RecInfo und fscreg Hallo,
ich habe in meinem Logfile zwei Dinge, die mir etwas verdächtig vorkommen: Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:26, on 16.07.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [recinfo334] c:\RecInfo\RecInfo.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe 20090621
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatisches LiveUpdate - Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Update Service (gupdate1c9b9b583f44f3c) (gupdate1c9b9b583f44f3c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
--
End of file - 5742 bytes Nämlich:
O4 - HKLM\..\Run: [recinfo334] c:\RecInfo\RecInfo.exe
und
O4 - HKCU\..\Run: [fsc-reg] C:\ProgramData\fsc-reg\fscreg.exe 20090621
Dieses ist wohl unter Vista normal:
O13 - Gopher Prefix:
Ich habe RecInfo.exe und fscreg.exe mal bei VirusTotal hochgeladen:
Bei Recinfo.exe gab es keine Funde: Code:
File size: 2764800 bytes
MD5...: 8e382b0c5f16daf17b3c1cf5205846d1
SHA1..: 9bbcfe2ca30ec4683d3cbb389fb7ffb6d77eede5
SHA256: 916ef2f99050841fb5aa2662ae0451255eba0429122e4984cbe9d53b15f9e725
ssdeep: 768:iB+aCpZ4rt78B/rjAgrTBqPEBPjFJDD2krCbht9t7Mdpub3vcM6gwh4gQLu:
8lrt78BTjAgJBPZR2B3v7Mdpub8D46
PEiD..: -
TrID..: File type identification
Generic CIL Executable (.NET, Mono, etc.) (79.2%)
Windows Screen Saver (14.1%)
Win16/32 Executable Delphi generic (2.2%)
Generic Win/DOS Executable (2.1%)
DOS Executable Generic (2.1%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x2a0eee
timedatestamp.....: 0x471dee89 (Tue Oct 23 12:52:25 2007)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x2000 0x29eef4 0x29f000 0.87 8e0bce18abf50795e29b50a822ab8b1a
.sdata 0x2a2000 0xa6 0x1000 0.41 69bb16bae47cfa7016e13383b6a52f2a
.rsrc 0x2a4000 0x7f0 0x1000 1.62 4d6c785c8b5c126ed200222995afcc2d
.reloc 0x2a6000 0xc 0x1000 0.01 5549acc2afdb623692fcff1aa701b9eb
( 1 imports )
> mscoree.dll: _CorExeMain
( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
- Bei fscreg.exe gab es diese zwei Funde: Code:
eSafe 7.0.17.0 2009.07.15 Suspicious File
McAfee-GW-Edition 6.8.5 2009.07.16 Heuristic.BehavesLike.Win32.ModifiedUPX.J!90 Code:
File size: 533264 bytes
MD5...: fd57509795eb9bf0d713f1a13cf28cb0
SHA1..: c5b9a6873b2c6965ff363be42ae9ec3f1f5d2b5b
SHA256: 4f8dd6d374768a8b12bc3d9520eea17927bea0af11c1cb93c973b143d5b10fac
ssdeep: 12288:pUZRJdbcn1DxRyEmwcc0SH7Ytk+kiNvmpeBya6xZHHAoS:pU3y19RDm3c0
SH7ok6Opeo/nH
PEiD..: UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0xd2700
timedatestamp.....: 0x47331391 (Thu Nov 08 13:48:01 2007)
machinetype.......: 0x14c (I386)
( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x54000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x55000 0x7f000 0x7e400 8.00 27b470ff6dd0d616366ac898b6534a57
.rsrc 0xd4000 0x3000 0x2800 4.03 3cb6461ac5fd067accb6baceae48acb4
( 12 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> CRTDLL.dll: atoi
> IMAGEHLP.dll: MakeSureDirectoryPathExists
> MSHTML.dll: ShowHTMLDialog
> OLE32.dll: CoTaskMemFree
> SETUPAPI.dll: UnicodeToMultiByte
> SHELL32.dll: StrStrIA
> SHLWAPI.dll: SHStrDupA
> urlmon.dll: CreateURLMonikerEx
> USER32.dll: EnumWindows
> WININET.dll: InternetCheckConnectionA
( 0 exports )
PDFiD.: -
RDS...: NSRL Reference Data Set
-
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=fd57509795eb9bf0d713f1a13cf28cb0' target='_blank'>http://www.threatexpert.com/report.aspx?md5=fd57509795eb9bf0d713f1a13cf28cb0</a>
packers (Kaspersky): UPX
packers (F-Prot): UPX_LZMA Soll ich mich da noch weiter drum kümmern oder sind die beiden Dateien sicher?
Ist mein Logfile denn sonst in Ordnung?
Gruß,
sikev |