| brat.wurst | 20.09.2008 14:20 |
Liste der Anhänge anzeigen (Anzahl: 1) Bin wieder da und habe hoffentlich das geschafft, was Sie wissen und sehen möchte. Leider habe ich von Computern keine Ahnung. Also versuchen wir es mal:
1. Hijackthis Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:14, on 20.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Applications\wcs.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Applications\wcm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\Dokumente und Einstellungen\Heinzelmann\Lokale Einstellungen\Temporary Internet Files\Content.IE5\POD1U8Z8\qlketzd[1].com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo RX420 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [smile] C:\Programme\Applications\wcs.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Programme\CDBurnerXP\NMSAccessU.exe
--
End of file - 4359 bytes
2. MBR Code:
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
3. Malwarebytes Code:
Malwarebytes' Anti-Malware 1.20
Datenbank Version: 941
Windows 5.1.2600 Service Pack 2
13:55:30 20.09.2008
mbam-log-9-20-2008 (13-55-30).txt
Scan Art: Komplett Scan (C:\|D:\|)
Objekte gescannt: 79407
Scan Dauer: 15 minute(s), 2 second(s)
Infizierte Speicher Prozesse: 0
Infizierte Speicher Module: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Datei Objekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0
Infizierte Speicher Prozesse:
(Keine Malware Objekte gefunden)
Infizierte Speicher Module:
(Keine Malware Objekte gefunden)
Infizierte Registrierungsschlüssel:
(Keine Malware Objekte gefunden)
Infizierte Registrierungswerte:
(Keine Malware Objekte gefunden)
Infizierte Datei Objekte der Registrierung:
(Keine Malware Objekte gefunden)
Infizierte Verzeichnisse:
(Keine Malware Objekte gefunden)
Infizierte Dateien:
(Keine Malware Objekte gefunden)
4. Silentrunners Code:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"smile" = "C:\Programme\Applications\wcs.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"EPSON Stylus Photo RX420 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"" ["SEIKO EPSON CORPORATION"]
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"Sony Ericsson PC Suite" = ""C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}\(Default) = (no title provided)
-> {HKLM...CLSID} = "EpsonToolBandKicker Class"
\InProcServer32\(Default) = "C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{03DAACC5-10BA-4E3E-9D54-2A569F6B4B87}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Programme\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
"{738D66C6-0149-4D40-84E4-A7BB2D0CE949}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Programme\Sony Ericsson\Mobile2\File Manager\FM.dll" ["Popwire AB"]
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
LockFolder\(Default) = "{4852341A-43E6-4994-B29B-E82904992884}"
-> {HKLM...CLSID} = "LckFldMenu.Locker"
\InProcServer32\(Default) = "C:\Programme\FolderAccess\LckFldMenu.dll" ["Topdownloads Network"]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
Default executables:
--------------------
<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"
HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Heinzelmann\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
CDBurnerXP\
"Provider" = "CDBurnerXP"
"InvokeProgID" = "CDBurnerXPOpen"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CDBurnerXPOpen\shell\open\command\(Default) = ""C:\Programme\CDBurnerXP\cdbxpp.exe"" [null data]
EPSONCardMonitor\
"Provider" = "EPSON CardMonitor1.2"
"InvokeProgID" = "EPSON.CardMonitor.1"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\EPSON.CardMonitor.1\shell\Play\DropTarget\CLSID = "{95ABECB2-A2BC-4fdc-A413-554CB2AAD55F}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Programme\EPSON\EPSON CardMonitor\epcmcom.exe" [null data]
Startup items in "Heinzelmann" & "All Users" startup folders:
-------------------------------------------------------------
WARNING! "All Users" startup folder not found!
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}"
-> {HKLM...CLSID} = "EPSON Web-To-Page"
\InProcServer32\(Default) = "C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EE5D279F-081B-4404-994D-C6B60AAEBA6D}" = (no title provided)
-> {HKLM...CLSID} = "EPSON Web-To-Page"
\InProcServer32\(Default) = "C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll" ["SEIKO EPSON CORPORATION"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, ""C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"]
NMSAccessU, NMSAccessU, "C:\Programme\CDBurnerXP\NMSAccessU.exe" [null data]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
EPSON Stylus Photo RX420 Series 2KMonitor5E\Driver = "E_FLM9CE.DLL" ["SEIKO EPSON CORPORATION"]
---------- (launch time: 2008-09-20 14:38:52)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 69 seconds, including 5 seconds for message boxes)
5. Combofix Code:
ComboFix 08-09-19.09 - Heinzelmann 2008-09-20 14:47:06.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.185 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Heinzelmann\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\actskn43.ocx
.
((((((((((((((((((((((( Dateien erstellt von 2008-08-20 bis 2008-09-20 ))))))))))))))))))))))))))))))
.
2008-09-20 09:12 . 2008-09-20 09:12 <DIR> d-------- C:\Programme\Applications
2008-09-06 11:44 . 2008-09-06 11:44 <DIR> d-------- C:\Dokumente und Einstellungen\Heinzelmann\Anwendungsdaten\U3
2008-09-02 18:54 . 2004-08-04 00:57 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-09-02 18:54 . 2001-08-18 04:54 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 16:41 --------- d-----w C:\Dokumente und Einstellungen\Heinzelmann\Anwendungsdaten\Teleca
2008-08-14 16:40 --------- d-----w C:\Dokumente und Einstellungen\Heinzelmann\Anwendungsdaten\Sony Ericsson
2008-08-14 16:34 --------- d-----w C:\Programme\Gemeinsame Dateien\Teleca Shared
2008-08-14 16:34 --------- d-----w C:\Programme\Gemeinsame Dateien\Sony Ericsson Shared
2008-08-14 16:34 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sony Ericsson
2008-08-14 16:33 --------- d-----w C:\Programme\Sony Ericsson
2008-08-14 16:33 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Teleca
2008-07-16 15:19 36,736 ----a-w C:\Dokumente und Einstellungen\Heinzelmann\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-07-04 08:44 3,063,808 ----a-w C:\WINDOWS\system32\PEGRPDL.DLL
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo RX420 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9CE.EXE" [2004-04-09 98304]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Sony Ericsson PC Suite"="C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-01-26 495616]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"smile"="C:\Programme\Applications\wcs.exe" [2008-09-20 17408]
[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^VIWAS-Update Scheduler.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VIWAS-Update Scheduler.lnk
backup=C:\WINDOWS\pss\VIWAS-Update Scheduler.lnkCommon Startup
[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^VIWAS-Update.lnk]
path=C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\VIWAS-Update.lnk
backup=C:\WINDOWS\pss\VIWAS-Update.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ViwasService"=2 (0x2)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"LckFldService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 NMSAccessU;NMSAccessU;C:\Programme\CDBurnerXP\NMSAccessU.exe [2008-06-15 71096]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2007-02-08 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2007-02-08 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2007-02-08 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2007-02-08 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2007-02-08 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2007-02-08 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2007-02-08 90800]
S4 ViwasService;VIWAS Updatedienst;C:\DATEV\PROGRAMM\VIWAS\ViwaServ.EXE [ ]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
*Newly Created Service* - MBR
.
.
------- Zusätzlicher Suchlauf -------
.
R0 -: HKCU-Main,Start Page = about:blank
O8 -: Nach Microsoft &Excel exportieren - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-20 14:48:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
Zeit der Fertigstellung: 2008-09-20 14:50:46
ComboFix-quarantined-files.txt 2008-09-20 12:50:44
Vor Suchlauf: 9,165,406,208 Bytes frei
Nach Suchlauf: 9,154,478,080 Bytes frei
95
6. Listinglog befindet sich unter Code:
http://www.file-upload.net/download-1124568/listinglog.txt.html
7. Blacklight siehe anliegende Hardcopy |
