Biene - Antivirus Gold ? vcodec.com infizierung

#1 Datentr„ger in Laufwerk C: ist Windows
Volumeseriennummer: CCF5-5ACE

Verzeichnis von C:\WINDOWS\system32

( Log Version 1 )

18.12.2005 23:10 2.321.408 TUKernel.exe

( Log Version 2 )

18.12.2005 22:16 24.064 ldB239.tmp
18.12.2005 22:16 14.624 mscornet.exe

Zitat

Hi,
das scheint von den „TuneUp Utilities 2004 > TuneUp WinStyler“ zu kommen. Die Datei enthält den aktuellen Bootscreen

http://www.neowin.net/forum/lofiversion/in...hp/t387432.html

Code

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Skype" = ""C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WebDriveTray" = "C:\Programme\NetDrive\netdrive.exe /trayicon" [null data]
"DiskeeperSystray" = ""C:\Programme\Executive Software\Diskeeper\DkIcon.exe"" ["Executive Software International, Inc."]
"CoolSwitch" = "C:\WINDOWS\System32\taskswitch.exe" [null data]
"Acrobat Assistant 7.0" = ""C:\Programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = "C:\Programme\Java\jre1.5.0_05\bin\jusched.exe" ["Sun Microsystems, Inc."]
"gcasServ" = ""C:\Programme\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"SmcService" = "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui" ["Sygate Technologies, Inc."]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"NeroFilterCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"type32" = ""C:\Programme\Microsoft IntelliType Pro\type32.exe"" [MS]
"IntelliPoint" = ""C:\Programme\Microsoft IntelliPoint\point32.exe"" [MS]
"(Default)" = (empty string)
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"TrueImageMonitor.exe" = "C:\Programme\Acronis\TrueImage\TrueImageMonitor.exe" ["Acronis"]
"Acronis Scheduler2 Service" = ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]
"KAV50" = ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = "HelperObject Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 7\SnagItBHO.dll" ["TechSmith Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\SpywareGuard\dlprotect.dll" [null data]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 7\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 7\SnagItShellExt.dll" ["TechSmith Corporation"]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
"{04466240-beb3-11d1-be1c-00aa006b77f4}" = "WebDrive Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "rfshext.dll" [null data]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
"{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
"{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplact.dll"" [MS]
"{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\SpywareGuard\spywareguard.dll" [null data]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\ShellEx.dll" ["Kaspersky Lab"]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 7\SnagItShellExt.dll" ["TechSmith Corporation"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WebDrive\(Default) = "{04466240-beb3-11d1-be1c-00aa006b77f4}"
  -> {CLSID}\InProcServer32\(Default) = "rfshext.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 7\SnagItShellExt.dll" ["TechSmith Corporation"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
  -> {CLSID}\InProcServer32\(Default) = ""C:\Programme\TuneUp Utilities 2006\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{DD230880-495A-11D1-B064-008048EC2FC5}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\ShellEx.dll" ["Kaspersky Lab"]
WebDrive\(Default) = "{04466240-beb3-11d1-be1c-00aa006b77f4}"
  -> {CLSID}\InProcServer32\(Default) = "rfshext.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\Yourhighness.BETZI\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Startup items in "Yourhighness" & "All Users" startup folders:
--------------------------------------------------------------

C:\Dokumente und Einstellungen\Yourhighness.BETZI\Startmenü\Programme\Autostart
"SpywareGuard" -> shortcut to: "C:\Programme\SpywareGuard\sgmain.exe" [null data]

C:\Dokumente und Einstellungen\All Users.WINDOWS\Startmenü\Programme\Autostart
"Adobe Acrobat - Schnellstart" -> shortcut to: "C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe" [null data]
"Adobe Gamma Loader.exe" -> shortcut to: "C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"ScanPanel" -> shortcut to: "C:\ScanPanel\ScnPanel.exe" [empty string]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\dcsws2.dll ["DiamondCS"], 01 - 03
%SystemRoot%\system32\mswsock.dll [MS], 04 - 07, 10 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 08 - 09


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 7\SnagItIEAddin.dll" ["TechSmith Corporation"]

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Recherchieren"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_05\bin\npjpi150_05.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Recherchieren"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "TuneUp" = "file://C|/Dokumente und Einstellungen/All Users.WINDOWS/Anwendungsdaten/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
AntiVir Update Manager, AVUpdateManager, "C:\Programme\Internet Update Manager\UPDMGR.EXE" ["H+BEDV Datentechnik GmbH, Germany"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Diskeeper, Diskeeper, ""C:\Programme\Executive Software\Diskeeper\DkService.exe"" ["Executive Software International, Inc."]
KLBLMain, KLBLMain, ""C:\Programme\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000" ["Kaspersky Lab"]
Machine Debug Manager, MDM, ""C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Sygate Personal Firewall Pro, SmcService, "C:\Programme\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
TuneUp WinStyler Theme Service, TUWinStylerThemeSvc, "C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe" ["TuneUp Software GmbH"]
WebDrive Service, WebDriveService, "C:\Programme\NetDrive\wdservice.exe" [null data]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\System32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 50 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
  took 17 seconds.
---------- (total run time: 114 seconds)

__________
Yourhighness
Yourhighness' Seite / Mein Blog (Englisch)

#2 Einige Spyaxe instgaller melden sich beim Start mit der meldung, das sie diesen vcodec installieren wollen. Du kannst dir diese Dateien schicken, bzw bei Jotti pruefen lassen:

( Log Version 1 )

18.12.2005 23:10 2.321.408 TUKernel.exe --> installer fuer Spyaxe oder aehnlicher fake AS

( Log Version 2 )

18.12.2005 22:16 24.064 ldB239.tmp
18.12.2005 22:16 14.624 mscornet.exe

Obige sind Standardnamen fuer Zlob(Spyaxe downloader)
__________
MfG Ralf
SEO-Spam Hunter

#3 was mich interessiert:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"(Default)" = (empty string)

-------------------

hier eine andere Verseuchung:

Verzeichnis von C:\WINDOWS\system32

12.12.2005 15:02 5.088 ncompat.tlb
12.12.2005 14:56 6.144 msvol.tlb
12.12.2005 14:56 24.064 ld49FD.tmp
12.12.2005 14:56 9.932 hp45D7.tmp
12.12.2005 14:49 9.780 mssearchnet.exe
12.12.2005 14:47 9.932 hp9B17.tmp
12.12.2005 14:47 24.064 ld9A6B.tmp
12.12.2005 13:57 2.184 wpa.dbl
10.12.2005 22:04 15.484 nvctrl.exe
07.12.2005 19:13 14.396 mscornet.exe
10.11.2005 21:17 2.377.568 MRT.exe
08.11.2005 17:01 1.140 qtplugin.log
30.10.2005 09:47 2.116.992 TUKernel.exe

Verzeichnis von C:\WINDOWS
12.12.2005 14:34 28.199 xpsp1hfm.log

findest du diese log?
xpsp1hfm.log
__________
MfG Sabina

rund um die PC-Sicherheit

#4

Zitat

raman postete
Einige Spyaxe instgaller melden sich beim Start mit der meldung, das sie diesen vcodec installieren wollen. Du kannst dir diese Dateien schicken, bzw bei Jotti pruefen lassen:

( Log Version 1 )

18.12.2005 23:10 2.321.408 TUKernel.exe --> installer fuer Spyaxe oder aehnlicher fake AS

( Log Version 2 )

18.12.2005 22:16 24.064 ldB239.tmp
18.12.2005 22:16 14.624 mscornet.exe

Obige sind Standardnamen fuer Zlob(Spyaxe downloader)

Hallo Raman,

dies sind Auszuege aus meinem Log nach dem ich mich absichtlich mit Vcodec infiziert hatte. Die Dateien befinden sich nicht mehr auf dem Pc, da mir bewusst war das es spyaxe ist. Der TUKernel ist Tuneup.

@Biene

Zitat

Verzeichnis von C:\WINDOWS
12.12.2005 14:34 28.199 xpsp1hfm.log

Dieses Log habe ich dir nie gepostet. Dementsprechend habe ich es auch nicht auf dem PC.

BTW: Den angeblich installierten Vcodec habe ich immer noch nicht auf dem PC gefunden.
__________
Yourhighness
Yourhighness' Seite / Mein Blog (Englisch)

#5 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
(Default)" = (empty string)

kann das der SpyAxe sein, nur eben "versteckt" ?
Im Log vom HijackThis findet man ihn nicht.
(Der Eintrag ist mir frueher schon aufgefallen..... )
__________
MfG Sabina

rund um die PC-Sicherheit