schrauber wrote:
and what about the malware report you had while you were still running SP1?
you do know that installing an SP while the computer is infected results in the immediate destruction of the SP?
if I were you I would do a clean reinstall, then install all SPs, update the AV program and only then go online.
but if you want, we can take a look at how bad the infection is.
SilentRunners
Download SilentRunners from this page to the Desktop.
- Close all programs and start SilentRunners.
- In the prompt, choose No so that the supplementary searches are also run.
- Confirm the next prompt with Yes.
- Now wait until SilentRunners confirms in a window that it has finished; this can take some time.
- You will then find the logfile on the Desktop. Post its contents.
OK, here is the logfile from SilentRunners!
Silent Runners.vbs, revision 58,
http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by {++}
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
Performance Center = C:\Programme\Ascentive\Performance Center\APCMain.exe -m [file not found]
TomTomHOME.exe = C:\Programme\TomTom HOME 2\HOMERunner.exe [file not found]
A00F13E4A6C.exe = C:\DOKUME~1\Klaus\LOKALE~1\Temp\_A00F13E4A6C.exe [file not found]
A00F91E4A.exe = C:\DOKUME~1\Klaus\LOKALE~1\Temp\_A00F91E4A.exe [file not found]
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
SoundMan = SOUNDMAN.EXE [Realtek Semiconductor Corp.]
NeroCheck = C:\WINDOWS\system32\NeroCheck.exe [Ahead Software Gmbh]
ActiveSpeed = C:\Programme\Ascentive\ActiveSpeed\AS.exe -b [file not found]
iTunesHelper = C:\Programme\iTunes\iTunesHelper.exe [Apple Computer, Inc.]
TomTomHOME.exe = C:\Programme\TomTom HOME\TomTomHOME.exe -s [TomTom]
SpyHunter Security Suite = C:\Programme\Enigma Software Group\SpyHunter\SpyHunter3.exe [file not found]
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [ALWIL Software]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = IE7 Uninstall Stub
\StubPath = C:\WINDOWS\system32\ieudinit.exe [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = Outlook Express
\StubPath = C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = Adobe PDF Reader Link Helper
\InProcServer32\(Default) = C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe Systems Incorporated]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
{42071714-76d4-11d1-8b24-00a0c9068ff3} = CPL-Erweiterung für Anzeigeverschiebung
-> {HKLM...CLSID} = CPL-Erweiterung für Anzeigeverschiebung
\InProcServer32\(Default) = deskpan.dll [file not found]
{88895560-9AA2-1069-930E-00AA0030EBC8} = Erweiterung für HyperTerminal-Icons
-> {HKLM...CLSID} = HyperTerminal Icon Ext
\InProcServer32\(Default) = C:\WINDOWS\System32\hticons.dll [Hilgraeve, Inc.]
{DCED20BE-3645-11D4-BC95-00C04F0E0588} = InoShell
-> {HKLM...CLSID} = InoShell
\InProcServer32\(Default) = C:\Programme\CA\eTrust Antivirus\InoShell.dll [file not found]
{15362FA5-C983-41ed-B7AC-5B9BEAF56929} = AOL
-> {HKLM...CLSID} = AOL
\InProcServer32\(Default) = C:\PROGRA~1\GEMEIN~1\aolshare\shell\de\shellext.dll [America Online, Inc.]
{42042206-2D85-11D3-8CFF-005004838597} = Microsoft Office HTML Icon Handler
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = C:\Programme\Microsoft Office\Office10\msohev.dll [MS]
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = WinRAR shell extension
-> {HKLM...CLSID} = WinRAR
\InProcServer32\(Default) = C:\Programme\WinRAR\rarext.dll [null data]
{cc86590a-b60a-48e6-996b-41d25ed39a1e} = Portable Media Devices Menu
-> {HKLM...CLSID} = Portable Media Devices Menu
\InProcServer32\(Default) = C:\WINDOWS\System32\Audiodev.dll [MS]
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} = iTunes
-> {HKLM...CLSID} = iTunes
\InProcServer32\(Default) = C:\Programme\iTunes\iTunesMiniPlayer.dll [Apple Computer, Inc.]
{472083B0-C522-11CF-8763-00608CC02F24} = avast
-> {HKLM...CLSID} = avast
\InProcServer32\(Default) = C:\Programme\Alwil Software\Avast4\ashShell.dll [ALWIL Software]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> 2c10ed01382\DLLName = C:\WINDOWS\System32\__c003BD0B.dat [Avira GmbH]
<<!>> dimsntfy\DLLName = C:\WINDOWS\System32\dimsntfy.dll [MS]
<<!>> igfxcui\DLLName = igfxsrvc.dll [Intel Corporation]
<<!>> __c00FEF62\DLLName = C:\WINDOWS\System32\__c00FEF62.dat [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = PDF Column Info
-> {HKLM...CLSID} = PDF Shell Extension
\InProcServer32\(Default) = C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll [Adobe Systems, Inc.]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = {472083B0-C522-11CF-8763-00608CC02F24}
-> {HKLM...CLSID} = avast
\InProcServer32\(Default) = C:\Programme\Alwil Software\Avast4\ashShell.dll [ALWIL Software]
IGXMADD\(Default) = {6DB8751F-2BBF-11d2-A39B-00C04FB96AD2}
-> {HKLM...CLSID} = Micrografx Share Media File Import Shell Extension
\InProcServer32\(Default) = C:\Programme\Corel\CorelDRAW ESSENTIALS 2\Photobook\Share\Media\igxMadd.dll [file not found]
InoShell\(Default) = {DCED20BE-3645-11D4-BC95-00C04F0E0588}
-> {HKLM...CLSID} = InoShell
\InProcServer32\(Default) = C:\Programme\CA\eTrust Antivirus\InoShell.dll [file not found]
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
-> {HKLM...CLSID} = WinRAR
\InProcServer32\(Default) = C:\Programme\WinRAR\rarext.dll [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
InoShell\(Default) = {DCED20BE-3645-11D4-BC95-00C04F0E0588}
-> {HKLM...CLSID} = InoShell
\InProcServer32\(Default) = C:\Programme\CA\eTrust Antivirus\InoShell.dll [file not found]
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
-> {HKLM...CLSID} = WinRAR
\InProcServer32\(Default) = C:\Programme\WinRAR\rarext.dll [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = {472083B0-C522-11CF-8763-00608CC02F24}
-> {HKLM...CLSID} = avast
\InProcServer32\(Default) = C:\Programme\Alwil Software\Avast4\ashShell.dll [ALWIL Software]
WinRAR\(Default) = {B41DB860-8EE4-11D2-9906-E49FADC173CA}
-> {HKLM...CLSID} = WinRAR
\InProcServer32\(Default) = C:\Programme\WinRAR\rarext.dll [null data]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
NoDispBackgroundPage = (REG_DWORD) dword:0x00000000
{Hide Desktop tab}
NoDispScrSavPage = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
shutdownwithoutlogon = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
undockwithoutlogon = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
Wallpaper = C:\WINDOWS\system32\config\systemprofile\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
Wallpaper = C:\Dokumente und Einstellungen\Klaus\Lokale Einstellungen\Anwendungsdaten\Microsoft\Wallpaper1.bmp
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
SCRNSAVE.EXE = C:\WINDOWS\System32\blphc1gnj0e12n.scr [file not found]
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
CDBurnerXP\
Provider = CDBurnerXP
InvokeProgID = CDBurnerXPOpen
InvokeVerb = open
HKLM\SOFTWARE\Classes\CDBurnerXPOpen\shell\open\command\(Default) = C:\CDBurnerXP\cdbxpp.exe [null data]
iTunesBurnCDOnArrival\
Provider = iTunes
InvokeProgID = iTunes.BurnCD
InvokeVerb = burn
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = C:\Programme\iTunes\iTunes.exe /AutoPlayBurn %L [Apple Computer, Inc.]
iTunesImportSongsOnArrival\
Provider = iTunes
InvokeProgID = iTunes.ImportSongsOnCD
InvokeVerb = import
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = C:\Programme\iTunes\iTunes.exe /AutoPlayImportSongs %L [Apple Computer, Inc.]
iTunesPlaySongsOnArrival\
Provider = iTunes
InvokeProgID = iTunes.PlaySongsOnCD
InvokeVerb = play
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = C:\Programme\iTunes\iTunes.exe /playCD %L [Apple Computer, Inc.]
iTunesShowSongsOnArrival\
Provider = iTunes
InvokeProgID = iTunes.ShowSongsOnCD
InvokeVerb = showsongs
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = C:\Programme\iTunes\iTunes.exe /AutoPlayShowSongs %L [Apple Computer, Inc.]
MSVideoCameraArrival\
Provider = @C:\Programme\Movie Maker\1031\wmm2res.dll,-100
ProgID = Shell.HWEventHandlerShellExecute
InitCmdLine = C:\Programme\Movie Maker\moviemk.exe /RECORD
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
-> {HKLM...CLSID} = ShellExecute HW Event Handler
\LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]
NeroAutoPlay7CDAudio\
Provider = Nero SoundTrax
InvokeProgID = Nero.AutoPlay3
InvokeVerb = HandleCDBurningOnArrival_CDAudio
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = C:\Programme\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe / [file not found]
NeroAutoPlay7CopyCD\
Provider = Nero Burning ROM
InvokeProgID = Nero.AutoPlay3
InvokeVerb = PlayMusicFilesOnArrival_CopyCD
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayMusicFilesOnArrival_CopyCD\command\(Default) = C:\Programme\Nero\Nero 7\Core\nero.exe /Dialog
iscCopy /Drive:%L [file not found]
NeroAutoPlay7PlayAudioCD\
Provider = Nero SoundTrax
InvokeProgID = Nero.AutoPlay3
InvokeVerb = PlayCDAudioOnArrival_PlayAudioCD
HKLM\SOFTWARE\Classes\Nero.AutoPlay3\shell\PlayCDAudioOnArrival_PlayAudioCD\command\(Default) = C:\Programme\Nero\Nero 7\Nero SoundTrax\SoundTrax.exe /Play /Drive:%L [file not found]
PDVDPlayDVDMovieOnArrival\
Provider = PowerDVD
InvokeProgID = DVD
InvokeVerb = PlayWithPowerDVD
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = C:\Programme\Home Cinema\PowerDVD\PowerDVD.exe %L [CyberLink Corp.]
PPDCameraArrival\
Provider = PowerProducer
InvokeProgID = Picture
InvokeVerb = OpenWithPowerProducer
HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = C:\Programme\Home Cinema\PowerProducer\Producer.exe [Cyberlink]
PPDVArrival\
Provider = PowerProducer
ProgID = Shell.HWEventHandlerShellExecute
InitCmdLine = C:\Programme\Home Cinema\PowerProducer\Producer.exe
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}
-> {HKLM...CLSID} = ShellExecute HW Event Handler
\LocalServer32\(Default) = rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7} [MS]
VLCPlayCDAudioOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.CDAudio
InvokeVerb = play
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1 [VideoLAN Team]
VLCPlayDVDMovieOnArrival\
Provider = VideoLAN VLC media player
InvokeProgID = VLC.DVDMovie
InvokeVerb = play
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1 [VideoLAN Team]
Enabled Scheduled Tasks:
------------------------
EasyShare Registration RunOnce Task -> launches: C:\WINDOWS\System32\rundll32.exe C:\DOKUME~1\ALLUSE~1\ANWEND~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.5.30.2.sxt _RegistrationOfferSilence@16 [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000002\LibraryPath = %SystemRoot%\System32\winrnr.dll [MS]
000000000003\LibraryPath = %SystemRoot%\System32\mswsock.dll [MS]
000000000004\LibraryPath = %SystemRoot%\System32\nwprovau.dll [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69}
-> {HKLM...CLSID} = GMX Toolbar
\InProcServer32\(Default) = C:\Programme\GMX\GMX Toolbar\toolbar.dll [GMX GmbH]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
{2D1DDD38-CE4D-459B-A01C-F11BC92D5B69} = (no title provided)
-> {HKLM...CLSID} = GMX Toolbar
\InProcServer32\(Default) = C:\Programme\GMX\GMX Toolbar\toolbar.dll [GMX GmbH]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
MenuText = @xpsp3res.dll,-20001
Exec = %windir%\Network Diagnostic\xpnetdiag.exe [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
ButtonText = Messenger
MenuText = Windows Messenger
Exec = C:\Programme\Messenger\msmsgs.exe [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to Reset Web Settings)
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.t-online.de
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
avast! Antivirus, avast! Antivirus, C:\Programme\Alwil Software\Avast4\ashServ.exe [ALWIL Software]
avast! iAVS4 Control Service, aswUpdSv, C:\Programme\Alwil Software\Avast4\aswUpdSv.exe [ALWIL Software]
avast! Mail Scanner, avast! Mail Scanner, C:\Programme\Alwil Software\Avast4\ashMaiSv.exe /service [ALWIL Software]
avast! Web Scanner, avast! Web Scanner, C:\Programme\Alwil Software\Avast4\ashWebSv.exe /service [ALWIL Software]
BrSplService, Brother XP spl Service, C:\WINDOWS\System32\brsvc01a.exe [brother Industries Ltd]
C-DillaCdaC11BA, C-DillaCdaC11BA, C:\WINDOWS\System32\drivers\CDAC11BA.EXE [Macrovision]
Ereignisprotokoll-Überwachung, LogWatch, C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe [Computer Associates]
NMSAccessU, NMSAccessU, C:\CDBurnerXP\NMSAccessU.exe [null data]
T-Online WLAN Adapter Steuerungsdienst, MZCCntrl, C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe [T-Online International AG, Marmiko IT-Solutions GmbH]
WAN Miniport (ATW) Service, WANMiniportService, C:\WINDOWS\wanmpsvc.exe [America Online, Inc.]
Windows User Mode Driver Framework, UMWdf, C:\WINDOWS\System32\wdfmgr.exe [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor i450\Driver = CNMLM4w.DLL [CANON INC.]
Canon BJ Language Monitor S520\Driver = CNMLM3m.DLL [CANON INC.]
Microsoft Shared Fax Monitor\Driver = FXSMON.DLL [MS]
---------- (launch time: 2008-08-29 15:38:50)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer No at the
first message box and Yes at the second message box.
---------- (total run time: 160 seconds, including 18 seconds for message boxes)
Regards, Blacky
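An added example, not part of the thread and not Silent Runners' own code: a small Python triage helper that reads lines in the Silent Runners format posted above and lists the launch-point entries a responder would look at first (Run entries pointing into a Temp directory, Winlogon\Notify entries that load a .dat instead of a .dll, missing targets, entries without version info, random-looking file names). The sample lines are constructed from the log above; the checks and the "random name" pattern are my own heuristics, not rules from the tool.

```python
import re
# Constructed sample in the shape of the Silent Runners log above (entries copied from it).
SAMPLE_LOG = r"""HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
A00F13E4A6C.exe = C:\DOKUME~1\Klaus\LOKALE~1\Temp\_A00F13E4A6C.exe [file not found]
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> 2c10ed01382\DLLName = C:\WINDOWS\System32\__c003BD0B.dat [Avira GmbH]
<<!>> dimsntfy\DLLName = C:\WINDOWS\System32\dimsntfy.dll [MS]
<<!>> __c00FEF62\DLLName = C:\WINDOWS\System32\__c00FEF62.dat [null data]
HKCU\Control Panel\Desktop\
SCRNSAVE.EXE = C:\WINDOWS\System32\blphc1gnj0e12n.scr [file not found]
"""
ENTRY_RE = re.compile(r"^(?:<<!>>\s*)?[^=]+?\s*=\s*(?P<value>.*)$")
# Heuristic only: "__c" + hex, or a long hex/alphanumeric run, looks machine-generated.
RANDOM_NAME_RE = re.compile(r"^_{0,2}c?[0-9A-F]{6,}$|^[a-z0-9]{12,}$", re.I)
MARK = "marked <<!>> by Silent Runners"

def target_stem(value: str) -> str:
    """'C:\\X\\foo.scr [file not found]' -> 'foo' (basename before the [vendor] tag)."""
    return value.split(" [")[0].strip().split("\\")[-1].rsplit(".", 1)[0]

# Each check sees (entry line, enclosing registry key, value) and contributes one reason.
CHECKS = [
    (lambda ln, key, v: ln.startswith("<<!>>"), MARK),
    (lambda ln, key, v: re.search(r"\\temp\\", v, re.I), "launches from a Temp directory"),
    (lambda ln, key, v: "Winlogon\\Notify" in key and not re.search(r"\.dll\b", v, re.I),
     "non-.dll file registered as a Winlogon notify DLL"),
    (lambda ln, key, v: "[null data]" in v, "no version/company information"),
    (lambda ln, key, v: "[file not found]" in v, "target file missing (removed or self-deleting)"),
    (lambda ln, key, v: RANDOM_NAME_RE.match(target_stem(v)), "random-looking file name"),
]

def triage(log_text: str) -> list:
    """Return launch-point entries worth a second look, each with its reasons."""
    hits, current_key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(("HKLM\\", "HKCU\\")) and " = " not in line:  # key header
            current_key = line.replace(" {++}", "")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        reasons = [why for check, why in CHECKS if check(line, current_key, value)]
        # [MS] is only the tool's version-info lookup, but it is enough to drop an entry
        # whose sole flag is the <<!>> marker that every Winlogon\Notify entry carries.
        if reasons and not (reasons == [MARK] and value.endswith("[MS]")):
            hits.append({"key": current_key, "entry": line, "reasons": reasons})
    return hits
```

Run against the sample it reports the Temp-launched Run entry, the two .dat notify DLLs and the odd screensaver, and skips ctfmon.exe and dimsntfy.dll.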