| Denise88 | 11.11.2008 18:37 |
Das ist der von Combofix: Code:
ComboFix 08-11-10.01 - Nicole 2008-11-11 18:22:55.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1031.18.483 [GMT 1:00]
ausgeführt von:: c:\users\Nicole\Downloads\ComboFix.exe
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Nicole\AppData\Local\gaosq.dat
c:\users\Nicole\AppData\Local\gaosq_nav.dat
c:\users\Nicole\AppData\Local\gaosq_navps.dat
c:\users\Nicole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Videos.url
c:\users\Nicole\FAVORI~1\Videos.url
c:\users\Nicole\Favorites\Videos.url
c:\windows\pi.exe
.
((((((((((((((((((((((( Dateien erstellt von 2008-10-11 bis 2008-11-11 ))))))))))))))))))))))))))))))
.
2008-11-10 18:36 . 2008-11-10 18:36 <DIR> d-------- c:\users\Nicole\AppData\Roaming\Malwarebytes
2008-11-10 18:36 . 2008-11-10 18:36 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-11-10 18:36 . 2008-11-10 18:36 <DIR> d-------- c:\programdata\Malwarebytes
2008-11-10 18:36 . 2008-11-10 18:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-10 18:36 . 2008-10-22 16:10 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-11-10 18:36 . 2008-10-22 16:10 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-11-09 21:16 . 2008-11-09 21:16 <DIR> d-------- c:\users\All Users\Avira
2008-11-09 21:16 . 2008-11-09 21:16 <DIR> d-------- c:\programdata\Avira
2008-11-09 21:16 . 2008-11-09 21:16 <DIR> d-------- c:\program files\Avira
2008-10-29 18:30 . 2008-08-12 04:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-29 18:30 . 2008-09-18 05:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-29 18:30 . 2008-09-18 05:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-27 19:04 . 2008-10-27 19:04 27,430 --a------ c:\users\Nicole\AppData\Roaming\nvModes.dat
2008-10-23 05:47 . 2008-08-05 10:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-10-23 05:47 . 2008-08-05 10:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-10-23 05:47 . 2008-08-05 10:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-10-23 05:47 . 2008-08-05 10:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-10-23 05:47 . 2008-08-05 10:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-17 20:34 . 2008-10-18 11:36 <DIR> d-------- c:\users\All Users\NVIDIA
2008-10-17 20:34 . 2008-10-18 11:36 <DIR> d-------- c:\programdata\NVIDIA
2008-10-17 20:16 . 2008-10-17 20:16 <DIR> d-------- c:\users\Nicole\AppData\Roaming\GTek
2008-10-16 11:32 . 2008-09-18 06:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-16 11:32 . 2008-09-18 06:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-16 11:32 . 2008-09-18 03:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-16 11:32 . 2008-10-02 02:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-16 11:32 . 2008-10-02 04:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-16 11:32 . 2008-08-27 02:06 288,768 --a------ c:\windows\System32\drivers\srv.sys
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 16:20 352,615 ---ha-w c:\windows\system32\drivers\vsconfig.xml
2008-11-10 16:31 --------- d-----w c:\programdata\Google Updater
2008-11-08 14:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-08 14:31 --------- d-----w c:\program files\Norton Security Scan
2008-11-02 09:55 --------- d-----w c:\programdata\Hewlett-Packard
2008-11-01 11:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-30 12:07 --------- d-----w c:\users\Nicole\AppData\Roaming\Maxthon2
2008-10-28 18:52 --------- d-----w c:\users\Nicole\AppData\Roaming\MxBoost
2008-10-22 15:21 21,248 ----a-w c:\windows\Help\OEM\scripts\HPScript.exe
2008-10-17 19:17 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-17 19:15 --------- d-----w c:\program files\HP
2008-10-17 19:14 --------- d-----w c:\program files\Hewlett-Packard
2008-10-17 19:04 --------- d-----w c:\users\Nicole\AppData\Roaming\Hewlett-Packard
2008-10-16 20:50 --------- d-----w c:\program files\Windows Mail
2008-10-16 20:46 --------- d-----w c:\programdata\Microsoft Help
2008-10-16 13:41 --------- d-----w c:\users\Nicole\AppData\Roaming\ICQ
2008-10-06 18:10 --------- d-----w c:\program files\Sun
2008-10-06 18:08 --------- d-----w c:\program files\Java
2008-10-06 10:51 20,224 ----a-w c:\windows\Help\OEM\scripts\HC_checkMUI.dll
2008-10-06 05:19 --------- d-----w c:\program files\Opera
2008-10-04 11:39 --------- d-----w c:\program files\Google
2008-10-03 08:27 --------- d-----w c:\program files\Alwil Software
2008-10-02 12:54 --------- d---a-w c:\programdata\TEMP
2008-10-01 06:29 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-09-21 04:36 --------- d-----w c:\users\Nicole\AppData\Roaming\GMX
2008-09-20 00:46 --------- d-----w c:\programdata\Spybot - Search & Destroy
2008-09-19 19:07 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-09-19 12:52 --------- d-----w c:\programdata\WindowsSearch
2008-09-18 05:58 --------- d-----w c:\program files\IncrediMail
2008-09-16 07:23 174 --sha-w c:\program files\desktop.ini
2008-09-16 07:11 --------- d-----w c:\program files\Windows Sidebar
2008-09-16 07:11 --------- d-----w c:\program files\Windows Photo Gallery
2008-09-16 07:11 --------- d-----w c:\program files\Windows Journal
2008-09-16 07:11 --------- d-----w c:\program files\Windows Defender
2008-09-16 07:11 --------- d-----w c:\program files\Windows Collaboration
2008-09-16 07:11 --------- d-----w c:\program files\Windows Calendar
2008-09-16 06:45 82,432 ----a-w c:\windows\System32\axaltocm.dll
2008-09-16 06:45 101,888 ----a-w c:\windows\System32\ifxcardm.dll
2008-09-12 21:07 --------- d-----w c:\program files\ICQ6Toolbar
2008-09-12 21:06 --------- d-----w c:\programdata\ICQ
2008-08-25 14:25 2,257,415 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-08-21 15:16 11,520 ----a-w c:\windows\Help\OEM\scripts\HCNetworkTest.exe
2008-06-23 14:43 2,674 ----a-w c:\users\Nicole\AppData\Roaming\wklnhst.dat
2008-06-21 21:01 22 ----a-w c:\users\Nicole\NTX30.zip
2008-06-08 19:42 2,863,976 ----a-w c:\users\Nicole\MpfPlus_Aol_DE.exe
2007-10-20 02:04 22 --sha-w c:\windows\SMINST\HPCD.sys
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-02 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-24 176128]
"NapsterShell"="c:\program files\Napster\napster.exe" [2007-01-13 323216]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-11 317128]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-29 77824]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 959976]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
c:\users\Nicole\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E54729E8-BB3D-4270-9D49-7389EA579090}"= "c:\windows\system32\EZUPBH~1.DLL" [2007-11-24 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F19B98FA-6A66-4FDB-BFCD-830C19AF6555}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A721823F-573A-40F0-8992-69F11FDAB706}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8E2A0E27-212D-473F-BD20-395990CB367E}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{6109805B-5ADA-42BA-A81F-9EADC7279195}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{FAA9B961-6E19-4BB0-8D0D-83FE038F4226}"= Disabled:UDP:c:\users\Nicole\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BGU2K7DE\incredimail_install[1].exe:IncrediMail Installer
"{69F042B2-8A9F-4A51-A83E-F3A2457079FF}"= Disabled:TCP:c:\users\Nicole\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BGU2K7DE\incredimail_install[1].exe:IncrediMail Installer
"TCP Query User{CC62203A-A843-4C09-A1B8-0F9AFCD0E157}c:\\program files\\icq6\\icq.exe"= UDP:c:\program files\icq6\icq.exe:ICQ Library
"UDP Query User{D0E828C7-E705-4CF6-8139-3845111FA9C0}c:\\program files\\icq6\\icq.exe"= TCP:c:\program files\icq6\icq.exe:ICQ Library
"{01846461-8308-4382-A2AF-4387501F61F8}"= Disabled:UDP:c:\program files\Magentic\bin\MgImp.exe:Magentic
"{981DC1F1-80A5-474E-BEA1-939F323B9D81}"= Disabled:TCP:c:\program files\Magentic\bin\MgImp.exe:Magentic
"{121CE298-5641-4B92-8265-AD8791BF2772}"= Disabled:UDP:c:\program files\Magentic\bin\MgApp.exe:Magentic
"{508706CA-5F8D-4BEC-A45B-C91C1498AD94}"= Disabled:TCP:c:\program files\Magentic\bin\MgApp.exe:Magentic
"{3CF82762-0AAF-41AA-9D9A-DA1F636AE637}"= Disabled:UDP:c:\program files\Magentic\bin\Magentic.exe:Magentic
"{7D059512-7761-4242-AC01-EB3EF6D68A99}"= Disabled:TCP:c:\program files\Magentic\bin\Magentic.exe:Magentic
"{AED1FD81-E458-463E-B6B8-7BA6C380277A}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{95887BB7-72A7-4658-9515-4B480AC51314}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{56B1A503-0E2C-44A4-B40D-3DEF12760BA9}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CBF0EAF9-14D0-49AC-8972-FCD0583A5ACC}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D3899175-1870-4ED0-AB97-10E4A634291F}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{B454CD59-7578-4DD5-9963-C8A07C38BDFF}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9764CA0A-9C35-4C3F-8E74-A803116D3BCB}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{A492A37E-6E5B-44CF-99C0-A2D798F59B25}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{03D4BD00-5FD5-4A87-B4E6-0605D7F5209E}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{BB36E217-C28B-49C3-A24C-542FEE65A910}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{FDAA8FA9-CC89-42B2-A6D0-A4FF40710D19}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{115050CE-8CDF-4A64-9775-5550825D16DC}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
R2 ezntsvc;EasyBits Magic Desktop Services for Windows NT;c:\windows\system32\ezNTSvc.exe [2007-11-24 33792]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccfcd74d-07d1-11dd-ac1e-001b24856f12}]
\shell\Auto\command - auto.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccfcd764-07d1-11dd-ac1e-001b24856f12}]
\shell\Auto\command - F:\auto.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\auto.exe
*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners
2008-10-24 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-09-18 22:42]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
HKCU-Run-Magentic - c:\progra~1\Magentic\bin\Magentic.exe
HKLM-Run-Performance Center - c:\program files\Ascentive\Performance Center\APCMain.exe
.
------- Zusätzlicher Suchlauf -------
.
FireFox -: Profile - c:\users\Nicole\AppData\Roaming\Mozilla\Firefox\Profiles\jn26s94s.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://de.google.mozilla.com/firefox&client=firefox-a&rls=com.google:de:official
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 18:29:36
Windows 6.0.6001 Service Pack 1 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
**************************************************************************
.
Zeit der Fertigstellung: 2008-11-11 18:33:06
ComboFix-quarantined-files.txt 2008-11-11 17:32:02
Vor Suchlauf: 21 Verzeichnis(se), 101.519.069.184 Bytes frei
Nach Suchlauf: 21 Verzeichnis(se), 101,745,442,816 Bytes frei
217 --- E O F --- 2008-11-08 13:22:54
|
