| schlumpf | 28.01.2010 17:11 |
Firewall, Virenscanner werden beendet, kann aber keinen Grund finden. W32/Bagle?
Mein System zickte vorige Tage etwas rum. So gut wie alle Programme aus dem Trybar (Zonealarm, Avira Antivir usw.) verschwanden bei Mouseover. Ich konnte dann beide Tools auch nicht mehr manuell starten. Windows abgesicherter Modus startete immer neu ohne hochzufahren. Systemwiderherstellung weigerte sich ältere Zustände wiederherzustellen. Also mal die aktuelle c't desinfec't mmit allen 4 Scannern laufen lassen. Ich weiß jetzt nicht mehr genau, aber ich denke nichts gefunden. Gegoogled und Hinweise auf Hijack this und combofix gefunden. Beide Programme lassen sich nicht starten. Auch nicht nach Umbenennung. Auch wird der Webbrowser stets geschlossen, wenn ich "Hijackthis" eingebe. Also kam der Verdacht nach W32/Bagle auf. Nach weiteren Versuchen habe ich dann C Platt gemacht und Windows zähneknirschend neu installiert. Ich habe auch gleich als erstes wieder ZA und Avira (aktuell) installiert. Nach einigen weiteren Installationen fuhr der Rechner unmotiviert runter und wieder hoch und die Icons im Traybar verschwanden wieder bei Mouseover bzw. erschienen erst gar nicht. Wieder kann ich kein Diagnosetool starten. Ich bin etwas verwundert, weil bis zu dem Punkt, an dem der Rechner während der Installation neu startete, lief alles und das Programm, welches ich gerade installierte eigentlich vertrauenswürdig ist. Außerdem irritiert mich, daß Avira nicht gemeckert hat. Und dies ja auch nicht bei meinem vorherigen System, das ich platt gemacht habe. Avira sollte mich doch eigentlich schützen. Ich habe jetzt mal "Resolve 1.07, Datenstand 1.13" für W32/Bagle von sophos laufen lassen: kein Fund. Da Hijackthis nicht läuft, habe ich "Silent Runners.vbs", revision 60 laufen lassen. Kann da aber nichts verdächtiges finden.
Was kann ich jetzt machen? Irgendwas läuft auf dem System ja wohl schief, aber kein Tool findet was. Code:
"Silent Runners.vbs", revision 60, http://www.silentrunners.org/
Operating System: Windows XP SP3
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"H/PC Connection Agent" = ""D:\tools\activesync\Wcescomm.exe"" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avgnt" = ""E:\tools\Avira\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"]
"ZoneAlarm Client" = ""D:\zip\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"StartCCC" = ""C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun" ["Advanced Micro Devices, Inc."]
"SystemTray" = "SysTray.Exe" [MS]
"Adobe Reader Speed Launcher" = ""D:\tools\acrobat\reader9\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"Adobe ARM" = ""C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"" ["Adobe Systems Incorporated"]
"RemoteControl" = "E:\tools\powerdvd\PDVDServ.exe" ["Cyberlink Corp."]
"(Default)" = "(empty string)" [file not found]
"ISTray" = ""E:\tools\Spyware Doctor\pctsTray.exe"" ["PC Tools"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
-> {HKLM...CLSID} = "Adobe PDF Link Helper"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "E:\tools\Avira\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "D:\zip\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "D:\office07\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "D:\office07\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\office07\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobiles Gerät"
\InProcServer32\(Default) = "D:\tools\ACTIVE~1\Wcesview.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\TOOLS\PACKER\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\TOOLS\PACKER\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\TOOLS\PACKER\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\TOOLS\PACKER\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\tools\packer\winrar\rarext.dll" [null data]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu Extension"
\InProcServer32\(Default) = "D:\tools\packer\winace\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 DragDrop Shell Extension"
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
\InProcServer32\(Default) = "D:\tools\packer\winace\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "D:\tools\packer\winace\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Property Sheet Shell Extension"
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
\InProcServer32\(Default) = "D:\tools\packer\winace\arcext.dll" ["e-merge GmbH"]
"{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}" = "VPCHostCopyHook"
-> {HKLM...CLSID} = "VPCHostCopyHook"
\InProcServer32\(Default) = "D:\virtualpc2004\VPCShExH.DLL" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\GEMEIN~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\
<<!>> ms-help\CLSID = "{314111c7-a502-11d2-bbca-00c04f8ec294}"
-> {HKLM...CLSID} = "HxProtocol Class"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Help\hxds.dll" [MS]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
SDContextExt\(Default) = "{70F8E90E-353A-47AB-B297-C576345EE693}"
-> {HKLM...CLSID} = "PC Tools Context Menu Extension"
\InProcServer32\(Default) = "E:\tools\SPYWAR~1\SDCONT~1.DLL" ["PC Tools"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "E:\tools\Avira\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\tools\packer\winrar\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\TOOLS\PACKER\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "D:\tools\packer\winace\arcext.dll" ["e-merge GmbH"]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "D:\zip\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\tools\packer\winrar\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\TOOLS\PACKER\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "D:\tools\packer\winace\arcext.dll" ["e-merge GmbH"]
HKLM\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\
VPCHostCopyHook\(Default) = "{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}"
-> {HKLM...CLSID} = "VPCHostCopyHook"
\InProcServer32\(Default) = "D:\virtualpc2004\VPCShExH.DLL" [MS]
HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\tools\packer\winrar\rarext.dll" [null data]
WinZip\(Default) = "{E0D79305-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\TOOLS\PACKER\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFDragDrop\(Default) = "{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
\InProcServer32\(Default) = "D:\tools\packer\winace\arcext.dll" ["e-merge GmbH"]
HKLM\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\
ACE\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
SDContextExt\(Default) = "{70F8E90E-353A-47AB-B297-C576345EE693}"
-> {HKLM...CLSID} = "PC Tools Context Menu Extension"
\InProcServer32\(Default) = "E:\tools\SPYWAR~1\SDCONT~1.DLL" ["PC Tools"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "E:\tools\Avira\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\tools\packer\winrar\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\TOOLS\PACKER\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "D:\zip\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\tools\packer\winrar\rarext.dll" [null data]
WinZip\(Default) = "{E0D79305-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "D:\TOOLS\PACKER\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ZFDragDrop\(Default) = "{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
\InProcServer32\(Default) = "D:\tools\packer\winace\arcext.dll" ["e-merge GmbH"]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
PDVDPlayCDAudioOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "AudioCD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD\Command\(Default) = ""E:\tools\powerdvd\PowerDVD.exe" "%L"" ["CyberLink Corp."]
PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""E:\tools\powerdvd\PowerDVD.exe" "%l"" ["CyberLink Corp."]
PDVDPlayVCDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "VCD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD\Command\(Default) = ""E:\tools\powerdvd\PowerDVD.exe" "%l"" ["CyberLink Corp."]
Startup items in "florian" & "All Users" startup folders:
---------------------------------------------------------
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"Monitor Apache Servers" -> shortcut to: "E:\tools\apache\bin\ApacheMonitor.exe" ["Apache Software Foundation"]
"Monitor Switcher" -> shortcut to: "E:\tools\Monitor Switcher\MonitorSwitcher.exe" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\office07\Office12\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "D:\tools\ACTIVE~1\INetRepl.dll" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Mobilen Favoriten erstellen..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "D:\tools\ACTIVE~1\INetRepl.dll" [MS]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Apache2.2, Apache2.2, ""E:\tools\apache\bin\httpd.exe" -k runservice" ["Apache Software Foundation"]
ProtexisLicensing, ProtexisLicensing, "C:\WINDOWS\system32\PSIService.exe" [null data]
USBMate, USBMate, "E:\tools\usv\usbmate.exe" ["Mega Corp."]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
FPR6:\Driver = "fpmon6.dll" ["FinePrint Software, LLC"]
HP Master Monitor\Driver = "HPBMMON.DLL" ["Hewlett-Packard"]
---------- (launch time: 2010-01-28 15:56:41)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 55 seconds, including 12 seconds for message boxes)
|
