actxprxyr.exe and digiwet.dll -> more detailed description?!

21.05.2009, 02:35
...new here

Posts: 6
#1 Wanted to change something in my regedit today and suddenly realised the thing wouldn't open any more. On top of that I noticed my AntiVir wasn't in the systray. AntiVir wouldn't open either. I only reinstalled recently, so I was a bit alarmed. Malwarebytes' Anti-Malware then spat out the following result:

---------------------------------
Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASECURITYCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArcaCheck.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arcavir.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashEnhcd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avadmin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcls.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avz_se.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\caavguiscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRWEB32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fpscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSTUB.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nvcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\preupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pskdr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SfFnUp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vba32arkit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vba32ldr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zoneband.dll (Security.Hijack) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\WINDOWS\system32\actxprxyr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\digiwet.dll (Trojan.Agent) -> Quarantined and deleted successfully.
---------------------------------

I just can't imagine where I could have picked this up. I've been using the same programs for ages and am very careful in that area. Maybe someone can tell me whether somebody could already have got hold of sensitive information of mine by means of these trojans, or what other damage I might have suffered?! Does anyone know the files in more detail and which program they might come bundled with? The thing with all those registry keys that stopped my AntiVir from running properly is a bit worrying too. I've read that this can be an attack vector on Windows, since you can configure it so that when you open the file you want, a completely different file opens instead (malware!!!).

Anyway, everything is working again as it should. Should I still be worried?

Regarding actxprxyr.exe: there is also an actxprxy.exe (without the "r" at the end) in my system32 folder. According to fileinfo, though, this one appears to be from Microsoft, and neither Malwarebytes nor AntiVir itself complained about it ... so it should be OK, right?
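The mechanism the poster describes is the IFEO "Debugger" redirection: a `Debugger` value under `Image File Execution Options\<image>.exe` makes Windows start that program instead of the image, which is how regedit.exe, avgnt.exe and the other tools in the log were blocked. The following is an added example, not code from the thread or from Malwarebytes: a read-only PowerShell audit of the IFEO Debugger values and of the Security Center DisableNotify switches that the log flagged. It assumes PowerShell 3.0 or later and an elevated prompt; the function names are mine.

```powershell
# Added example (not from the original thread). Read-only: it reports, it deletes nothing.
# Assumes PowerShell 3.0+ and an elevated prompt.
#
# 1. Image File Execution Options (IFEO): a REG_SZ value named "Debugger" under
#    ...\Image File Execution Options\<image>.exe makes Windows launch that program
#    instead of <image>.exe. Legitimate uses (a developer's debugger) are rare on an
#    end-user machine and should be known to its owner.
# 2. Security Center *DisableNotify values: 1 suppresses the "antivirus / firewall /
#    updates are off" warning (the log above reports them as "Bad: (1) Good: (0)").

$IfeoPath           = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$SecurityCenterPath = 'HKLM:\SOFTWARE\Microsoft\Security Center'

function Get-IfeoDebuggerEntries {
    param([string]$Path = $IfeoPath)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { return }   # subkey without a Debugger value (e.g. only GlobalFlag): harmless

        # First token of the Debugger command line: a quoted path, or everything up to the first space.
        $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }

        [pscustomobject]@{
            Image        = $_.PSChildName
            Debugger     = $dbg
            # False both for a path the AV has already removed and for a bare name such as "ntsd".
            TargetExists = Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue
        }
    }
}

function Get-SecurityCenterNotifyState {
    param([string]$Path = $SecurityCenterPath)

    $names = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in $names) {
        $value = $null
        if ($props -and $props.PSObject.Properties[$name]) { $value = $props.$name }

        if ($value -eq 1)         { $status = 'SUPPRESSED (bad)' }
        elseif ($null -eq $value) { $status = 'not set (default)' }
        else                      { $status = 'ok' }

        [pscustomobject]@{ Setting = $name; Value = $value; Status = $status }
    }
}

'== IFEO subkeys that carry a Debugger value =='
Get-IfeoDebuggerEntries | Format-Table -AutoSize
'== Security Center notification switches =='
Get-SecurityCenterNotifyState | Format-Table -AutoSize
```

On a clean machine the first table is normally empty; every row it does show should be explainable, and the Malwarebytes log above is effectively that list for this machine. Remediation of an unexplained row is deleting that Debugger value (or the subkey) after recording it, which is what the scanner did here.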
21.05.2009, 10:32
Moderator

Posts: 7805
#2 If you want to be on the safe side, use ComboFix.
It shouldn't do any harm in this case, since the machine is/was already infected:
http://board.protecus.de/t23188.htm

Post the report.
__________
Regards, Ralf
SEO-Spam Hunter
21.05.2009, 14:36
...new here

Thread starter

Posts: 6
#3 --------------------------
ComboFix 09-05-20.07 - *** 21.05.2009 0:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.43.1031.18.2046.1564 [GMT 2:00]
ausgeführt von:: c:\dokumente und einstellungen\***\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UPSIDSVC
-------\Service_UPSidsvc


((((((((((((((((((((((( Dateien erstellt von 2009-04-20 bis 2009-05-20 ))))))))))))))))))))))))))))))
.

2009-05-20 22:35 . 2009-05-20 22:35 -------- d-----r c:\dokumente und einstellungen\LocalService\Favoriten
2009-05-20 22:35 . 2009-05-20 22:35 -------- d-sh--w c:\dokumente und einstellungen\LocalService\IETldCache
2009-05-20 22:09 . 2009-05-20 22:09 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\Malwarebytes
2009-05-20 22:09 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-20 22:09 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-20 22:09 . 2009-05-20 22:09 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-05-20 22:09 . 2009-05-20 22:09 -------- d-----w c:\programme\Malwarebytes' Anti-Malware
2009-05-20 21:34 . 2009-05-20 21:34 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-05-20 21:34 . 2009-05-20 21:34 -------- d-----w c:\programme\Avira
2009-05-20 21:15 . 2009-05-20 22:16 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\Free Download Manager
2009-05-20 21:15 . 2009-05-20 21:15 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\FreeDownloadManager.ORG
2009-05-20 21:15 . 2009-05-20 21:15 -------- d-----w c:\programme\Free Download Manager
2009-05-20 19:19 . 2009-05-20 19:19 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\AdobeUM
2009-05-19 21:48 . 2005-02-11 08:19 5744 ----a-w c:\windows\system32\drivers\k750wh.sys
2009-05-19 21:48 . 2005-02-11 08:19 5744 ----a-w c:\windows\system32\drivers\k750whnt.sys
2009-05-19 21:48 . 2005-02-11 08:24 79488 ----a-w c:\windows\system32\drivers\k750obex.sys
2009-05-19 21:48 . 2005-02-11 08:22 81728 ----a-w c:\windows\system32\drivers\k750mgmt.sys
2009-05-19 21:48 . 2005-02-11 08:21 89872 ----a-w c:\windows\system32\drivers\k750mdm.sys
2009-05-19 21:48 . 2005-02-11 08:21 6576 ----a-w c:\windows\system32\drivers\k750mdfl.sys
2009-05-19 21:48 . 2005-02-11 08:24 6144 ----a-w c:\windows\system32\drivers\k750cm.sys
2009-05-19 21:48 . 2005-02-11 08:24 6144 ----a-w c:\windows\system32\drivers\k750cmnt.sys
2009-05-19 21:48 . 2005-02-11 08:19 55216 ----a-w c:\windows\system32\drivers\k750bus.sys
2009-05-18 23:12 . 2009-05-18 23:12 32 --s-a-w c:\windows\system32\343980751.dat
2009-05-18 22:52 . 2009-05-18 22:52 -------- d--h--w c:\windows\PIF
2009-05-18 21:15 . 2009-05-18 21:15 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\Media Player Classic
2009-05-18 20:44 . 2009-05-18 22:10 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\dvdcss
2009-05-18 13:26 . 2009-05-18 13:26 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Adobe Systems
2009-05-18 13:25 . 2009-05-18 13:26 -------- d-----w c:\dokumente und einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Adobe
2009-05-18 13:25 . 2009-05-18 13:25 -------- d-----w c:\programme\Gemeinsame Dateien\Adobe Systems Shared
2009-05-18 13:23 . 2009-05-18 13:25 -------- d-----w c:\programme\Gemeinsame Dateien\Adobe
2009-05-18 09:55 . 2009-05-18 09:55 -------- d-----w c:\programme\Gemeinsame Dateien\DivX Shared
2009-05-18 09:55 . 2009-05-18 09:55 -------- d-----w c:\programme\DivX
2009-05-17 11:26 . 2009-05-17 11:30 -------- d-----w c:\programme\WinAce
2009-05-16 19:18 . 2009-05-16 19:18 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\InfraRecorder
2009-05-16 16:25 . 2009-05-16 19:36 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\vlc
2009-05-16 15:01 . 2009-05-16 15:01 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-05-16 15:01 . 2009-05-20 20:56 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\skypePM
2009-05-16 14:57 . 2009-05-20 20:57 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\Skype
2009-05-16 14:57 . 2009-05-16 14:57 -------- d-----w c:\programme\Gemeinsame Dateien\Skype
2009-05-16 14:57 . 2009-05-16 14:57 -------- d-----r c:\programme\Skype
2009-05-16 14:57 . 2009-05-16 14:57 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
2009-05-16 14:54 . 2009-05-20 20:56 -------- d-----w c:\dokumente und einstellungen\***\Tracing
2009-05-16 14:52 . 2009-05-20 22:36 -------- d-----w C:\downloads
2009-05-16 14:51 . 2009-05-16 14:51 -------- d-----w c:\programme\uTorrent
2009-05-16 14:50 . 2009-05-20 22:57 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\uTorrent
2009-05-16 14:50 . 2009-05-16 14:50 -------- d-----w c:\programme\Microsoft
2009-05-16 14:50 . 2009-05-16 14:50 -------- d-----w c:\programme\Windows Live SkyDrive
2009-05-16 14:49 . 2009-05-16 14:50 -------- d-----w c:\programme\Windows Live
2009-05-16 14:43 . 2009-05-16 14:43 -------- d-----w c:\programme\Gemeinsame Dateien\Windows Live
2009-05-16 14:18 . 2009-05-16 14:18 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\gnupg
2009-05-16 14:18 . 2009-05-16 14:18 -------- d-----w c:\programme\GNU
2009-05-16 14:07 . 2009-05-16 14:07 -------- d-----w c:\programme\Microsoft Visual C++ 2008 Redistributable Package
2009-05-16 14:05 . 2009-05-16 14:05 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\Talkback
2009-05-16 14:05 . 2009-05-16 14:05 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\Thunderbird
2009-05-16 14:05 . 2009-05-16 14:05 -------- d-----w c:\dokumente und einstellungen\***\Lokale Einstellungen\Anwendungsdaten\Thunderbird
2009-05-16 14:04 . 2009-05-20 21:41 -------- d-----w c:\programme\Mozilla Thunderbird
2009-05-16 13:49 . 2009-03-26 19:20 200704 ----a-w c:\windows\system32\libssl32.dll
2009-05-16 13:49 . 2009-03-26 19:20 1017344 ----a-w c:\windows\system32\libeay32.dll
2009-05-16 13:49 . 2009-03-26 19:20 200704 ----a-w c:\windows\system32\ssleay32.dll
2009-05-16 13:49 . 2009-05-16 13:49 -------- d-----w c:\programme\OpenSSL
2009-05-16 13:45 . 2009-05-18 22:01 -------- d-----w c:\programme\_***
2009-05-13 22:28 . 2009-05-13 22:28 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\Realtime Soft
2009-05-13 22:28 . 2009-05-13 22:28 -------- d-----w c:\programme\Gemeinsame Dateien\Realtime Soft
2009-05-13 22:28 . 2009-05-13 22:28 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Realtime Soft
2009-05-13 22:28 . 2009-05-13 22:28 -------- d-----w c:\programme\UltraMon
2009-05-04 22:06 . 2009-05-04 22:06 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Hagel Technologies
2009-05-04 22:05 . 2009-05-04 22:05 -------- d-----w c:\programme\DU Meter
2009-05-03 22:25 . 2009-05-03 22:25 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Acronis
2009-05-03 22:22 . 2009-05-03 22:22 44384 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2009-05-03 22:22 . 2009-05-03 22:22 441760 ----a-w c:\windows\system32\drivers\timntr.sys
2009-05-03 22:22 . 2009-05-03 22:22 134272 ----a-w c:\windows\system32\drivers\snman380.sys
2009-05-03 22:22 . 2009-05-03 22:24 -------- d-----w c:\programme\Gemeinsame Dateien\Acronis
2009-05-03 22:22 . 2009-05-03 22:22 -------- d-----w c:\programme\Acronis
2009-05-03 21:02 . 2009-03-24 14:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-03 20:39 . 2009-05-03 20:39 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\Avaya
2009-05-03 19:56 . 2009-05-03 20:52 607744 ----a-w c:\dokumente und einstellungen\LocalService\Lokale Einstellungen\Anwendungsdaten\FontCache3.0.0.0.dat
2009-05-03 19:55 . 2009-02-27 07:52 292152 ----a-w c:\windows\system32\tvt_gina_api.dll
2009-05-03 19:55 . 2003-02-21 19:42 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-05-03 19:55 . 2003-03-19 11:14 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-05-03 16:39 . 2003-06-25 14:05 266360 ----a-w c:\windows\system32\TweakUI.exe
2009-05-03 16:36 . 2008-04-13 18:45 6272 -c--a-w c:\windows\system32\dllcache\splitter.sys
2009-05-03 16:36 . 2008-04-13 18:45 6272 ----a-w c:\windows\system32\drivers\splitter.sys
2009-05-03 16:36 . 2008-04-13 19:17 83072 -c--a-w c:\windows\system32\dllcache\wdmaud.sys
2009-05-03 16:36 . 2008-04-13 19:17 83072 ----a-w c:\windows\system32\drivers\wdmaud.sys
2009-05-03 09:18 . 2007-04-09 11:23 28040 ----a-w c:\windows\system32\mdimon.dll
2009-05-03 09:17 . 2009-05-03 09:17 -------- d-----w c:\windows\SHELLNEW
2009-05-03 09:17 . 2009-05-03 09:17 -------- d-----w c:\programme\Microsoft.NET
2009-05-03 09:16 . 2009-05-03 09:16 -------- d--h--r C:\MSOCache
2009-05-03 09:11 . 2009-05-20 20:53 19216 ----a-w c:\dokumente und einstellungen\***\Lokale Einstellungen\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2009-05-03 09:11 . 2009-05-03 09:11 -------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\ATI
2009-05-03 09:11 . 2009-05-03 09:11 -------- d-----w c:\dokumente und einstellungen\***\Anwendungsdaten\ATI
2009-05-03 09:11 . 2009-05-03 09:11 -------- d-----w c:\dokumente und einstellungen\***\Lokale Einstellungen\Anwendungsdaten\ATI
2009-05-03 08:48 . 2009-05-03 08:48 0 ----a-w c:\windows\ativpsrm.bin
2009-05-03 08:45 . 2009-05-03 08:46 -------- d-----w c:\programme\ATI Technologies
2009-05-03 08:45 . 2009-05-03 19:55 -------- d--h--w c:\programme\InstallShield Installation Information
2009-05-03 08:27 . 2006-06-29 11:07 14048 ------w c:\windows\system32\spmsg2.dll
2009-05-03 08:24 . 2009-05-03 08:24 -------- d-----w c:\windows\system32\XPSViewer
2009-05-03 08:24 . 2009-05-03 08:24 -------- d-----w c:\programme\MSBuild
2009-05-03 08:24 . 2009-05-03 08:24 -------- d-----w c:\programme\Reference Assemblies
2009-05-03 08:23 . 2008-07-06 12:06 117760 ------w c:\windows\system32\prntvpt.dll
2009-05-03 08:23 . 2008-07-06 12:06 89088 -c----w c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-03 08:23 . 2008-07-06 10:50 597504 -c----w c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-03 08:23 . 2008-07-06 12:06 575488 ------w c:\windows\system32\xpsshhdr.dll
2009-05-03 08:23 . 2008-07-06 12:06 575488 -c----w c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-03 08:23 . 2008-07-06 12:06 1676288 ------w c:\windows\system32\xpssvcs.dll
2009-05-03 08:23 . 2008-07-06 12:06 1676288 -c----w c:\windows\system32\dllcache\xpssvcs.dll
2009-05-03 08:06 . 2009-05-03 08:06 -------- d-sh--w c:\dokumente und einstellungen\***\IECompatCache
2009-05-03 08:03 . 2009-05-03 08:03 -------- d-sh--w c:\dokumente und einstellungen\***\PrivacIE
2009-05-03 08:03 . 2009-05-03 08:03 -------- d-sh--w c:\dokumente und einstellungen\***\IETldCache
2009-05-03 08:01 . 2009-05-03 08:01 -------- d-----w c:\windows\ie8updates
2009-05-03 08:01 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-03 08:00 . 2009-05-03 08:01 -------- dc-h--w c:\windows\ie8
2009-05-03 07:54 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-03 07:54 . 2009-02-09 11:21 2191360 -c----w c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-03 07:54 . 2009-03-06 14:19 286720 -c----w c:\windows\system32\dllcache\pdh.dll
2009-05-03 07:54 . 2009-02-09 11:21 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-05-03 07:54 . 2009-02-09 10:51 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-05-03 07:54 . 2009-02-09 10:51 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-05-03 07:54 . 2009-02-09 10:51 678400 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-05-03 07:54 . 2009-02-09 10:51 736768 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-05-03 07:54 . 2009-02-09 10:51 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-03 07:54 . 2009-02-09 10:51 740352 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-05-03 07:54 . 2009-02-09 11:21 2147840 -c----w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-03 07:54 . 2009-02-09 11:21 2026496 -c----w c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-03 07:53 . 2008-04-21 21:13 217600 -c----w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 19:55 . 2001-08-23 12:00 80494 ----a-w c:\windows\system32\perfc007.dat
2009-05-03 19:55 . 2001-08-23 12:00 448964 ----a-w c:\windows\system32\perfh007.dat
2009-05-03 19:55 . 2009-05-03 19:35 -------- d-----w c:\programme\ThinkPad
2009-05-03 19:54 . 2009-05-03 19:54 -------- d-----w c:\programme\Intel
2009-05-03 16:35 . 2009-05-03 16:35 -------- d-----w c:\programme\Analog Devices
2009-05-03 07:42 . 2009-05-03 06:40 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-03 06:41 . 2009-05-03 06:41 -------- d-----w c:\programme\microsoft frontpage
2009-05-03 06:40 . 2001-08-23 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-05-03 06:39 . 2009-05-03 06:39 -------- d-----w c:\programme\Gemeinsame Dateien\Dienste
2009-05-03 06:37 . 2009-05-03 06:37 21740 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-22 23:54 . 2009-05-03 19:35 28672 ------w c:\windows\PWMBTHLP.EXE
2009-03-22 23:54 . 2009-05-03 19:35 4442 ------w c:\windows\system32\drivers\TPPWRIF.SYS
2009-03-08 02:34 . 2004-08-03 22:57 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 02:34 . 2004-08-03 22:57 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 02:33 . 2004-08-03 22:57 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 02:33 . 2004-08-03 22:57 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 02:32 . 2004-08-03 22:57 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 02:32 . 2004-08-03 22:57 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 02:31 . 2004-08-03 22:57 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 02:31 . 2004-08-03 22:55 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 02:31 . 2004-08-03 22:58 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 02:22 . 2001-08-23 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:19 . 2004-08-03 22:57 286720 ----a-w c:\windows\system32\pdh.dll
2009-03-04 08:31 . 2009-05-03 19:54 4202496 ----a-w c:\windows\system32\drivers\NETw5x32.sys
2009-02-26 16:36 . 2009-05-03 19:55 582968 ----a-w c:\windows\system32\tvt_gina.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\programme\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\programme\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((( Registry autostart points ))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"UltraMon"="c:\programme\UltraMon\UltraMon.exe" [2006-10-12 304640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SoundMAXPnP"="c:\programme\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2009-03-22 389120]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2009-03-22 208896]
"TrueImageMonitor.exe"="c:\programme\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2009-01-18 1285504]
"AcronisTimounterMonitor"="c:\programme\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2009-01-18 884928]
"Acronis Scheduler2 Service"="c:\programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe" [2009-01-18 140568]
"DU Meter"="c:\programme\DU Meter\DUMeter.exe" [2006-01-18 1480192]
"Acrobat Assistant 7.0"="c:\programme\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\dokumente und einstellungen\***\Startmen\Programme\Autostart\
rainlendar.lnk - c:\programme\_***\Rainlendar2\Rainlendar2.exe [2009-5-4 1365504]

c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
Adobe Acrobat - Schnellstart.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe [2009-5-18 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000
"NoSMHelp"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Acronis\\TrueImageEchoWorkstation\\TrueImage.exe"=
"c:\\Programme\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programme\\uTorrent\\uTorrent.exe"=
"c:\\Programme\\_***\\Miranda\\miranda32.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1983:TCP"= 1983:TCP:RDP

R0 snapman380;Acronis Snapshots Manager (Build 380);c:\windows\system32\drivers\snman380.sys [04.05.2009 00:22 134272]
R1 TPPWRIF;TPPWRIF;c:\windows\system32\drivers\TPPWRIF.SYS [03.05.2009 21:35 4442]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\Avira\AntiVir Desktop\sched.exe [20.05.2009 23:34 108289]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\programme\ThinkPad\Utilities\PWMDBSVC.exe [03.05.2009 21:35 53248]
R2 UltraMonUtility;UltraMon Utility Driver;c:\programme\Gemeinsame Dateien\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [24.09.2006 21:22 11776]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [24.09.2006 21:23 3584]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the "Scheduled Tasks" folder

2009-05-20 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2009-05-03 23:54]

2009-05-20 c:\windows\Tasks\User_Feed_Synchronization-{ADCDDC61-69A0-47C4-8F33-AD768A9B2579}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 02:31]
.
.
------- Additional scan -------
.
uStart Page = hxxp://www.google.at/
IE: Alles mit FDM herunterladen - file://c:\programme\Free Download Manager\dlall.htm
IE: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Auswahl in Adobe PDF konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Auswahl in vorhandene PDF-Datei konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Auswahl mit FDM herunterladen - file://c:\programme\Free Download Manager\dlselected.htm
IE: Datei mit FDM herunterladen - file://c:\programme\Free Download Manager\dllink.htm
IE: In Adobe PDF konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: In vorhandene PDF-Datei konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Verknüpfungsziel in Adobe PDF konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - c:\programme\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Videos mit FDM herunterladen - file://c:\programme\Free Download Manager\dlfvideo.htm
TCP: {88605661-7B65-4B5B-9DA0-BFBA61C25302} = 195.34.133.20,4.2.2.1
TCP: {8B165303-9E34-459A-9D8B-F73920FF8694} = 195.34.133.20,4.2.2.1
FF - ProfilePath - c:\dokumente und einstellungen\***\Anwendungsdaten\Mozilla\Firefox\Profiles\vj7mgvgb.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (de)
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\programme\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 00:58
Windows 5.1.2600 Service Pack 3 NTFS

Scanning hidden processes...

Scanning hidden autostart entries...

Scanning hidden files...

Scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- Locked registry keys ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\€–€|ÿÿÿÿÀ•€|ù•6~*]
"7040110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs loaded by running processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(836)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1872)
c:\programme\UltraMon\RTSUltraMonHook.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
c:\programme\Avira\AntiVir Desktop\avguard.exe
c:\programme\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\rundll32.exe
c:\programme\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
c:\programme\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\system32\wscntfy.exe
c:\programme\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2009-05-20 0:59 - PC was restarted
ComboFix-quarantined-files.txt 2009-05-20 22:59

Before scan: 3.468.967.936 bytes free
After scan: 3.426.799.616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

305
--------------------------
ComboFix-quarantined-files.txt
2009-05-20 22:57:08 . 2009-05-20 22:57:08 2,646 ----a-w C:\Qoobox\Quarantine\Registry_backups\Service_UPSidsvc.reg.dat
2009-05-20 22:57:08 . 2009-05-20 22:57:08 878 ----a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_UPSIDSVC.reg.dat
2009-05-20 22:57:03 . 2009-05-20 22:57:03 5,858 ----a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-05-20 22:53:48 . 2009-05-20 22:54:38 102 ----a-w C:\Qoobox\Quarantine\catchme.log
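A responder reading a log like the one above usually wants three things out of it quickly: which files were created or changed around the time of the infection (the Find3M listing), which autostart entries point somewhere unusual (the Run keys), and which security settings were altered (firewall exceptions and open ports, Security Center notifications, Explorer policies). The following Python script is an added example written for this thread; it is not ComboFix's own code and was not posted by any participant. It parses those sections of a ComboFix log in the format shown above. Assumptions: the Find3M columns are last-write time followed by creation time, as ComboFix prints them; program directories follow the German XP layout (c:\programme, c:\progra~1); SAMPLE_LOG is constructed to resemble the posted log, and its "Updater" Run entry and sample_recent.dll are invented for illustration, not findings from the real machine.

```python
"""Triage helpers for a ComboFix log: parse the Find3M file listing, the Run
keys of the "Registry autostart points" dump and the firewall
GloballyOpenPorts list, then flag what a responder should look at first.
Added example for this thread, not ComboFix code and not code posted by
anyone here.  SAMPLE_LOG is constructed to mirror the posted log; the
"Updater" entry and sample_recent.dll are made-up, not real findings."""
import re

# Find3M line: "<last-write> . <created> <size> <attrs> <path>"
# (ComboFix prints last-write first, then creation; dirs show "--------" as size)
FILE_RE = re.compile(
    r'^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
    r'(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
    r'(?P<size>\d+|-+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$')
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# Run-key line: "Name"="path" [YYYY-MM-DD size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*'
                    r'\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]')
# GloballyOpenPorts line: "1983:TCP"= 1983:TCP:RDP
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>\S+)')
# Where an autostart binary normally lives on a German XP install
# (assumption: "programme"/"progra~1"; adjust for other locales).
EXPECTED_DIRS = ('c:\\windows\\', 'c:\\programme\\', 'c:\\progra~1\\')


def parse_log(text):
    """Return {'files', 'run', 'ports'} lists plus 'values':
    {registry key: {value name: raw value}} for all other "name"=value lines."""
    key, files, run, ports, values = None, [], [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m['key']
        elif m := FILE_RE.match(line):
            size = None if m['size'].startswith('-') else int(m['size'])
            files.append({'mtime': m['mtime'], 'ctime': m['ctime'], 'size': size,
                          'attrs': m['attrs'], 'path': m['path']})
        elif (m := RUN_RE.match(line)) and key and key.lower().endswith('\\run'):
            run.append({'key': key, 'name': m['name'], 'path': m['path'],
                        'date': m['date'], 'size': int(m['size'])})
        elif m := PORT_RE.match(line):
            ports.append({'port': int(m['port']), 'proto': m['proto'], 'label': m['label']})
        elif key and line.startswith('"') and '=' in line:
            name, _, value = line.partition('=')
            values.setdefault(key, {})[name.strip('"')] = value.strip()
    return {'files': files, 'run': run, 'ports': ports, 'values': values}


def recent_files(parsed, since, field='ctime'):
    """Paths whose creation (default) or last-write time is on/after `since`
    ('YYYY-MM-DD'); ISO timestamps compare correctly as plain strings."""
    return sorted(f['path'] for f in parsed['files'] if f[field] >= since)


def triage(parsed):
    """Crude heuristics: a directory whitelist misses malware dropped into
    c:\\windows, so this narrows the reading list, it does not replace it."""
    findings = []
    for e in parsed['run']:
        if not e['path'].lower().startswith(EXPECTED_DIRS):
            findings.append(f"Run entry outside program dirs: {e['name']} -> {e['path']}")
    for p in parsed['ports']:
        if p['label'].upper() == 'RDP' and p['port'] != 3389:
            findings.append(f"RDP opened in firewall on non-default port {p['port']}/{p['proto']}")
    for k, vals in parsed['values'].items():
        if k.lower().endswith('\\security center') and vals.get('UpdatesDisableNotify', '').endswith('1'):
            findings.append('Security Center update notifications disabled (UpdatesDisableNotify=1)')
        if k.lower().endswith('\\policies\\explorer') and vals:
            findings.append('Explorer policy restrictions set: ' + ', '.join(sorted(vals)))
    return findings


# Constructed sample in the posted log's format; "Updater" and sample_recent.dll are invented.
SAMPLE_LOG = r"""
2009-05-03 06:40 . 2001-08-23 12:00 67 --sha-w c:\windows\Fonts\desktop.ini
2009-05-03 19:55 . 2009-05-03 19:35 -------- d-----w c:\programme\ThinkPad
2009-05-19 21:12 . 2009-05-19 21:12 38912 ----a-w c:\windows\system32\sample_recent.dll
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Updater"="c:\dokumente und einstellungen\user\Anwendungsdaten\updater.exe" [2009-05-19 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLogoff"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1983:TCP"= 1983:TCP:RDP
"""

if __name__ == '__main__':
    parsed = parse_log(SAMPLE_LOG)
    print('\n'.join(triage(parsed)))
    print('created since 2009-05-10:', recent_files(parsed, '2009-05-10'))
```

Feed it the full log text instead of SAMPLE_LOG. Every finding is a question rather than a verdict: the RDP port 1983 and the Explorer policies in the posted log may well be the owner's own customisation, which is exactly what the thread should establish. The directory whitelist is deliberately crude; anything that plants itself under c:\windows\system32 or persists through a mechanism other than the Run keys (a service, a Winlogon notify package, an Image File Execution Options debugger) is not caught by it, so the full dump still has to be read.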
21.05.2009, 14:49
Moderator

Posts: 7805
#4 Although all of this looks quite good, you would probably be better off restoring a clean image from True Image, if you made one when you set the machine up...
__________
Regards, Ralf
SEO-Spam Hunter
21.05.2009, 15:14
...new here

Thread starter

Posts: 6
#5 Thanks for the advice, but rebuilding the whole status quo is a lot of work. I would rather try to avoid that. The way it looks, the threat should be gone now, shouldn't it? I am still wondering which programs are supposed to have smuggled these 2 DLL files onto my machine...
21.05.2009, 15:24
Moderator

Posts: 7805
#6 That is up to you.
You should also uninstall ComboFix via Start/Run by entering
combofix /u
A couple of control scans with e.g. F-Secure or Kaspersky can't hurt either.
__________
Regards, Ralf
SEO-Spam Hunter
21.05.2009, 19:03
...new here

Thread starter

Posts: 6
#7 OK, ComboFix was uninstalled successfully. I didn't even know it installs itself ;). I ran the control scans with Avira AntiVir. I don't think installing an additional antivirus is a good idea, but I just see that F-Secure offers an online check, so I will do that.

Where these 2 DLL files could have come from, or how dangerous they were during the time of the infection, isn't clear, is it?
21.05.2009, 22:25
Moderator

Posts: 7805
#8 Unfortunately, that can no longer be said with any precision....;)
__________
Regards, Ralf
SEO-Spam Hunter