Internet and computer slow

20.03.2009, 10:14
Member

Posts: 47
#1 Hello dear community,
01. For some time now my Internet and PC have been slow.
02. Web pages take longer than usual to load.
03. My PC also takes a long time loading programs, e.g. when I restart it. The PC also simply freezes when I restart it, or even just on its own.

I have also already made logs with the various programs. With ComboFix, unfortunately, the PC froze when the program was about to prepare the log. Can I still find the log somewhere on the PC?

Quote

HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:58, on 2009-03-20
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Microsoft IntelliType Pro\itype.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Messenger\msmsgs.exe
C:\Programme\avmwlanstick\WlanNetService.exe
c:\Programme\Microsoft IntelliType Pro\dpupdchk.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\ICQ6Toolbar\ICQ Service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Andere Dinge\Programme\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: {E1A7ADA0-256A-11d3-9F09-00A0C98E9EA4} - - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [itype] "c:\Programme\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Bilder mit PicnickerPro laden... - C:\Dokumente und Einstellungen\JuLeZ\Desktop\PicnickerPro\GetCode.htm
O8 - Extra context menu item: Hinzufügen zu Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Statistik für den Schutz des Web-Datenverkehrs - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Programme/Jojo's%20Fashion%20Show/Images/stg_drm.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203496686359
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.ak.studivz.net/photouploader/ImageUploader4.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1206802374
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Programme/Jojo's%20Fashion%20Show/Images/armhelper.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Programme\avmwlanstick\WlanNetService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ICQ Service - Unknown owner - C:\Programme\ICQ6Toolbar\ICQ Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8053 bytes

Quote

Open Uninstall Manager
4Story 1.2
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.3 - Deutsch
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5
AVM FRITZ!WLAN
Big City Adventure: Sydney, Australia
Big Fish Games Client
CCleaner (remove only)
Choice Guard
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EVEREST Home Edition v2.20
Farm Frenzy - Pizza Party!
FormatFactory
Free Video to Mp3 Converter version 3.1
GetPicturesList
Go-Go Gourmet 2 - Chef of the Year
Hervorhebe-Funktion (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix für Windows Internet Explorer 7 (KB947864)
ICQ Toolbar
ICQ6.5
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 6
Kaspersky Internet Security 2009
Kaspersky Internet Security 2009
Last.fm 1.5.2.38918
Malwarebytes' Anti-Malware
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 German Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional mit FrontPage
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
mIRC
Mozilla Firefox (3.0.5)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Nero Suite
NVIDIA Drivers
Office Program Selector 6.0
PDF Settings
picture-shark 1.0
ProtectDisc Driver, Version 11
PSFtp Free
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Scribe! 1.6
Segoe UI
Sicherheitsupdate für Windows Internet Explorer 7 (KB938127)
Sicherheitsupdate für Windows Internet Explorer 7 (KB939653)
Sicherheitsupdate für Windows Internet Explorer 7 (KB942615)
Sicherheitsupdate für Windows Internet Explorer 7 (KB944533)
Sicherheitsupdate für Windows Internet Explorer 7 (KB950759)
Sicherheitsupdate für Windows Internet Explorer 7 (KB953838)
Sicherheitsupdate für Windows Internet Explorer 7 (KB956390)
Sicherheitsupdate für Windows Internet Explorer 7 (KB958215)
Sicherheitsupdate für Windows Internet Explorer 7 (KB960714)
Sicherheitsupdate für Windows Internet Explorer 7 (KB961260)
Smart Menus (Windows Live Toolbar)
SmartFTP Client
SmartFTP Client 3.0 Setup Files (remove only)
Soft Data Fax Modem with SmartCP
ThumbsPlus 7x (deutsch)
TuneUp Utilities 2008
Ulead PhotoImpact 12
Uninstall 1.0.0.1
UseNeXT
Viewpoint Media Player
VLC media player 0.9.8a
Windows Imaging Component
Windows Live Anmelde-Assistent
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live-Uploadtool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR
Zattoo 3.3.1 Beta

Quote

Malwarebytes
Malwarebytes' Anti-Malware 1.34
Database version: 1876
Windows 5.1.2600 Service Pack 3

20.03.2009 09:02:03
mbam-log-2009-03-20 (09-02-03).txt

Scan type: Quick Scan
Objects scanned: 66768
Time elapsed: 10 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
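As an added example that is not part of the original post (and not HijackThis's own logic): the way a helper on this board reads the HijackThis log above can be written down as a few rules over the lines. The sample input is nine lines copied from the log in post #1; the classification rules (orphaned entries, services whose binary carries no owner, where an O16 control was installed from, and a CLSID registered in more than one hook) are the example's own heuristics and mark things to look at, not verdicts.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample input: nine lines copied from the HijackThis log in post #1, one per pattern of interest.
SAMPLE_HJT = r"""
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: ICQToolBar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQ6Toolbar\ICQToolBar.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Programme/Jojo's%20Fashion%20Show/Images/stg_drm.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: ICQ Service - Unknown owner - C:\Programme\ICQ6Toolbar\ICQ Service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "<section> - <field> - <field> - ..." is the HijackThis line shape; fields are ' - ' separated.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Yield (section, fields) per entry; fields are the ' - ' separated parts after the section tag."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), [f.strip() for f in m.group("body").split(" - ")]


def dpf_origin(target):
    """Classify where an O16 (Downloaded Program Files) ActiveX control was installed from."""
    u = urlparse(target)
    if u.scheme == "file":
        return "local-file"          # a local .ocx registered as if IE had downloaded it
    if u.scheme in ("http", "https"):
        return u.hostname            # remote cab: judge the host, not the CLSID
    return "local-path"              # plain path such as C:\Programme\...\yinsthelper.dll


def analyze_hjt(text):
    """Apply the heuristics to every entry and return the findings grouped by kind."""
    report = {"orphans": [], "unknown_owner_services": [], "dpf": [],
              "clsid_sections": defaultdict(list)}
    for section, fields in parse_hjt(text):
        target = fields[-1]
        if target == "(no file)":
            # dead registry reference to a removed DLL: cleanup, not evidence of infection
            report["orphans"].append((section, fields[0]))
        if section == "O23" and len(fields) >= 3 and fields[1] == "Unknown owner":
            # no company name in the binary's version resource: verify the file before trusting it
            report["unknown_owner_services"].append(target)
        if section == "O16":
            clsid = CLSID_RE.search(fields[0])
            report["dpf"].append((clsid.group(0) if clsid else fields[0], dpf_origin(target)))
        for clsid in CLSID_RE.findall(" ".join(fields)):
            if section not in report["clsid_sections"][clsid]:
                report["clsid_sections"][clsid].append(section)
    # one COM object hooked in several places (R3 search hook + O3 toolbar) is what steers searches
    report["multi_hooked"] = {c: s for c, s in report["clsid_sections"].items() if len(s) > 1}
    return report


if __name__ == "__main__":
    r = analyze_hjt(SAMPLE_HJT)
    print("orphans:", r["orphans"])
    print("services with unknown owner:", r["unknown_owner_services"])
    print("O16 controls by origin:", r["dpf"])
    print("CLSIDs hooked in more than one place:", r["multi_hooked"])
```

Read against the full log: the two `(no file)` entries are leftovers of uninstalled toolbars and are safe to fix in HijackThis; "Unknown owner" on the ICQ service only says the executable has no company name in its version information; and the ICQ CLSID showing up as both URLSearchHook (R3) and Toolbar (O3) is how that toolbar routes address-bar searches, which lines up with the Firefox preferences pointing at search.icq.com in the ComboFix log later in the thread.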
20.03.2009, 11:00
Moderator

Posts: 5694
#2 >>
Update your Java:
http://board.protecus.de/t32385-1.htm

>>
Then remove under Start --> Control Panel --> Add or Remove Programs:
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 2
Java(TM) 6 Update 6


>>
You will find the ComboFix log at C:\ComboFix.txt
Post it.

Regards, Swiss
20.03.2009, 11:19
Member

Thread starter

Posts: 47
#3 Okay, done.

Under C: I only find a folder ComboFix but no ComboFix.txt file. The folder does contain this file, though:

Quote

ComboFix 09-03-18.01 - JuLeZ 2009-03-20 9:05:13.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.1023.596 [GMT 1:00]
Running from: C:\Dokumente und Einstellungen\JuLeZ\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
Is the log complete?
Should I do it again?
How long does it actually take until the log is created?
20.03.2009, 11:25
Moderator

Posts: 5694
#4 No, that is only the header of the log. Is that all that appears??
Yes, run ComboFix again and post the new log. You must not work on the PC during the scan!!

Regards, Swiss
20.03.2009, 11:30
Member

Thread starter

Posts: 47
#5 Yes, that is all that is in there. Okay, I'll make a new log.
20.03.2009, 17:53
Member

Thread starter

Posts: 47
#6 So, here is the ComboFix log

Quote

ComboFix 09-03-19.01 - JuLeZ 2009-03-20 11:35:14.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.1023.650 [GMT 1:00]
Running from: c:\dokumente und einstellungen\JuLeZ\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\.#
c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\.#\MBX@11BC@384150.###
c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\.#\MBX@11BC@384180.###
c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\.#\MBX@11BC@3841B0.###
c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\.#\MBX@1714@384150.###
c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\.#\MBX@1714@384180.###
c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\.#\MBX@1714@3841B0.###

.
((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 ))))))))))))))))))))))))))))))
.

2009-03-20 11:14 . 2009-03-20 11:13 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-20 11:14 . 2009-03-20 11:13 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-20 07:33 . 2009-03-20 07:47 101,287 --a------ c:\windows\system32\drivers\klin.dat
2009-03-20 07:33 . 2009-03-20 07:47 89,601 --a------ c:\windows\system32\drivers\klick.dat
2009-03-20 07:32 . 2009-03-20 09:55 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2009-03-20 07:32 . 2009-03-20 11:26 4,526,624 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-03-20 07:32 . 2009-03-20 11:12 491,552 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-03-20 07:32 . 2009-03-20 11:26 38,540 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-03-20 07:32 . 2009-03-20 11:12 3,808 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-03-18 07:32 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-03-17 10:27 . 2009-03-17 19:59 <DIR> d-------- c:\programme\Windows Live Safety Center
2009-03-16 20:11 . 2009-03-16 20:11 <DIR> d-------- c:\programme\ICQ6Toolbar
2009-03-16 20:10 . 2009-03-16 20:11 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\ICQ
2009-03-16 19:57 . 2009-03-16 20:24 <DIR> d-------- c:\programme\ICQ6.5
2009-03-12 09:06 . 2009-03-12 09:14 <DIR> d-------- c:\programme\eMule
2009-03-10 08:25 . 2009-03-19 10:19 <DIR> d-------- c:\dokumente und einstellungen\JuLeZ\Tracing
2009-03-10 08:24 . 2009-03-10 08:24 <DIR> d-------- c:\programme\Windows Live SkyDrive
2009-03-10 08:24 . 2009-03-10 08:24 <DIR> d-------- c:\programme\Microsoft
2009-03-10 08:17 . 2009-03-10 08:17 <DIR> d-------- c:\programme\Gemeinsame Dateien\Windows Live
2009-02-28 14:52 . 2009-02-28 14:53 <DIR> d-------- c:\programme\QuickTime
2009-02-24 23:30 . 2009-02-24 23:31 <DIR> d-------- c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\vlc
2009-02-21 21:32 . 2009-02-21 21:32 <DIR> d-------- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 10:13 --------- d-----w c:\programme\Java
2009-03-20 08:53 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-03-20 06:47 33,808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-03-20 06:32 --------- d-----w c:\programme\Kaspersky Lab
2009-03-20 06:31 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Kaspersky Lab Setup Files
2009-03-19 20:31 --------- d-----w c:\programme\PSFtp Free
2009-03-19 19:16 --------- d-----w c:\programme\ThumbsPlus 7x deutsch
2009-03-16 19:09 --------- d-----w c:\programme\ICQ6
2009-03-13 13:03 --------- d-----w c:\programme\Malwarebytes' Anti-Malware
2009-03-10 07:23 --------- d-----w c:\programme\Windows Live
2009-02-24 22:10 --------- d-----w c:\programme\KMPlayer
2009-02-22 09:49 --------- d-----w c:\programme\mIRC
2009-02-17 18:59 --------- d-----w c:\programme\Stripper
2009-02-12 19:59 --------- d-----w c:\programme\Messenger Plus! Live
2009-02-11 09:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-11 09:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-09 18:32 --------- d-----w c:\programme\Sat1 Spiele
2009-02-09 14:04 1,846,912 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 06:59 --------- d-----w c:\programme\BFG
2009-01-30 20:34 --------- d-----w c:\programme\Gemeinsame Dateien\Apple
2009-01-29 07:59 --------- d-----w c:\programme\Gameforge4D
2008-12-20 22:31 826,368 ----a-w c:\windows\system32\wininet.dll
2008-11-22 06:11 279,144 ----a-w c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2008-04-28 17:26 156,154 ----a-w c:\dokumente und einstellungen\All Users\Anwendungsdaten\firstlsp.reg.dat
2008-02-26 22:53 0 ----a-w c:\programme\temp01
2007-10-23 14:15 396 ----a-w c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\wklnhst.dat
2008-06-21 10:30 32,768 --sha-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008062120080622\index.dat
.

(((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\programme\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"itype"="c:\programme\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-03-20 148888]
"nwiz"="nwiz.exe" [2007-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe
"MSMSGS"="c:\programme\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Programme\\Steam\\SteamApps\\xxjulezxx\\counter-strike source\\hl2.exe"=
"c:\\Programme\\Steam\\SteamApps\\xxjulezxx\\counter-strike\\hl.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programme\\mIRC\\mirc.exe"=
"c:\\Programme\\Zattoo\\zattood.exe"=
"c:\\Programme\\Zattoo\\Zattoo2.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Programme\\Zattoo\\Zattoo.exe"=
"c:\\Programme\\Java\\jre1.6.0_06\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Programme\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programme\\ICQ6.5\\ICQ.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
R0 Si3112r;ATI-437A Serial ATA Controller;c:\windows\system32\drivers\SI3112r.sys [2005-05-04 97920]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008-01-23 501560]
R2 ICQ Service;ICQ Service;c:\programme\ICQ6Toolbar\ICQ Service.exe [2009-03-16 222456]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
S2 P0250BUK;Creative PC-CAM 550 (Still);c:\windows\system32\Drivers\p0250Buk.sys --> c:\windows\system32\Drivers\p0250Buk.sys [?]
S3 avmeject;AVM Eject;c:\windows\system32\drivers\avmeject.sys [2007-12-30 4352]
S3 FWLANUSB;AVM FRITZ!WLAN;c:\windows\system32\drivers\fwlanusb.sys [2007-12-30 265088]
S3 HIDKbFlt;Dritek USB Keyboard HID Filter;c:\windows\system32\drivers\HIDKbFlt.sys [2004-12-14 21120]
S3 P0250VID;Creative PC-CAM 550 (Video);c:\windows\system32\DRIVERS\p0250v2k.sys --> c:\windows\system32\DRIVERS\p0250v2k.sys [?]
S3 RTLWUSB;802.11g USB2.0 WLAN Dongle;c:\windows\system32\DRIVERS\RTL8187.sys --> c:\windows\system32\DRIVERS\RTL8187.sys [?]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
S3 w200bus;Sony Ericsson W200 driver (WDM);c:\windows\system32\drivers\w200bus.sys [2008-07-26 61504]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;c:\windows\system32\drivers\w200mdfl.sys [2008-07-26 9328]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;c:\windows\system32\drivers\w200mdm.sys [2008-07-26 97056]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w200mgmt.sys [2008-07-26 88560]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;c:\windows\system32\drivers\w200obex.sys [2008-07-26 86368]
S4 Contoxpmmnpv;Contoxpmmnpv; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1b46972-b8b1-11dd-a62f-00055d4f6abf}]
\Shell\AutoRun\command - M:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EA0FCA4F-891F-6CBF-DFE2-8A56A5DC5CFE}]
c:\windows\system32:wupdate.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = local
IE: Bilder mit PicnickerPro laden... - c:\dokumente und einstellungen\JuLeZ\Desktop\PicnickerPro\GetCode.htm
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1206802374
FF - ProfilePath - c:\dokumente und einstellungen\JuLeZ\Anwendungsdaten\Mozilla\Firefox\Profiles\mvh1qcbm.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\dokumente und einstellungen\All Users\Anwendungsdaten\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\programme\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\programme\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX Policies ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 11:39:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- Locked Registry Keys ---------------------

[HKEY_USERS\S-1-5-21-2000478354-839522115-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ae,02,97,c0,ea,51,ee,62,d7,11,2c,bf,86,8d,83,5a,58,3d,db,ce,3b,0c,fc,
ac,8a,8f,08,5a,40,ba,32,a4,e9,12,4e,46,03,a1,d2,7a,d2,52,fb,03,16,02,0f,54,\
"??"=hex:7c,d4,c3,02,51,af,67,b9,80,64,c1,81,e9,24,cf,ac

[HKEY_USERS\S-1-5-21-2000478354-839522115-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:25,6a,64,30,1c,8f,66,9f,a9,c1,1f,5c,f6,e9,6c,e2,03,c2,71,99,7a,
5e,cf,f5,93,07,67,2f,78,04,72,a7,69,e7,46,0c,5f,5c,a8,46,39,f8,50,d3,7f,92,\
"rkeysecu"=hex:f6,75,65,7b,f9,f3,97,26,78,31,e9,4c,ef,4e,4d,28
.
Completion time: 2009-03-20 11:42:49
ComboFix-quarantined-files.txt 2009-03-20 10:42:45
ComboFix2.txt 2008-11-28 18:23:57

Pre-Run: 22 directories, 66,076,917,760 bytes free
Post-Run: 22 directories, 66,101,669,888 bytes free

203 --- E O F --- 2009-03-15 14:04:08
20.03.2009, 22:46
Moderator

Posts: 5694
#7 >>
Make hidden files visible:
1. Under Start, click My Computer.
2. On the Tools menu, click Folder Options.
3. Files and Folders/Hide extensions for known file types --> remove the check mark
4. Hide protected operating system files --> remove the check mark
5. Hidden files and folders/Show hidden files and folders --> set the check mark.

"Hide protected operating system files" must not be checked, and "Show hidden files and folders" must be enabled.
http://virus-protect.org/invisible.html

>>
Have the following file checked at www.VIRUSTOTAL.com/e and post the result:

c:\windows\system32\wupdate.exe

Click Browse --> select the file (or paste the file with the correct path straight in with Ctrl+V) --> click the file to be checked and Open --> click "Send file"... now wait - then select the text with the right mouse button -> copy it here

>>
Download Registry Search by Bobbi Flekman

and double-click it to start.
Into the field "Enter search strings" (type or paste)

Contoxpmmnpv

and click "Ok".
Notepad will open -- copy the text and post it.

The same with

wupdate

Regards, Swiss
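An added example for reading the ComboFix entries this post follows up on (it is not code from the thread or from ComboFix): a small Python triage pass over lines copied from the log in post #6. Three entries in that log are what the script flags. The service `S4 Contoxpmmnpv;Contoxpmmnpv; [x]` has a registry key but no image path; the `mountpoints2` entry runs `M:\setup.exe` from a removable drive via AutoRun; and the Active Setup component `{EA0FCA4F-891F-6CBF-DFE2-8A56A5DC5CFE}` points at `c:\windows\system32:wupdate.exe`. The colon after `system32` makes that last path an NTFS alternate data stream attached to the system32 directory, not a file inside it, which is why Explorer shows nothing under that name and why a `system32\wupdate.exe` path yields no file to upload. The category names and the sample selection are the example's own; the normal Kaspersky driver line is included for contrast.

```python
import re

# Sample input: lines copied from the ComboFix log quoted in post #6; the first line is a
# normal driver entry kept for contrast, the rest are the ones worth a closer look.
SAMPLE_LOG = r"""
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 33808]
S3 SjyPkt;SjyPkt;\??\c:\windows\System32\Drivers\SjyPkt.sys --> c:\windows\System32\Drivers\SjyPkt.sys [?]
S4 Contoxpmmnpv;Contoxpmmnpv; [x]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c1b46972-b8b1-11dd-a62f-00055d4f6abf}]
\Shell\AutoRun\command - M:\setup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EA0FCA4F-891F-6CBF-DFE2-8A56A5DC5CFE}]
c:\windows\system32:wupdate.exe
"""

# A Windows path whose only colon is the drive colon names a normal file or directory; a second
# colon after the drive letter separates an NTFS host object from an alternate data stream.
ADS_RE = re.compile(r"^(?P<host>[a-z]:\\[^:]*):(?P<stream>[^\\:]+)$", re.I)
# ComboFix service/driver lines: "<start type> <name>;<display name>;<image path> [...]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
REGKEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")


def split_ads(path):
    """Return (host, stream) if `path` names an alternate data stream, else None."""
    m = ADS_RE.match(path.strip())
    return (m.group("host"), m.group("stream")) if m else None


def stream_path(host, stream):
    """Path to hand to a copy or hash tool: the stream itself, not a file inside the host directory."""
    return f"{host}:{stream}"


def triage(log_text):
    """Walk ComboFix output and return (category, detail, line) tuples worth a closer look."""
    findings = []
    context = ""  # lower-cased registry key the current block of lines belongs to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = REGKEY_RE.match(line)
        if key:
            context = key.group("key").lower()
            continue
        svc = SERVICE_RE.match(line)
        if svc:
            image = svc.group("image").strip()
            if image == "[x]":
                # registry key exists but no binary is registered: leftover or a removed component
                findings.append(("service-without-image", svc.group("name"), line))
            elif image.endswith("[?]"):
                # image path is registered but the file is missing on disk
                findings.append(("service-binary-missing", svc.group("name"), line))
            continue
        if "mountpoints2" in context and "autorun" in line.lower():
            findings.append(("removable-media-autorun", line.split(" - ", 1)[-1], line))
            continue
        ads = split_ads(line)
        if ads:
            host, stream = ads
            where = " (Active Setup, run once per user at logon)" if "active setup" in context else ""
            findings.append(("alternate-data-stream", f"{host} stream {stream}{where}", line))
        elif "active setup\\installed components" in context:
            findings.append(("active-setup-component", line, line))
    return findings


if __name__ == "__main__":
    for category, detail, _ in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```

To actually get the stream for a scanner on XP, address it as the stream: Sysinternals `streams.exe -s c:\windows\system32` lists streams under that directory, and `more < c:\windows\system32:wupdate.exe > %temp%\wupdate_stream.bin` copies the stream out into a normal file that can be hashed or submitted. Active Setup runs each component's StubPath once per user at logon, so the registry key and the stream both need to go; the empty `Contoxpmmnpv` service key is just a dead entry once no image path is left, and the `M:\setup.exe` AutoRun command is only a threat while that removable drive is plugged in.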
20.03.2009, 23:50
Member

Thread starter

Posts: 47
#8 Okay, all done. I could not find the file in system32.

VIRUSTOTAL
0 bytes size received / Se ha recibido un archivo vacio


Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Contoxpmmnpv" 20.03.2009 23:42:38

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Contoxpmmnpv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Contoxpmmnpv\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Contoxpmmnpv]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Contoxpmmnpv\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Contoxpmmnpv]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Contoxpmmnpv\Security]

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "wupdate" 20.03.2009 23:46:15

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{037FB476-15E0-4ED1-B11A-E420B750B1A8}]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{037FB476-15E0-4ED1-B11A-E420B750B1A8}\ProgID]
@="DWUpdateService.ProfileManager.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{037FB476-15E0-4ED1-B11A-E420B750B1A8}\VersionIndependentProgID]
@="DWUpdateService.ProfileManager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AFAFE48-7107-4FE5-B21A-86A4254541DD}]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AFAFE48-7107-4FE5-B21A-86A4254541DD}\ProgID]
@="DWUpdateService.Instance.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AFAFE48-7107-4FE5-B21A-86A4254541DD}\VersionIndependentProgID]
@="DWUpdateService.Instance"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E42CE23D-69F9-480A-A15F-BFF5E4D170C3}]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E42CE23D-69F9-480A-A15F-BFF5E4D170C3}\ProgID]
@="DWUpdateService.InstanceList.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E42CE23D-69F9-480A-A15F-BFF5E4D170C3}\VersionIndependentProgID]
@="DWUpdateService.InstanceList"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F1522EC1-F84F-4CE2-A38C-F9384B0DFD41}]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F1522EC1-F84F-4CE2-A38C-F9384B0DFD41}\ProgID]
@="DWUpdateService.ActivityLog.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F1522EC1-F84F-4CE2-A38C-F9384B0DFD41}\VersionIndependentProgID]
@="DWUpdateService.ActivityLog"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFF2D28F-E4EE-44D9-8104-8E71556757F6}]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFF2D28F-E4EE-44D9-8104-8E71556757F6}\ProgID]
@="DWUpdateService.Agent.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FFF2D28F-E4EE-44D9-8104-8E71556757F6}\VersionIndependentProgID]
@="DWUpdateService.Agent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ActivityLog]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ActivityLog]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ActivityLog\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ActivityLog.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ActivityLog.1]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ActivityLog.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Agent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Agent]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Agent\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Agent.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Agent.1]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Agent.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Instance]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Instance]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Instance\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Instance.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Instance.1]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.Instance.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.InstanceList]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.InstanceList]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.InstanceList\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.InstanceList.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.InstanceList.1]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.InstanceList.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ProfileManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ProfileManager]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ProfileManager\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ProfileManager.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ProfileManager.1]
@="DWUpdateService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DWUpdateService.ProfileManager.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A681F238-74BB-4807-B940-A80197ECBBE6}\1.0]
@="DWUpdateService 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EA0FCA4F-891F-6CBF-DFE2-8A56A5DC5CFE}]
"StubPath"="C:\\WINDOWS\\system32:wupdate.exe"

[HKEY_USERS\S-1-5-21-2000478354-839522115-725345543-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="wupdate"

[HKEY_USERS\S-1-5-21-2000478354-839522115-725345543-1004\Software\Microsoft\Windows\CurrentVersion\App Management]
"ShowUpdates"=dword:00000000
21.03.2009, 18:44
Moderator

Posts: 5694
#9 >>
Scan with Silentrunner and post the log:
http://virus-protect.org/silentrunner.html

Regards, Swiss

For me:

Quote

KILLALL:

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Contoxpmmnpv]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Contoxpmmnpv]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Contoxpmmnpv]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EA0FCA4F-891F-6CBF-DFE2-8A56A5DC5CFE}]

"StubPath"="C:\\WINDOWS\\system32:wupdate.exe"
21.03.2009, 19:05
Member

Thread starter

Posts: 47
#10 Thanks! Done.

Quote

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programme\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"itype" = ""c:\Programme\Microsoft IntelliType Pro\itype.exe"" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"TkBellExe" = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"AVP" = ""C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"" ["Kaspersky Lab"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\(Default) = "IEVkbdBHO"
-> {HKLM...CLSID} = "IEVkbdBHO Class"
\InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll" ["Kaspersky Lab"]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Anmelde-Hilfsprogramm"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Programme\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
-> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
\InProcServer32\(Default) = "C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
-> {HKLM...CLSID} = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{1825D0FA-5B0C-4e20-A929-3EFD15B6DF71}" = "IntelliType Pro Touchpad Control Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Touchpad Control Property Page"
\InProcServer32\(Default) = ""c:\Programme\Microsoft IntelliType Pro\itcpltp.dll"" [MS]
"{A2569D1F-4E06-43EC-9825-0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Wireless Control Panel Property Page"
\InProcServer32\(Default) = ""c:\Programme\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{97FA8AA2-EE77-4FF2-9449-424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Zooming Property Page"
\InProcServer32\(Default) = ""c:\Programme\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120-25EB-4E1C-A4DF-C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Scrolling Property Page"
\InProcServer32\(Default) = ""c:\Programme\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6-8A83-43aa-8208-8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
-> {HKLM...CLSID} = "IntelliType Pro Key Settings Property Page"
\InProcServer32\(Default) = ""c:\Programme\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{39DD67E0-73B6-4a11-AF55-49E1EBBF72BE}" = "SmartFTP Favorites Namespace"
-> {HKLM...CLSID} = "SmartFTP FavoritesShellFolder Class"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFavoritesShellExtension.dll" ["SmartSoft Ltd."]
"{82AA9188-44E0-40B9-B956-43A10C315B4F}" = "SmartFTP Shell Namespace Extension"
-> {HKLM...CLSID} = "RootShellFolder Class"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{3B164627-7060-47BB-A1BE-DF5540B02821}" = "SmartFTP MultiUpload Shell Namespace Extension"
-> {HKLM...CLSID} = "ShellFolderMultiUploadSource Class"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{119310E6-5FB7-4eeb-BEDB-9E229E76B9B4}" = "SmartFTP MultiUpload Shell Namespace Extension"
-> {HKLM...CLSID} = "ShellFolderMultiUploadDestination Class"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{2ED7FD81-CBA6-45E5-A49A-5E84889A94E2}" = "SmartFTP Drop Handler"
-> {HKLM...CLSID} = "ShellFolderDragDropHandler Class"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{EB5EE1F3-041A-4c03-9D51-2BEC6715FB00}" = "SmartFTP Search Shell Namespace Extension"
-> {HKLM...CLSID} = "ShellFolderSearchRoot Class"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfFTPShellExtension.dll" ["SmartSoft Ltd."]
"{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}" = "SmartFTP ContextMenu"
-> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{40FDFA48-5F4E-4627-A78E-6A49A3D4492F}" = "SmartFTP ShellDropHandler"
-> {HKLM...CLSID} = "SmartFTP ShellDropHandler Class"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}" = "SmartFTP Drop ShellIconOverlayHandler"
-> {HKLM...CLSID} = "SmartFTP Drop ShellIconOverlayHandler"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statistik für den Schutz des Web-Datenverkehrs"
-> {HKLM...CLSID} = "Statistik für den Schutz des Web-Datenverkehrs"
\InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll" ["Kaspersky Lab"]
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
-> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
-> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
\InProcServer32\(Default) = "C:\Programme\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
-> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll" ["Kaspersky Lab"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\JuLeZ\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AlcoholAutoPlayV2.BurnDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""C:\Programme\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

AlcoholAutoPlayV2.ReadDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "ReadDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command\(Default) = ""C:\Programme\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

BridgeCS3ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "C:\Programme\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

NeroAutoPlay2CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CopyCD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Programme\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Programme\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
-> {HKLM...CLSID} = "RealNetworks Scheduler"
\LocalServer32\(Default) = ""C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKCU\Software\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKCU\Software\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda://%1" ["the VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd://%1" ["the VideoLAN Team"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Programme\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
-> {HKLM...CLSID} = "ICQToolBar"
\InProcServer32\(Default) = "C:\Programme\ICQ6Toolbar\ICQToolBar.dll" ["ICQ"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQToolBar"
-> {HKLM...CLSID} = "ICQToolBar"
\InProcServer32\(Default) = "C:\Programme\ICQ6Toolbar\ICQToolBar.dll" ["ICQ"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{855F3B16-6D32-4FE6-8A56-BBB695989046}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ICQToolBar"
\InProcServer32\(Default) = "C:\Programme\ICQ6Toolbar\ICQToolBar.dll" ["ICQ"]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statistik für den Schutz des Web-Datenverkehrs"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statistik für den Schutz des Web-Datenverkehrs"

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{E59EB121-F339-4851-A3BA-FE49C35617C2}\
"ButtonText" = "ICQ6"
"MenuText" = "ICQ6"
"Exec" = "C:\Programme\ICQ6.5\ICQ.exe" ["ICQ, LLC."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
-> {HKLM...CLSID} = "ICQToolBar"
\InProcServer32\(Default) = "C:\Programme\ICQ6Toolbar\ICQToolBar.dll" ["ICQ"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ICQ\ICQNewTab\newTab.html" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, "C:\Programme\Bonjour\mDNSResponder.exe" ["Apple Computer, Inc."]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
AVM WLAN Connection Service, AVM WLAN Connection Service, "C:\Programme\avmwlanstick\WlanNetService.exe" ["AVM Berlin"]
ICQ Service, ICQ Service, "C:\Programme\ICQ6Toolbar\ICQ Service.exe" [empty string]
Java Quick Starter, JavaQuickStarterService, ""C:\Programme\Java\jre6\bin\jqs.exe" -service -config "C:\Programme\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Kaspersky Internet Security, AVP, ""C:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r" ["Kaspersky Lab"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
StarWind iSCSI Service, StarWindService, "C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
TuneUp Designerweiterung, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
WMI-Leistungsadapter, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]


---------- (launch time: 2009-03-21 19:04:33)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 473 seconds, including 2 seconds for message boxes)
This post was edited on 21.03.2009 at 19:13 by Sleg.
22.03.2009, 11:03
Moderator

Posts: 5694
#11 >>
I don't like this one, but it's odd that Silentrunner didn't mention it:

Quote

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EA0FCA4F-891F-6CBF-DFE2-8A56A5DC5CFE}]
"StubPath"="C:\\WINDOWS\\system32:wupdate.exe"
I'm thinking of a worm:
http://www.threatexpert.com/report.aspx?uid=ab5fa99f-21b0-45d2-a0e9-bd40785acc19

>>
Run an eScan; I'm curious whether it finds anything. After that we'll remove it:
http://virus-protect.org/artikel/tools/escan1.html

>>
Start Registry Search by Bobbi Flekman

and double-click to start it.
In the field "Enter search strings" (type or paste)

EA0FCA4F-891F-6CBF-DFE2-8A56A5DC5CFE

into the edit box and click "Ok".
Notepad will open -- copy the text and post it.


Regards, Swiss
This post was edited on 22.03.2009 at 11:12 by Tonstudio.
22.03.2009, 12:05
Member

Thread starter

Posts: 47
#12 Should I scan only the Windows folder or the whole C: drive?
22.03.2009, 13:38
Moderator

Posts: 5694
#13 Let it scan everything ;)

Regards, Swiss
22.03.2009, 19:16
Member

Thread starter

Posts: 47
#14 OK, here is the log from Registry Search by Bobbi Flekman

Quote

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "EA0FCA4F-891F-6CBF-DFE2-8A56A5DC5CFE" 22.03.2009 19:13:37

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{EA0FCA4F-891F-6CBF-DFE2-8A56A5DC5CFE}]

[HKEY_USERS\S-1-5-21-2000478354-839522115-725345543-1004\Software\Microsoft\Active Setup\Installed Components\{EA0FCA4F-891F-6CBF-DFE2-8A56A5DC5CFE}]
With eScan I'm still scanning. After 2 h 45 min the program still isn't finished. I hope it won't take much longer.
22.03.2009, 19:33
Moderator

Posts: 5694
#15 Yes, then let's wait and see ;)

Regards, Swiss