-> {HKLM...CLSID} = "IEProtocolHandler Class"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL" ["Skype Technologies"]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "F:\Programme\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Programme\WinRAR\rarext.dll" ["Alexander Roshal"]

{55E482A2-D62F-4067-87ED-28E1C7F94C03}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "f:\PROGRA~1\COMPUT~1\ASHAMP~1\CONTEX~1.DLL" [null data]

{A4FD8DDB-5800-4414-97F9-7457AC8EE4F0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "NBShellHook Class"
\InProcServer32\(Default) = "F:\ProgrammeNero 10\Nero BackItUp\NBShell.dll" ["Nero AG"]

{F764812A-132C-4013-9960-5CBBEB408A0E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "NeroShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\NeroShellExt\\NeroShellExt.dll" ["Nero AG"]

HKLM\SOFTWARE\Classes\*\shellex\DragDropHandlers\

NBShellHook\(Default) = "{A4FD8DDB-5800-4414-97F9-7457AC8EE4F0}"
-> {HKLM...CLSID} = "NBShellHook Class"
\InProcServer32\(Default) = "F:\ProgrammeNero 10\Nero BackItUp\NBShell.dll" ["Nero AG"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "f:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Programme\WinRAR\rarext.dll" ["Alexander Roshal"]

{F764812A-132C-4013-9960-5CBBEB408A0E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "NeroShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Nero\NeroShellExt\\NeroShellExt.dll" ["Nero AG"]

HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Programme\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\

ACE\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "f:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "F:\Programme\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Programme\WinRAR\rarext.dll" ["Alexander Roshal"]

{55E482A2-D62F-4067-87ED-28E1C7F94C03}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "f:\PROGRA~1\COMPUT~1\ASHAMP~1\CONTEX~1.DLL" [null data]

{A4FD8DDB-5800-4414-97F9-7457AC8EE4F0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "NBShellHook Class"
\InProcServer32\(Default) = "F:\ProgrammeNero 10\Nero BackItUp\NBShell.dll" ["Nero AG"]

HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\

NBShellHook\(Default) = "{A4FD8DDB-5800-4414-97F9-7457AC8EE4F0}"
-> {HKLM...CLSID} = "NBShellHook Class"
\InProcServer32\(Default) = "F:\ProgrammeNero 10\Nero BackItUp\NBShell.dll" ["Nero AG"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "F:\Programme\WinRAR\rarext.dll" ["Alexander Roshal"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoResolveTrack" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableLinkedConnections" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Kristian\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AlcoholAutoPlayV2.BurnDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""F:\Programme\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

AlcoholAutoPlayV2.ReadDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "ReadDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command\(Default) = ""F:\Programme\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

MediaHub10BluRayOnArrival\
"Provider" = "Nero MediaHub 10"
"InvokeProgID" = "OpenWithNeroMediaHub10"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = ""F:\ProgrammeNero 10\Nero MediaHub\MediaHub.exe" %L" [null data]

MediaHub10CDAudioOnArrival\
"Provider" = "Nero MediaHub 10"
"InvokeProgID" = "OpenWithNeroMediaHub10"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = ""F:\ProgrammeNero 10\Nero MediaHub\MediaHub.exe" %L" [null data]

MediaHub10DVDMovieOnArrival\
"Provider" = "Nero MediaHub 10"
"InvokeProgID" = "OpenWithNeroMediaHub10"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = ""F:\ProgrammeNero 10\Nero MediaHub\MediaHub.exe" %L" [null data]

MediaHub10SVCDMovieOnArrival\
"Provider" = "Nero MediaHub 10"
"InvokeProgID" = "OpenWithNeroMediaHub10"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = ""F:\ProgrammeNero 10\Nero MediaHub\MediaHub.exe" %L" [null data]

MediaHub10VCDMovieOnArrival\
"Provider" = "Nero MediaHub 10"
"InvokeProgID" = "OpenWithNeroMediaHub10"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\OpenWithNeroMediaHub10\shell\open\command\(Default) = ""F:\ProgrammeNero 10\Nero MediaHub\MediaHub.exe" %L" [null data]

MediaHub10WPDOnArrival\
"Provider" = "Nero MediaHub 10"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;"F:\ProgrammeNero 10\Nero MediaHub\MediaHub.exe" -Import %1 %2;"
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayCDAudio"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["Gabest"]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayDVDMovie"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["Gabest"]

MPCPlayMusicFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayMusicFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

MPCPlayVideoFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayVideoFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

NeroBurningROM10CopyCD\
"Provider" = "Nero Burning ROM 10"
"InvokeProgID" = "Nero.BurningROM.10.AutoPlay"
"InvokeVerb" = "CopyCD"
HKLM\SOFTWARE\Classes\Nero.BurningROM.10.AutoPlay\shell\CopyCD\command\(Default) = "F:\ProgrammeNero 10\Nero Burning ROM\nero.exe -w /DialogiscCopy" ["Nero AG"]

NeroBurningROM10LaunchNBR\
"Provider" = "Nero Burning ROM 10"
"InvokeProgID" = "Nero.BurningROM.10.AutoPlay"
"InvokeVerb" = "LanchNE"
HKLM\SOFTWARE\Classes\Nero.BurningROM.10.AutoPlay\shell\LanchNE\command\(Default) = "F:\ProgrammeNero 10\Nero Burning ROM\nero.exe" ["Nero AG"]

NeroExpress10CopyCD\
"Provider" = "Nero Express 10"
"InvokeProgID" = "Nero.Express.10.AutoPlay"
"InvokeVerb" = "CopyCD"
HKLM\SOFTWARE\Classes\Nero.Express.10.AutoPlay\shell\CopyCD\command\(Default) = "F:\ProgrammeNero 10\Nero Express\NeroExpress.exe -w /DialogiscCopy" ["Nero AG"]

NeroExpress10LaunchNE\
"Provider" = "Nero Express 10"
"InvokeProgID" = "Nero.Express.10.AutoPlay"
"InvokeVerb" = "LanchNE"
HKLM\SOFTWARE\Classes\Nero.Express.10.AutoPlay\shell\LanchNE\command\(Default) = "F:\ProgrammeNero 10\Nero Express\NeroExpress.exe" ["Nero AG"]

NeroVision10VideoCapture\
"Provider" = "Nero Vision 10"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""F:\ProgrammeNero 10\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "Shell Execute Hardware Event Handler"
\LocalServer32\(Default) = "C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""F:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""F:\Programme\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "Kristian" & "All Users" startup folders:
----------------------------------------------------------

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"Pinnacle Streaming Server" -> shortcut to: "F:\Program Files\Pinnacle\Shared Files\Programs\StrmServer\StrmServer.exe /Start" ["Avid Development GmbH"]


Windows Sidebar Gadgets:
------------------------

C:\Users\Kristian\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
%PROGRAMFILES%\windows sidebar\gadgets\Clock.gadget
%PROGRAMFILES%\windows sidebar\gadgets\SlideShow.Gadget
"C:%5CUsers%5CKristian%5CAppData%5CLocal%5CMicrosoft%5CWindows%20Sidebar%5CGadgets%5CMultiMeterD124.gadget"
"C:%5CUsers%5CKristian%5CAppData%5CLocal%5CMicrosoft%5CWindows%20Sidebar%5CGadgets%5CSystemMonitorSDC.gadget"


Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"Google Software Updater" -> launches: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe scheduled_start" ["Google"]
"GoogleUpdateTaskMachineCore" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]
"GoogleUpdateTaskMachineUA" -> launches: "C:\Program Files\Google\Update\GoogleUpdate.exe /ua /installsource scheduler" ["Google Inc."]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Media Center
"ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS]
"mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS]
"OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS]
"OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS]
"UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC
"HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}"
-> {HKLM...CLSID} = "HotStart User Agent"
\InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS]
"TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}"
-> {HKLM...CLSID} = "Transient Multi-Monitor Manager"
\InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" -> launches: "%windir%\system32\lpremove.exe" [file not found]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
-> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
\InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
"NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
-> {HKLM...CLSID} = "Nap ITask Handler Implementation"
\InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
"ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance
"RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Shell
"CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"
-> {HKLM...CLSID} = "CrawlStartPages Task Handler"
\InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
-> {HKLM...CLSID} = "GadgetsManager Class"
\InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
"SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {HKLM...CLSID} = "MsCtfMonitor task handler"
\InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
\InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Wired
"GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
"GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows Defender
"MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 34


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "f:\Internet\ICQ6.5\ICQ.exe" ["ICQ, LLC."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Andrea ST Filters Service, AESTFilters, "C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\aestsrv.exe" ["Andrea Electronics Corporation"]
Ati External Event Utility, Ati External Event Utility, "C:\Windows\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Audio Service, STacSV, "C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f091b975\STacSV.exe" ["IDT, Inc."]
Automatische WLAN-Konfiguration, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}
Avira AntiVir Guard, AntiVirService, ""F:\Programme\Avira\AntiVir Desktop\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Planer, AntiVirSchedulerService, ""F:\Programme\Avira\AntiVir Desktop\sched.exe"" ["Avira GmbH"]
CNG-Schlüsselisolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
Computerbrowser, Browser, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\browser.dll" [MS]}
Dell Wireless WLAN Tray Service, wltrysvc, "C:\Windows\System32\WLTRYSVC.EXE C:\Windows\System32\bcmwltry.exe" [null data]
Extensible Authentication-Protokoll, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
Gatewaydienst auf Anwendungsebene, ALG, "C:\Windows\System32\alg.exe" [MS]
Gemeinsame Nutzung der Internetverbindung, SharedAccess, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\ipnathlp.dll" [MS]}
LogMeIn Hamachi 2.0 Tunneling Engine, Hamachi2Svc, ""C:\Program Files\LogMeIn Hamachi\hamachi-2.exe" -s" ["LogMeIn Inc."]
Nero Update, NAUpdate, ""C:\Program Files\Nero\Update\NASvc.exe"" ["Nero AG"]
Windows Driver Foundation - Benutzermodus-Treiberframework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Media Player-Netzwerkfreigabedienst, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" [MS]
Windows-Bilderfassung, stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
Zugriff auf Eingabegeräte, hidserv, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\system32\hidserv.dll" [MS]}


Safe Mode Drivers & Services (subkey name, subkey default value):
-----------------------------------------------------------------

HKLM\System\CurrentControlSet\Control\SafeBoot\Network\

<<!>> Hamachi2Svc, "Service"


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Bullzip PDF Print Monitor\Driver = "bzpdf.dll" ["Bullzip"]
LIDIL hpzlllhn\Driver = "hpzlllhn.dll" ["Hewlett-Packard Company"]


---------- (launch time: 2010-04-21 01:24:30)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 34 seconds, including 4 seconds for message boxes)

Alt 21.04.2010, 22:15   #2
Sion
 
antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe - Standard

antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe



1. Poste das (alte) Log von dem Malwarebytesdurchlauf.

Alle Progs mit Rechtsklick "Als Administrator ausführen" starten.

2. http://www.trojaner-board.de/74908-a...t-scanner.html
Log posten.

3. Hol dir OTL
Starte OTL
Kopiere unten in das Skript-Feld rein:

Zitat:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
ndis.sys
ftdisk.sys
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
nvraid.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

Schließe alle anderen Programme.
Klicke auf Quick Scan.
Poste die beiden Logs - OTL.txt und Extras.txt
__________________


Antwort

Themen zu antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe
antivir, antivir guard, avg, avira, bho, browser, c:\windows\system32\rundll32.exe, defender, desktop, error, finds, firefox, google, gpedit.msc, gupdate, hijack, hijackthis, internet, internet explorer, localsystemnetworkrestricted, malwarebytes' anti-malware, mozilla, notification, programdata, registry, rundll, saver, shell32.dll, shortcut, software, start menu, svchost.exe, system, trojaner, user agent, virus gefunden, vista, windows, wlan, wlansvc



Ähnliche Themen: antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe


  1. [TR/CoinMiner bzw. Trojan.Agent.Gen] svchost.exe und lsass.exe in Windows\Temp
    Plagegeister aller Art und deren Bekämpfung - 21.03.2015 (17)
  2. Windows Live Trojaner und SVchost.exe im Temp-ordner
    Plagegeister aller Art und deren Bekämpfung - 26.12.2011 (1)
  3. Nach Antimalware Doctor: Windows Explorer funktioniert nicht mehr
    Plagegeister aller Art und deren Bekämpfung - 30.08.2010 (6)
  4. Antimalware Doctor entfernt (XP) - aber Windows-Login nicht mehr möglich (gibt es noch Hoffnung?)
    Plagegeister aller Art und deren Bekämpfung - 22.08.2010 (2)
  5. tr downloader.gen C:\WINDOWS\Temp\cmqk.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 05.07.2010 (13)
  6. C:\Windows\Temp\pgsi.tmp\svchost.exe TR/Hijacker.Gen funde (mehere)
    Plagegeister aller Art und deren Bekämpfung - 30.06.2010 (3)
  7. Antimalware Doctor, Windows startet nichtmehr
    Plagegeister aller Art und deren Bekämpfung - 28.05.2010 (2)
  8. TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 13.05.2010 (46)
  9. Windows XP SP3 Antimalware Doctor Entfernung erfolgreich?
    Log-Analyse und Auswertung - 12.05.2010 (9)
  10. TR\Crypt.ZPACK.Gen in C:\Windows\Temp\gsxm.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 01.05.2010 (1)
  11. TR/Crypt.ZPACK.Gen C:\WINDOWS\Temp\uagx.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 01.05.2010 (1)
  12. Trojaner TR/Crypt.ZPACK.gen in C:/WINDOWS/TEMP/xxxx.temp/svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 30.04.2010 (33)
  13. Antivir meldet TR/Crypt.ZPACK.Gen in C/Windows/Temp/xxxx.tmp/svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 26.04.2010 (2)
  14. Avira meldet TR/Crypt.ZPACK.Gen in C:\Windows\Temp\xxxx.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 24.04.2010 (1)
  15. Avira meldet TR/Hijacker.gen in C:\WINDOWS\Temp\****.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 24.04.2010 (1)
  16. TR/Crypt.ZPACK.Gen in C:\Windows\Temp\rmwc.tmp\svchost.exe
    Plagegeister aller Art und deren Bekämpfung - 17.04.2010 (53)
  17. TR/Crypt.ZPACK.Gen in C:\Temp\bcot.tmp\svchost.exe , C:\Temp\qmub.tmp\svchost.exe usw
    Plagegeister aller Art und deren Bekämpfung - 12.04.2010 (1)

Zum Thema antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe - Hallo! Mein Pc wurde heute von dem antimalware doctor trojaner heimgesucht. Mit HijackThis und Malwarebytes habe ich es geschafft, dass zumindest die nervigen Fakevirusmeldungen aufgehört haben. Mein Antivir zeigt mir - antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe...
Archiv
Du betrachtest: antimalware doctor + C:\Windows\Temp\xxx.tmp\svchost.exe auf Trojaner-Board

Search Engine Optimization by vBSEO ©2011, Crawlability, Inc.