How do I remove Virtumonde

Hello,

We need a bit more information.
Which version of Spybot-S&D are you using?
Have you also downloaded the latest updates?

Kind regards
Sandra
Team Spybot
 
What exactly is being detected as Virtumonde? Perhaps just create a bug report:

Please start Spybot-S&D, switch to 'Advanced mode' via the 'Mode' menu item, then go to 'Tools -> View report', click the 'View report' button at the top, and then copy the report here into the forum.
 
Here is the report after the last detection:


--- Report generated: 2007-11-06 13:42 ---

Virtumonde: [SBI $42352499] Benutzereinstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_USERS\S-1-5-21-343818398-861567501-725345543-1003\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $7342F9D9] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_USERS\S-1-5-21-343818398-861567501-725345543-1003\Software\Microsoft\aldd

FastClick: [SBI $2D4720C9] Verfolgender Cookie (Internet Explorer: Damian Wieczorek) (Cookie, fixed)


Common Dialogs: [SBI $2D4720C9] History (466 files) (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

MS Office 9.0: [SBI $2D4720C9] Recently used files (86 files) (Verzeichnis, nothing done)
C:\Dokumente und Einstellungen\Damian Wieczorek\Anwendungsdaten\Microsoft\Office\Zuletzt verwendet\

Log: [SBI $2D4720C9] Activity: SchedLgU.Txt (Datei sichern, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: [SBI $2D4720C9] Activity: ntbtlog.txt (Datei sichern, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: [SBI $2D4720C9] Install: setupapi.log (Datei sichern, nothing done)
C:\WINDOWS\setupapi.log

Log: [SBI $2D4720C9] Shutdown: System32\wbem\logs\wbemess.log (Datei sichern, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: [SBI $2D4720C9] Shutdown: System32\wbem\logs\winmgmt.log (Datei sichern, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: [SBI $2D4720C9] Shutdown: System32\wbem\logs\wmiprov.log (Datei sichern, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Cookie: Cookie (60) (Cookie, nothing done)


Cache: Cache (133) (Cache, nothing done)


History: Verlauf (341) (Verlauf, nothing done)



--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-09-14 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-10-31 Includes\Beta.sbi (*)
2007-10-11 Includes\Beta.uti (*)
2007-10-31 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-10-31 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-10-31 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-10-31 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-10-24 Includes\Malware.sbi (*)
2007-10-31 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-10-31 Includes\PUPSC.sbi (*)
2007-10-31 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-10-31 Includes\SecurityC.sbi (*)
2007-10-24 Includes\Spybots.sbi (*)
2007-10-31 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-11-01 Includes\Trojans.sbi (*)
2007-10-31 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll
 

Here is another, current report after a restart:


--- Search result list ---
Virtumonde: [SBI $7342F9D9] Einstellungen (Registrierungsdatenbank-Schlüssel, fixed)
HKEY_USERS\S-1-5-21-343818398-861567501-725345543-1003\Software\Microsoft\aldd

LinkSynergy: [SBI $2D4720C9] Verfolgender Cookie (Internet Explorer: Damian Wieczorek) (Cookie, fixed)


Common Dialogs: [SBI $2D4720C9] History (466 files) (Registrierungsdatenbank-Schlüssel, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

MS Office 9.0: [SBI $2D4720C9] Recently used files (86 files) (Verzeichnis, nothing done)
C:\Dokumente und Einstellungen\Damian Wieczorek\Anwendungsdaten\Microsoft\Office\Zuletzt verwendet\

Log: [SBI $2D4720C9] Activity: SchedLgU.Txt (Datei sichern, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: [SBI $2D4720C9] Activity: ntbtlog.txt (Datei sichern, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: [SBI $2D4720C9] Install: setupapi.log (Datei sichern, nothing done)
C:\WINDOWS\setupapi.log

Log: [SBI $2D4720C9] Shutdown: System32\wbem\logs\wbemess.log (Datei sichern, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: [SBI $2D4720C9] Shutdown: System32\wbem\logs\winmgmt.log (Datei sichern, nothing done)
C:\WINDOWS\System32\wbem\logs\winmgmt.log

Log: [SBI $2D4720C9] Shutdown: System32\wbem\logs\wmiprov.log (Datei sichern, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Cookie: Cookie (69) (Cookie, nothing done)


Cache: Cache (508) (Cache, nothing done)


History: Verlauf (365) (Verlauf, nothing done)



--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-09-14 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-10-31 Includes\Beta.sbi (*)
2007-10-11 Includes\Beta.uti (*)
2007-10-31 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-10-31 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-10-31 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-10-31 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-10-24 Includes\Malware.sbi (*)
2007-10-31 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-10-31 Includes\PUPSC.sbi (*)
2007-10-31 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-10-31 Includes\SecurityC.sbi (*)
2007-10-24 Includes\Spybots.sbi (*)
2007-10-31 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-11-01 Includes\Trojans.sbi (*)
2007-10-31 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 1 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ Internet Explorer 6 / SP1: Windows XP-Hotfix - KB834707
/ Internet Explorer 6 / SP1: Windows XP-Hotfix - KB867282
/ Internet Explorer 6 / SP1: Windows XP-Hotfix - KB890923
/ Outlook Express 6 / SP1: Windows XP-Hotfix - KB887797
/ Windows Media Player: Windows Media Player-Hotfix [Weitere Informationen finden Sie in KB837272]
/ Windows Media Player / SP0: Windows Media Player-Hotfix [Weitere Informationen finden Sie in wm828026]
/ Windows Media Player: Windows Media Update 320920
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP1: Windows XP Hotfix - KB821253
/ Windows XP / SP1: Windows XP Hotfix - KB821557
/ Windows XP / SP1: Windows XP Hotfix - KB823182
/ Windows XP / SP1: Windows XP Hotfix - KB823980
/ Windows XP / SP1: Windows XP Hotfix - KB824105
/ Windows XP / SP1: Windows XP-Hotfix - KB824141
/ Windows XP / SP1: Windows XP-Hotfix - KB824146
/ Windows XP / SP1: Windows XP-Hotfix - KB828028
/ Windows XP / SP1: Windows XP-Hotfix - KB828035
/ Windows XP / SP1: Windows XP Service Pack 1a
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q328310
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329048 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q329170
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329390 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329441 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) [See Q329834 for more information]
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q331953
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q810577
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q811493
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q811630
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q815021
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q817606
/ Windows XP / SP1: Windows XP Hotfix (SP1) Q819696
/ Windows XP / SP2: Windows XP-Hotfix - KB282010
/ Windows XP / SP2: Windows XP-Hotfix - KB821253
/ Windows XP / SP2: Windows XP-Hotfix - KB821557
/ Windows XP / SP2: Windows XP-Hotfix - KB822603
/ Windows XP / SP2: Windows XP-Hotfix - KB823182
/ Windows XP / SP2: Windows XP-Hotfix - KB823559
/ Windows XP / SP2: Windows XP-Hotfix - KB823980
/ Windows XP / SP2: Windows XP-Hotfix - KB824105
/ Windows XP / SP2: Windows XP-Hotfix - KB824141
/ Windows XP / SP2: Windows XP-Hotfix - KB824146
/ Windows XP / SP2: Windows XP-Hotfix - KB825119
/ Windows XP / SP2: Windows XP-Hotfix - KB826939
/ Windows XP / SP2: Windows XP-Hotfix - KB828028
/ Windows XP / SP2: Windows XP-Hotfix - KB828035
/ Windows XP / SP2: Windows XP-Hotfix - KB828741
/ Windows XP / SP2: Windows XP-Hotfix - KB829558
/ Windows XP / SP2: Windows XP-Hotfix - KB833987
/ Windows XP / SP2: Windows XP-Hotfix - KB835732
/ Windows XP / SP2: Windows XP-Hotfix - KB837001
/ Windows XP / SP2: Windows XP-Hotfix - KB838889
/ Windows XP / SP2: Windows XP-Hotfix - KB839645
/ Windows XP / SP2: Windows XP-Hotfix - KB840315
/ Windows XP / SP2: Windows XP-Hotfix - KB840374
/ Windows XP / SP2: Windows XP-Hotfix - KB840987
/ Windows XP / SP2: Windows XP-Hotfix - KB841356
/ Windows XP / SP2: Windows XP-Hotfix - KB841533
/ Windows XP / SP2: Windows XP-Hotfix - KB841873
/ Windows XP / SP2: Windows XP-Hotfix - KB842773
/ Windows XP / SP2: Windows XP-Hotfix - KB871250
/ Windows XP / SP2: Windows XP-Hotfix - KB873376
/ Windows XP / SP2: Windows XP-Hotfix - KB883357
/ Windows XP / SP2: Windows XP-Hotfix - KB891711
/ Windows XP / SP2: Windows XP-Hotfix - KB892944
/ Windows XP / SP2: Windows XP-Hotfixpaket [Weitere Informationen unter Q323255]
/ Windows XP / SP2: Windows XP-Hotfix (SP2) Q328310
/ Windows XP / SP2: Windows XP-Hotfixpaket [Weitere Informationen unter Q329048]
/ Windows XP / SP2: Windows XP-Hotfixpaket [Weitere Informationen unter Q329115]
/ Windows XP / SP2: Windows XP-Hotfix (SP2) Q329170
/ Windows XP / SP2: Windows XP-Hotfixpaket [Weitere Informationen unter Q329390]
/ Windows XP / SP2: Windows XP-Hotfix (SP2) Q329441
/ Windows XP / SP2: Windows XP-Hotfixpaket [Weitere Informationen unter Q329834]
/ Windows XP / SP2: Windows XP-Hotfix (SP2) Q331953
/ Windows XP / SP2: Windows XP-Hotfix (SP2) Q810577
/ Windows XP / SP2: Windows XP-Hotfix (SP2) Q811493
/ Windows XP / SP2: Windows XP-Hotfix (SP2) Q811630
/ Windows XP / SP2: Windows XP-Hotfix (SP2) Q815021
/ Windows XP / SP2: Windows XP-Hotfix (SP2) Q817606
/ Windows XP / SP2: Windows XP-Hotfix (SP2) Q819696
/ Windows XP / SP3: Windows XP-Hotfix - KB873333
/ Windows XP / SP3: Windows XP-Hotfix - KB873339
/ Windows XP / SP3: Windows XP-Hotfix - KB885250
/ Windows XP / SP3: Windows XP-Hotfix - KB885835
/ Windows XP / SP3: Windows XP-Hotfix - KB885836
/ Windows XP / SP3: Windows XP-Hotfix - KB888113
/ Windows XP / SP3: Windows XP-Hotfix - KB888302
/ Windows XP / SP3: Windows XP-Hotfix - KB890047
/ Windows XP / SP3: Windows XP-Hotfix - KB890175
/ Windows XP / SP3: Windows XP-Hotfix - KB890859
/ Windows XP / SP3: Windows XP-Hotfix - KB891781
/ Windows XP / SP3: Windows XP-Hotfix - KB893066
/ Windows XP / SP3: Windows XP-Hotfix - KB893086
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Hotfix for Windows XP (KB909394)
/ Windows XP / SP5: Windows Sasser Worm Removal Tool (KB841720)
 

--- Startup entries list ---
Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: E28D00EC675F5F5A5A0555E7A4523A6E

Located: HK_LM:Run, avgnt
command: "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
file: C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
size: 249896
MD5: 6E898F5959E7195D64594C30E9251938

Located: HK_LM:Run, C-Media Mixer
command: Mixer.exe /startup
file: C:\WINDOWS\Mixer.exe
size: 1818624
MD5: F83709D0BACBA84D297183825F089D98

Located: HK_LM:Run, etMonitor
command: C:\WINDOWS\etMon.exe
file: C:\WINDOWS\etMon.exe
size: 40960
MD5: D469068073D3C4ABA37778B1FC3BF3E3

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 9216
MD5: E10231C1C915598C11AA6D43DFB74CA0

Located: HK_LM:Run, MULTIMEDIA KEYBOARD
command: C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe
file: C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe
size: 163840
MD5: 6949E4786E44610595142578272163D0

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, NWEReboot
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, QuickTime Task
command: "C:\Programme\QuickTime\qttask.exe" -atboottime
file: C:\Programme\QuickTime\qttask.exe
size: 98304
MD5: 76A3A30B58405C2C6D833895253A51A9

Located: HK_LM:Run, Sunkist2k
command: C:\Programme\Multimedia Card Reader\shwicon2k.exe
file: C:\Programme\Multimedia Card Reader\shwicon2k.exe
size: 139264
MD5: CC5799AF3F7E8605DC2BFF75874E9E37

Located: HK_LM:Run, TkBellExe
command: "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
file: C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
size: 180269
MD5: B8E684DF9A97497EDD2F87444A6307FB

Located: HK_LM:Run, VGAUtil
command: C:\Programme\GigaByte\VGA Utility Manager\G-VGA.exe
file: C:\Programme\GigaByte\VGA Utility Manager\G-VGA.exe
size: 544768
MD5: 4B31471360A0CA510A5B42A1FE085341

Located: HK_LM:Run, Adobe Reader Speed Launcher (DISABLED)
command: "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: E28D00EC675F5F5A5A0555E7A4523A6E

Located: HK_LM:Run, CloneCDTray (DISABLED)
command: "C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
file: C:\Programme\SlySoft\CloneCD\CloneCDTray.exe
size: 57344
MD5: D7779335B0EBC0A7B9C7D0E1105EA078

Located: HK_LM:Run, InCD (DISABLED)
command: C:\Programme\Nero\Nero 7\InCD\InCD.exe
file: C:\Programme\Nero\Nero 7\InCD\InCD.exe
size: 1057328
MD5: 0FD0C380888A89ABEF7569841677FF2B

Located: HK_LM:Run, LanguageShortcut (DISABLED)
command: C:\Programme\CyberLink\PowerDVD\Language\Language.exe
file: C:\Programme\CyberLink\PowerDVD\Language\Language.exe
size: 54832
MD5: 405D6C6C1D5D255CB4EF1BFD1CE305E8

Located: HK_LM:Run, NeroFilterCheck (DISABLED)
command: C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
file: C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
size: 153136
MD5: 8112D0DACAE746290FC87B3A980FA719

Located: HK_LM:Run, QuickTime Task (DISABLED)
command: "C:\Programme\QuickTime\qttask.exe" -atboottime
file: C:\Programme\QuickTime\qttask.exe
size: 98304
MD5: 76A3A30B58405C2C6D833895253A51A9

Located: HK_LM:Run, RemoteControl (DISABLED)
command: C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
file: C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
size: 56928
MD5: 56F676060D70BA066459478824510BEA

Located: HK_LM:Run, SecurDisc (DISABLED)
command: C:\Programme\Nero\Nero 7\InCD\NBHGui.exe
file: C:\Programme\Nero\Nero 7\InCD\NBHGui.exe
size: 1628208
MD5: DFDAE315CA76A490F1BB3FD1C552C1C1

Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: "C:\Programme\Java\jre1.6.0_01\bin\jusched.exe"
file: C:\Programme\Java\jre1.6.0_01\bin\jusched.exe
size: 83608
MD5: 9C1C80BBF8E6044980890E2D2D91091C

Located: HK_LM:Run, TkBellExe (DISABLED)
command: "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
file: C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
size: 180269
MD5: B8E684DF9A97497EDD2F87444A6307FB

Located: HK_CU:Run, LDM
where: S-1-5-21-343818398-861567501-725345543-1003...
command: \Program\BackWeb-8876480.exe
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, Philips Intelligent Agent
where: S-1-5-21-343818398-861567501-725345543-1003...
command: "C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
file: C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe
size: 579760
MD5: DF71686B7BF89C6FA8A8D959175FCB87

Located: HK_CU:Run, Steam
where: S-1-5-21-343818398-861567501-725345543-1003...
command: "c:\programme\valve\steam\steam.exe" -silent
file: c:\programme\valve\steam\steam.exe
size: 1271032
MD5: 6A67C2CAA52F9254654E7498E22FC9D3

Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} (DISABLED)
where: S-1-5-21-343818398-861567501-725345543-1003...
command: "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
file: C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe
size: 153136
MD5: 59D9856CD1420E2AF778821B7E1B81D0

Located: HK_CU:Run, ctfmon.exe (DISABLED)
where: S-1-5-21-343818398-861567501-725345543-1003...
command: C:\WINDOWS\System32\ctfmon.exe
file: C:\WINDOWS\System32\ctfmon.exe
size: 13312
MD5: E5EE2F4700B6A85F0D45A18C67DA500F

Located: HK_CU:Run, Philips Intelligent Agent (DISABLED)
where: S-1-5-21-343818398-861567501-725345543-1003...
command: "C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
file: C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe
size: 579760
MD5: DF71686B7BF89C6FA8A8D959175FCB87

Located: HK_CU:Run, SoniqueQuickStart (DISABLED)
where: S-1-5-21-343818398-861567501-725345543-1003...
command: C:\Programme\Sonique\sqstart.exe -nostick
file: C:\Programme\Sonique\sqstart.exe
size: 44832
MD5: 18BAA69CF9F55B81DB63113E7866672E

Located: HK_CU:Run, updateMgr (DISABLED)
where: S-1-5-21-343818398-861567501-725345543-1003...
command: "C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:RunOnce, ICQ Lite (DISABLED)
where: S-1-5-21-343818398-861567501-725345543-1003...
command: C:\Programme\ICQ\ICQLite.exe -trayboot
file: C:\Programme\ICQ\ICQLite.exe
size: 3144800
MD5: C0F38029C013894B668AECA496F6DB50

Located: Startup (allgemein), DllCmd32.lnk
where: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart...
command: C:\Programme\Jetsuite\DLLCMD32.EXE
file: C:\Programme\Jetsuite\DLLCMD32.EXE
size: 25600
MD5: 02C8E840006AE3C04A3A352AD5358DD8

Located: Startup (allgemein), Jetsuite Pro Status.lnk
where: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart...
command: C:\Programme\Jetsuite\JETSTAT.EXE
file: C:\Programme\Jetsuite\JETSTAT.EXE
size: 104960
MD5: 0F6D0530FC62F8282CEBD2DD2315AE34

Located: Startup (allgemein), Logitech Desktop Messenger.lnk
where: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart...
command: C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
file: C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
size: 196608
MD5: 7FA15BFDAB8B76EC6E0F79A83666B48E

Located: Startup (allgemein), Logitech SetPoint.lnk
where: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart...
command: C:\Programme\Logitech\SetPoint\KEM.exe
file: C:\Programme\Logitech\SetPoint\KEM.exe
size: 573440
MD5: 13ECA568C95C7DD9C2F77DE7BA7355CD

Located: Startup (allgemein), Microsoft Office.lnk
where: C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart...
command: C:\Programme\Microsoft Office\Office10\OSA.EXE
file: C:\Programme\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5BC65464354A9FD3BEAA28E18839734A

Located: Startup (Benutzer), UMAX VistaAccess.lnk
where: C:\Dokumente und Einstellungen\Damian Wieczorek\Startmenü\Programme\Autostart...
command: C:\Programme\VSTASCAN\vsaccess.exe
file: C:\Programme\VSTASCAN\vsaccess.exe
size: 159744
MD5: ABE6D0982264A04CF97F81C44A7FAD35

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, tuvusrr
command: tuvusrr.dll
file: tuvusrr.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!


--- Browser helper object list ---
{063B9835-35FB-4861-8556-ADA8D60DF342} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: pmkjg.dll
Short name:
Date (created): 04.11.2007 19:56:18
Date (last access): 06.11.2007 15:30:10
Date (last write): 04.11.2007 19:56:20
Filesize: 319584
Attributes: archive
MD5: 314D421DEF5D84194F21CB4185586992
CRC32: C0D185BA

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 22.10.2006 22:08:42
Date (last access): 06.11.2007 15:57:30
Date (last write): 22.10.2006 22:08:42
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{30EDD4CB-8BC1-4f9f-99A6-A6938E9AACE0} (H)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: H
Path: C:\WINDOWS\System32\
Long name: coq.dll

{3ba43469-dc97-45cc-a71a-7e76f474e226} ({622e474f-67e7-a17a-cc54-79cd96434ab3})
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: {622e474f-67e7-a17a-cc54-79cd96434ab3}
CLSID name:
Path: C:\WINDOWS\System32\
Long name: jmcfyiud.dll
Short name:
Date (created): 06.11.2007 11:23:20
Date (last access): 06.11.2007 15:10:54
Date (last write): 06.11.2007 11:23:20
Filesize: 81472
Attributes: archive
MD5: C8DBC6935E4C06C8F269C6618889343C
CRC32: 0159A658

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 14.09.2007 20:32:38
Date (last access): 06.11.2007 16:12:36
Date (last write): 31.08.2007 15:46:14
Filesize: 1122128
Attributes: archive
MD5: B8958471DAA4481E93B03DF8F991DD6E
CRC32: 35E35F14
Version: 1.5.0.8

{5597409F-8C79-4367-951E-1BC8BD6672B5} (Flash Module)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Flash Module
Path:
Long name: btasv.dll

{634BBAB7-3F60-4426-944F-A62B9007F67F} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: tuvusrr.dll
Short name:
Date (created): 04.11.2007 19:51:16
Date (last access): 06.11.2007 15:28:30
Date (last write): 04.11.2007 19:51:16
Filesize: 36352
Attributes: archive
MD5: 7F86035CEDDAF3C9A843B7ADEC4A22F4
CRC32: 7E81EA05

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Programme\Java\jre1.6.0_01\bin\
Long name: ssv.dll
Short name:
Date (created): 01.05.2007 21:11:46
Date (last access): 06.11.2007 15:10:54
Date (last write): 14.03.2007 02:43:40
Filesize: 501400
Attributes: archive
MD5: 70FD57D6EDBED8D80C1995257C99D27E
CRC32: 3CE654AC
Version: 6.0.10.6

{7E853D72-626A-48EC-A868-BA8D5E23E045} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:
 

--- ActiveX list ---
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
Installer: C:\WINDOWS\Downloaded Program Files\QTPlugin.inf
Codebase: http://www.apple.com/qtactivex/qtplugin.cab
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Programme\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 17.11.2004 18:28:06
Date (last access): 06.11.2007 15:32:34
Date (last write): 17.11.2004 18:28:06
Filesize: 360504
Attributes: archive
MD5: F88CD154B9627646E9DDA1679155E4E3
CRC32: 5B04FF79
Version: 6.5.1.17

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 14.01.2007 07:49:06
Date (last access): 06.11.2007 15:19:24
Date (last write): 07.08.2007 16:20:44
Filesize: 182248
Attributes: archive
MD5: 6C90714399BD3F1E7C0503A38EADBAC7
CRC32: D1E8C81D
Version: 10.2.0.23

{233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\setup.inf
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
description:
classification: Legitimate
known filename: SwDir.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 14.01.2007 07:49:06
Date (last access): 06.11.2007 15:19:24
Date (last write): 07.08.2007 16:20:44
Filesize: 182248
Attributes: archive
MD5: 6C90714399BD3F1E7C0503A38EADBAC7
CRC32: D1E8C81D
Version: 10.2.0.23

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Installer: C:\WINDOWS\Downloaded Program Files\opuc.inf
Codebase: http://office.microsoft.com/officeupdate/content/opuc.cab
description:
classification: Legitimate
known filename: opuc.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 27.08.2003 04:10:30
Date (last access): 06.11.2007 14:46:34
Date (last write): 27.08.2003 04:10:30
Filesize: 314368
Attributes: archive
MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
CRC32: E98FC293
Version: 11.0.5626.0

{54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class)
DPF name:
CLSID name: EARTPatchX Class
Installer: C:\WINDOWS\Downloaded Program Files\EARTPX.inf
Codebase: http://www.ea.com/downloads/rtpatch/EARTPX.cab
description:
classification: Legitimate
known filename: EARTPX.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: EARTPX.dll
Short name:
Date (created): 26.10.2003 15:25:18
Date (last access): 06.11.2007 15:19:24
Date (last write): 26.10.2003 15:25:18
Filesize: 133712
Attributes: archive
MD5: B58365C0A1A1A1E94BFD07FD7CC9314C
CRC32: 9D644047
Version: 1.0.0.3

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096463517890
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\System32\
Long name: wuweb.dll
Short name:
Date (created): 03.08.2004 12:59:06
Date (last access): 06.11.2007 15:19:24
Date (last write): 03.08.2004 12:59:06
Filesize: 120288
Attributes: archive
MD5: 0CD6248038C70B4C688DBD315D90A97A
CRC32: 0EF7DE01
Version: 5.4.3790.2182

{67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object)
DPF name:
CLSID name: DivXBrowserPlugin Object
Installer: C:\WINDOWS\Downloaded Program Files\DivXPlugin.inf
Codebase: http://download.divx.com/player/DivXBrowserPlugin.cab
description:
classification: Legitimate
known filename: npdivx32.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Programme\DivX\DivX Web Player\
Long name: npdivx32.dll
Short name:
Date (created): 27.07.2007 00:03:34
Date (last access): 06.11.2007 15:19:24
Date (last write): 27.07.2007 00:03:34
Filesize: 717312
Attributes: archive
MD5: A13D7CD76E026BA041E9EBA4EEF1EBA0
CRC32: 5932665D
Version: 1.3.1.10

{88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0)
DPF name:
CLSID name: XML DOM Document 4.0
Installer: C:\WINDOWS\Downloaded Program Files\msxml4.inf
Codebase: https://homepage.t-online.de/app/static/activex/msxml4.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: %SystemRoot%\System32\
Long name: msxml4.dll

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_01
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Programme\Java\jre1.6.0_01\bin\
Long name: npjpi160_01.dll
Short name: NPJPI1~1.DLL
Date (created): 14.03.2007 01:04:46
Date (last access): 06.11.2007 15:32:36
Date (last write): 14.03.2007 02:43:42
Filesize: 132760
Attributes: archive
MD5: F112FB2FD2EF66D439799E3F834DF000
CRC32: D2B09219
Version: 6.0.0.6

{917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class)
DPF name:
CLSID name: CamImage Class
Installer:
Codebase: http://webcam.fantasy.de/webcam/AxisCamControl.ocx
description:
classification: Legitimate
known filename: AxisCamControl.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: AxisCamControl.ocx
Short name: AXISCA~1.OCX
Date (created): 16.01.2004 15:10:58
Date (last access): 06.11.2007 14:42:08
Date (last write): 16.01.2004 15:11:00
Filesize: 180560
Attributes: archive
MD5: 797D3E4250F49846DEB64F42DF23E1D8
CRC32: 21F297A3
Version: 1.0.1.41

{9F1C11AA-197B-4942-BA54-47A8489BB47F} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\iuctl.inf
Codebase: http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37870.3887384259
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla

{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04)
DPF name: Java Runtime Environment 1.4.1_04
CLSID name: Java Plug-in 1.4.1_04
Installer:
Codebase: http://java.sun.com/products/plugin/1.4/jinstall-14_04-windows-i586.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\Programme\Java\j2re1.4.1_04\bin\
Long name: NPJPI141_04.dll
Short name: NPJPI1~1.DLL
Date (created): 07.09.2003 00:34:26
Date (last access): 06.11.2007 15:19:24
Date (last write): 28.06.2003 07:56:38
Filesize: 61553
Attributes: archive
MD5: FFB7530FB579FE88D276A80084E4878F
CRC32: 970947BE
Version: 1.4.1.40

{CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_01
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description: Java Runtime Environment 1.4.2
classification: Legitimate
known filename: %ProgramFiles%\Java\j2re1.4.2_01\bin\NPJPI142_01.dll
info link:
info source: Patrick M. Kolla
Path: C:\Programme\Java\j2re1.4.2_01\bin\
Long name: NPJPI142_01.dll
Short name: NPJPI1~1.DLL
Date (created): 19.08.2067 16:23:36
Date (last access): 06.11.2007 15:19:24
Date (last write): 19.08.2003 16:23:34
Filesize: 65642
Attributes: archive
MD5: 0B668A48CB4845F9D9D335D99C82504C
CRC32: B9AD4E66
Version: 1.4.2.10

{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_10
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_10.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Programme\Java\jre1.5.0_10\bin\
Long name: NPJPI150_10.dll
Short name: NPJPI1~1.DLL
Date (created): 09.11.2006 15:07:34
Date (last access): 06.11.2007 15:19:24
Date (last write): 09.11.2006 15:21:54
Filesize: 75528
Attributes: archive
MD5: 635F4B3A0F1C661B5CEDE628BA85E46B
CRC32: 0C9B7145
Version: 5.0.100.3

{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_11
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_11.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Programme\Java\jre1.5.0_11\bin\
Long name: NPJPI150_11.dll
Short name: NPJPI1~1.DLL
Date (created): 15.12.2006 03:09:16
Date (last access): 06.11.2007 15:32:36
Date (last write): 15.12.2006 03:23:26
Filesize: 75528
Attributes: archive
MD5: 3B3F6984DBF972DAFF1B7E9C44E2FE75
CRC32: 4BDE2041
Version: 5.0.110.3

{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_01
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi160_01.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Programme\Java\jre1.6.0_01\bin\
Long name: npjpi160_01.dll
Short name: NPJPI1~1.DLL
Date (created): 14.03.2007 01:04:46
Date (last access): 06.11.2007 15:32:36
Date (last write): 14.03.2007 02:43:42
Filesize: 132760
Attributes: archive
MD5: F112FB2FD2EF66D439799E3F834DF000
CRC32: D2B09219
Version: 6.0.0.6

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_01
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Programme\Java\jre1.6.0_01\bin\
Long name: npjpi160_01.dll
Short name: NPJPI1~1.DLL
Date (created): 14.03.2007 01:04:46
Date (last access): 06.11.2007 15:32:36
Date (last write): 14.03.2007 02:43:42
Filesize: 132760
Attributes: archive
MD5: F112FB2FD2EF66D439799E3F834DF000
CRC32: D2B09219
Version: 6.0.0.6

{CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class)
DPF name:
CLSID name: Live365Player Class
Installer: C:\WINDOWS\Downloaded Program Files\play365.inf
Codebase: http://www.live365.com/players/play365.cab
description:
classification: Legitimate
known filename: PLAY365.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: Play365.dll
Short name:
Date (created): 06.06.2003 17:06:56
Date (last access): 06.11.2007 15:19:24
Date (last write): 06.06.2003 17:06:56
Filesize: 335872
Attributes: archive
MD5: 02D3243B77F6C3EFBF67AAD62C26B443
CRC32: FA8AB3C6
Version: 1.0.0.9

{CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object)
DPF name:
CLSID name: Zylom Loader Object
Installer: C:\WINDOWS\Downloaded Program Files\zylomloader.inf
Codebase: http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
description:
classification: Legitimate
known filename: zylomloader.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: zylomloader.dll
Short name: ZYLOML~1.DLL
Date (created): 15.06.2004 08:52:56
Date (last access): 06.11.2007 15:19:24
Date (last write): 15.06.2004 08:52:56
Filesize: 221184
Attributes: archive
MD5: F51AC085F67FA113F37290FDD8655BB1
CRC32: C26A0BE3
Version: 1.0.0.6

{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class)
DPF name:
CLSID name: get_atlcom Class
Installer: C:\WINDOWS\Downloaded Program Files\gp.inf
Codebase: http://www.adobe.com/products/acrobat/nos/gp.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gp.ocx
Short name:
Date (created): 16.05.2007 07:22:06
Date (last access): 06.11.2007 14:42:08
Date (last write): 16.05.2007 07:22:06
Filesize: 166512
Attributes: archive
MD5: 9BCFC46ECA1BF28E039ECCE2D331086E
CRC32: A9C6ED85
Version: 1.2.2.50

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash9b.ocx
Short name:
Date (created): 09.11.2006 23:46:26
Date (last access): 06.11.2007 15:19:24
Date (last write): 09.11.2006 23:46:26
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 9.0.28.0

{E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15)
DPF name:
CLSID name: Flatcast Viewer 4.15
Installer:
Codebase: http://www.flatcast.com/de/download/NpFv415.dll
Path: C:\WINDOWS\DOWNLO~1\
Long name: NpFv415.dll
Short name:
Date (created): 11.02.2007 01:30:40
Date (last access): 06.11.2007 15:19:24
Date (last write): 11.02.2007 01:30:42
Filesize: 719064
Attributes: archive
MD5: E627C000BBB9F3148A1522AF1D6663CC
CRC32: 91BFF85C
Version: 4.15.0.0
 

--- Process list ---
PID: 0 ( 0) [System]
PID: 636 ( 0) \SystemRoot\System32\smss.exe
size: 45568
PID: 740 ( 0) \??\C:\WINDOWS\system32\csrss.exe
size: 4096
PID: 764 ( 0) \??\C:\WINDOWS\system32\winlogon.exe
size: 488448
PID: 808 ( 0) C:\WINDOWS\system32\services.exe
size: 101888
MD5: A87C3A6B407FB3B22C566315607CE229
PID: 820 ( 0) C:\WINDOWS\system32\lsass.exe
size: 11776
MD5: 58239984742E8FD4CD3FCEEB545366C1
PID: 1028 ( 0) C:\WINDOWS\system32\svchost.exe
size: 12800
MD5: ADBB33D5893BCF08E75EA54BB5669205
PID: 1156 ( 0) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: ADBB33D5893BCF08E75EA54BB5669205
PID: 1384 ( 0) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: ADBB33D5893BCF08E75EA54BB5669205
PID: 1424 ( 0) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: ADBB33D5893BCF08E75EA54BB5669205
PID: 1620 ( 0) C:\WINDOWS\system32\spoolsv.exe
size: 51200
MD5: 9B627E6DA0EA47A3A664F69D954831D7
PID: 1848 ( 0) C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
size: 28672
MD5: 522215532916836B9CA19EE30658F3C1
PID: 1864 ( 0) C:\Programme\AntiVir PersonalEdition Classic\sched.exe
size: 63016
MD5: A6FA9C14E649B2F3DE15390A1840774D
PID: 1876 ( 0) C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
size: 214056
MD5: F640EA98231D7B1DB730385813BFCE79
PID: 1916 ( 0) C:\WINDOWS\System32\inetsrv\inetinfo.exe
size: 14336
MD5: F025A99102CEBEECAE062C4DFB98F6A4
PID: 1940 ( 0) C:\Programme\Nero\Nero 7\InCD\InCDsrv.exe
size: 1550896
MD5: C773D093D5C18765E71C7992AEE051A2
PID: 2012 ( 0) C:\WINDOWS\System32\nvsvc32.exe
size: 127043
MD5: F6FCA6047879DE7A2964757EB8B2101B
PID: 208 ( 0) c:\Programme\Jetsuite\okidaemon.exe
size: 45056
MD5: AF5FEDA478675108B99642DC9C5EC2EC
PID: 372 ( 0) C:\WINDOWS\Explorer.EXE
size: 1007104
MD5: 22B0A56E6C5847292437078B484EC61B
PID: 448 ( 0) C:\Programme\PrintSuperVision\PrintSuperVision\PSVService.exe
size: 184320
MD5: E9FB17A7ACAC80A6E4260B2CD6C3BF89
PID: 528 ( 0) C:\Programme\CyberLink\Shared Files\RichVideo.exe
size: 167936
MD5: BD517C7FB119997EFFBE39D5E4B37B05
PID: 700 ( 0) C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
size: 421935
MD5: 83D685BF679067DD2FEA7FD2B9842F13
PID: 972 ( 0) C:\WINDOWS\system32\rvs_cent.exe
size: 1155128
MD5: 8CF798B3679443F65E3A426B6542EE4D
PID: 1080 ( 0) C:\WINDOWS\System32\tcpsvcs.exe
size: 19456
MD5: 7A1A532F14FDE28489DC349C6E404A67
PID: 1332 ( 0) C:\WINDOWS\System32\snmp.exe
size: 29696
MD5: B64854CB4A204C21341F0D974BDA1E09
PID: 1320 ( 0) C:\WINDOWS\system32\ntvdm.exe
size: 397824
MD5: 25B5536AFB36D8078F0457F77F2413CF
PID: 964 ( 0) C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe
size: 163840
MD5: 6949E4786E44610595142578272163D0
PID: 1392 ( 0) C:\WINDOWS\etMon.exe
size: 40960
MD5: D469068073D3C4ABA37778B1FC3BF3E3
PID: 1508 ( 0) C:\Programme\GigaByte\VGA Utility Manager\G-VGA.exe
size: 544768
MD5: 4B31471360A0CA510A5B42A1FE085341
PID: 1416 ( 0) C:\WINDOWS\System32\svchost.exe
size: 12800
MD5: ADBB33D5893BCF08E75EA54BB5669205
PID: 1536 ( 0) C:\Programme\Multimedia Card Reader\shwicon2k.exe
size: 139264
MD5: CC5799AF3F7E8605DC2BFF75874E9E37
PID: 1596 ( 0) C:\WINDOWS\Mixer.exe
size: 1818624
MD5: F83709D0BACBA84D297183825F089D98
PID: 1676 ( 0) C:\WINDOWS\System32\wdfmgr.exe
size: 38912
MD5: C81B8635DEE0D3EF5F64B3DD643023A5
PID: 1756 ( 0) C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
size: 180269
MD5: B8E684DF9A97497EDD2F87444A6307FB
PID: 1768 ( 0) C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
size: 249896
MD5: 6E898F5959E7195D64594C30E9251938
PID: 2060 ( 0) C:\programme\valve\steam\steam.exe
size: 1271032
MD5: 6A67C2CAA52F9254654E7498E22FC9D3
PID: 2132 ( 0) C:\WINDOWS\system32\fxssvc.exe
size: 251392
MD5: AFF49EDCA212B5D778DD180F1699F935
PID: 2192 ( 0) C:\Programme\Jetsuite\DLLCMD32.EXE
size: 25600
MD5: 02C8E840006AE3C04A3A352AD5358DD8
PID: 2252 ( 0) C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
size: 151595
MD5: 0963EF5F22FB4E6BD0B0F601A820F749
PID: 2308 ( 0) C:\Programme\Logitech\SetPoint\KEM.exe
size: 573440
MD5: 13ECA568C95C7DD9C2F77DE7BA7355CD
PID: 2388 ( 0) C:\Programme\VSTASCAN\vsaccess.exe
size: 159744
MD5: ABE6D0982264A04CF97F81C44A7FAD35
PID: 2464 ( 0) C:\OPLIMIT\ocrawr32.exe
size: 35328
MD5: C1F51D0BEF3627DA93262BBAFCDB8AD7
PID: 2468 ( 0) C:\Programme\Logitech\SetPoint\KHALMNPR.EXE
size: 29696
MD5: 554B6C2D7924B106C58DDD0588009883
PID: 2664 ( 0) C:\Programme\Netropa\Onscreen Display\OSD.exe
size: 90112
MD5: B7DAA769F6A6865B2EC9C08404367475
PID: 3560 ( 0) C:\WINDOWS\System32\dllhost.exe
size: 4608
MD5: B8A4DEAA394764E1F88659D7EF4718A7
PID: 3056 ( 0) C:\Programme\Spybot - Search & Destroy\SpybotSD.exe
size: 4943184
MD5: C92780F50B8BB7A89E919585916494A9
PID: 3576 ( 0) C:\Programme\Internet Explorer\iexplore.exe
size: 91136
MD5: 258AEF4C5EAF5E95E1D4CA5A3D1BBDFA


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 06.11.2007 16:12:48

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.de/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.t-online.de/service/redir/ie_t-online.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip [*]

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ED6C8262-FB16-4A2F-B909-E9EAB507EE44}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ED6C8262-FB16-4A2F-B909-E9EAB507EE44}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A5D18CF3-3DB5-4234-9E68-56B0089DB8C6}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A5D18CF3-3DB5-4234-9E68-56B0089DB8C6}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9DD0E6E4-EE69-4FCA-8644-4FF01FC336B6}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9DD0E6E4-EE69-4FCA-8644-4FF01FC336B6}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{22E279AD-3B2C-490C-880F-3B32E380515E}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{22E279AD-3B2C-490C-880F-3B32E380515E}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1DD324B9-A7FE-46A7-8637-0D7E92E244C5}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1DD324B9-A7FE-46A7-8637-0D7E92E244C5}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5505212E-38D6-4A77-92C6-8C52BFDB7AA8}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{5505212E-38D6-4A77-92C6-8C52BFDB7AA8}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{11C57776-698C-40B4-AC9D-A127619459D0}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{11C57776-698C-40B4-AC9D-A127619459D0}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A02AED34-4918-4E82-8961-37D6AB5A48BB}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A02AED34-4918-4E82-8961-37D6AB5A48BB}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: TCP/IP
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: NLA-Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace


So, that was the complete report. Sorry for the many posts.
 
Please do some preparatory work first:

Use the Disk Cleanup tool that ships with Windows (except for "compress old files") and also clean up System Restore there via "More Options".
http://support.microsoft.com/default.aspx?scid=kb;de;315246

-----------------------------------------------------------------------------------------------


Download ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and save it to the desktop.
Close all windows, start combofix.exe, confirm the following prompt with 1 and press Enter.

The ComboFix scan can take some time, so be patient. Please do not do anything on the computer during the scan.
It is possible that the computer will be restarted in the meantime.
After the scan finishes, a report is displayed; please copy it and paste it into your thread.
 
The Disk Cleanup thing didn't work. After starting it I permanently had 3 bars (scanning), the process had a CPU usage of 99%, and nothing happened.

Here is the report from ComboFix:

ComboFix 07-11-06.4 - Damian Wieczorek 2007-11-07 8:24:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1031.18.567 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Damian Wieczorek\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

Nicht in der Lage Systemrechte zu erhalten

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\boa.dat
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\gjkmp.bak1
C:\WINDOWS\system32\gjkmp.bak2
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\msvcrtd.exe
C:\WINDOWS\System32\pmkjg.dll
C:\WINDOWS\system32\winsys.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IPRIP
-------\Iprip
-------\nm


((((((((((((((((((((((( Dateien erstellt von 2007-10-07 bis 2007-11-07 ))))))))))))))))))))))))))))))
.

2007-11-07 08:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 11:23 81,472 --a------ C:\WINDOWS\system32\jmcfyiud.dll
2007-11-06 11:20 87,104 --a------ C:\WINDOWS\system32\siiejlln.dll
2007-11-05 23:06 <DIR> d-------- C:\Dokumente und Einstellungen\Damian Wieczorek\Gadu-Gadu
2007-11-04 19:54 36,352 --a------ C:\WINDOWS\system32\pmnnoon.dll
2007-11-04 19:51 36,352 --a------ C:\WINDOWS\system32\tuvusrr.dll
2007-10-30 19:22 <DIR> d-------- C:\WINDOWS\system32\OKIK.ECT
2007-10-29 21:43 19,968 -ra------ C:\WINDOWS\system32\runsetup.dll
2007-10-29 21:23 104,368 --a------ C:\WINDOWS\system32\DCOMPERM.DLL
2007-10-29 21:23 67,440 --a------ C:\WINDOWS\system32\DCP.EXE
2007-10-29 21:22 <DIR> d-------- C:\Programme\PrintSuperVision
2007-10-29 21:22 4,096 --a------ C:\WINDOWS\system32\aspSmartUploadUtil.dll
2007-10-29 21:08 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2007-10-29 21:06 <DIR> d-------- C:\Inetpub
2007-10-29 21:04 <DIR> d-------- C:\WINDOWS\system32\Logfiles
2007-10-28 18:00 <DIR> d-------- C:\Programme\Jetsuite

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 07:37 17,962 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2007-11-06 19:37 13,440 ----a-w C:\WINDOWS\GPCIDrv.sys
2007-11-06 18:23 --------- d-----w C:\Dokumente und Einstellungen\Damian Wieczorek\Anwendungsdaten\phonostar-Player
2007-10-29 20:22 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-09-29 16:27 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2007-09-29 15:33 --------- d-----w C:\Programme\BMW M3 Challenge
2007-09-14 19:40 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-09-11 18:29 --------- d-----w C:\Programme\DivX
2005-07-23 19:07 75,400 ----a-w C:\Dokumente und Einstellungen\Damian Wieczorek\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2003-09-05 17:02 266 --sh--w C:\Programme\desktop.ini
2003-09-05 17:02 11,253 ---ha-w C:\Programme\folder.htt
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30EDD4CB-8BC1-4f9f-99A6-A6938E9AACE0}]
C:\WINDOWS\System32\coq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ba43469-dc97-45cc-a71a-7e76f474e226}]
2007-11-06 11:23 81472 --a------ C:\WINDOWS\System32\jmcfyiud.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5597409F-8C79-4367-951E-1BC8BD6672B5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-04 19:51 36352 --a------ C:\WINDOWS\system32\tuvusrr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MULTIMEDIA KEYBOARD"="C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-12-05 08:13]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-06-15 16:20]
"etMonitor"="C:\WINDOWS\etMon.exe" [2005-07-26 18:45]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-06-15 16:20]
"VGAUtil"="C:\Programme\GigaByte\VGA Utility Manager\G-VGA.exe" [2006-05-17 13:50]
"Sunkist2k"="C:\Programme\Multimedia Card Reader\shwicon2k.exe" [2005-10-07 16:42]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 C:\WINDOWS\mixer.exe]
"NWEReboot"="" []
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2004-11-17 18:28]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-10 20:53]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-12 18:19]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\programme\valve\steam\steam.exe" [2007-10-05 07:18]
"Philips Intelligent Agent"="C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe" [2007-03-06 10:58]
"LDM"="\Program\BackWeb-8876480.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\tuvusrr.dll [2007-11-04 19:51 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvusrr]
tuvusrr.dll 2007-11-04 19:51 36352 C:\WINDOWS\system32\tuvusrr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\pmkjg.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SoniqueQuickStart"=C:\Programme\Sonique\sqstart.exe -nostick
"updateMgr"="C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
"ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe
"Philips Intelligent Agent"="C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime
"CloneCDTray"="C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"InCD"=C:\Programme\Nero\Nero 7\InCD\InCD.exe
"LanguageShortcut"=C:\Programme\CyberLink\PowerDVD\Language\Language.exe
"NeroFilterCheck"=C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
"RemoteControl"=C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
"SecurDisc"=C:\Programme\Nero\Nero 7\InCD\NBHGui.exe
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_01\bin\jusched.exe"

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\drivers\avgntmgr.sys
R0 axwhisky;axwhisky;C:\WINDOWS\System32\DRIVERS\axwhisky.sys
R0 axwskbus;axwskbus;C:\WINDOWS\System32\DRIVERS\axwskbus.sys
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
R1 js1284;js1284;C:\WINDOWS\System32\drivers\js1284.sys
R1 jsmux;jsmux;C:\WINDOWS\System32\drivers\jsmux.sys
R1 jsscan;jsscan;C:\WINDOWS\System32\drivers\jsscan.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys
R1 SSHDRV58;SSHDRV58;\??\C:\WINDOWS\System32\drivers\SSHDRV58.sys
R1 VBoxDrv;VirtualBox Service;C:\WINDOWS\System32\DRIVERS\VBoxDrv.sys
R2 elcapi20;elcapi20;C:\WINDOWS\System32\Drivers\elcapi20.sys
R2 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys
R2 jsfax;jsfax;C:\WINDOWS\System32\drivers\jsfax.sys
R2 jspclcap;jspclcap;C:\WINDOWS\System32\drivers\jspclcap.sys
R2 nhksrv;Netropa NHK Server;C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
R2 okidaemon;okidaemon;c:\Programme\Jetsuite\okidaemon.exe
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\System32\Drivers\ousbehci.sys
R2 PrintSupervisor;PrintSuperVisor;C:\Programme\PrintSuperVision\PrintSuperVision\PSVService.exe
R2 RVS_CE;RVS CAPI;C:\WINDOWS\system32\rvs_cent.exe
R2 rvsport;RVS Virtual COM Port;C:\WINDOWS\System32\drivers\rvsport.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 DCamUSBET;ET USB 2710 Camera;C:\WINDOWS\System32\DRIVERS\etDevice.sys
R3 ElgTaDrv;T-Concept X USB System Driver;C:\WINDOWS\System32\Drivers\ElgTaDrv.sys
R3 FiltUSBET;ET USB Device Lower Filter;C:\WINDOWS\System32\DRIVERS\etFilter.sys
R3 GPCIDrv;GPCIDrv;\??\C:\WINDOWS\GPCIDrv.sys
R3 GVTDrv;GVTDrv;\??\C:\WINDOWS\System32\Drivers\GVTDrv.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\System32\DRIVERS\ousb2hub.sys
R3 ScanUSBET;ET USB Still Image Capture Device;C:\WINDOWS\System32\DRIVERS\etScan.sys
R3 VBoxUSBFlt;VirtualBox USB Filter Driver;C:\WINDOWS\System32\DRIVERS\VBoxUSBFlt.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S1 AEC671X;AEC671X;C:\WINDOWS\System32\drivers\AEC671X.SYS
S1 DMX3191;DMX3191;C:\WINDOWS\System32\drivers\DMX3191.SYS
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\System32\Drivers\Ca533av.sys
S2 UDNT;UDNT;C:\WINDOWS\System32\drivers\UDNT.sys
S3 CoolerXPDriver;CoolerXPDriver;\??\C:\Programme\MSI\PC Alert 4\NTCooler.sys
S3 DCamUSBGrandTek;StyloCam PC Camera.;C:\WINDOWS\System32\Drivers\stylox1.SYS
S3 GT891x;StyloCam DSC;C:\WINDOWS\System32\Drivers\stylox0.SYS
S3 RvscomSv;RvscomSv;C:\Programme\Teledat\WCOM\SYSTEM\RVSCOMSV.EXE
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\System32\Drivers\Bulk533.sys
S3 VGAUTI;VGAUTI;\??\C:\WINDOWS\System32\DRIVERS\VGAUTI.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys
S4 jsdbg;jsdbg;C:\WINDOWS\System32\drivers\jsdbg.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 08:38:43
Windows 5.1.2600 Service Pack 1 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

**************************************************************************
.
Zeit der Fertigstellung: 2007-11-07 8:41:59 - machine was rebooted
.
--- E O F ---
 
Hm, please use ATF Cleaner, download a new ComboFix version and create a new report.

Start the ATF Cleaner program, tick "Select All" and press "Empty Selected". The same can be done via the Firefox and Opera tabs if you use those programs.

Addendum: please update AntiVir and configure it as described here: http://board.protecus.de/t23979.htm Note that APP does not have to be activated!
 
Thanks for helping me with my problem!

I have reconfigured my AntiVir and also ran ATF Cleaner. After that I downloaded ComboFix again and ran it:

Here is the report:

ComboFix 07-11-07.3 - Damian Wieczorek 2007-11-07 13:41:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1031.18.554 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Damian Wieczorek\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awvvu.dll
C:\WINDOWS\system32\uvvwa.bak1
C:\WINDOWS\system32\uvvwa.ini

.
((((((((((((((((((((((( Dateien erstellt von 2007-10-07 bis 2007-11-07 ))))))))))))))))))))))))))))))
.

2007-11-07 08:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-06 11:23 81,472 --a------ C:\WINDOWS\system32\jmcfyiud.dll
2007-11-06 11:20 87,104 --a------ C:\WINDOWS\system32\siiejlln.dll
2007-11-05 23:06 <DIR> d-------- C:\Dokumente und Einstellungen\Damian Wieczorek\Gadu-Gadu
2007-11-04 19:54 36,352 --a------ C:\WINDOWS\system32\pmnnoon.dll
2007-11-04 19:51 36,352 --a------ C:\WINDOWS\system32\tuvusrr.dll
2007-10-30 19:22 <DIR> d-------- C:\WINDOWS\system32\OKIK.ECT
2007-10-29 21:43 19,968 -ra------ C:\WINDOWS\system32\runsetup.dll
2007-10-29 21:23 104,368 --a------ C:\WINDOWS\system32\DCOMPERM.DLL
2007-10-29 21:23 67,440 --a------ C:\WINDOWS\system32\DCP.EXE
2007-10-29 21:22 <DIR> d-------- C:\Programme\PrintSuperVision
2007-10-29 21:22 4,096 --a------ C:\WINDOWS\system32\aspSmartUploadUtil.dll
2007-10-29 21:08 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2007-10-29 21:06 <DIR> d-------- C:\Inetpub
2007-10-29 21:04 <DIR> d-------- C:\WINDOWS\system32\Logfiles
2007-10-28 18:00 <DIR> d-------- C:\Programme\Jetsuite

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 12:49 17,962 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2007-11-07 08:32 13,440 ----a-w C:\WINDOWS\GPCIDrv.sys
2007-11-06 18:23 --------- d-----w C:\Dokumente und Einstellungen\Damian Wieczorek\Anwendungsdaten\phonostar-Player
2007-10-29 20:22 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-09-29 16:27 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2007-09-29 15:33 --------- d-----w C:\Programme\BMW M3 Challenge
2007-09-14 19:40 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-09-11 18:29 --------- d-----w C:\Programme\DivX
2005-07-23 19:07 75,400 ----a-w C:\Dokumente und Einstellungen\Damian Wieczorek\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2003-09-05 17:02 266 --sh--w C:\Programme\desktop.ini
2003-09-05 17:02 11,253 ---ha-w C:\Programme\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2007-11-07_ 8.39.48.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-07 07:36:24 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-07 12:47:30 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-07 07:36:24 180,224 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-07 12:47:30 180,224 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-07 07:36:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2007-11-07 12:47:30 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
- 2007-11-07 07:36:57 206,626 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-07 12:48:33 206,639 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2007-10-30 17:48:33 85,824 ----a-w C:\WINDOWS\system32\perfc007.dat
+ 2007-11-07 08:33:57 85,824 ----a-w C:\WINDOWS\system32\perfc007.dat
- 2007-10-30 17:48:33 73,068 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-07 08:33:57 73,068 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-30 17:48:33 460,088 ----a-w C:\WINDOWS\system32\perfh007.dat
+ 2007-11-07 08:33:57 460,088 ----a-w C:\WINDOWS\system32\perfh007.dat
- 2007-10-30 17:48:33 437,948 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-07 08:33:57 437,948 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-07 12:48:30 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6a4.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30EDD4CB-8BC1-4f9f-99A6-A6938E9AACE0}]
C:\WINDOWS\System32\coq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ba43469-dc97-45cc-a71a-7e76f474e226}]
2007-11-06 11:23 81472 --a------ C:\WINDOWS\System32\jmcfyiud.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5597409F-8C79-4367-951E-1BC8BD6672B5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-04 19:51 36352 --a------ C:\WINDOWS\system32\tuvusrr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A48E814-DFE0-4D8C-965F-D86B6DB5DEE1}]
C:\WINDOWS\System32\geebx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MULTIMEDIA KEYBOARD"="C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-12-05 08:13]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-06-15 16:20]
"etMonitor"="C:\WINDOWS\etMon.exe" [2005-07-26 18:45]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-06-15 16:20]
"VGAUtil"="C:\Programme\GigaByte\VGA Utility Manager\G-VGA.exe" [2006-05-17 13:50]
"Sunkist2k"="C:\Programme\Multimedia Card Reader\shwicon2k.exe" [2005-10-07 16:42]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 C:\WINDOWS\mixer.exe]
"NWEReboot"="" []
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2004-11-17 18:28]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-10 20:53]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-12 18:19]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\programme\valve\steam\steam.exe" [2007-10-05 07:18]
"Philips Intelligent Agent"="C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe" [2007-03-06 10:58]
"LDM"="\Program\BackWeb-8876480.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\tuvusrr.dll [2007-11-04 19:51 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvusrr]
tuvusrr.dll 2007-11-04 19:51 36352 C:\WINDOWS\system32\tuvusrr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\awvvu.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SoniqueQuickStart"=C:\Programme\Sonique\sqstart.exe -nostick
"updateMgr"="C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
"ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe
"Philips Intelligent Agent"="C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime
"CloneCDTray"="C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"InCD"=C:\Programme\Nero\Nero 7\InCD\InCD.exe
"LanguageShortcut"=C:\Programme\CyberLink\PowerDVD\Language\Language.exe
"NeroFilterCheck"=C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
"RemoteControl"=C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
"SecurDisc"=C:\Programme\Nero\Nero 7\InCD\NBHGui.exe
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_01\bin\jusched.exe"

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\drivers\avgntmgr.sys
R0 axwhisky;axwhisky;C:\WINDOWS\System32\DRIVERS\axwhisky.sys
R0 axwskbus;axwskbus;C:\WINDOWS\System32\DRIVERS\axwskbus.sys
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
R1 js1284;js1284;C:\WINDOWS\System32\drivers\js1284.sys
R1 jsmux;jsmux;C:\WINDOWS\System32\drivers\jsmux.sys
R1 jsscan;jsscan;C:\WINDOWS\System32\drivers\jsscan.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys
R1 SSHDRV58;SSHDRV58;\??\C:\WINDOWS\System32\drivers\SSHDRV58.sys
R1 VBoxDrv;VirtualBox Service;C:\WINDOWS\System32\DRIVERS\VBoxDrv.sys
R2 elcapi20;elcapi20;C:\WINDOWS\System32\Drivers\elcapi20.sys
R2 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys
R2 jsfax;jsfax;C:\WINDOWS\System32\drivers\jsfax.sys
R2 jspclcap;jspclcap;C:\WINDOWS\System32\drivers\jspclcap.sys
R2 nhksrv;Netropa NHK Server;C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
R2 okidaemon;okidaemon;c:\Programme\Jetsuite\okidaemon.exe
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\System32\Drivers\ousbehci.sys
R2 PrintSupervisor;PrintSuperVisor;C:\Programme\PrintSuperVision\PrintSuperVision\PSVService.exe
R2 RVS_CE;RVS CAPI;C:\WINDOWS\system32\rvs_cent.exe
R2 rvsport;RVS Virtual COM Port;C:\WINDOWS\System32\drivers\rvsport.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 DCamUSBET;ET USB 2710 Camera;C:\WINDOWS\System32\DRIVERS\etDevice.sys
R3 ElgTaDrv;T-Concept X USB System Driver;C:\WINDOWS\System32\Drivers\ElgTaDrv.sys
R3 FiltUSBET;ET USB Device Lower Filter;C:\WINDOWS\System32\DRIVERS\etFilter.sys
R3 GPCIDrv;GPCIDrv;\??\C:\WINDOWS\GPCIDrv.sys
R3 GVTDrv;GVTDrv;\??\C:\WINDOWS\System32\Drivers\GVTDrv.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\System32\DRIVERS\ousb2hub.sys
R3 ScanUSBET;ET USB Still Image Capture Device;C:\WINDOWS\System32\DRIVERS\etScan.sys
R3 VBoxUSBFlt;VirtualBox USB Filter Driver;C:\WINDOWS\System32\DRIVERS\VBoxUSBFlt.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S1 AEC671X;AEC671X;C:\WINDOWS\System32\drivers\AEC671X.SYS
S1 DMX3191;DMX3191;C:\WINDOWS\System32\drivers\DMX3191.SYS
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\System32\Drivers\Ca533av.sys
S2 UDNT;UDNT;C:\WINDOWS\System32\drivers\UDNT.sys
S3 CoolerXPDriver;CoolerXPDriver;\??\C:\Programme\MSI\PC Alert 4\NTCooler.sys
S3 DCamUSBGrandTek;StyloCam PC Camera.;C:\WINDOWS\System32\Drivers\stylox1.SYS
S3 GT891x;StyloCam DSC;C:\WINDOWS\System32\Drivers\stylox0.SYS
S3 RvscomSv;RvscomSv;C:\Programme\Teledat\WCOM\SYSTEM\RVSCOMSV.EXE
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\System32\Drivers\Bulk533.sys
S3 VGAUTI;VGAUTI;\??\C:\WINDOWS\System32\DRIVERS\VGAUTI.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys
S4 jsdbg;jsdbg;C:\WINDOWS\System32\drivers\jsdbg.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 13:50:33
Windows 5.1.2600 Service Pack 1 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

**************************************************************************
.
Zeit der Fertigstellung: 2007-11-07 13:52:50 - machine was rebooted
.
--- E O F ---
 
Please copy the following from the code box into a file named cfscript.txt, save it to the desktop and drag it onto combofix.exe


Code:
Collect::
C:\WINDOWS\system32\jmcfyiud.dll
C:\WINDOWS\system32\siiejlln.dll
C:\WINDOWS\system32\pmnnoon.dll
C:\WINDOWS\system32\tuvusrr.dll
Please post the log that ComboFix then creates. Additionally, create a HijackThis report:

Download: http://www.trendsecure.com/portal/en-US/threat_analytics/HiJackThis.zip

Download/unpack HijackThis into a separate folder, rename HijackThis to HJT, start it and choose
---> None of the above just start the program --> Scan -> Save log --> hijackthis.log - Save - the editor opens

now copy the COMPLETE log with a right-click and paste it into the forum with a right-click "Paste"


AntiVir should actually have found quite a bit more!?
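As an added editorial example (not code from this thread, from ComboFix or from HijackThis), the Python below reads the "Autostart Punkte der Registrierung" block of a ComboFix log and flags the Virtumonde loading points visible in the logs posted here: an extra DLL in the LSA "Authentication Packages" value, a Winlogon Notify DLL, a ShellExecuteHook and Browser Helper Objects loaded straight from System32. The sample lines are constructed from the entries in this thread, and the `Collect::` output follows the CFScript form used in the post above.

```python
"""Flag Virtumonde-style persistence in a ComboFix "Autostart" section.

Added editorial example; not code from the thread, from ComboFix or from
HijackThis.  It parses the registry-autostart block ComboFix prints and
flags the loading points the thread's logs show Virtumonde using.
"""
import re

# Constructed sample, modelled on the autostart lines in this thread
# (same paths, trimmed to the keys that matter).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30EDD4CB-8BC1-4f9f-99A6-A6938E9AACE0}]
C:\WINDOWS\System32\coq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3ba43469-dc97-45cc-a71a-7e76f474e226}]
2007-11-06 11:23 81472 --a------ C:\WINDOWS\System32\jmcfyiud.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-12 18:19]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\tuvusrr.dll [2007-11-04 19:51 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvusrr]
tuvusrr.dll 2007-11-04 19:51 36352 C:\WINDOWS\system32\tuvusrr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\awvvu.dll
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# A Windows path ending in .dll/.exe; lazy so it stops at the first extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)
# A DLL sitting directly in System32 rather than in a vendor folder.
SYSTEM32_DLL_RE = re.compile(r"^[A-Za-z]:\\windows\\system32\\[^\\]+\.dll$", re.IGNORECASE)


def parse_blocks(text):
    """Split the autostart section into (registry key, [value lines]) pairs."""
    blocks, key, lines = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                blocks.append((key, lines))
            key, lines = m.group(1), []
        elif key is not None:
            lines.append(line)
    if key is not None:
        blocks.append((key, lines))
    return blocks


def find_virtumonde_indicators(text):
    """Return (indicator, dll_path) tuples for the loading points Virtumonde uses."""
    findings = []
    for key, lines in parse_blocks(text):
        k = key.lower()
        paths = PATH_RE.findall(" ".join(lines))
        if k.endswith("\\control\\lsa"):
            # Windows itself only lists msv1_0 here; any DLL alongside it is suspect.
            findings += [("lsa_auth_package", p) for p in paths]
        elif "\\winlogon\\notify\\" in k:
            findings += [("winlogon_notify", p) for p in paths if SYSTEM32_DLL_RE.match(p)]
        elif k.endswith("\\shellexecutehooks"):
            findings += [("shell_execute_hook", p) for p in paths if SYSTEM32_DLL_RE.match(p)]
        elif "browser helper objects" in k:
            # Heuristic: legitimate BHOs live in vendor folders, not in System32 itself.
            findings += [("bho_in_system32", p) for p in paths if SYSTEM32_DLL_RE.match(p)]
    return findings


def collect_script(findings):
    """Render the flagged DLLs as a CFScript 'Collect::' block (de-duplicated, case-insensitive),
    so the samples are submitted for analysis rather than only deleted."""
    seen = []
    for _, path in findings:
        if path.lower() not in [s.lower() for s in seen]:
            seen.append(path)
    return "Collect::\n" + "\n".join(seen) + "\n"


if __name__ == "__main__":
    hits = find_virtumonde_indicators(SAMPLE_LOG)
    for kind, path in hits:
        print(f"{kind:20s} {path}")
    print(collect_script(hits))
```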
 
ComboFix 07-11-07.3 - Damian Wieczorek 2007-11-07 15:09:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1031.18.568 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Damian Wieczorek\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\Damian Wieczorek\Desktop\CFScript.txt
* Neuer Wiederherstellungspunkt wurde erstellt
.

Nicht in der Lage Systemrechte zu erhalten

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jmcfyiud.dll
C:\WINDOWS\system32\pmnnoon.dll
C:\WINDOWS\system32\siiejlln.dll
C:\WINDOWS\system32\tuvusrr.dll
C:\WINDOWS\system32\ututv.bak1
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\vtutu.dll

.
((((((((((((((((((((((( Dateien erstellt von 2007-10-07 bis 2007-11-07 ))))))))))))))))))))))))))))))
.

2007-11-07 08:21 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 23:06 <DIR> d-------- C:\Dokumente und Einstellungen\Damian Wieczorek\Gadu-Gadu
2007-10-30 19:22 <DIR> d-------- C:\WINDOWS\system32\OKIK.ECT
2007-10-29 21:43 19,968 -ra------ C:\WINDOWS\system32\runsetup.dll
2007-10-29 21:23 104,368 --a------ C:\WINDOWS\system32\DCOMPERM.DLL
2007-10-29 21:23 67,440 --a------ C:\WINDOWS\system32\DCP.EXE
2007-10-29 21:22 <DIR> d-------- C:\Programme\PrintSuperVision
2007-10-29 21:22 4,096 --a------ C:\WINDOWS\system32\aspSmartUploadUtil.dll
2007-10-29 21:08 <DIR> d-------- C:\WINDOWS\IIS Temporary Compressed Files
2007-10-29 21:06 <DIR> d-------- C:\Inetpub
2007-10-29 21:04 <DIR> d-------- C:\WINDOWS\system32\Logfiles
2007-10-28 18:00 <DIR> d-------- C:\Programme\Jetsuite

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 12:50 13,440 ----a-w C:\WINDOWS\GPCIDrv.sys
2007-11-07 12:49 17,962 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2007-11-06 18:23 --------- d-----w C:\Dokumente und Einstellungen\Damian Wieczorek\Anwendungsdaten\phonostar-Player
2007-10-29 20:22 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-09-29 16:27 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\AntiVir PersonalEdition Classic
2007-09-29 15:33 --------- d-----w C:\Programme\BMW M3 Challenge
2007-09-14 19:40 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2007-09-11 18:29 --------- d-----w C:\Programme\DivX
2005-07-23 19:07 75,400 ----a-w C:\Dokumente und Einstellungen\Damian Wieczorek\Anwendungsdaten\GDIPFONTCACHEV1.DAT
2003-09-05 17:02 266 --sh--w C:\Programme\desktop.ini
2003-09-05 17:02 11,253 ---ha-w C:\Programme\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2007-11-07_ 8.39.48.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-07 07:36:24 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-07 14:18:11 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-07 07:36:24 180,224 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-07 14:18:11 180,224 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2007-11-07 07:36:24 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2007-11-07 14:18:11 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
- 2007-11-07 07:36:57 206,626 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-07 14:18:44 206,627 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2007-10-30 17:48:33 85,824 ----a-w C:\WINDOWS\system32\perfc007.dat
+ 2007-11-07 08:33:57 85,824 ----a-w C:\WINDOWS\system32\perfc007.dat
- 2007-10-30 17:48:33 73,068 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-07 08:33:57 73,068 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-30 17:48:33 460,088 ----a-w C:\WINDOWS\system32\perfh007.dat
+ 2007-11-07 08:33:57 460,088 ----a-w C:\WINDOWS\system32\perfh007.dat
- 2007-10-30 17:48:33 437,948 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-07 08:33:57 437,948 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-07 14:19:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4bc.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30EDD4CB-8BC1-4f9f-99A6-A6938E9AACE0}]
C:\WINDOWS\System32\coq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5597409F-8C79-4367-951E-1BC8BD6672B5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A48E814-DFE0-4D8C-965F-D86B6DB5DEE1}]
C:\WINDOWS\System32\geebx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MULTIMEDIA KEYBOARD"="C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-12-05 08:13]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-06-15 16:20]
"etMonitor"="C:\WINDOWS\etMon.exe" [2005-07-26 18:45]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-06-15 16:20]
"VGAUtil"="C:\Programme\GigaByte\VGA Utility Manager\G-VGA.exe" [2006-05-17 13:50]
"Sunkist2k"="C:\Programme\Multimedia Card Reader\shwicon2k.exe" [2005-10-07 16:42]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 C:\WINDOWS\mixer.exe]
"NWEReboot"="" []
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2004-11-17 18:28]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2005-01-10 20:53]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-12 18:19]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\programme\valve\steam\steam.exe" [2007-10-05 07:18]
"Philips Intelligent Agent"="C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe" [2007-03-06 10:58]
"LDM"="\Program\BackWeb-8876480.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvusrr]
tuvusrr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\vtutu.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SoniqueQuickStart"=C:\Programme\Sonique\sqstart.exe -nostick
"updateMgr"="C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
"ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe
"Philips Intelligent Agent"="C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime
"CloneCDTray"="C:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"InCD"=C:\Programme\Nero\Nero 7\InCD\InCD.exe
"LanguageShortcut"=C:\Programme\CyberLink\PowerDVD\Language\Language.exe
"NeroFilterCheck"=C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
"RemoteControl"=C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
"SecurDisc"=C:\Programme\Nero\Nero 7\InCD\NBHGui.exe
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_01\bin\jusched.exe"

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\drivers\avgntmgr.sys
R0 axwhisky;axwhisky;C:\WINDOWS\System32\DRIVERS\axwhisky.sys
R0 axwskbus;axwskbus;C:\WINDOWS\System32\DRIVERS\axwskbus.sys
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys
R1 js1284;js1284;C:\WINDOWS\System32\drivers\js1284.sys
R1 jsmux;jsmux;C:\WINDOWS\System32\drivers\jsmux.sys
R1 jsscan;jsscan;C:\WINDOWS\System32\drivers\jsscan.sys
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\System32\DRIVERS\msikbd2k.sys
R1 SSHDRV58;SSHDRV58;\??\C:\WINDOWS\System32\drivers\SSHDRV58.sys
R1 VBoxDrv;VirtualBox Service;C:\WINDOWS\System32\DRIVERS\VBoxDrv.sys
R2 elcapi20;elcapi20;C:\WINDOWS\System32\Drivers\elcapi20.sys
R2 GVCplDrv;GVCplDrv;C:\WINDOWS\System32\drivers\GVCplDrv.sys
R2 jsfax;jsfax;C:\WINDOWS\System32\drivers\jsfax.sys
R2 jspclcap;jspclcap;C:\WINDOWS\System32\drivers\jspclcap.sys
R2 nhksrv;Netropa NHK Server;C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
R2 okidaemon;okidaemon;c:\Programme\Jetsuite\okidaemon.exe
R2 ousbehci;NEC PCI to USB Enhanced Host Controller;C:\WINDOWS\System32\Drivers\ousbehci.sys
R2 PrintSupervisor;PrintSuperVisor;C:\Programme\PrintSuperVision\PrintSuperVision\PSVService.exe
R2 RVS_CE;RVS CAPI;C:\WINDOWS\system32\rvs_cent.exe
R2 rvsport;RVS Virtual COM Port;C:\WINDOWS\System32\drivers\rvsport.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R3 DCamUSBET;ET USB 2710 Camera;C:\WINDOWS\System32\DRIVERS\etDevice.sys
R3 ElgTaDrv;T-Concept X USB System Driver;C:\WINDOWS\System32\Drivers\ElgTaDrv.sys
R3 FiltUSBET;ET USB Device Lower Filter;C:\WINDOWS\System32\DRIVERS\etFilter.sys
R3 GPCIDrv;GPCIDrv;\??\C:\WINDOWS\GPCIDrv.sys
R3 GVTDrv;GVTDrv;\??\C:\WINDOWS\System32\Drivers\GVTDrv.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\System32\DRIVERS\ousb2hub.sys
R3 ScanUSBET;ET USB Still Image Capture Device;C:\WINDOWS\System32\DRIVERS\etScan.sys
R3 VBoxUSBFlt;VirtualBox USB Filter Driver;C:\WINDOWS\System32\DRIVERS\VBoxUSBFlt.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\System32\drivers\WmBEnum.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\System32\drivers\WmFilter.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\System32\drivers\WmXlCore.sys
S1 AEC671X;AEC671X;C:\WINDOWS\System32\drivers\AEC671X.SYS
S1 DMX3191;DMX3191;C:\WINDOWS\System32\drivers\DMX3191.SYS
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\System32\Drivers\Ca533av.sys
S2 UDNT;UDNT;C:\WINDOWS\System32\drivers\UDNT.sys
S3 CoolerXPDriver;CoolerXPDriver;\??\C:\Programme\MSI\PC Alert 4\NTCooler.sys
S3 DCamUSBGrandTek;StyloCam PC Camera.;C:\WINDOWS\System32\Drivers\stylox1.SYS
S3 GT891x;StyloCam DSC;C:\WINDOWS\System32\Drivers\stylox0.SYS
S3 RvscomSv;RvscomSv;C:\Programme\Teledat\WCOM\SYSTEM\RVSCOMSV.EXE
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\System32\Drivers\Bulk533.sys
S3 VGAUTI;VGAUTI;\??\C:\WINDOWS\System32\DRIVERS\VGAUTI.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\System32\drivers\WmVirHid.sys
S4 jsdbg;jsdbg;C:\WINDOWS\System32\drivers\jsdbg.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 15:20:13
Windows 5.1.2600 Service Pack 1 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

**************************************************************************
.
Zeit der Fertigstellung: 2007-11-07 15:22:53 - machine was rebooted
.
--- E O F ---
 
It also created a file here: "[4]-Submit_2007-11-07@15.09" that it wants to send off. Can I send it to you somehow???

AntiVir only ever finds a Trojan during the scan, otherwise no differences from before.

I'm now doing the scan with HJT.
 
hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:30:32, on 07.11.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Programme\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\Programme\Jetsuite\okidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\PrintSuperVision\PrintSuperVision\PSVService.exe
C:\Programme\CyberLink\Shared Files\RichVideo.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
C:\WINDOWS\system32\rvs_cent.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Programme\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\etMon.exe
C:\Programme\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Programme\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\Mixer.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\programme\valve\steam\steam.exe
C:\Programme\Jetsuite\DLLCMD32.EXE
C:\Programme\Logitech\SetPoint\KEM.exe
C:\Programme\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Dokumente und Einstellungen\Damian Wieczorek\Desktop\HiJackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.t-online.de/service/redir/ie_t-online.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=www-proxy.t-online.de:80;ftp=ftp-proxy.t-online.de:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.t-online.de;localhost;<local>
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: H - {30EDD4CB-8BC1-4f9f-99A6-A6938E9AACE0} - C:\WINDOWS\System32\coq.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Flash Module - {5597409F-8C79-4367-951E-1BC8BD6672B5} - btasv.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A48E814-DFE0-4D8C-965F-D86B6DB5DEE1} - C:\WINDOWS\System32\geebx.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programme\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [etMonitor] C:\WINDOWS\etMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\Programme\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Programme\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Steam] "c:\programme\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Philips Intelligent Agent] "C:\Programme\Philips Intelligent Agent\Philips Intelligent Agent.exe" /SILENT
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\Programme\VSTASCAN\vsaccess.exe
O4 - Global Startup: DllCmd32.lnk = C:\Programme\Jetsuite\DLLCMD32.EXE
O4 - Global Startup: Jetsuite Pro Status.lnk = C:\Programme\Jetsuite\JETSTAT.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with NetPumper - C:\Programme\NetPumper\AddUrl.htm
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Programme\LingoCom\Translator.lnk (file missing)
O9 - Extra 'Tools' menuitem: LingoWare Translator... - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Programme\LingoCom\Translator.lnk (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQ\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.t-online.de/service/redir/ie_t-online.htm
O20 - Winlogon Notify: tuvusrr - tuvusrr.dll (file missing)
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programme\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: okidaemon - JetFax, Inc. - c:\Programme\Jetsuite\okidaemon.exe
O23 - Service: PrintSuperVisor (PrintSupervisor) - Unknown owner - C:\Programme\PrintSuperVision\PrintSuperVision\PSVService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programme\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RVS CommCenter (RvsCC) - Unknown owner - C:\Programme\Teledat\WCOM\SYSTEM\RVSCC.EXE
O23 - Service: RvscomSv - RVS Datentechnik GmbH, München - C:\Programme\Teledat\WCOM\SYSTEM\RVSCOMSV.EXE
O23 - Service: RVS Installer (RVSINST) - RVS Datentechnik GmbH, München - C:\Programme\Teledat\WCOM\SYSTEM\RVSINST.EXE
O23 - Service: RVS CAPI (RVS_CE) - RVS Datentechnik GmbH, Munich - C:\WINDOWS\system32\rvs_cent.exe

--
End of file - 9162 bytes
 
Yep, please send the file to virus@protecus.de and to detections (at) spybot.info.


Please tick the following in HijackThis and press "Fix checked":

O2 - BHO: H - {30EDD4CB-8BC1-4f9f-99A6-A6938E9AACE0} - C:\WINDOWS\System32\coq.dll (file missing){5597409F-8C79-4367-951E-1BC8BD6672B5} - btasv.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A48E814-DFE0-4D8C-965F-D86B6DB5DEE1} - C:\WINDOWS\System32\geebx.dll (file missing)
O20 - Winlogon Notify: tuvusrr - tuvusrr.dll (file missing)

Reboot and check whether all the entries are gone.
Where does AntiVir find which Trojan?

Please type "catchme" (without the quotes) under Start/Run and press Enter. Then press "scan" in catchme and check whether it finds anything.
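Added example, not part of this thread and not code from Spybot, HijackThis or catchme: a small Python script that applies the rule the post above uses by hand to a HijackThis log. It parses each `Oxx - ...` line, treats entries ending in "(file missing)" or "(no file)" as orphans, and marks orphaned O2 (BHO, loaded into Internet Explorer) and O20 (Winlogon Notify, loaded into winlogon.exe) entries as the ones to tick before "Fix checked". Other orphans and O23 services with "Unknown owner" are only flagged for review; that review rule is my own heuristic, not something HijackThis does. The sample log lines are constructed from entries quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines modelled on the HijackThis log
# quoted in this thread (not the complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A48E814-DFE0-4D8C-965F-D86B6DB5DEE1} - C:\WINDOWS\System32\geebx.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\Programme\LingoCom\Translator.lnk (file missing)
O20 - Winlogon Notify: tuvusrr - tuvusrr.dll (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Entry types that load a DLL into a host process: O2 (BHO) into Internet
# Explorer, O20 (Winlogon Notify) into winlogon.exe. An orphaned entry here
# is either leftover from a scanner deleting the DLL, or a registration a
# re-dropped DLL would fill again, so it is cleaned up rather than kept.
CODE_LOADING_SECTIONS = {"O2", "O20"}
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# HijackThis lines look like "O20 - <body>"; section ids are R0/R1, F1/F2,
# N1..N4 and O1..O24.
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


@dataclass
class HjtEntry:
    section: str   # e.g. "O20"
    body: str      # everything after "O20 - "
    orphan: bool   # referenced file no longer exists on disk
    verdict: str   # "fix", "review" or "ok"


def classify(section: str, body: str) -> str:
    """Decide what to do with one entry (assumed heuristic, see lead-in)."""
    orphan = body.endswith(ORPHAN_MARKERS)
    if orphan and section in CODE_LOADING_SECTIONS:
        return "fix"          # the entries the helper asked to tick
    if orphan:
        return "review"       # orphaned but not a code-loading hook
    if section == "O23" and "Unknown owner" in body:
        return "review"       # service binary without version/company info
    return "ok"


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one log line; returns None for blank lines, headers and footers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    return HjtEntry(section, body, body.endswith(ORPHAN_MARKERS), classify(section, body))


def parse_log(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def _lines_with_verdict(text: str, verdict: str) -> List[str]:
    # Re-emit the original line so it can be matched 1:1 in the HijackThis UI.
    return [f"{e.section} - {e.body}" for e in parse_log(text) if e.verdict == verdict]


def lines_to_fix(text: str) -> List[str]:
    """Log lines to tick in HijackThis before pressing 'Fix checked'."""
    return _lines_with_verdict(text, "fix")


def lines_to_review(text: str) -> List[str]:
    """Log lines worth a second look, but not blindly fixed."""
    return _lines_with_verdict(text, "review")


if __name__ == "__main__":
    print("Fix checked:")
    for line in lines_to_fix(SAMPLE_LOG):
        print("  ", line)
    print("Review:")
    for line in lines_to_review(SAMPLE_LOG):
        print("  ", line)
```

Run on the sample it lists the two orphaned O2 BHOs and the orphaned O20 Winlogon Notify entry under "Fix checked", and the missing LingoWare shortcut and the "Unknown owner" service under "Review"; a normal O4 or O23 line with an existing, vendor-labelled binary is left alone.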
 
Trojan

The Trojan it finds is called TR/Injekt.JT

It is located at

C:\DOKUMENTE~1\DAMIAN~1\LOKALE~1\...\dwdeljxq.dll

That is what it reported just now, for example, when I typed in catchme and started it.
 
So, the entries were gone after the reboot, and catchme didn't find anything either.

Should I run S&D again now to see whether it finds anything, or what now?
 