Logi

[niunka]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:54:48, on 23.07.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
D:\Programme\Norton Ghost\Agent\VProSvc.exe
D:\Programme\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\explorer.exe
D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\System32\svchost.exe
D:\Programme\Mozilla Firefox\firefox.exe
D:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [amd_dc_opt] "D:\Programme\AMD\amd_dc_opt\amd_dc_opt.exe"
O4 - HKLM\..\Run: [AVP] "D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: Hinzufügen zu Anti-Banner - D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: Statistik für den Schutz des Web-Datenverkehrs - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BC34B18-0946-44F9-A653-2A00688EBF8E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BC34B18-0946-44F9-A653-2A00688EBF8E}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2BC34B18-0946-44F9-A653-2A00688EBF8E}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Unknown owner - D:\Programme\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod-Dienst (iPod Service) - Unknown owner - D:\Programme\iPod\bin\iPodService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Ghost - Symantec Corporation - D:\Programme\Norton Ghost\Agent\VProSvc.exe
O23 - Service: SymSnapService - Symantec - D:\Programme\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: Windows Media Player-Netzwerkfreigabedienst (WMPNetworkSvc) - Unknown owner - C:\Programme\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 5079 bytes




"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"amd_dc_opt" = ""D:\Programme\AMD\amd_dc_opt\amd_dc_opt.exe"" [null data]
"AVP" = ""D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"" ["Kaspersky Lab"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
{HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "D:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\(Default) = "IEVkbdBHO"
{HKLM...CLSID} = "IEVkbdBHO Class"
\InProcServer32\(Default) = "D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
{HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" = "Microsoft Datenverknüpfung"
{HKLM...CLSID} = "Microsoft OLE DB Service Component Data Links"
\InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\System\Ole DB\oledb32.dll" [file not found]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
{HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "&Nach Personen..."
{HKLM...CLSID} = "&Nach Personen..."
\InProcServer32\(Default) = "C:\Programme\Outlook Express\wabfind.dll" [file not found]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "d:\Programme\WinRAR\rarext.dll" [null data]
"{544F5441-4C43-4D44-5550-5348454C4C00}" = "TCUP: Shell Extention"
{HKLM...CLSID} = "TCUP: Shell Extention"
\InProcServer32\(Default) = "D:\PROGRA~1\TCUP~1\PLUGINS\Library\TCUPSH~1.DLL" [null data]
"{67C63340-679B-11D2-92EE-000021474C19}" = "IrfanView Extensions"
{HKLM...CLSID} = "IrfanView Extensions"
\InProcServer32\(Default) = "D:\Programme\IrfanView\IVEX.dll" ["BAxBEx Software"]
"{731E006D-0C55-4C6F-ABF0-C98F268FD077}" = "APDFR Context Menu Shell Extension"
{HKLM...CLSID} = "APDFRCtxMenu Class"
\InProcServer32\(Default) = "D:\Programme\APDFR\APDFRSHL.dll" [empty string]
"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"
{HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "D:\Programme\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
{HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "D:\Programme\Unlocker\UnlockerCOM.dll" [null data]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statistik für den Schutz des Web-Datenverkehrs"
{HKLM...CLSID} = "Statistik für den Schutz des Web-Datenverkehrs"
\InProcServer32\(Default) = "D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
{HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshserviceobj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll" ["Kaspersky Lab"]
TCUPShellExt\(Default) = "{544F5441-4C43-4D44-5550-5348454C4C00}"
{HKLM...CLSID} = "TCUP: Shell Extention"
\InProcServer32\(Default) = "D:\PROGRA~1\TCUP~1\PLUGINS\Library\TCUPSH~1.DLL" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "d:\Programme\WinRAR\rarext.dll" [null data]
{67C63340-679B-11D2-92EE-000021474C19}\(Default) = "{67C63340-679B-11D2-92EE-000021474C19}"
{HKLM...CLSID} = "IrfanView Extensions"
\InProcServer32\(Default) = "D:\Programme\IrfanView\IVEX.dll" ["BAxBEx Software"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
TCUPShellExt\(Default) = "{544F5441-4C43-4D44-5550-5348454C4C00}"
{HKLM...CLSID} = "TCUP: Shell Extention"
\InProcServer32\(Default) = "D:\PROGRA~1\TCUP~1\PLUGINS\Library\TCUPSH~1.DLL" [null data]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
{HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "D:\Programme\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "d:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll" ["Kaspersky Lab"]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
{HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "D:\Programme\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
{HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "D:\Programme\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "d:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
{HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "D:\Programme\Unlocker\UnlockerCOM.dll" [null data]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSMHelp" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Help menu from Start Menu}

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ForceStartMenuLogoff" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDesktopCleanupWizard" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BridgeCS3ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "D:\Programme\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
{HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa2"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "D:\Programme\Picasa2\Picasa2.exe "%1"" ["Google Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "d:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "d:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "D:\Programme\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
{HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" launches: "D:\Programme\Apple Software Update\SoftwareUpdate.exe -task" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statistik für den Schutz des Web-Datenverkehrs"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statistik für den Schutz des Web-Datenverkehrs"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Kaspersky Internet Security, AVP, ""D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r" ["Kaspersky Lab"]
Norton Ghost, Norton Ghost, "D:\Programme\Norton Ghost\Agent\VProSvc.exe" ["Symantec Corporation"]
SymSnapService, SymSnapService, ""D:\Programme\Norton Ghost\Shared\Drivers\SymSnapService.exe"" ["Symantec"]


---------- (launch time: 2008-07-23 21:52:10)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 45 seconds.
---------- (total run time: 93 seconds)


ComboFix 08-07-22.4 - Blacky 2008-07-23 21:57:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.694 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Blacky\Desktop\ComboFix.exe

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM475e7263.xml

.
((((((((((((((((((((((( Dateien erstellt von 2008-06-23 bis 2008-07-23 ))))))))))))))))))))))))))))))
.

2008-07-23 21:18 . 2008-07-23 21:18 <DIR> d-------- D:\Programme\Kaspersky Lab
2008-07-23 21:18 . 2008-07-23 21:49 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-07-23 21:18 . 2008-07-23 21:53 526,880 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-23 21:18 . 2008-07-23 21:51 147,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-23 21:18 . 2008-07-23 21:18 96,645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-23 21:18 . 2008-07-23 21:18 87,941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-23 21:18 . 2008-07-23 21:52 7,292 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-23 21:18 . 2008-07-23 21:51 3,680 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-23 20:07 . 2008-07-23 20:07 354 ---hs---- C:\WINDOWS\system32\wwqxtkse.ini
2008-07-23 19:16 . 2008-07-23 19:58 1,006 ---hs---- C:\WINDOWS\system32\oxixqnqy.ini
2008-07-23 19:09 . 2008-07-23 19:12 706 ---hs---- C:\WINDOWS\system32\gmuymycv.ini
2008-07-23 16:54 . 2008-07-23 16:55 <DIR> d-------- D:\Programme\Unlocker
2008-07-23 10:23 . 2008-07-23 11:30 43,581 --ahs---- C:\WINDOWS\system32\yxtdavfs.ini
2008-07-22 15:18 . 2008-07-22 15:18 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\skypePM
2008-07-22 15:18 . 2008-07-22 15:18 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-07-22 15:16 . 2008-07-22 15:16 <DIR> d-------- D:\Programme\Skype
2008-07-22 15:16 . 2008-07-22 15:16 <DIR> d-------- D:\Programme\Gemeinsame Dateien\Skype
2008-07-22 15:16 . 2008-07-23 11:32 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\Skype
2008-07-22 15:16 . 2008-07-22 15:16 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype
2008-07-19 21:44 . 2008-07-19 21:44 <DIR> d-------- D:\Programme\Teamspeak2_RC2
2008-07-19 21:44 . 2008-07-19 21:44 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\teamspeak2
2008-07-19 21:44 . 2008-07-19 21:44 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-07-18 23:42 . 2008-07-18 23:42 <DIR> d-------- D:\Programme\AMD
2008-07-18 23:42 . 2006-06-27 14:24 31,744 --a------ C:\WINDOWS\system32\drivers\AmdTools.sys
2008-07-18 23:41 . 2008-07-18 23:41 <DIR> d-------- D:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-07-18 21:57 . 2008-07-18 21:57 <DIR> dr-h----- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\SecuROM
2008-07-18 21:57 . 2008-07-18 21:57 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-07-17 15:08 . 2008-07-17 15:08 271,360 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
2008-07-17 15:07 . 2008-07-17 15:08 18,048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
2008-07-17 14:20 . 2008-07-17 16:10 <DIR> d-------- D:\Programme\Gothic III
2008-07-17 08:41 . 2008-07-17 08:41 <DIR> d-------- D:\Programme\Gemeinsame Dateien\DirectX
2008-07-17 06:00 . 2008-07-17 06:00 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\InstallShield
2008-07-16 05:50 . 2008-07-16 05:50 <DIR> d-------- D:\Programme\Ubisoft
2008-07-12 22:40 . 2008-07-12 22:40 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-09 12:09 . 2008-07-09 12:09 <DIR> d-------- D:\Programme\Real Alternative
2008-07-09 12:08 . 2008-07-09 12:08 <DIR> d-------- D:\Programme\ffdshow
2008-07-09 12:08 . 2008-06-22 20:33 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
2008-07-09 12:08 . 2008-06-22 20:33 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2008-07-09 12:08 . 2008-06-22 20:33 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2008-07-09 12:05 . 2008-07-09 12:05 <DIR> d-------- D:\Programme\SubEdit-Player
2008-07-05 09:33 . 2008-07-05 09:33 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\AdobeUM
2008-07-05 09:29 . 2008-07-05 09:29 <DIR> d-------- C:\WINDOWS\Cache
2008-07-05 09:27 . 2008-07-05 09:27 <DIR> d-------- D:\Programme\Foxit Software
2008-07-04 20:18 . 2008-04-01 13:23 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-07-04 20:18 . 2008-04-01 13:23 118,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-07-04 19:15 . 2008-07-04 19:15 <DIR> d-------- D:\Programme\Gemeinsame Dateien\Macrovision Shared
2008-07-04 18:25 . 2008-07-04 19:25 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\FLEXnet
2008-07-04 11:47 . 2008-07-04 11:47 <DIR> d-------- D:\Programme\Trend Micro
2008-07-04 11:39 . 2008-07-04 11:39 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\Symantec
2008-07-04 11:35 . 2008-07-04 11:35 <DIR> d-------- D:\Programme\Symantec
2008-07-04 11:35 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2008-07-04 11:35 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2008-07-04 11:35 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2008-07-04 11:34 . 2008-07-04 11:34 <DIR> d-------- D:\Programme\Norton Ghost
2008-07-04 11:34 . 2008-07-04 11:35 <DIR> d-------- D:\Programme\Gemeinsame Dateien\Symantec Shared
2008-07-04 11:34 . 2008-07-04 11:37 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2008-07-04 11:34 . 2007-12-20 17:13 136,416 --a------ C:\WINDOWS\system32\drivers\symsnap.sys
2008-07-04 11:34 . 2008-01-19 20:12 128,104 --a------ C:\WINDOWS\system32\drivers\WimFltr.sys
2008-07-04 11:34 . 2008-01-19 19:45 38,112 --a------ C:\WINDOWS\system32\drivers\v2imount.sys
2008-07-04 11:34 . 2008-01-19 19:40 15,088 --a------ C:\WINDOWS\system32\drivers\vproeventmonitor.sys
2008-07-04 11:20 . 2008-07-04 11:23 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\Apple Computer
2008-07-04 11:19 . 2008-07-04 11:34 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-07-04 11:19 . 2008-07-04 11:20 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple Computer
2008-07-04 11:18 . 2008-07-23 13:28 <DIR> d-------- D:\Programme\Gemeinsame Dateien\Apple
2008-07-04 11:18 . 2008-07-04 11:18 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Apple
2008-07-04 09:57 . 2008-07-04 09:57 751 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-07-03 19:16 . 2008-07-05 09:32 <DIR> d-------- D:\Programme\Gemeinsame Dateien\Adobe
2008-07-03 19:13 . 2008-07-03 19:14 <DIR> d-------- D:\Programme\UltraISO
2008-07-03 19:13 . 2008-07-03 19:13 <DIR> d-------- D:\Programme\Gemeinsame Dateien\EZB Systems
2008-07-03 10:56 . 2008-07-15 04:00 <DIR> d-------- D:\Programme\eMule
2008-07-03 09:57 . 2008-07-03 09:57 <DIR> d-------- D:\Programme\APDFR
2008-07-03 09:40 . 2008-07-03 09:40 11,732 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-03 09:39 . 2008-07-03 09:39 <DIR> d-------- D:\Programme\Picasa2
2008-07-03 09:39 . 2008-07-03 09:39 <DIR> d-------- D:\Programme\Google
2008-07-03 09:07 . 2008-07-03 09:07 141 --a------ C:\WINDOWS\IVEx.ini
2008-07-03 09:00 . 2008-07-03 09:00 <DIR> d-------- D:\Programme\IrfanView
2008-06-29 14:21 . 2008-06-29 14:21 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator
2008-06-29 14:21 . 2008-06-29 14:21 230,400 --a------ C:\WINDOWS\system32\wmasf.dll
2008-06-29 11:58 . 2008-06-29 11:58 <DIR> d-------- D:\Programme\MozBackup
2008-06-29 11:44 . 2008-07-23 21:43 72,789 --a------ C:\WINDOWS\system32\oodbs.lor
2008-06-29 11:32 . 2008-06-29 11:32 0 --a------ C:\WINDOWS\oodcnt.INI
2008-06-29 11:12 . 2008-06-29 11:12 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-06-29 11:08 . 2008-06-29 11:08 <DIR> d-------- D:\Programme\OO Software
2008-06-28 11:35 . 2008-06-28 11:35 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\Gadu-Gadu
2008-06-28 09:30 . 2008-06-28 09:30 <DIR> d-------- D:\Programme\Gadu-Gadu
2008-06-28 09:30 . 2008-07-02 10:08 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Gadu-Gadu
2008-06-27 09:07 . 2008-06-27 09:09 <DIR> d-------- D:\Programme\Winamp
2008-06-27 09:07 . 2008-06-27 11:56 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\Winamp
2008-06-26 23:05 . 2008-06-26 23:37 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\Meine Die Schlacht um Mittelerde™ II-Dateien
2008-06-26 22:43 . 2008-06-26 22:43 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\My Battle for Middle-earth(tm) II Files
2008-06-25 18:21 . 2008-06-25 18:22 <DIR> d-------- D:\Programme\Hero Editor
2008-06-25 18:21 . 2008-06-25 18:21 249,856 --------- C:\WINDOWS\Setup1.exe
2008-06-25 18:21 . 2008-06-25 18:21 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-06-25 18:10 . 2008-06-25 21:47 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-25 17:46 . 2008-06-25 17:46 102,400 --a------ C:\WINDOWS\DIIUnin.exe
2008-06-25 17:46 . 2008-06-25 21:47 36,698 --a------ C:\WINDOWS\DIIUnin.dat
2008-06-25 17:46 . 2008-06-25 17:46 2,829 --a------ C:\WINDOWS\DIIUnin.pif
2008-06-25 17:04 . 2008-06-25 17:04 <DIR> d-------- D:\Programme\DAEMON Tools Lite
2008-06-25 17:02 . 2008-06-25 17:02 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\DAEMON Tools
2008-06-25 17:02 . 2008-06-25 17:02 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-25 17:02 . 2008-07-23 21:42 17,596 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000001-00000000-00000006-00001102-00000002-80651102}.rfx
2008-06-25 17:02 . 2008-07-23 21:42 17,596 --a------ C:\WINDOWS\system32\BMXState-{00000001-00000000-00000006-00001102-00000002-80651102}.rfx
2008-06-25 17:02 . 2008-07-23 21:42 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-06-25 17:02 . 2008-07-23 21:42 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-06-25 17:02 . 2008-07-23 21:42 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000001-00000000-00000006-00001102-00000002-80651102}.dat
2008-06-25 17:02 . 2008-07-23 21:42 24 --a------ C:\WINDOWS\system32\DVCState-{00000001-00000000-00000006-00001102-00000002-80651102}.dat
2008-06-25 16:50 . 2008-06-25 16:50 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\atitray
2008-06-25 16:45 . 2008-06-25 16:48 23 --a------ C:\WINDOWS\BlendSettings.ini
2008-06-25 16:40 . 2008-06-25 16:40 <DIR> d-------- C:\Dokumente und Einstellungen\Blacky\Anwendungsdaten\vlc
2008-06-25 16:39 . 2008-07-17 10:10 3,374,944 --a------ C:\WINDOWS\{00000001-00000000-00000006-00001102-00000002-80651102}.CDF
2008-06-25 16:39 . 2008-07-17 10:10 3,374,944 --a------ C:\WINDOWS\{00000001-00000000-00000006-00001102-00000002-80651102}.BAK
2008-06-25 16:38 . 2008-07-17 14:20 <DIR> d--h----- D:\Programme\InstallShield Installation Information
2008-06-25 16:37 . 2008-06-25 16:38 <DIR> d-------- D:\Programme\Creative
2008-06-25 16:37 . 1999-12-17 01:00 6,752 --------- C:\WINDOWS\system32\PFMODNT.SYS
2008-06-25 14:03 . 2008-06-25 14:03 <DIR> d-------- C:\Logs
2008-06-25 13:32 . 2008-06-25 13:32 <DIR> d-------- D:\Programme\Gemeinsame Dateien\Blizzard Entertainment
2008-06-24 14:42 . 2008-06-24 14:42 <DIR> d-------- D:\Programme\MSBuild
2008-06-24 14:42 . 2008-06-24 14:43 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-06-24 14:41 . 2008-06-24 14:41 <DIR> d-------- D:\Programme\Reference Assemblies
2008-06-24 14:41 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-24 14:39 . 2008-06-24 14:39 <DIR> d-------- D:\Programme\MSXML 6.0
2008-06-24 14:39 . 2006-10-16 16:10 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-06-24 14:33 . 2008-06-24 14:33 <DIR> d-------- C:\WINDOWS\PCHEALTH
2008-06-24 13:50 . 2008-06-24 13:51 <DIR> d-------- D:\Programme\jv16 PowerTools 2008
2008-06-24 13:47 . 2008-06-24 13:49 <DIR> d-------- D:\Programme\TC UP

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 04:00 --------- d-----w D:\Programme\Codemasters
2008-06-26 23:22 --------- d-----w D:\Programme\Electronic Arts
2008-06-23 21:58 472,576 ----a-w C:\WINDOWS\Radeon Omega Drivers v4.8.442 Uninstall.exe
2008-05-30 12:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 12:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 12:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 12:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 12:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 12:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 12:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-04-25 16:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="D:\Programme\AMD\amd_dc_opt\amd_dc_opt.exe" [2006-06-28 15:42 106496]
"AVP"="D:\Programme\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 18:21 201992]
"AtiPTA"="atiptaxx.exe" [2006-02-22 03:05 344064 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDesktopCleanupWizard"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-03 20:57 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 11:39 486856 D:\Programme\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a------ 2001-11-29 01:00 28672 D:\Programme\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 14.0]
--a------ 2008-01-19 20:01 2245984 D:\Programme\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 02:08 2512392 C:\WINDOWS\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2008-02-26 03:23 443968 D:\Programme\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2008-05-30 15:54 21718312 D:\Programme\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-r------- 2006-06-20 23:42 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a------ 2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"O&O Defrag"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"D:\\Programme\\Electronic Arts\\Die Schlacht um Mittelerde II\\game.dat"=
"D:\\Programme\\eMule\\emule.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R1 atitray;atitray;D:\Programme\Radeon Omega Drivers\v4.8.442\ATI Tray Tools\atitray.sys [2007-11-05 09:55]
R1 VD_FileDisk;VD_FileDisk;C:\WINDOWS\system32\drivers\VD_FileDisk.sys [2006-01-13 15:00]
R3 AmdTools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys [2006-06-27 14:24]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 SymSnapService;SymSnapService;D:\Programme\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 17:13]

*Newly Created Service* - HELPSVC
*Newly Created Service* - WUAUSERV
.
Inhalt des "geplante Tasks" Ordners
"2008-07-04 09:19:42 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Programme\Apple Software Update\SoftwareUpdate.exe
.
.
------- Zusätzlicher Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O17 -: HKLM\CCS\Interface\{2BC34B18-0946-44F9-A653-2A00688EBF8E}: NameServer = 192.168.0.1


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-23 21:57:44
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-07-23 21:58:08
ComboFix-quarantined-files.txt 2008-07-23 19:58:02
ComboFix2.txt 2008-07-23 19:46:28

Pre-Run: 6,817,394,688 Bytes frei
Post-Run: 6,808,264,704 Bytes frei

245

[huber2t]

fix w hijackthis

O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)

Pobierz ComboFix, ale nie uruchamiaj
Otwórz notatnik i wklej do niego:

Kod: Zaznacz wszystko

File::
C:\WINDOWS\system32\wwqxtkse.ini
C:\WINDOWS\system32\oxixqnqy.ini
C:\WINDOWS\system32\gmuymycv.ini
C:\WINDOWS\system32\yxtdavfs.ini

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-


Plik zapisz jako CFScript.txt.
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Rozpocznie się usuwanie i powstanie log, który dasz na forum.

Logi dajesz na http://www.wklej.eu/ lub na http://wklej.org a w poście dajesz tylko link

[niunka]

Logi dajesz na wklejto lub na http://wklej.org a w poście dajesz tylko link

Dlacze chcesz zeby logi wklejac na te strony ?

Link http://wklejto.pl/6548

File::
C:\WINDOWS\system32\wwqxtkse.ini
C:\WINDOWS\system32\oxixqnqy.ini
C:\WINDOWS\system32\gmuymycv.ini
C:\WINDOWS\system32\yxtdavfs.ini

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-

Co to za wpisy , bo nic o tym nie znalazlam i co ta za kluch ?
Jedyne co znalazlam to wszedziie jest zeby to usunac,ale co to jest nigdzie nic nie ma

[huber2t]

Lepiej jest mi logi sprawdzać

Log wyglada na czysty

usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.

Przeczyść komputer Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum

lub

Dr.WEB CureIt!

[niunka]

Lepiej jest mi logi sprawdzać

Log wyglada na czysty

usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.

Przeczyść komputer Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum

lub

Dr.WEB CureIt!

huber2t to nie jest moj komp
Ccleaner nigdy nie uzywam bo mi sie nie podoba,znacznie lepszy moim zdaniem jest JV16 PT
Co do optymalizacji itd to jest wszystko top,bo instalka windy robiona byla przezemnie.
Co do logow to nie musialam nic robic,bo moglam nadpisac obraz z ghosta,bardziej mi chodzilo co to za smieci.

[huber2t]

pozostałości po infekcji Vundo mialaś

[niunka]

pozostałości po infekcji Vundo mialaś

Pozostalosci ?
Vundo jak dla mnie to wyglada znacznie inaczej ,pozatym scanowalam Prevx CSI. i tez nic nie znalazl.
Jedyne co sie dzialo to byly dziwne zawieszania sie FF i to tylko przez to chcialam sprawdzic logi.

[huber2t]

Ten plik był na dysku:
C:\WINDOWS\system32\yxtdavfs.ini


A do reszty były powiązania z rejestru któe pousuwałem i dla pewności wsadziłem te pliki do skryptu

Sory to nie w rejestrze tylko w logu byli te pliki

[niunka]

Dobra to jeszcze jedno,co to jest w autostarcie?

Kod: Zaznacz wszystko

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

[huber2t]

to mozna zfixowac ale tego nei zrobiłem, bo mniało niby to naprawić

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"=-

Ale jeśli jeszcze w hijackthis to masz to możesz śmaiło fixować

To sa zbędniki

[niunka]

to mozna zfixowac ale tego nei zrobiłem, bo mniało niby to naprawić
To sa zbędniki

Zapytam jeszcze raz, wiesz co to jest od czego sa te wpisy ?

[huber2t]

nie wiem, w każdym badź razie nie sa to bezpieczne rzeczy

[niunka]

nie wiem, w każdym badź razie nie sa to bezpieczne rzeczy

Chyba jednak nic zlego to nie jest.Zaraz po zainstalowaniu systemu i sprawdzeniu loga loga sa te wpisy.
A od czego , od nLite podczas tworzenia instalki windows zmian konfiguracyjnych poprostu tak wyszlo.
Musze tylko dosc za co jest to odpowiedzialne

[huber2t]

Ja tak jak powiedziałem, nie jestem pewien od czego to jest ale postaram się dowiedzieć



EDIT::

Dowiedziałem się od kolegi że to jest od Windowsa instalowanego przez nlite