Bagel-Entfernunsgversuch, bitte mal durchguggen

#1 Cheers,

wäre dankbar, wenn ihr hier mal rienguckt - ich habe mir irgendwie den berühmten Bagel (srosa.sys dingens) eingefangen und bin nun mit Avenger und diversen anderen Geschützen auf ihn losgegangen. Anschließend mit ATFCleaner UND CCleaner aufgeräumt, mir scheint das jetzt soweit sauber (Neuinst geht leider erst in ein paar Wochen), könntet ihr trotzdem nochmal drüber gucken?


Hier die Logs von Combiclean und Hijack:

ComboFix 07-09-20.1 - "bischo" 2007-09-20 13:07:06.2 - NTFS x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1031.18.539 [GMT 2:00]
.

((((((((((((((((((((((( Dateien erstellt von 2007-08-20 bis 2007-09-20 ))))))))))))))))))))))))))))))
.

2007-09-20 12:44 <DIR> d-------- C:\Programme\Avira
2007-09-20 12:44 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Avira
2007-09-20 12:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-19 20:48 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\MailFrontier
2007-09-19 20:47 75,932 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klick.dat
2007-09-19 20:47 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-09-19 20:47 74,396 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\klin.dat
2007-09-19 20:47 54,672 --a------ C:\WINDOWS\SYSTEM32\vsutil_loc0407.dll
2007-09-19 20:47 42,384 --a------ C:\WINDOWS\zllsputility_loc0407.dll
2007-09-19 20:47 21,904 --a------ C:\WINDOWS\SYSTEM32\imsinstall_loc0407.dll
2007-09-19 20:47 17,808 --a------ C:\WINDOWS\SYSTEM32\imslsp_install_loc0407.dll
2007-09-19 20:47 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2007-09-16 17:43 <DIR> d-------- C:\Programme\Guitar Pro 5
2007-09-15 14:47 <DIR> d-------- C:\Programme\AdvancedSubmitter
2007-09-14 18:43 <DIR> d-------- C:\DOKUME~1\ALLUSE~1\ANWEND~1\Last.fm
2007-08-23 18:39 <DIR> d-------- C:\DOKUME~1\bischo\ANWEND~1\GitarreroDemo
2007-08-23 18:36 <DIR> d-------- C:\Programme\GitarreroDemo
2007-08-22 18:28 <DIR> d-------- C:\Programme\GuitarVision

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-20 12:16 --------- d-------- C:\Programme\BitTorrent
2007-09-20 12:15 --------- d-------- C:\Programme\ThumbLoggerClient
2007-09-20 11:41 --------- d-------- C:\Programme\Oleco
2007-09-20 11:39 --------- d-------- C:\Programme\Last.fm
2007-09-20 11:08 --------- d-------- C:\Programme\Red Chair Software
2007-09-19 20:50 20512 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-19 20:50 1824 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-19 20:50 1316 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-19 20:50 1244 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-19 20:43 --------- d-------- C:\Programme\Elaborate Bytes
2007-09-19 20:42 --------- d-------- C:\Programme\Alcohol Soft
2007-09-19 20:26 --------- d-------- C:\Programme\eMule
2007-09-19 18:59 --------- d-------- C:\Programme\Traktor DJ Studio 2
2007-09-15 15:20 --------- d-------- C:\Programme\Thumbs7
2007-08-28 22:13 --------- d-------- C:\Programme\Google
2007-08-22 18:28 --------- d--h----- C:\Programme\InstallShield Installation Information
2007-08-17 10:19 --------- d-------- C:\Programme\Maxis
2007-08-17 10:05 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-17 07:26 --------- d-------- C:\DOKUME~1\bischo\ANWEND~1\BitTorrent
2007-08-16 16:02 --------- d-------- C:\DOKUME~1\bischo\ANWEND~1\dvdcss
2007-08-13 14:10 --------- d-------- C:\Programme\Microsoft Games
2007-08-13 11:46 --------- d-------- C:\DOKUME~1\bischo\ANWEND~1\OpenOffice.org2
2007-08-12 13:50 --------- d-------- C:\Programme\ICQ
2007-07-30 23:02 --------- d-------- C:\Programme\PCGen
2007-07-29 11:25 --------- d-------- C:\DOKUME~1\bischo\ANWEND~1\Opera
2007-07-20 21:22 --------- d-------- C:\Programme\MicroProse
2007-07-14 18:40 720896 --a------ C:\WINDOWS\iun6002.exe
2007-06-21 21:54 1086952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2005-06-27 12:39 560 --a------ C:\Programme\INSTALL.LOG
2000-04-19 23:00 6995 --a------ C:\WINDOWS\INF\RAMDISK.SYS
.

((((((((((((((((((((((((((((( snapshot_2007-09-20_123512.99 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,768 2007-08-09 11:04:05 C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys
----a-w 21,312 2007-07-18 12:22:13 C:\WINDOWS\SYSTEM32\DRIVERS\avgntmgr.sys
----a-w 62,016 2007-09-07 10:05:12 C:\WINDOWS\SYSTEM32\DRIVERS\avipbb.sys
----a-w 28,352 2007-03-01 08:34:30 C:\WINDOWS\SYSTEM32\DRIVERS\ssmdrv.sys
.
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.

*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Programme\Apoint\Apoint.exe" [2004-07-20 07:01]
"PRONoMgr.exe"="C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe" [2004-07-20 07:01]
"Dell QuickSet"="C:\Programme\Dell\QuickSet\quickset.exe" [2002-12-17 22:16]
"bascstray"="BascsTray.exe" []
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 12:18]
"avgnt"="C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25]

C:\DOKUME~1\ALLUSE~1\STARTM~1\PROGRA~1\AUTOST~1\
DESKTOP.INI [2002-09-11 13:22:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-06-20 09:03 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll

[color=red]SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\drivers\avgntmgr.sys
R0 Defrag32b;Defrag32Boot;C:\WINDOWS\System32\drivers\Defrag32b.sys
R1 Asapi;Asapi;C:\WINDOWS\System32\drivers\Asapi.sys
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 Defrag32;Defrag32;C:\WINDOWS\System32\drivers\Defrag32.sys
R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;C:\WINDOWS\System32\DRIVERS\avmwan.sys
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINDOWS\System32\DRIVERS\enetnt.sys
R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter-Treiber;C:\WINDOWS\System32\DRIVERS\w70n51.sys
S0 d344bus;d344bus;C:\WINDOWS\System32\DRIVERS\d344bus.sys
S0 d344prt;d344prt;C:\WINDOWS\System32\Drivers\d344prt.sys
S2 NokiaSuite3;NokiaSuite3;C:\WINDOWS\System32\drivers\NokiaSuite3.sys
S3 Bulk;HDJBulk;C:\WINDOWS\System32\Drivers\HDJBulk.sys
S3 ENDETECT;ENDETECT;\??\C:\PROGRA~1\HanseNet\Alice\app\ENDETECT.SYS
S3 fpcmbase;AVM ISDN-Controller FRITZ!Card PCMCIA;C:\WINDOWS\System32\DRIVERS\fpcmbase.sys
S3 GSNDIS5;GSNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\GSNDIS5.SYS
S3 HDJAsioK;HDJAsioK;C:\WINDOWS\System32\Drivers\HDJAsioK.sys
S3 HDJMidi;Hercules DJ Console MIDI;C:\WINDOWS\System32\DRIVERS\HDJMidi.sys
S3 ma763003;M-Audio Audiophile;C:\WINDOWS\System32\drivers\MA763003.sys
S3 MADFU003;MADFU003;C:\WINDOWS\System32\DRIVERS\MADFU003.sys
S3 MAUSBAP;Service for M-Audio Audiophile (WDM);C:\WINDOWS\System32\DRIVERS\mausbap.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\System32\DRIVERS\MSIRCOMM.sys
S3 nhcAcpi_driver;Notebook Hardware Control ACPI Driver;\??\C:\WINDOWS\System32\drivers\nhcAcpi.sys
S3 NTSTPL1;NTSTPL1;\??\C:\PROGRA~1\HanseNet\Alice\app\NTSTPL1.SYS
S3 NTSTPL2;NTSTPL2;\??\C:\PROGRA~1\HanseNet\Alice\app\NTSTPL2.SYS
S3 NTSTPL3;NTSTPL3;\??\C:\PROGRA~1\HanseNet\Alice\app\NTSTPL3.SYS
S3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\System32\DRIVERS\ozscr.sys
S3 PDSched;PDScheduler;C:\Programme\Raxco\PerfectDisk\PDSched.exe
S3 PFMPR5;PFMPR5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\PFMPR5.SYS
S3 PFNDIS5;PFNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\System32\PFNDIS5.SYS
S3 RAWESR;RAWESR;\??\C:\PROGRA~1\HanseNet\Alice\app\RAWESR.SYS
S3 TAPBIND;TAPBIND;\??\C:\PROGRA~1\HanseNet\Alice\app\TAPBIND1.SYS
S3 USBNP4X4;M-Audio Audiophile USB Midi;C:\WINDOWS\System32\drivers\usbnp4x4.sys
S4 Ip6FwHlp;IPv6-Internetverbindungsfirewall;C:\WINDOWS\System32\svchost.exe -k netsvcs

.
Inhalt des "geplante Tasks" Ordners
"2007-05-28 12:39:30 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Programme\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-05-28 12:39:30 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Programme\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-20 13:10:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-20 13:11:56
C:\ComboFix-quarantined-files.txt ... 2007-09-20 13:11
C:\ComboFix2.txt ... 2007-09-20 12:36
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:05, on 2007-09-20
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Apoint\Apntex.exe
C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe
C:\Programme\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\rsvp.exe
C:\Programme\HanseNet\Alice\app\TangoService.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Dokumente und Einstellungen\bischo\Desktop\aaavvv\HiJackThis\aaa.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/de/deu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/de/deu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/de/deu/gen/default.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Programme\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Programme\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpg: C:\Programme\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: EmailImport - http://www.openbc.com/importtool/openBC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129553967128
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O17 - HKLM\Software\..\Telephony: DomainName = CIMT-AG.cimt-ag.de
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E2207EA-56C0-4A02-A594-95938492F8F6}: NameServer = 172.16.10.105
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O17 - HKLM\System\CS8\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O17 - HKLM\System\CS9\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O17 - HKLM\System\CS10\Services\Tcpip\Parameters: Domain = CIMT-AG.cimt-ag.de
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Programme\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Programme\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Programme\Raxco\PerfectDisk\PDSched.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Unknown owner - C:\WINDOWS\System32\S24EvMon.exe (file missing)
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Programme\HanseNet\Alice\app\TangoService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe (file missing)

--
End of file - 6290 bytes

#2 Hi,

die typischen Dateien von srosa sind wohl weg, eigentlich ist aber
neu aufsetzten das Beste!

zur Sicherheit poste noch ein Log vom Silentrunner:
Ziparchive in ein Verzeichnis auspacken, mit Doppelklick starten, "ja" auswählen.
Die erstellte Datei findet sich im gleichen Verzeichnis wo das Script hinkopiert wurde, bitte in Editor laden und posten.
http://www.silentrunners.org/Silent%20Runners.zip


Kommst Du in den abgesicherten Modus?

Wenn nein:
Downloade SafeMode Repair.zip http://www.hijackthis-forum.de/attachment.php?attachmentid=2272&d=1187631899
entpacke es auf Deinen Desktop,
mach einen Doppelklick auf die neu entstandene RegDatei, um sie laufen zu lassen
Klicke auf 'ok' > starte deinen Rechner in den normalen Modus auf.

Chris

#3 Danke Chris...

Werde die beiden Sachen gleich mal per USB rüberziehen, ans Netz kommt der Rechner vorerst nicht. Neu insten ist leider grad nich drin, komme die nächsten Wochen nicht heim und somit nich an CDs... wird aber definitiv erledigt, is mir alles zu unsicher.... ach ja, doofes Phänomen: ich kann Antivir zwar manuell laufen lassen aber nicht den Dienst starten, da kommt eine wenig hilfreiche Fehlermeldung.

So, SafeMode Repair habsch gemacht, Silent Runners sagt folgendes:

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Programme\Apoint\Apoint.exe" [null data]
"PRONoMgr.exe" = "C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe" [null data]
"Dell QuickSet" = "C:\Programme\Dell\QuickSet\quickset.exe" [empty string]
"bascstray" = "BascsTray.exe" [file not found]
"DVDSentry" = "C:\WINDOWS\System32\DSentry.exe" ["Dell - Advanced Desktop Engineering"]
"avgnt" = ""C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Programme\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> Sebring\DLLName = "C:\WINDOWS\System32\LgNotify.dll" ["Intel Corporation"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Programme\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
UltraEdit-32\(Default) = "{b5eedee0-c06e-11cf-8c56-444553540000}"
-> {HKLM...CLSID} = "UltraEdit-32"
\InProcServer32\(Default) = "C:\PROGRA~1\ULTRAE~1\ue32ctmn.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Programme\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
-> {HKLM...CLSID} = "ZLAVShExt Class"
\InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Scheduled Tasks:
------------------------

"Uniblue SpeedUpMyPC Nag" -> launches: "C:\Programme\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]
"Uniblue SpeedUpMyPC" -> launches: "C:\Programme\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
\InProcServer32\(Default) = "C:\Programme\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Tango Service, TangoService, "C:\Programme\HanseNet\Alice\app\TangoService.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]


---------- (launch time: 2007-09-20 14:17:29)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 1713 seconds, including 14 seconds for message boxes)








-----------------------------
Update: eScan Virusscanner hat einige Dateien gefunden die mit Trojan-Downloader.Win32.Bagle.ea infiziert sind - leider exes von denen ich vermute das ich sie durchaus noch brauch (apoint.exe, pronomgr.exe), krieg ich die irgendwie wieder los?

#4 Hi,

eine ungewöhnliche Sache, ein mit der Grafikkarte assozierter Treiber wird beim Logon-Notify geladen:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

der zweite Eintrag:
<<!>> Sebring\DLLName = "C:\WINDOWS\System32\LgNotify.dll" ["Intel Corporation"]

ist aber wahrscheinlich OK (beide mal online prüfen lassen).

Die infizierten EXEn wird man wahrscheinlich nicht sauber bekommen,
daher löschen/neu installieren (apoint.exe müsste was mit dem Touchpad zu tun haben)...
Beide werden bei Systemstart geladen, damit läuft dann der Trojaner wieder...
"Apoint" = "C:\Programme\Apoint\Apoint.exe" [null data]
-> Touchpad?

"PRONoMgr.exe" = "C:\Programme\Intel\NCS\PROSet\PRONoMgr.exe" [null data]

-> * "PRONoMgr.exe" wird beim Windows Start nicht benötigt. System Tray icon for Intel PRO series ethernet adapters giving access to the diagnostic features
* "PRONoMgrWired" kann beim Windows Start mit starten. Intel’s Pro 100 Ethernet card manager

Du könntest beide (um einen Fehlalarm ausschliessen zu können) online prüfen lassen und probeweise über den Taskmanager abschiessen und die exe umbenennen (*.exe.vir)...

Chris

#5 Thx.

Joa, das Touchpoint geht mir eh nur auf'n Sack und ProNoDingens ist WLAN, sowas brauch ich auch net, also vernichten.

Naja, immerhin weiss ich jetzt wo ich den her hatte, das Icon der beiden o.g. Exe's hat's mir verraten. Ich sach ma: eigene himmelschreiende Blödheit, selbst schuld ich bin.