Trojaner-Board

Trojaner-Board (https://www.trojaner-board.de/)

DigitalDeath 07.12.2008 18:36

Virus problem? - PC extremely slowed down
 
Hi, since I was already helped here once before in an outstanding way, competently and helpfully, I would like to make use of this service again :-)

It's about the following: my PC is at times very slow, and Ad-Aware sometimes finds infections and sometimes doesn't. I'm uploading a few logfiles; it would be nice if you could check them.

It's a private and very expensive PC :)


--------------------------------------------------------------------------

Quote:

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:30:11, on 07.12.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Primärordner\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Primärordner\ICQ6\ICQ.exe
C:\Primärordner\DAEMON Tools Lite\daemon.exe
C:\Program Files (x86)\DNA\btdna.exe
C:\Sekundärordner\Xfire\Xfire.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe
C:\Primärordner\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Primärordner\Razer\Lachesis\razerhid.exe
C:\Windows\SysWOW64\CTXFISPI.EXE
C:\Primärordner\Razer\Lachesis\OSD.exe
C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Primärordner\Logitech\QuickCam\Quickcam.exe
C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PDVD8Serv.exe
C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
C:\Windows\SysWOW64\Ctxfihlp.exe
C:\Primärordner\Razer\Lachesis\razertra.exe
C:\Primärordner\Razer\Lachesis\razerofa.exe
C:\Program Files (x86)\Skype\Plugin Manager\skypePM.exe
C:\Program Files (x86)\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Primärordner\Hamachi\hamachi.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PRIMRO~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Primärordner\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\PROGRA~2\AUTOLO~1\AL2DLL.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [avgnt] "C:\Primärordner\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Lachesis] C:\Primärordner\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Primärordner\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [RemoteControl8] C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PDVD8Serv.exe
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\Language\Language.exe
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Primärordner\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /install /silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Primärordner\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ICQ] "C:\Primärordner\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Primärordner\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EPSON Stylus DX7400 Series] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATICDE.EXE /FU "C:\Windows\TEMP\E_S97A.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files (x86)\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1 (User 'Default user')
O4 - Startup: Xfire.lnk = ?
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PRIMRO~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PRIMRO~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PRIMRO~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PRIMRO~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PRIMRO~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PRIMRO~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Primärordner\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Primärordner\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/DE-DE/.../GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://icq.oberon-media.com/Gameshel...onGameHost.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Primärordner\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~2\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Primärordner\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Primärordner\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Primärordner\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVCSer64.exe
O23 - Service: Process Monitor (LVPrcS64) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Stardock Corporation - C:\Sekundärordner\Stardock\MyColors\VistaSrv.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11967 bytes

-------------------------------------


Quote:

mbr:

device: opened successfully
user: MBR read successfully
kernel: error reading mbr
-------------------------------------

DigitalDeath 07.12.2008 18:37

----------------------------------------------------------------------------------------

Silent Runners log:

----------------------------------------------------------------------------------------

Quote:

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Primärordner\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"MsnMsgr" = ""C:\Program Files (x86)\Windows Live\Messenger\MsnMsgr.Exe" /background" [MS]
"Skype" = ""C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"ICQ" = ""C:\Primärordner\ICQ6\ICQ.exe" silent" ["ICQ, Inc."]
"DAEMON Tools Lite" = ""C:\Primärordner\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]
"EPSON Stylus DX7400 Series" = "C:\Windows\system32\spool\DRIVERS\x64\3\E_IATICDE.EXE /FU "C:\Windows\TEMP\E_S97A.tmp" /EF "HKCU"" ["SEIKO EPSON CORPORATION"]
"ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS]
"BitTorrent DNA" = ""C:\Program Files (x86)\DNA\btdna.exe"" ["BitTorrent, Inc."]
"WMPNSCFG" = "C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"Launch LCDMon" = ""C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"" ["Logitech Inc."]
"Launch LGDCore" = ""C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE" ["Logitech Inc."]
"NvSvc" = "RUNDLL32.EXE C:\Windows\system32\nvsvc64.dll,nvsvcStart" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Primärordner\Avira\AntiVir PersonalEdition Classic\shlext64.dll" ["Avira GmbH"]
"{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\Windows\system32\erasext.dll" ["-"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MSOHEVI.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{40FDFA48-5F4E-4627-A78E-6A49A3D4492F}" = "SmartFTP ShellDropHandler"
-> {HKLM...CLSID} = "SmartFTP ShellDropHandler Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}" = "SmartFTP Drop ShellIconOverlayHandler"
-> {HKLM...CLSID} = "SmartFTP Drop ShellIconOverlayHandler"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}" = "SmartFTP ContextMenu"
-> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{EB5EE1F3-041A-4c03-9D51-2BEC6715FB00}" = "SmartFTP Search Shell Namespace Extension"
-> {HKLM...CLSID} = "ShellFolderSearchRoot Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{2ED7FD81-CBA6-45E5-A49A-5E84889A94E2}" = "SmartFTP Drop Handler"
-> {HKLM...CLSID} = "ShellFolderDragDropHandler Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{119310E6-5FB7-4eeb-BEDB-9E229E76B9B4}" = "SmartFTP MultiUpload Shell Namespace Extension"
-> {HKLM...CLSID} = "ShellFolderMultiUploadDestination Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{3B164627-7060-47BB-A1BE-DF5540B02821}" = "SmartFTP MultiUpload Shell Namespace Extension"
-> {HKLM...CLSID} = "ShellFolderMultiUploadSource Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{82AA9188-44E0-40B9-B956-43A10C315B4F}" = "SmartFTP Shell Namespace Extension"
-> {HKLM...CLSID} = "RootShellFolder Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{39DD67E0-73B6-4a11-AF55-49E1EBBF72BE}" = "SmartFTP Favorites Namespace"
-> {HKLM...CLSID} = "SmartFTP FavoritesShellFolder Class"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFavoritesShellExtension.dll" ["SmartSoft Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
<<!>> "{E31004D1-A431-41B8-826F-E902F9D95C81}" = "Windows DreamScene"
-> {HKLM...CLSID} = "Windows DreamScene"
\InProcServer32\(Default) = "C:\Windows\System32\DreamScene.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\Windows\system32\erasext.dll" ["-"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Primärordner\Avira\AntiVir PersonalEdition Classic\shlext64.dll" ["Avira GmbH"]
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
-> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
-> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\Windows\system32\erasext.dll" ["-"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Primärordner\Avira\AntiVir PersonalEdition Classic\shlext64.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files (x86)\WinRAR\rarext64.dll" [null data]


Default executables:
--------------------

HKLM\SOFTWARE\Classes\.hta\(Default) = "htafile"
<<!>> HKLM\SOFTWARE\Classes\htafile\shell\open\command\(Default) = "C:\Windows\SysWOW64\mshta.exe "%1" %*" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoActiveDesktopChanges" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ForceActiveDesktopOn" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}

"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Progamer\AppData\Roaming\Microsoft\Windows Photo Gallery\Hintergrundbild der Windows-Fotogalerie.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\DREAMA~2.SCR" (DreamAquarium.scr) [null data]


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

F:\
<<!>> F:\AUTORUN.INF -> "Open="Launch.exe" /run" [file not found]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSPlayCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.AudioCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.AudioCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"" [MS]

MSPlayDVDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.DVD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.DVD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"" [MS]

MSPlaySuperVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]

MSPlayVideoCDMovieOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.VCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\WMP.VCD\shell\play\command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:4 /device:VCD "%L"" [MS]

MSRipCDAudioOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.RipCD"
"InvokeVerb" = "Rip"
HKLM\SOFTWARE\Classes\WMP.RipCD\shell\Rip\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /RipAudioCD "%L" " [MS]

MSWMPBurnCDOnArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnCD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnCD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:CDWrite /Device:"%L" " [MS]

MSWMPBurnDataDVDArrival\
"Provider" = "@wmploc.dll,-6502"
"InvokeProgID" = "WMP.BurnDVD"
"InvokeVerb" = "Burn"
HKLM\SOFTWARE\Classes\WMP.BurnDVD\shell\Burn\Command\(Default) = ""C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:3 /Task:DVDWrite /Device:"%L" " [MS]

PDVD8PlayBluRayOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "BluRay"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\BluRay\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

PDVD8PlayCDAudioOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

PDVD8PlayDVDMovieOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

PDVD8PlayHDDVDOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "HDDVD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\HDDVD\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

PDVD8PlaySVCDOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "SVCD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\SVCD\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

PDVD8PlayVCDMovieOnArrival\
"Provider" = "PowerDVD 8"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithPowerDVD8"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD8\Command\(Default) = "C:\Primärordner\CyberLink\PowerDVD8\PowerDVD8\PowerDVD8.exe "%L"" ["CyberLink Corp."]

WIA_{7DAB822B-80F0-465A-85D9-46FFFBCE6CAD}\
"Provider" = "ABBYY FineReader 6.0 Sprint"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Program Files (x86)\ABBYY FineReader 6.0 Sprint\Sprint.exe /StiDevice:%1 /StiEvent:%2;"
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]

WIA_{A481DBE1-6FAE-41B6-AF2A-D295089509D4}\
"Provider" = "Microsoft Office Word"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;C:\Primärordner\Microsoft Office\Office12\WINWORD.EXE /IMG_WIA;"
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]


Startup items in "Progamer" & "All Users" startup folders:
----------------------------------------------------------

C:\Users\Progamer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
"Xfire" -> shortcut to: "C:\Sekundärordner\Xfire\Xfire.exe" ["Xfire Inc."]


Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"User_Feed_Synchronization-{32DB3217-A3AD-4EE9-9FAF-3DEEEA87E541}" -> (HIDDEN!) launches: "C:\Windows\system32\msfeedssync.exe sync" [MS]

C:\Windows\System32\Tasks\Apple
"AppleSoftwareUpdate" -> launches: "C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
-> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
-> {HKLM...CLSID} = "Certificate Services Client Task Handler"
\InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]
"OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic
"Microsoft-Windows-DiskDiagnosticDataCollector" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART" [MS]

DigitalDeath 07.12.2008 18:39

Quote:

c:\windows\system32\tasks\microsoft\windows\media center
"ehdrminit" -> launches: "%systemroot%\ehome\ehprivjob.exe /drminit" [ms]
"mcupdate" -> launches: "%systemroot%\ehome\mcupdate $(arg0) -gc" [ms]
"ocuractivate" -> launches: "%systemroot%\ehome\ehprivjob.exe /ocuractivate" [ms]
"ocurdiscovery" -> launches: "%systemroot%\ehome\ehprivjob.exe /ocurdiscovery" [ms]
"updaterecordpath" -> launches: "%systemroot%\ehome\ehprivjob.exe /doupdaterecordpath $(arg0)" [ms]

c:\windows\system32\tasks\microsoft\windows\mobilepc
"hotstart" -> launches: "{06da0625-9701-43da-bfd7-fbeea2180a1e}"
-> {hklm...clsid} = "hotstart user agent"
\inprocserver32\(default) = "c:\windows\system32\hotstartuseragent.dll" [ms]
"tmm" -> launches: "{35ef4182-f900-4632-b072-8639e4478a61}"
-> {hklm...clsid} = "transient multi-monitor manager"
\inprocserver32\(default) = "c:\windows\system32\tmm.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\mui
"lpremove" -> launches: "%windir%\system32\lpremove.exe" [ms]

c:\windows\system32\tasks\microsoft\windows\multimedia
"systemsoundsservice" -> launches: "{2dea658f-54c1-4227-af9b-260ab5fc3543}"
-> {hklm...clsid} = "microsoft playsoundservice class"
\inprocserver32\(default) = "c:\windows\system32\playsndsrv.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\networkaccessprotection
"napstatus ui" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
-> {hklm...clsid} = "nap itask handler implementation"
\inprocserver32\(default) = "c:\windows\system32\qagent.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\pla\system
"convertlogentries" -> (hidden!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,placonvertlogentries" [ms]

c:\windows\system32\tasks\microsoft\windows\rac
"racagent" -> (hidden!) launches: "%windir%\system32\racagent.exe" [ms]

c:\windows\system32\tasks\microsoft\windows\remoteassistance
"remoteassistancetask" -> (hidden!) launches: "%windir%\system32\raserver.exe /offerraupdate" [ms]

c:\windows\system32\tasks\microsoft\windows\shell
"crawlstartpages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}"
-> {hklm...clsid} = "crawlstartpages task handler"
\inprocserver32\(default) = "c:\windows\system32\srchadmin.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\sideshow
"gadgetmanager" -> launches: "{ff87090d-4a9a-4f47-879b-29a80c355d61}"
-> {hklm...clsid} = "gadgetsmanager class"
\inprocserver32\(default) = "c:\windows\system32\auxiliarydisplayservices.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\systemrestore
"sr" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,executescheduledsppcreation" [ms]

c:\windows\system32\tasks\microsoft\windows\tcpip
"ipaddressconflict1" -> launches: "rundll32 ndfapi.dll,ndfrundllduplicateipoffendingsystem" [ms]
"ipaddressconflict2" -> launches: "rundll32 ndfapi.dll,ndfrundllduplicateipdefendingsystem" [ms]

c:\windows\system32\tasks\microsoft\windows\textservicesframework
"msctfmonitor" -> (hidden!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
-> {hklm...clsid} = "msctfmonitor task handler"
\inprocserver32\(default) = "c:\windows\system32\msctfmonitor.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\upnp
"upnphostconfig" -> launches: "sc.exe config upnphost start= auto" [ms]

c:\windows\system32\tasks\microsoft\windows\wdi
"resolutionhost" -> (hidden!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
-> {hklm...clsid} = "diagnosticinfrastructurecustomhandler"
\inprocserver32\(default) = "c:\windows\system32\wdi.dll" [ms]

c:\windows\system32\tasks\microsoft\windows\windows error reporting
"queuereporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [ms]

c:\windows\system32\tasks\microsoft\windows\wired
"gatherwiredinfo" -> launches: "%windir%\system32\gatherwiredinfo.vbs" [null data]

c:\windows\system32\tasks\microsoft\windows\wireless
"gatherwirelessinfo" -> launches: "%windir%\system32\gatherwirelessinfo.vbs" [null data]

c:\windows\system32\tasks\microsoft\windows defender
"mp scheduled scan" -> (hidden!) launches: "c:\program files\windows defender\mpcmdrun.exe scan -restrictprivileges" [ms]


winsock2 service provider dlls:
-------------------------------

namespace service providers

hklm\system\currentcontrolset\services\winsock2\parameters\namespace_catalog5\catalog_entries\ {++}
000000000001\librarypath = "%systemroot%\system32\nlaapi.dll" [ms]
000000000002\librarypath = "%systemroot%\system32\napinsp.dll" [ms]
000000000003\librarypath = "%systemroot%\system32\pnrpnsp.dll" [ms]
000000000004\librarypath = "%systemroot%\system32\pnrpnsp.dll" [ms]
000000000005\librarypath = "%systemroot%\system32\mswsock.dll" [ms]
000000000006\librarypath = "%systemroot%\system32\winrnr.dll" [ms]

transport service providers

hklm\system\currentcontrolset\services\winsock2\parameters\protocol_catalog9\catalog_entries\ {++}
0000000000##\packedcatalogitem (contains) dll [company name], (at) ## range:
%systemroot%\system32\mswsock.dll [ms], 01 - 10


running services (display name, service name, path {service dll}):
------------------------------------------------------------------

anschlussumleitung für terminaldienst im benutzermodus, umrdpservice, "c:\windows\system32\svchost.exe -k localsystemnetworkrestricted" {"c:\windows\system32\umrdp.dll" [ms]}
avira antivir personal - free antivirus guard, antivirservice, ""c:\primärordner\avira\antivir personaledition classic\avguard.exe"" ["avira gmbh"]
avira antivir personal - free antivirus planer, antivirscheduler, ""c:\primärordner\avira\antivir personaledition classic\sched.exe"" ["avira gmbh"]
bonjour-dienst, bonjour service, ""c:\program files (x86)\bonjour\mdnsresponder.exe"" ["apple inc."]
creative audio service, ctaudsvcservice, "c:\program files (x86)\creative\shared files\ctaudsvc.exe" ["creative technology ltd"]
cyberlink richvideo service(crvs), richvideo, ""c:\program files (x86)\cyberlink\shared files\richvideo.exe"" [empty string]
lavasoft ad-aware service, aawservice, "c:\primärordner\lavasoft\ad-aware\aawservice.exe" ["lavasoft"]
lvcomser, lvcomser, ""c:\program files\common files\logishrd\lvcomser\lvcser64.exe"" ["logitech inc."]
messenger usn journal reader-service für freigegebene ordner, usnjsvc, ""c:\program files (x86)\windows live\messenger\usnsvc.exe"" [ms]
nvidia display driver service, nvsvc, "c:\windows\system32\nvvsvc.exe" ["nvidia corporation"]
peer name resolution-protokoll, pnrpsvc, "c:\windows\system32\svchost.exe -k localservicenetworkrestricted" {"c:\windows\system32\p2psvc.dll" [ms]}
peernetzwerkidentitäts-manager, p2pimsvc, "c:\windows\system32\svchost.exe -k localservicenetworkrestricted" {"c:\windows\system32\p2psvc.dll" [ms]}
pnkbstra, pnkbstra, "c:\windows\system32\pnkbstra.exe" [file not found]
pnp-x-ip-busauflistung, ipbusenum, "c:\windows\system32\svchost.exe -k localsystemnetworkrestricted" {"c:\windows\system32\ipbusenum.dll" [ms]}
process monitor, lvprcs64, ""c:\program files\common files\logishrd\lvmvfm\lvprcsrv.exe"" ["logitech inc."]
sstp-dienst, sstpsvc, "c:\windows\system32\svchost.exe -k localservice" {"c:\windows\system32\sstpsvc.dll" [ms]}
stardock windowblinds, windowblinds, "c:\sekundärordner\stardock\mycolors\vistasrv.exe" ["stardock corporation"]
terminaldienstekonfiguration, sessionenv, "c:\windows\system32\svchost.exe -k netsvcs" {"c:\windows\system32\sessenv.dll" [ms]}
windows driver foundation - benutzermodus-treiberframework, wudfsvc, "c:\windows\system32\svchost.exe -k localsystemnetworkrestricted" {"c:\windows\system32\wudfsvc.dll" [ms]}
windows media center extender-dienst, mcx2svc, "c:\windows\system32\svchost.exe -k localservice" {"c:\windows\system32\mcx2svc.dll" [ms]}
windows media player-netzwerkfreigabedienst, wmpnetworksvc, ""c:\program files\windows media player\wmpnetwk.exe"" [ms]
windows-bilderfassung, stisvc, "c:\windows\system32\svchost.exe -k imgsvc" {"c:\windows\system32\wiaservc.dll" [ms]}
zertifikatverteilung, certpropsvc, "c:\windows\system32\svchost.exe -k netsvcs" {"c:\windows\system32\certprop.dll" [ms]}
zugriff auf eingabegeräte, hidserv, "c:\windows\system32\svchost.exe -k localsystemnetworkrestricted" {"c:\windows\system32\hidserv.dll" [ms]}


print monitors:
---------------

hklm\system\currentcontrolset\control\print\monitors\
epson stylus dx7400 series 64monitorbe\driver = "e_ilmcde.dll" ["seiko epson corporation"]


---------- (launch time: 2008-12-07 18:34:29)
<<!>>: Suspicious data at a malware launch point.

+ this report excludes default entries except where indicated.
+ to see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ to search all directories of local fixed drives for desktop.ini
dll launch points, use the -supp parameter or answer "no" at the
first message box and "yes" at the second message box.
---------- (total run time: 35 seconds, including 13 seconds for message boxes)

---------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------

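The listing above ends with the entries a helper looks at first: a service whose binary is missing ("pnkbstra" [file not found]), two scripts the tool could not attribute ([null data]) and a third-party service with no signer string ([empty string]). The Python below is an added example, not code from the original post or from the scanning tool: it parses lines in this layout and sorts them by the trailing attribution tag, so the "review" entries surface without reading the whole paste. The sample lines are copied from the listing; the name-extraction rules (first quoted string for task lines, second comma-separated field for service lines) and the rule that a hidden, non-Microsoft entry is worth a look are the example's own simplifications.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the listing above
# (the forum paste lowercased them; the parser does not care about case).
SAMPLE = r'''
"racagent" -> (hidden!) launches: "%windir%\system32\racagent.exe" [ms]
"gatherwiredinfo" -> launches: "%windir%\system32\gatherwiredinfo.vbs" [null data]
cyberlink richvideo service(crvs), richvideo, ""c:\program files (x86)\cyberlink\shared files\richvideo.exe"" [empty string]
pnkbstra, pnkbstra, "c:\windows\system32\pnkbstra.exe" [file not found]
stardock windowblinds, windowblinds, "c:\sekundärordner\stardock\mycolors\vistasrv.exe" ["stardock corporation"]
sstp-dienst, sstpsvc, "c:\windows\system32\svchost.exe -k localservice" {"c:\windows\system32\sstpsvc.dll" [ms]}
'''

# The quoted target right before the trailing [attribution] tag, e.g.
#   "c:\...\foo.exe" [ms]   or   {"c:\...\bar.dll" [ms]}   or   ""...\x.exe"" [empty string]
ENTRY_RE = re.compile(r'"([^"]+)""?\s*\[([^\]]*)\]\s*\}?\s*$')

# Tags the tool emits when it could not attribute the launched object.
SUSPECT_TAGS = {"file not found", "null data", "empty string"}


@dataclass
class Entry:
    name: str
    target: str
    tag: str
    hidden: bool
    verdict: str  # "microsoft", "third-party" or "review"


def classify(line: str):
    """Parse one task/service line; return an Entry, or None if it is not one."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    target = m.group(1)
    tag = m.group(2).strip().strip('"').lower()
    hidden = "(hidden!)" in line.lower()
    if line.startswith('"'):          # scheduled-task line: "name" -> launches: ...
        name = line.split('"')[1]
    else:                             # service line: display name, service name, path
        name = line.split(", ")[1]
    if tag in SUSPECT_TAGS:
        verdict = "review"            # dangling entry or unverifiable launch point
    elif tag == "ms":
        verdict = "microsoft"
    elif hidden:
        verdict = "review"            # hidden entries are routine only for Microsoft's own tasks
    else:
        verdict = "third-party"
    return Entry(name, target, tag, hidden, verdict)


def triage(text: str):
    """Classify every parsable line of a pasted listing, in order."""
    return [e for e in (classify(l) for l in text.strip().splitlines()) if e]


def needs_review(text: str):
    """Names of the entries a helper should look at first."""
    return [e.name for e in triage(text) if e.verdict == "review"]


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.verdict:11} {e.name:18} {e.target}  [{e.tag}]")
```

Running it on the sample prints the three "review" entries (gatherwiredinfo, richvideo, pnkbstra) alongside the Microsoft and third-party ones; a missing binary behind a still-registered service is the classic leftover after an uninstall or a partial clean-up, and is cheap to confirm by checking whether the path exists.
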
DigitalDeath 07.12.2008 18:45

I'm running Malwarebytes over it right now and will post that log here as well :)

DigitalDeath 08.12.2008 15:40

The first Malwarebytes log:

Quote:

Malwarebytes' Anti-Malware 1.31
Database version: 1471
Windows 6.0.6001 Service Pack 1

07.12.2008 23:56:50
mbam-log-2008-12-07 (23-56-50).txt

Scan type: Quick Scan
Objects scanned: 49184
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Ran it again afterwards, no detections.

Chris4You 09.12.2008 08:10

Hi,

reinstall the graphics drivers (nVidia)?,
parts of them aren't being found...

Also, there are IP address conflicts on your machine,
the corresponding service is running...

Then the Vista service for "Corrupted or Damaged File Repair for Windows Disk Failure" is running,
you should check your hard disk...

Scan with Dr. Web & post the log;
http://www.trojaner-board.de/59299-anleitung-drweb-cureit.html

I don't like that the MBR can't be read, but that may
be down to Vista's permission handling;

First attempt:
Avira Anti-Rootkit
Download Avira Anti-Rootkit, scan your system and post the log file.
http://dl.antivir.de/down/windows/antivir_rootkit.zip

Otherwise it looks fairly unremarkable, but I'm no Vista expert.
To be safe, run Prevx over it as well...
http://www.prevx.com/freescan.asp
Please post any detections...

Please have the following files checked:

Check files online:
  • Go to the Virustotal site, click the "Browse" button and locate the following file(s):
Code:

C:\Windows\TEMP\E_S97A.tmp
C:\Windows\SysWOW64\mshta.exe
C:\Windows\system32\dimsjob.dll

  • Now upload each file in turn and wait until the scan has finished (it can take up to 2 minutes).
  • Afterwards post the result of the analysis: copy everything and paste it into a reply.
  • Important: copy the file size and the HASH as well!

chris

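Chris4You asks for the size and hashes alongside each VirusTotal verdict because they are what ties a verdict to the exact file on disk. The Python below is an added example, not code from the thread or from VirusTotal: it computes the same digests locally and parses the "additional information" block of a pasted report, so the two can be compared field by field; any mismatch means the verdict belongs to a different file (a stale copy, a file from another machine, or a renamed upload). The sample report text is constructed from the mshta.exe result posted later in the thread; the function names are the example's own.

```python
import hashlib
import re

# Constructed sample: the "additional information" fields of a pasted
# VirusTotal report, in the layout the thread shows (values taken from the
# mshta.exe result quoted further down the thread).
SAMPLE_REPORT = """
File size: 45568 bytes
MD5...: 98dbb19126ffb940dfd40cc3c8706e89
SHA1..: 5a2f4f5c8eed5701f16bf16601197412147cc0d9
SHA256: 830aec1bd342b65d6fd5c6bb4196d541a3d7911d0d4849311be304599d16c85a
"""

FIELDS = ("size", "md5", "sha1", "sha256")
LABELS = {"File size": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
# Label at line start, a run of dots/colons/spaces, then the value (decimal or hex).
FIELD_RE = re.compile(r"^(File size|MD5|SHA1|SHA256)[.: ]+([0-9a-fA-F]+)", re.M)


def parse_report(text: str) -> dict:
    """Pull size and digests out of a pasted report; KeyError if one is missing."""
    found = {LABELS[k]: v.lower() for k, v in FIELD_RE.findall(text)}
    return {"size": int(found["size"]), "md5": found["md5"],
            "sha1": found["sha1"], "sha256": found["sha256"]}


def digests(data: bytes) -> dict:
    """Size and digests of in-memory bytes, same shape as parse_report()."""
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def digests_of_file(path: str) -> dict:
    """Same for a file on disk, streamed so a large binary need not fit in memory."""
    hashers = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    return {"size": size, **{n: h.hexdigest() for n, h in hashers.items()}}


def as_report(d: dict) -> str:
    """Render digests in the pasted-report layout, for posting next to a verdict."""
    return (f"File size: {d['size']} bytes\nMD5...: {d['md5']}\n"
            f"SHA1..: {d['sha1']}\nSHA256: {d['sha256']}\n")


def mismatches(local: dict, report: dict) -> list:
    """Fields where the local file differs from the report; empty means the verdict applies to this file."""
    return [k for k in FIELDS if local[k] != report[k]]


if __name__ == "__main__":
    import sys
    # Usage: python hashcheck.py <file>...  prints a report block per file.
    for path in sys.argv[1:]:
        print(path)
        print(as_report(digests_of_file(path)))
```

SHA-512 and ssdeep are deliberately left out of the comparison: the pasted SHA-512 wraps across two lines in this forum's layout, and ssdeep is a similarity digest, not an identity check. Comparing MD5 alone is not enough either, because a collision is cheap to produce for MD5; SHA-256 is the field to trust when the others disagree.
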
DigitalDeath 09.12.2008 19:25

Hi, thanks a lot for the reply - I can't use Prevx or AntiVir Rootkit, an error message comes up - Prevx gives an incompatibility message, because I have a 64-bit system and it only supports 32-bit - AntiVir Rootkit can't be started -
error message "Error loading Driver !"

I'll reinstall the graphics drivers now, check the hard disk (Windows service) and run Dr.Web, then post the log.

In the meantime - until the check is finished - here are the VirusTotal results:

---------------

C:\Windows\TEMP\E_S97A.tmp - this file doesn't exist :)

---------------
---------------

mshta.exe report:
Quote:

File mshta.exe received 2008.12.09 19:17:05 (CET)
Status: Finished
Result: 0/38 (0%)

Antivirus  Version  Last update  Result
AhnLab-V3 2008.12.10.0 2008.12.09 -
AntiVir 7.9.0.43 2008.12.09 -
Authentium 5.1.0.4 2008.12.09 -
Avast 4.8.1281.0 2008.12.09 -
AVG 8.0.0.199 2008.12.09 -
BitDefender 7.2 2008.12.09 -
CAT-QuickHeal 10.00 2008.12.09 -
ClamAV 0.94.1 2008.12.09 -
Comodo 713 2008.12.09 -
DrWeb 4.44.0.09170 2008.12.09 -
eSafe 7.0.17.0 2008.12.09 -
eTrust-Vet 31.6.6252 2008.12.09 -
Ewido 4.0 2008.12.09 -
F-Prot 4.4.4.56 2008.12.09 -
F-Secure 8.0.14332.0 2008.12.09 -
Fortinet 3.117.0.0 2008.12.09 -
GData 19 2008.12.09 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.549 2008.12.09 -
Kaspersky 7.0.0.125 2008.12.09 -
McAfee 5458 2008.12.08 -
McAfee+Artemis 5458 2008.12.09 -
Microsoft 1.4205 2008.12.09 -
NOD32 3677 2008.12.09 -
Norman 5.80.02 2008.12.09 -
Panda 9.0.0.4 2008.12.09 -
PCTools 4.4.2.0 2008.12.09 -
Prevx1 V2 2008.12.09 -
Rising 21.07.12.00 2008.12.09 -
SecureWeb-Gateway 6.7.6 2008.12.09 -
Sophos 4.36.0 2008.12.09 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.09 -
TheHacker 6.3.1.2.180 2008.12.09 -
TrendMicro 8.700.0.1004 2008.12.09 -
VBA32 3.12.8.10 2008.12.09 -
ViRobot 2008.12.9.1509 2008.12.09 -
VirusBuster 4.5.11.0 2008.12.09 -
Additional information
File size: 45568 bytes
MD5...: 98dbb19126ffb940dfd40cc3c8706e89
SHA1..: 5a2f4f5c8eed5701f16bf16601197412147cc0d9
SHA256: 830aec1bd342b65d6fd5c6bb4196d541a3d7911d0d4849311be304599d16c85a
SHA512: a6b408cd3e7fda3fb19e33399c5407fa0ba12b36c4ddd6ee244619525b94b2545a639b926e330fe6c7b3388e67734295d18034cc9e08ce060a94fdbece0f9bbd
ssdeep: 768:lnb3ctK41cd3ThMM2Le/Vb9Q+kCT850JdvQE4krx:lrm3qdDhB2LYA+kC7Q1kV
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1002823
timedatestamp.....: 0x47918edd (Sat Jan 19 05:47:09 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x7f8a 0x8000 6.58 99e874473d081b4c873b642d428bd537
.data 0x9000 0x1840 0xe00 2.35 4d344bb93bfc62cd114659199cf1d753
.rsrc 0xb000 0x11b0 0x1200 3.94 5fb4fe3a8796e01f864e5058708743ec
.reloc 0xd000 0xc4c 0xe00 4.05 76156172086e563f00327509992ebb6d

( 2 imports )
> ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> KERNEL32.dll: GetVersion, GetProcAddress, GetModuleHandleW, FreeLibrary, MultiByteToWideChar, lstrlenA, LoadLibraryW, LoadLibraryA, ExpandEnvironmentStringsA, GetCommandLineA, GetVersionExA, GetStartupInfoA, SetUnhandledExceptionFilter, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetLastError, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, GetCurrentThreadId, HeapDestroy, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapAlloc, LeaveCriticalSection, EnterCriticalSection, OutputDebugStringA, InitializeCriticalSection, GetCPInfo, GetACP, GetOEMCP, Sleep, VirtualAlloc, HeapReAlloc, RtlUnwind, UnhandledExceptionFilter, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, TerminateProcess, GetCurrentProcess, VirtualProtect, GetSystemInfo, VirtualQuery

( 0 exports )
---------------
---------------

dimsjob.dll report:

Quote:

File dimsjob.dll received 2008.12.09 19:21:46 (CET)
Status: Finished
Result: 0/38 (0%)

Antivirus  Version  Last update  Result
AhnLab-V3 2008.12.10.0 2008.12.09 -
AntiVir 7.9.0.43 2008.12.09 -
Authentium 5.1.0.4 2008.12.09 -
Avast 4.8.1281.0 2008.12.09 -
AVG 8.0.0.199 2008.12.09 -
BitDefender 7.2 2008.12.09 -
CAT-QuickHeal 10.00 2008.12.09 -
ClamAV 0.94.1 2008.12.09 -
Comodo 713 2008.12.09 -
DrWeb 4.44.0.09170 2008.12.09 -
eSafe 7.0.17.0 2008.12.09 -
eTrust-Vet 31.6.6252 2008.12.09 -
Ewido 4.0 2008.12.09 -
F-Prot 4.4.4.56 2008.12.09 -
F-Secure 8.0.14332.0 2008.12.09 -
Fortinet 3.117.0.0 2008.12.09 -
GData 19 2008.12.09 -
Ikarus T3.1.1.45.0 2008.12.08 -
K7AntiVirus 7.10.549 2008.12.09 -
Kaspersky 7.0.0.125 2008.12.09 -
McAfee 5458 2008.12.08 -
McAfee+Artemis 5458 2008.12.09 -
Microsoft 1.4205 2008.12.09 -
NOD32 3677 2008.12.09 -
Norman 5.80.02 2008.12.09 -
Panda 9.0.0.4 2008.12.09 -
PCTools 4.4.2.0 2008.12.09 -
Prevx1 V2 2008.12.09 -
Rising 21.07.12.00 2008.12.09 -
SecureWeb-Gateway 6.7.6 2008.12.09 -
Sophos 4.36.0 2008.12.09 -
Sunbelt 3.1.1832.2 2008.12.01 -
Symantec 10 2008.12.09 -
TheHacker 6.3.1.2.180 2008.12.09 -
TrendMicro 8.700.0.1004 2008.12.09 -
VBA32 3.12.8.10 2008.12.09 -
ViRobot 2008.12.9.1509 2008.12.09 -
VirusBuster 4.5.11.0 2008.12.09 -
Additional information
File size: 35328 bytes
MD5...: 70c6489d56008d75dedf73226fa63c11
SHA1..: 1f43ccbd2092f8c51ecdf2a81641db804b37216e
SHA256: 7ab4c89d7a259bb7dd6f24c5ca181749c3015a06b160b91593f2f1fc1e4aedce
SHA512: a01ff5a1598d9b6a48954135f69ccd66d92a0c32d5de05f8d4c0d5ee2eb2f8b6b776ef8627b991c39a7fe485ef58d53241604839f11ca65e498c9493f8eaa32c
ssdeep: 384:0vqAeyIn+sRBkgCYCLGUS7rkj8P3Au5tgW8s/8UK+meX/B9rKqmtSyHpllO5O5BQ:wA+I9FrhfgVs/jKu2zHpvNegugaim
PEiD..: -
TrID..: File type identification
DirectShow filter (58.4%)
Win64 Executable Generic (24.8%)
Win32 Executable MS Visual C++ (generic) (10.9%)
Win32 Executable Generic (2.4%)
Win32 Dynamic Link Library (generic) (2.1%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4a445864
timedatestamp.....: 0x4791a66f (Sat Jan 19 07:27:43 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x66c4 0x6800 6.31 6ad59d53f0cdd81bbf02db60ffa86c7e
.data 0x8000 0x3d4 0x200 0.66 50adaaeffff3dfb352f16eb7f4052a67
.rsrc 0x9000 0x1210 0x1400 3.47 e73042764d0290ee1494c71183fb54a9
.reloc 0xb000 0x7c2 0x800 6.17 c2c61b94a01db00dac881ed6e3fd474a

( 6 imports )
> msvcrt.dll: _wcsicmp, __CxxFrameHandler3, rand, _adjust_fdiv, memcpy, wcscat_s, _XcptFilter, malloc, _terminate@@YAXXZ, _except_handler4_common, _onexit, _lock, __dllonexit, _unlock, __1type_info@@UAE@XZ, _CxxThrowException, _amsg_exit, _initterm, free
> ntdll.dll: TpAllocTimer, RtlAcquireSRWLockExclusive, TpSetTimer, RtlReleaseSRWLockShared, RtlInitializeSRWLock, RtlAcquireSRWLockShared, TpReleaseTimer, RtlReleaseSRWLockExclusive, TpWaitForTimer, TpAllocWait, TpReleaseWait, TpSetWait, TpWaitForWait
> KERNEL32.dll: SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, QueryPerformanceCounter, InterlockedCompareExchange, Sleep, LocalReAlloc, LocalAlloc, GetCurrentThread, DisableThreadLibraryCalls, InterlockedDecrement, InterlockedIncrement, InterlockedExchangeAdd, GetLastError, GetModuleFileNameW, LocalFree, MulDiv, GetTickCount, CloseHandle, FindCloseChangeNotification, FindNextChangeNotification, FindFirstChangeNotificationW, CreateEventW, InterlockedExchange, FreeLibrary, GetProcAddress, LoadLibraryW, GetSystemDirectoryW, GetCurrentProcess
> ADVAPI32.dll: EventWrite, EventUnregister, EventRegister, GetTraceEnableFlags, OpenThreadToken, OpenProcessToken, GetTokenInformation, ConvertSidToStringSidW, RegQueryValueExW, RegDeleteKeyW, RegSetValueExW, RegCloseKey, RegOpenKeyExW, RegCreateKeyExW, UnregisterTraceGuids, RegisterTraceGuidsW, GetTraceLoggerHandle, GetTraceEnableLevel, TraceMessage
> USERENV.dll: UnregisterGPNotification, GetUserProfileDirectoryW, RegisterGPNotification
> ncrypt.dll: NCryptNotifyChangeKey, NCryptOpenStorageProvider, NCryptFreeObject

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

DigitalDeath 10.12.2008 00:33

Hi, the problem has resolved itself - since the PC wouldn't even boot any more and the screen always stayed black, I decided to format, which I then did, and now I'm virus-free again and everything works again - thanks a lot for the help all the same! :dankeschoen:

Regards



Copyright ©2000-2025, Trojaner-Board

