AntiSpywareExpert - Web Technologies

#0
12.07.2008, 19:17
Member

Posts: 61
#1 I recently wanted to download a player (Vista), but it didn't work because the laptop said I needed an anti-virus program for it. It then showed two programs, of which I downloaded "Windows Antivirus 2008". But that now apparently is a virus.
Since I only have a trial version of Kaspersky, I can neither disinfect nor delete the file (because the write permissions are missing).
I then had the whole laptop scanned and several more threatened files came up. But I couldn't delete or disinfect those either.
Since I have no idea at all about PCs or anything similar, please answer in simple terms.

Malwarebytes

Malwarebytes' Anti-Malware 1.20
Datenbank Version: 930
Windows 6.0.6000

17:27:16 12.07.2008
mbam-log-7-12-2008 (17-27-16).txt

Scan Art: Komplett Scan (C:\|D:\|)
Objekte gescannt: 120943
Scan Dauer: 32 minute(s), 46 second(s)

Infizierte Speicher Prozesse: 3
Infizierte Speicher Module: 0
Infizierte Registrierungsschlüssel: 13
Infizierte Registrierungswerte: 17
Infizierte Datei Objekte der Registrierung: 14
Infizierte Verzeichnisse: 3
Infizierte Dateien: 9

Infizierte Speicher Prozesse:
C:\Program Files\Web Technologies\iebtmm.exe (Trojan.Zlob) -> Unloaded process successfully.
C:\Program Files\Web Technologies\iebtm.exe (Trojan.Zlob) -> Unloaded process successfully.
C:\Program Files\WAV\wav.exe (Rogue.WindowsAntivirus2008) -> Unloaded process successfully.

Infizierte Speicher Module:
(Keine Malware Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\Software\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4937d5d1-2039-409a-bd83-fec9b39b2356} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{caf9d798-c659-4b9b-8e19-ee27c3d04ee7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{15c7d7ad-a87a-4c0d-9d8b-637fcd3488ef} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AntiSpywareExpert (Rogue.AntiSpywareExpert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bhonew.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bhonew.bho.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Web Technologies (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEBrowse Tool (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warning Center (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.

Infizierte Datei Objekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Program Files\Web Technologies (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\AAV (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\WAV (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Program Files\Web Technologies\iebtm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Web Technologies\iebtmm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\AAV\aav.cpl (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\AAV\aav.exe (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\AAV\aav.ooo (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\AAV\aav0.dat (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\AAV\aav1.dat (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\WAV\wav.exe (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
C:\Users\Batteux\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AntiSpywareExpert.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.


Combofix

ComboFix 08-07-11.1 - Batteux 2008-07-12 18:30:04.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.1256 [GMT 2:00]
ausgeführt von:: C:\Users\Batteux\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Windows\system32\msiesetup.exe

.
((((((((((((((((((((((( Dateien erstellt von 2008-06-12 bis 2008-07-12 ))))))))))))))))))))))))))))))
.

Keine neuen Dateien erstellt in diesem Zeitraum

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 16:27 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-07-12 16:25 352,288 --sha-w C:\Windows\system32\drivers\fidbox2.dat
2008-07-12 16:25 24,780 --sha-w C:\Windows\system32\drivers\fidbox.idx
2008-07-12 16:25 2,899,488 --sha-w C:\Windows\system32\drivers\fidbox.dat
2008-07-12 16:25 2,284 --sha-w C:\Windows\system32\drivers\fidbox2.idx
2008-07-12 15:33 --------- d-----w C:\Users\Batteux\AppData\Roaming\OpenOffice.org2
2008-07-12 14:52 --------- d-----w C:\Users\Batteux\AppData\Roaming\Malwarebytes
2008-07-12 14:52 --------- d-----w C:\ProgramData\Malwarebytes
2008-07-12 12:04 96,966 ----a-w C:\Windows\system32\drivers\klin.dat
2008-07-12 12:04 88,774 ----a-w C:\Windows\system32\drivers\klick.dat
2008-07-12 11:46 45,056 ----a-w C:\Windows\System32\acovcnt.exe
2008-07-12 11:45 --------- d-----w C:\Program Files\Google
2008-07-12 11:35 --------- d---a-w C:\ProgramData\TEMP
2008-07-12 11:32 --------- d-----w C:\ProgramData\Avira
2008-07-12 11:32 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-07-12 08:27 --------- d-----w C:\Program Files\Enigma Software Group
2008-07-12 00:52 --------- d-----w C:\Program Files\Kaspersky Lab
2008-07-12 00:17 --------- d-----w C:\Program Files\ICQToolbar
2008-07-11 23:54 --------- d-----w C:\ProgramData\Kaspersky Lab Setup Files
2008-07-11 23:15 --------- d-----w C:\Users\Batteux\AppData\Roaming\Azureus
2008-07-11 23:12 --------- d-----w C:\ProgramData\Azureus
2008-07-11 23:05 --------- d-----w C:\Users\Batteux\AppData\Roaming\BitSpirit
2008-07-11 23:04 --------- d-----w C:\Users\Batteux\AppData\Roaming\uTorrent
2008-07-09 01:08 174 --sha-w C:\Program Files\desktop.ini
2008-07-07 15:35 34,296 ----a-w C:\Windows\system32\drivers\mbamcatchme.sys
2008-07-07 15:35 17,144 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-07-05 11:22 --------- d-----w C:\Users\Batteux\AppData\Roaming\Zylom
2008-07-05 11:22 --------- d-----w C:\ProgramData\Vogue Tales
2008-07-05 11:18 --------- d-----w C:\ProgramData\Zylom
2008-07-05 11:11 --------- d-----w C:\Program Files\Alawar
2008-07-05 08:35 --------- d-----w C:\ProgramData\VirtualFarm
2008-07-04 18:40 --------- d-----w C:\Users\Batteux\AppData\Roaming\ICQ Toolbar
2008-07-04 16:43 --------- d-----w C:\Users\Batteux\AppData\Roaming\ICQ
2008-07-04 16:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 17:01 --------- d-----w C:\Program Files\EA GAMES
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-04-26 08:02 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 16:22 206,088 ----a-w C:\Windows\System32\klogon.dll
2008-04-25 04:23 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-25 04:23 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-23 11:58 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-02-23 11:58 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-02-23 11:58 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
@="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
[HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
2007-06-02 03:08 143360 --a------ C:\Program Files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-01 15:47 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-06-20 13:49 451872]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 11:31 630784]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 22:35 90112]
"ATKMEDIA"="C:\Program Files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 18:27 61440]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2006-09-12 03:22 155648]
"PowerForPhone"="C:\Program Files\PowerForPhone\PowerForPhone.exe" [2007-06-26 20:10 778240]
"ASUS Screen Saver Protector"="C:\Windows\ASScrPro.exe" [2007-11-07 18:49 33136]
"ASUS Camera ScreenSaver"="C:\Windows\ASScrProlog.exe" [2007-11-07 18:49 37232]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 16:57 153136]
"Flashget"="C:\Program Files\FlashGet\FlashGet.exe" [2007-09-25 11:29 2007088]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
"Malwarebytes Anti-Malware Reboot"="C:\Downloads\Malwarebytes' Anti-Malware\mbam.exe" [2008-07-07 17:35 1175160]
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-03 12:39 4702208 C:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-08-03 07:22 1826816 C:\Windows\SkyTel.exe]

C:\Users\Batteux\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 22:57:56 393216]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 11:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 10:01:50 734872]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{04D571EC-6D31-495D-B3B8-524EF2E80A23}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{680A2BE8-06F7-4D6E-8DF7-C0337C9A7705}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{4345B08D-6B68-4001-8A3F-DF29495D9088}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{C7A42883-65D0-47FB-AE39-FE9FD47E565F}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{C5A17595-915B-4E7D-9E33-0BFE4B830535}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{E155315D-97EC-4D2D-8CAB-A04E12CE984C}C:\\users\\batteux\\documents\\icq\\icq6\\icq.exe"= UDP:C:\users\batteux\documents\icq\icq6\icq.exe:ICQ Library
"UDP Query User{F3C6BB7F-B623-4D80-AD83-B0BD40FD544B}C:\\users\\batteux\\documents\\icq\\icq6\\icq.exe"= TCP:C:\users\batteux\documents\icq\icq6\icq.exe:ICQ Library

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\Windows\system32\drivers\klbg.sys [2008-01-29 18:29]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2008-03-26 13:10]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-07-27 17:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{128a4bda-8d40-11dc-993d-806e6f6e6963}]
\shell\AutoRun\command - E:\KIS6.EXE

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-wblogon - C:\Windows\System32\ubpr01.exe
HKLM-Run-AntiSpywareExpert - C:\Program Files\AntiSpywareExpert\ase.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 18:49:42
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
AntiSpywareExpert = C:\Program Files\AntiSpywareExpert\ase.exe?exe?????????????????????????????????????
??????????????????????????????
???????????????????????????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????????????

Scanne versteckte Dateien...


C:\Windows\TEMP\TMP0000006642D1751E70F52139 524288 bytes
C:\ADSM_PData_0150

Scan erfolgreich abgeschlossen
versteckte Dateien: 2

**************************************************************************
.
Zeit der Fertigstellung: 2008-07-12 18:51:33
ComboFix-quarantined-files.txt 2008-07-12 16:51:29

Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
14 Verzeichnis(se), 58,630,303,744 Bytes frei

148 --- E O F --- 2008-07-09 01:01:09


Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:59:11, on 12.07.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\ASScrPro.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apvfb.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Downloads\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O1 - Hosts: ::1 localhost
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [PowerForPhone] C:\Program Files\PowerForPhone\PowerForPhone.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Downloads\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: &Alles mit FlashGet laden - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Mit FlashGet laden - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Statistik für den Schutz des Web-Datenverkehrs - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Users\Batteux\Documents\ICQ\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Users\Batteux\Documents\ICQ\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll
O23 - Service: ADSM Service (ADSMService) - Unknown owner - C:\Program Files\ASUS\ASUS Data Security Manager\ADSMSrv.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe

--
End of file - 7498 bytes



datfind

Datenträger in Laufwerk C: ist VistaOS
Volumeseriennummer: 448C-46D0

Verzeichnis von C:\Windows\system32

12.07.2008 18:32 610.142 perfh009.dat
12.07.2008 18:32 103.924 perfc009.dat
12.07.2008 18:32 641.344 perfh007.dat
12.07.2008 18:32 116.706 perfc007.dat
12.07.2008 18:32 1.461.736 PerfStringBackup.INI
12.07.2008 18:26 3.072 7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
12.07.2008 18:26 3.072 7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
12.07.2008 13:46 45.056 acovcnt.exe
12.07.2008 01:41 66 c__3948.nls
12.07.2008 01:41 290 c__3482.nls
12.07.2008 01:41 98 c__3481.nls
12.07.2008 01:41 418 c__3480.nls
12.07.2008 01:41 658 c__3478.nls
12.07.2008 01:41 130 c__10983.nls
12.07.2008 01:41 48.882 c__0593.nls
12.07.2008 01:41 82 c__23732.nls
12.07.2008 01:41 930 c__374.nls
12.07.2008 01:41 178 c__34895.nls
12.07.2008 01:41 130 c__2303.nls
12.07.2008 01:41 3 amp.ini
05.07.2008 03:08 380.096 FNTCACHE.DAT
29.05.2008 16:35 17.486.968 mrt.exe
10.05.2008 05:30 14.848 wshrm.dll
12.07.2008, 19:35
Moderator

Posts: 7805
#2 Check C:\Windows\System32\acovcnt.exe at VirusTotal and post the complete result...
__________
Best regards, Ralf
SEO-Spam Hunter
12.07.2008, 19:50
Member

Thread starter

Posts: 61
#3 I hope this is the right one



Antivirus Version Last update Result
AhnLab-V3 2008.7.11.0 2008.07.11 -
AntiVir 7.8.0.64 2008.07.11 -
Authentium 5.1.0.4 2008.07.11 -
Avast 4.8.1195.0 2008.07.12 -
AVG 7.5.0.516 2008.07.12 -
BitDefender 7.2 2008.07.12 -
CAT-QuickHeal 9.50 2008.07.11 -
ClamAV 0.93.1 2008.07.11 -
DrWeb 4.44.0.09170 2008.07.12 -
eSafe 7.0.17.0 2008.07.10 -
eTrust-Vet 31.6.5949 2008.07.12 -
Ewido 4.0 2008.07.12 -
F-Prot 4.4.4.56 2008.07.11 -
F-Secure 7.60.13501.0 2008.07.12 -
Fortinet 3.14.0.0 2008.07.12 -
GData 2.0.7306.1023 2008.07.12 -
Ikarus T3.1.1.26.0 2008.07.12 -
Kaspersky 7.0.0.125 2008.07.12 -
McAfee 5337 2008.07.11 -
Microsoft 1.3704 2008.07.12 -
NOD32v2 3263 2008.07.11 -
Norman 5.80.02 2008.07.11 -
Panda 9.0.0.4 2008.07.12 -
Prevx1 V2 2008.07.12 -
Rising 20.52.52.00 2008.07.12 -
Sophos 4.31.0 2008.07.12 -
Sunbelt 3.1.1536.1 2008.07.12 -
Symantec 10 2008.07.12 -
TheHacker 6.2.96.376 2008.07.10 -
TrendMicro 8.700.0.1004 2008.07.11 -
VBA32 3.12.6.9 2008.07.12 -
VirusBuster 4.5.11.0 2008.07.12 -
Webwasher-Gateway 6.6.2 2008.07.11 -
Additional information
File size: 45056 bytes
MD5...: 6bcaf46e2b7fa9ace92b4d39f3037c5c
SHA1..: 6d5a81e3cf59832d73f28d6e87f51d073c3e4095
SHA256: aaf659e3d38ad04848a9c3ed6250b30dc13acc8ac9f527a11f0c14e6ec8735b2
SHA512: 03b62753530e1adba2af3feede5e3903d41d8b102289bb03f4ad2520ead6ec9caea29acae81846eb4484310c0bc1c0a69934a02fadb1a015383e0ebee7c007f3
PEiD..: Armadillo v1.71
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401613
timedatestamp.....: 0x425539fb (Thu Apr 07 13:47:39 2005)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x4ee6 0x5000 6.60 f7aa46b67e4004a80db01ad39b5c4bd7
.rdata 0x6000 0xb32 0x1000 4.20 f3ceef6b97b6aad02714644497ad4da9
.data 0x7000 0x413c 0x3000 0.56 af4abe2835a3f5bf87330b627a696dbf
.rsrc 0xc000 0xc0 0x1000 0.14 c85d6206afcdfed0fe16bdc48441d945

( 5 imports )
> DDRAW.dll: DirectDrawCreateEx
> KERNEL32.dll: CreateEventA, SetEvent, CloseHandle, GetModuleFileNameA, SetHandleCount, GetStdHandle, GetEnvironmentStringsW, SetStdHandle, LoadLibraryA, GetProcAddress, HeapReAlloc, VirtualAlloc, GetOEMCP, GetACP, FlushFileBuffers, LCMapStringW, LCMapStringA, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, HeapDestroy, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetCPInfo, HeapFree, RtlUnwind, GetFileType, GetEnvironmentVariableA, GetVersionExA, MultiByteToWideChar, HeapCreate, VirtualFree, GetStringTypeA, WriteFile, SetFilePointer, GetLastError, GetStringTypeW, HeapAlloc
> USER32.dll: TranslateMessage, DispatchMessageA, CreateWindowExA, TranslateAcceleratorA, GetMessageA, LoadStringA, RegisterClassExA, DefWindowProcA, PostQuitMessage, LoadCursorA, LoadIconA
> ADVAPI32.dll: RegCloseKey, RegSetValueExA, RegDeleteValueA, RegCreateKeyA
> ole32.dll: CoInitializeEx, CoUninitialize

( 0 exports )
12.07.2008, 20:24
Moderator

Posts: 7805
#4 Yes, that is right. Please send the file to virus@protecus.de
__________
Best regards, Ralf
SEO-Spam Hunter
12.07.2008, 21:24
Member

Thread starter

Posts: 61
#5 Do you mean the one I was supposed to check?
I'll just send it.
12.07.2008, 23:55
Honorary member

Posts: 29434
#6 Kipcha

Avenger
http://virus-protect.org/artikel/tools/avenger.html
copy into the white box:

Quote

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|AntiSpywareExpert
Files to delete:
C:\Windows\System32\ubpr01.exe
C:\Windows\system32\acovcnt.exe
Folders to delete:
C:\Program Files\AntiSpywareExpert
C:\Program Files\Enigma Software Group
close all open programs (because after running the Avenger the computer will restart)

Click: Execute

confirm that the computer will be restarted - click "yes"

-----------
after the restart a log from the Avenger appears automatically (C:\avenger.txt); copy it - with a right mouse click - copy - paste
__________
Regards, Sabina

all about PC security
13.07.2008, 14:15
Member

Thread starter

Posts: 61
#7 Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\Windows\System32\ubpr01.exe" not found!
Deletion of file "C:\Windows\System32\ubpr01.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\system32\acovcnt.exe" deleted successfully.

Error: folder "C:\Program Files\AntiSpywareExpert" not found!
Deletion of folder "C:\Program Files\AntiSpywareExpert" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\Program Files\Enigma Software Group" deleted successfully.

Error: could not delete registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|AntiSpywareExpert"
Deletion of registry value "HKLM\Software\Microsoft\Windows\CurrentVersion\Run|AntiSpywareExpert" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
13.07.2008, 14:21
Honorary member

Posts: 29434
#8 From my side everything should be OK again.
Are there still problems with the computer? Popups?
__________
Regards, Sabina

all about PC security
13.07.2008, 14:31
Member

Thread starter

Posts: 61
#9 Kaspersky still says the computer is supposed to be at risk, though. What could that be?

I still can't disinfect or delete anything, which is probably due to the trial version. Can I do that some other way?

Another problem has come up. Since I downloaded this Avenger, my desktop background is red and no other one can be set; also, the icons in the thumbnail view are not shown. And I can't download anything anymore (the download only takes a few seconds and is incomplete).
This post was edited by Kipcha on 13.07.2008 at 17:03.
13.07.2008, 18:03
Honorary member

Posts: 29434
#10 Scan again with Malwarebytes, preferably in safe mode, and report back.
__________
Regards, Sabina

all about PC security
13.07.2008, 19:35
Member

Thread starter

Posts: 61
#11 Malwarebytes' Anti-Malware 1.20
Datenbank Version: 930
Windows 6.0.6000

17:27:16 12.07.2008
mbam-log-7-12-2008 (17-27-16).txt

Scan Art: Komplett Scan (C:\|D:\|)
Objekte gescannt: 120943
Scan Dauer: 32 minute(s), 46 second(s)

Infizierte Speicher Prozesse: 3
Infizierte Speicher Module: 0
Infizierte Registrierungsschlüssel: 13
Infizierte Registrierungswerte: 17
Infizierte Datei Objekte der Registrierung: 14
Infizierte Verzeichnisse: 3
Infizierte Dateien: 9

Infizierte Speicher Prozesse:
C:\Program Files\Web Technologies\iebtmm.exe (Trojan.Zlob) -> Unloaded process successfully.
C:\Program Files\Web Technologies\iebtm.exe (Trojan.Zlob) -> Unloaded process successfully.
C:\Program Files\WAV\wav.exe (Rogue.WindowsAntivirus2008) -> Unloaded process successfully.

Infizierte Speicher Module:
(Keine Malware Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\Software\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4937d5d1-2039-409a-bd83-fec9b39b2356} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{caf9d798-c659-4b9b-8e19-ee27c3d04ee7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{15c7d7ad-a87a-4c0d-9d8b-637fcd3488ef} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AntiSpywareExpert (Rogue.AntiSpywareExpert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bhonew.bho (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bhonew.bho.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Web Technologies (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEBrowse Tool (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warning Center (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\start (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\searchassistant (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\default_search_url (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search page (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\search bar (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\searchmigrateddefaulturl (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Trojan.Zlob) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\searchurl (Trojan.Zlob) -> Delete on reboot.

Infizierte Datei Objekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\w\ (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q=%s) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar (Hijack.Search) -> Bad: (http://internetsearchservice.com/ie6.html) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchMigratedDefaultURL (Hijack.Search) -> Bad: (http://internetsearchservice.com/search?q={searchTerms}) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL (Hijack.Search) -> Bad: (http://internetsearchservice.com) Good: (http://www.google.com/) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Program Files\Web Technologies (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\AAV (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\WAV (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Program Files\Web Technologies\iebtm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Web Technologies\iebtmm.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\AAV\aav.cpl (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\AAV\aav.exe (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\AAV\aav.ooo (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\AAV\aav0.dat (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\AAV\aav1.dat (Rogue.AdvancedAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\WAV\wav.exe (Rogue.WindowsAntivirus2008) -> Quarantined and deleted successfully.
C:\Users\Batteux\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AntiSpywareExpert.lnk (Rogue.Antispyware) -> Quarantined and deleted successfully.
13.07.2008, 20:53
Honorary member

Posts: 29434
#12 Now please post a new log from Combofix
http://virus-protect.org/artikel/tools/combofix.html
__________
Regards, Sabina

all about PC security
13.07.2008, 21:22
Member

Thread starter

Posts: 61
#13 Combofix doesn't work anymore. The program opens, but then at some point it hangs. What should I do now?
13.07.2008, 21:24
Honorary member

Posts: 29434
#14 Download SDFix
http://virus-protect.org/artikel/tools/sdfix.html

in normal mode:
double-click RunThis.bat

type in: A
then post the system report
__________
Regards, Sabina

all about PC security
13.07.2008, 21:37
Member

Thread starter

Posts: 61
#15 System Report
*************

Run on 2008-07-13 at 21:34

Microsoft Windows [Version 6.0.6000]

Current user is not an administrator

Running Processes:

C:\Windows\system32\Dwm.exe [284]
C:\Windows\Explorer.EXE [488]
C:\Windows\system32\taskeng.exe [432]
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [360]
C:\Windows\RtHDVCpl.exe [1216]
C:\Program Files\ASUS\ATK Media\DMedia.exe [2068]
C:\Program Files\Apoint2K\Apoint.exe [2076]
C:\Program Files\PowerForPhone\PowerForPhone.exe [2088]
C:\Windows\ASScrPro.exe [2104]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE [2140]
C:\Program Files\FlashGet\flashget.exe [2148]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2176]
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [2196]
C:\Program Files\Windows Sidebar\sidebar.exe [2224]
C:\Windows\ehome\ehtray.exe [2232]
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2240]
C:\Program Files\Windows Media Player\wmpnscfg.exe [2248]
C:\Windows\ehome\ehmsas.exe [2568]
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe [2752]
C:\Program Files\Mozilla Firefox\firefox.exe [2960]
C:\Program Files\Apoint2K\Apntex.exe [1448]
C:\Program Files\Apoint2K\HidFind.exe [1248]
C:\Program Files\Apoint2K\Apvfb.exe [3880]
C:\Windows\system32\conime.exe [1528]


Drivers - Running:

ACPI
AFD
AsDsm
ASMMAP
atapi
Beep
bowser
cdrom
CLFS
Compbatt
crcdisk
DfsC
disk
Ecache
FileInfo
FltMgr
ghaio
HTTP
i8042prt
kbdclass
kl1
klbg
KLIF
KLIM6
KSecDD
lltdio
luafv
mouclass
MountMgr
mpsdrv
MRxDAV
mrxsmb
mrxsmb10
mrxsmb20
Msfs
msisadrv
Mup
NativeWifiP
NDIS
Ndisuio
NetBIOS
netbt
Npfs
nsiproxy
Null
partmgr
pci
pciide
PEAUTH
PSched
RasAcd
rdbss
RDPCDD
RDPENCDD
rimmptsk
rimsptsk
rismxdp
rspndr
secdrv
Smb
spldr
srv
srv2
srvnet
Tcpip
tcpipreg
tdx
TermDD
VgaSave
volmgr
volmgrx
volsnap
Wanarpv6
Wdf01000


Drivers - Stopped:

adp94xx
adpahci
adpu160m
adpu320
agp440
aic78xx
aliide
amdagp
amdide
AmdK7
AmdK8
ApfiltrService
arc
arcsas
AsyncMac
athr
atikmdag
blbdrive
BrFiltLo
BrFiltUp
Brserid
BrSerWdm
BrUsbMdm
BrUsbSer
BthEnum
BTHMODEM
BthPan
BTHPORT
BTHUSB
cdfs
circlass
CmBatt
cmdide
Crusoe
drmkaud
DXGKrnl
E1G60
elxstor
fastfat
fdc
Filetrace
flpydisk
gagp30kx
HdAudAddService
HDAudBus
HidBth
HidIr
HidUsb
HpCISSs
i2omp
iaStorV
iirsp
IntcAzAudAddService
intelide
intelppm
IpFilterDriver
IpInIp
IPMIDRV
IPNAT
IRENUM
isapnp
iScsiPrt
iteatapi
iteraid
kbdhid
kbfiltr
LSI_FC
LSI_SAS
LSI_SCSI
megasas
Modem
MODEMCSA
monitor
mouhid
mpio
Mraid35x
msahci
msdsm
MSKSSRV
MSPCLOCK
MSPQM
MsRPC
mssmbios
MSTEE
MTsensor
NdisTapi
NdisWan
NDProxy
NETw3v32
nfrd960
Ntfs
ntrigdigi
nvlddmkm
nvraid
nvstor
nv_agp
NwlnkFlt
NwlnkFwd
ohci1394
Parport
Parvdm
pcmcia
PptpMiniport
Processor
ql2300
ql40xx
QWAVEdrv
Rasl2tp
RasPppoe
rdpdr
RDPWD
RFCOMM
RTL8169
sbp2port
sdbus
Serenum
Serial
sermouse
sffdisk
sffp_mmc
sffp_sd
sfloppy
sisagp
SiSRaid2
SiSRaid4
smserial
SNP2UVC
swenum
Symc8xx
Sym_hi
Sym_u3
Tcpip6
TDPIPE
TDTCP
TPM
tssecsrv
tunmp
tunnel
uagp35
udfs
uliagpkx
uliahci
UlSata
ulsata2
umbus
usbccgp
usbcir
usbehci
usbhub
usbohci
usbprint
USBSTOR
usbuhci
usbvideo
vga
viaagp
ViaC7
viaide
vsmraid
WacomPen
Wanarp
Wd
WmiAcpi
ws2ifsl
WUDFRd


Services - Running:

ADSMService
AeLookupSvc
Appinfo
ASLDRService
Ati
ATKGFNEXSrv
AudioEndpointBuilder
Audiosrv
AVP
BFE
BITS
Browser
BthServ
CryptSvc
DcomLaunch
Dhcp
DPS
EapHost
EMDMgmt
Eventlog
EventSystem
fdPHost
FDResPub
gpsvc
IKEEXT
iphlpsvc
KeyIso
KtmRm
LanmanServer
LanmanWorkstation
LightScribeService
lmhosts
MMCSS
MpsSvc
Netman
netprofm
NlaSvc
nsi
PcaSvc
PlugPlay
PolicyAgent
ProfSvc
RasMan
RpcSs
SamSs
Schedule
seclogon
SENS
ShellHWDetection
slsvc
spmgr
Spooler
SSDPSRV
stisvc
SysMain
TabletInputService
TapiSrv
TermService
Themes
TrkWks
upnphost
UxSms
W32Time
WdiSystemHost
WebClient
WerSvc
WinDefend
WinHttpAutoProxySvc
Winmgmt
Wlansvc
WMPNetworkSvc
WPDBusEnum
wscsvc
WSearch
wuauserv
wudfsvc


Services - Stopped:

ALG
CertPropSvc
clr_optimization_v2.0.50727_32
COMSysApp
DFSR
Dnscache
dot3svc
ehRecvr
ehSched
ehstart
FontCache3.0.0.0
hidserv
hkmsvc
idsvc
IPBusEnum
lltdsvc
Mcx2Svc
MSDTC
MSiSCSI
msiserver
napagent
Netlogon
NetTcpPortSharing
NMIndexingService
odserv
ose
p2pimsvc
p2psvc
pla
PNRPAutoReg
PNRPsvc
ProtectedStorage
QWAVE
RasAuto
RemoteAccess
RemoteRegistry
RpcLocator
SCardSvr
SCPolicySvc
SDRSVC
SessionEnv
SharedAccess
SLUINotify
SNMPTRAP
swprv
TBS
THREADORDER
TrustedInstaller
UI0Detect
vds
VSS
wcncsvc
WcsPlugInService
WdiServiceHost
Wecsvc
wercplsupport
WinRM
wmiApSrv
WPCSvc


Files Created/Modified - 60 Days:


C:\

13 Jul 2008 14:08:48 2.616 A.... "C:\avenger.txt"
13 Jul 2008 14:08:48 2.616 A.... "C:\avenger.txt"
13 Jul 2008 21:14:40 5.067 A.... "C:\Bug.txt"
13 Jul 2008 21:20:12 2.146.656.256 A.SH. "C:\hiberfil.sys"
13 Jul 2008 21:20:10 2.460.581.888 A.SH. "C:\pagefile.sys"


C:\Windows\

13 Jul 2008 21:20:16 67.584 A.S.. "C:\Windows\bootstat.dat"
13 Jul 2008 18:49:52 12 A.... "C:\Windows\bthservsdp.dat"
13 Jul 2008 14:09:34 256.437.154 A.... "C:\Windows\MEMORY.DMP"
12 Jul 2008 17:30:48 69 A.... "C:\Windows\NeroDigital.ini"
13 Jul 2008 19:20:02 126.484 A.... "C:\Windows\ntbtlog.txt"
13 Jul 2008 21:20:10 1.632 A.... "C:\Windows\PFRO.log"
12 Jul 2008 19:54:06 34 A.... "C:\Windows\setupact.log"
12 Jul 2008 19:54:06 0 A.... "C:\Windows\setuperr.log"
12 Jul 2008 18:49:38 215 A.... "C:\Windows\system.ini"
13 Jul 2008 21:15:58 1.964.001 A.... "C:\Windows\WindowsUpdate.log"
9 Jul 2008 3:08:48 749 A..HR "C:\Windows\WindowsShell.Manifest"
13 Jul 2008 21:20:16 0 A.... "C:\Windows\Debug\PASSWD.LOG"
5 Jul 2008 3:06:14 34.598 A.... "C:\Windows\inf\bth.inf"
5 Jul 2008 3:06:14 39.712 A.... "C:\Windows\inf\bth.PNF"
5 Jul 2008 3:06:14 665.600 A.... "C:\Windows\inf\drvindex.dat"
12 Jul 2008 13:54:30 1.803.648 A.... "C:\Windows\inf\INFCACHE.1"
12 Jul 2008 13:54:30 51.200 A.... "C:\Windows\inf\infpub.dat"
12 Jul 2008 13:54:30 86.016 A.... "C:\Windows\inf\infstor.dat"
12 Jul 2008 13:54:30 86.016 A.... "C:\Windows\inf\infstrng.dat"
12 Jul 2008 13:54:28 2.811 A.... "C:\Windows\inf\oem13.inf"
12 Jul 2008 13:54:34 8.620 A.... "C:\Windows\inf\oem13.PNF"
12 Jul 2008 19:54:04 13.968 A.... "C:\Windows\inf\setupapi.ev1"
12 Jul 2008 19:54:04 15.896 A.... "C:\Windows\inf\setupapi.ev2"
12 Jul 2008 19:54:04 86.016 A.... "C:\Windows\inf\setupapi.ev3"
13 Jul 2008 21:23:12 846.930 A.... "C:\Windows\inf\setupapi.app.log"
12 Jul 2008 19:54:06 7.772.423 A.... "C:\Windows\inf\setupapi.dev.log"
13 Jul 2008 21:20:26 3.072 A..H. "C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0"
13 Jul 2008 21:20:26 3.072 A..H. "C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0"
13 Jul 2008 21:20:26 3.072 A..H. "C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0"
13 Jul 2008 14:09:12 45.056 A.... "C:\Windows\System32\acovcnt.exe"
12 Jul 2008 1:41:14 3 A.... "C:\Windows\System32\amp.ini"
12 Jul 2008 1:41:18 48.882 A.... "C:\Windows\System32\c__0593.nls"
12 Jul 2008 1:41:18 130 A.... "C:\Windows\System32\c__10983.nls"
12 Jul 2008 1:41:18 130 A.... "C:\Windows\System32\c__2303.nls"
12 Jul 2008 1:41:18 82 A.... "C:\Windows\System32\c__23732.nls"
12 Jul 2008 1:41:18 658 A.... "C:\Windows\System32\c__3478.nls"
12 Jul 2008 1:41:18 418 A.... "C:\Windows\System32\c__3480.nls"
12 Jul 2008 1:41:18 98 A.... "C:\Windows\System32\c__3481.nls"
12 Jul 2008 1:41:18 290 A.... "C:\Windows\System32\c__3482.nls"
12 Jul 2008 1:41:18 178 A.... "C:\Windows\System32\c__34895.nls"
12 Jul 2008 1:41:18 930 A.... "C:\Windows\System32\c__374.nls"
12 Jul 2008 1:41:18 66 A.... "C:\Windows\System32\c__3948.nls"

5 Jul 2008 3:08:30 380.096 A.... "C:\Windows\System32\FNTCACHE.DAT"
29 May 2008 16:35:12 17.486.968 A.... "C:\Windows\System32\mrt.exe"
13 Jul 2008 21:25:54 116.706 A.... "C:\Windows\System32\perfc007.dat"
13 Jul 2008 21:25:54 103.924 A.... "C:\Windows\System32\perfc009.dat"
13 Jul 2008 21:25:54 641.344 A.... "C:\Windows\System32\perfh007.dat"
13 Jul 2008 21:25:54 610.142 A.... "C:\Windows\System32\perfh009.dat"
13 Jul 2008 21:25:54 1.461.736 A.... "C:\Windows\System32\PerfStringBackup.INI"
13 Jul 2008 21:20:22 6 A..H. "C:\Windows\Tasks\SA.DAT"
13 Jul 2008 18:49:52 32.624 A.... "C:\Windows\Tasks\SCHEDLGU.TXT"
13 Jul 2008 15:02:26 13.908 A.... "C:\Windows\TEMP\lpksetup-20080713-150213-0.log"
13 Jul 2008 15:02:28 624 A.... "C:\Windows\TEMP\lpksetup-20080713-150225-0.log"
13 Jul 2008 19:48:46 624 A.... "C:\Windows\TEMP\lpksetup-20080713-194843-0.log"
13 Jul 2008 19:48:44 13.908 A.... "C:\Windows\TEMP\lpksetup-20080713-194829-0.log"
12 Jul 2008 22:17:56 13.908 A.... "C:\Windows\TEMP\lpksetup-20080712-221736-0.log"
12 Jul 2008 22:17:58 624 A.... "C:\Windows\TEMP\lpksetup-20080712-221755-0.log"
13 Jul 2008 14:24:12 13.908 A.... "C:\Windows\TEMP\lpksetup-20080713-142359-0.log"
13 Jul 2008 14:24:12 624 A.... "C:\Windows\TEMP\lpksetup-20080713-142410-0.log"
9 Jul 2008 3:06:48 359 A.... "C:\Windows\winsxs\poqexec.log"
13 Jul 2008 21:11:56 0 A.... "C:\Windows\Debug\UserMode\ChkAcc.bak"
13 Jul 2008 21:20:18 0 A.... "C:\Windows\Debug\UserMode\ChkAcc.log"
13 Jul 2008 21:15:36 18.362.368 A.... "C:\Windows\erdnt\Hiv-backup\COMPON~1"
13 Jul 2008 21:15:34 159.744 A.... "C:\Windows\erdnt\Hiv-backup\DEFAULT"
13 Jul 2008 21:15:38 814 A.... "C:\Windows\erdnt\Hiv-backup\ERDNT.CON"
13 Jul 2008 21:15:38 1.051 A.... "C:\Windows\erdnt\Hiv-backup\ERDNT.INF"
13 Jul 2008 21:15:34 57.344 A.... "C:\Windows\erdnt\Hiv-backup\SAM"
13 Jul 2008 21:15:30 24.576 A.... "C:\Windows\erdnt\Hiv-backup\SECURITY"
13 Jul 2008 21:15:32 33.583.104 A.... "C:\Windows\erdnt\Hiv-backup\SOFTWARE"
13 Jul 2008 21:15:34 16.089.088 A.... "C:\Windows\erdnt\Hiv-backup\SYSTEM"
13 Jul 2008 21:25:18 3.953 A.... "C:\Windows\inf\WmiApRpl\WmiApRpl.h"
13 Jul 2008 19:58:32 5.212.171 A.... "C:\Windows\Logs\CBS\CBS.log"
7 Jul 2008 5:00:46 56.957.175 A....

Program Folders:

C:\Program Files\

Activation Assistant for the 2007 Microsoft Office suites
Adobe
Alawar
Apoint2K
ASUS
Atheros
ATI
ATI Technologies
ATK Hotkey
ATKGFNEX
ATKOSD2
Common Files
EA GAMES
FlashGet
Google
ICQToolbar
InstallShield Installation Information
Internet Explorer
Java
Kaspersky Lab
Microsoft Games
Microsoft Office
Microsoft Visual Studio
Microsoft Works
Microsoft.NET
Motorola
Movie Maker
Mozilla Firefox
MSBuild
MSN
MSXML 4.0
Nero
OpenOffice.org 2.3
P4G
Power4Gear eXtreme
PowerForPhone
Realtek
Reference Assemblies
ReflexiveArcade
Trend Micro
Uninstall Information
VideoLAN
Windows Calendar
Windows Collaboration
Windows Defender
Windows Journal
Windows Mail
Windows Media Player
Windows NT
Windows Photo Gallery
Windows Sidebar
WinRAR
Wireless Console 2
XMedia Recode

C:\Program Files\Common Files\

Adobe
Ahead
DESIGNER
InstallShield
Java
LightScribe
microsoft shared
Oberon Media
Panda Software
Services
SpeechEngines
Symantec Shared
System


Add/Remove Programs:

Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Asus_Camera_ScreenSaver
FlashGet 1.9.6.1073
Kaspersky Anti-Virus 2009
Mozilla Firefox (2.0.0.15)
2007 Microsoft Office system
Motorola SM56 Speakerphone Modem
USB 2.0 1.3M UVC WebCam
VideoLAN VLC media player 0.8.6e
WinRAR
XMedia Recode 1.0.1.1
Catalyst Control Center Localization Finnish
Catalyst Control Center Localization German
ATK Media
ASUS Data Security Manager
LifeFrame2
Skins
Atheros Driver Installation Program
Catalyst Control Center Localization Portuguese
Java(TM) 6 Update 3
Catalyst Control Center Localization Czech
CCC Help Spanish
Catalyst Control Center Localization Dutch
CCC Help Dutch
CCC Help Hungarian
CCC Help Chinese Traditional
MSXML 4.0 SP2 (KB927978)
ATK Hotkey
ATI Catalyst Install Manager
CCC Help Chinese Standard
Catalyst Control Center Localization Italian
CCC Help Japanese
Catalyst Control Center Graphics Full New
Catalyst Control Center Localization Spanish
neroxml
CCC Help Danish
ASUS InstantFun
CCC Help Turkish
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
ATKOSD2
Catalyst Control Center Localization Hungarian
ccc-core-static
CCC Help Russian
ICQ6
CCC Help Finnish
NB Probe
Kaspersky Anti-Virus 2009
Activation Assistant for the 2007 Microsoft Office suites
Catalyst Control Center Localization Polish
OpenOffice.org 2.3
Catalyst Control Center Graphics Light
CCC Help Czech
Catalyst Control Center Localization Turkish
Catalyst Control Center Localization Greek
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Graphics Full Existing
CCC Help Polish
Wireless Console 2
CCC Help Portuguese
CCC Help German
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Catalyst Control Center Localization French
Power4Gear eXtreme
Microsoft Office Access MUI (German) 2007
Microsoft Office Access MUI (English) 2007
Microsoft Office Access MUI (French) 2007
Microsoft Office Access MUI (Italian) 2007
Microsoft Office Access MUI (Dutch) 2007
Microsoft Office Excel MUI (German) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (French) 2007
Microsoft Office Excel MUI (Italian) 2007
Microsoft Office Excel MUI (Dutch) 2007
Microsoft Office PowerPoint MUI (German) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (French) 2007
Microsoft Office PowerPoint MUI (Italian) 2007
Microsoft Office PowerPoint MUI (Dutch) 2007
Microsoft Office Publisher MUI (German) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (French) 2007
Microsoft Office Publisher MUI (Italian) 2007
Microsoft Office Publisher MUI (Dutch) 2007
Microsoft Office Outlook MUI (German) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Outlook MUI (French) 2007
Microsoft Office Outlook MUI (Italian) 2007
Microsoft Office Outlook MUI (Dutch) 2007
Microsoft Office Word MUI (German) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (French) 2007
Microsoft Office Word MUI (Italian) 2007
Microsoft Office Word MUI (Dutch) 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (German) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (French) 2007
Microsoft Office Proofing (Italian) 2007
Microsoft Office Proofing (Dutch) 2007
Microsoft Office Shared MUI (German) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (French) 2007
Microsoft Office Shared MUI (Italian) 2007
Microsoft Office Shared MUI (Dutch) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Need for Speed Underground 2
Microsoft Office Professional Hybrid 2007
Catalyst Control Center Localization Russian
CCC Help Greek
Catalyst Control Center Localization Chinese Traditional
ccc-utility
CCC Help Swedish
CCC Help French
ALPS Touch Pad Driver
Microsoft Visual C++ 2005 Redistributable
Catalyst Control Center Localization Danish
Catalyst Control Center Localization Chinese Standard
Adobe Reader 8
Catalyst Control Center Localization Thai
Nero 7 Essentials
MSXML 4.0 SP2 (KB936181)
ASUS Splendid Video Enhancement Technology
Catalyst Control Center Localization Korean
CCC Help Korean
Catalyst Control Center Localization Japanese
CCC Help Italian
LightScribe 1.8.13.1
Catalyst Control Center Core Implementation
ATK Generic Function Service
CCC Help English
WinFlash
CCC Help Norwegian
ASUS Live Update
Catalyst Control Center Localization Swedish
Realtek High Definition Audio Driver
CCC Help Thai
Catalyst Control Center Localization Norwegian
PowerForPhone
Vogue Tales Deluxe


Run Values:

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SMSERIAL"="C:\\Program Files\\Motorola\\SMSERIAL\\sm56hlpr.exe"
"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"
"RtHDVCpl"="RtHDVCpl.exe"
"Skytel"="Skytel.exe"
"ATKMEDIA"="C:\\Program Files\\ASUS\\ATK Media\\DMEDIA.EXE"
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"PowerForPhone"="C:\\Program Files\\PowerForPhone\\PowerForPhone.exe"
"ASUS Screen Saver Protector"="C:\\Windows\\ASScrPro.exe"
"ASUS Camera ScreenSaver"="C:\\Windows\\ASScrProlog.exe"
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"Flashget"="C:\\Program Files\\FlashGet\\FlashGet.exe /min"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 2009\\avp.exe\""
"Malwarebytes Anti-Malware Reboot"="\"C:\\Downloads\\Malwarebytes' Anti-Malware\\mbam.exe\" /runcleanupscript"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
"ehTray.exe"="C:\\Windows\\ehome\\ehTray.exe"
"LightScribe Control Panel"="C:\\Program Files\\Common Files\\LightScribe\\LightScribeControlPanel.exe -hidden"
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"


Bot Check:

SERVICE_NAME: wscsvc
DISPLAY_NAME : Sicherheitscenter
START_TYPE : 2 AUTO_START

SERVICE_NAME: sharedaccess
DISPLAY_NAME : Gemeinsame Nutzung der Internetverbindung
START_TYPE : 3 DEMAND_START

SERVICE_NAME: wuauserv
DISPLAY_NAME : Windows Update
START_TYPE : 2 AUTO_START

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"disableregistrytools"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update]
"AUOptions"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"AntiSpywareOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"WaitToKillServiceTimeout"="20000"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000
"Shell"="Explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"


ShellExecuteHooks:


Environment:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\environment
ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
OS REG_SZ Windows_NT
Path REG_EXPAND_SZ %systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static
PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
TMP REG_EXPAND_SZ %SystemRoot%\TEMP
USERNAME REG_SZ SYSTEM
windir REG_EXPAND_SZ %SystemRoot%
configsetroot REG_EXPAND_SZ %SystemRoot%\ConfigSetRoot

SecurityProviders:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
SecurityProviders REG_SZ credssp.dll


Authentication Packages:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0


Subsystem Startup:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"


Midi Drivers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi"="wdmaud.drv"


Non-Default IFEO Debugger:


Non-Default Installed Components:


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880d85-aad9-4558-abdc-2ab1552d831f}
<NO NAME> REG_SZ LightScribe Control Panel
Version REG_SZ 1,8,13,1
StubPath REG_SZ "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"


Non-Default Safeboot Minimal:


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\appinfo
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\keyiso
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ntds
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\profsvc
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\psexesvc
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sacsvr
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\swprv
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\tabletinputservice
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\tbs
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\trustedinstaller
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgr.sys
<NO NAME> REG_SZ Driver


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\volmgrx.sys
<NO NAME> REG_SZ Driver


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\windefend
<NO NAME> REG_SZ Service


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{6bdd1fc1-810f-11d0-bec7-08002be2092f}
<NO NAME> REG_SZ IEEE 1394 Bus host controllers


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{d48179be-ec20-11d1-b6b8-00c04fa372a7}
<NO NAME> REG_SZ SBP2 IEEE 1394 Devices


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\{d94ee5d8-d189-4994-83d2-f68d7d41b0e6}
<NO NAME> REG_SZ SecurityDevices


File Associations:


[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\cmdfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\shell\open\command]
@="C:\\Windows\\system32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"

[HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" -nohome"

[HKEY_CLASSES_ROOT\regedit\shell\open\command]
@="regedit.exe %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\system32\NOTEPAD.EXE %1"


Finished!