Page 2 of 3 (results 11 to 20 of 25)

Thread: Malware?

  1. #11
    Forum user dogbreath
    Registered since 05.02.2005
    Posts: 46

    Re: Malware?

    Hi Ruby, I've had a reply from raman.

    Hi!

    dogbreath wrote:
    >
    > Potential nasty enclosed.


    Yes, definitely. These scanners already know it; I'm sending it to the others:

    BitDefender Backdoor.Sualimpo.A
    eSafe Trojan/Worm
    Fortinet BDoor.CVT!bdr
    Ikarus Backdoor.Win32.Hupigon.BV
    Trend Micro PAK_Generic.001


    Regards, Ralf

  2. #12
    Supermod (ret.) Ruby
    Registered since 25.01.2005
    Location: The Netherlands
    Posts: 20,038

    Re: Malware?

    Hi Dogbreath
    ... and thank you very much @ Raman

    @ Dogbreath

    Please download a free version of BitDefender and
    update it online.
    Go offline and scan your system in Safe Mode.
    Make BitDefender delete everything it finds.
    Save the BitDefender logfile.

    -> Copy the content of the BitDefender log to your thread. Thanks.

  3. #13
    Forum user dogbreath
    Registered since 05.02.2005
    Posts: 46

    Re: Malware?

    Hi Ruby.

    The link to Bitdefender doesn't work, so I downloaded the free v8 elsewhere. I installed it and updated the definitions and all seemed well. However, it would not run in safe mode.

    I ran it in standard mode and it detected only one item, the winhab32.dll file which you were concerned about. When Bitdefender tried to move the .dll file, PrevX tried to prevent this because 'winhab32.dll is a protected file'. On suspending PrevX, Bitdefender successfully moved the offending .dll.

    The log is appended below:-


    //-----------------------------------------------------------------
    //
    // Product: BitDefender 8 Free Edition
    // Version: 8.0
    //
    // Created on: 16/04/2006 16:34:14
    //
    //-----------------------------------------------------------------


    Statistics

    Scan path : C:\
    Folders : 5389
    Files : 423578
    Archives : 9472
    Packed files : 35361
    Identified viruses : 1
    Infected files : 1
    Warnings : 0
    Suspect files : 0
    Disinfected files : 0
    Deleted files : 0
    Copied files : 0
    Moved files : 1
    Renamed files : 0
    I/O errors : 34
    Scan time : 01:02:20
    Scan speed (files/sec) : 113

    Virus definitions : 370090
    Scan plugins : 13
    Archive plugins : 39
    Unpack plugins : 4
    Mail plugins : 6
    System plugins : 1

    Scan options

    Detection
    [X] Scan boot sectors
    [X] Scan archives
    [X] Scan packed files
    [X] Scan email

    File mask
    [ ] Programs
    [X] All files
    [ ] User defined extensions:
    [ ] Exclude extensions: ;

    Action

    Infected objects
    [ ] Ignore
    [X] Disinfect
    [ ] Delete
    [ ] Copy to quarantine
    [ ] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Second action
    [ ] Ignore
    [ ] Delete
    [ ] Copy to quarantine
    [X] Move to quarantine
    [ ] Rename
    [ ] Prompt user

    Scan options
    [X] Enable warnings
    [X] Enable heuristics
    [ ] Show all files in log
    [X] Report file: vscan.log
    [ ] Append to existing report

    Summary:

    C:\WINDOWS\system32\winhab32.dll Infected Backdoor.Sualimpo.A
    C:\WINDOWS\system32\winhab32.dll Disinfection failed
    C:\WINDOWS\system32\winhab32.dll Moved

    Incidentally, I ran RootkitRevealer this afternoon. It picked up a couple of items, one being HKLM\SYSTEM\Control Set001\Services\sptd\Cfg. Later, when I was rebooting between safe mode and standard, PrevX flagged up an attempt by the file to survive a reboot attempt! I denied the attempt, but it occurs to me that this is a bit iffy.

    Any thoughts on this??

    Regards,

    db.

  4. #14
    Forum user dogbreath
    Registered since 05.02.2005
    Posts: 46

    Re: Malware?

    Hi Ruby.

    Just had an afterthought.

    Although I am aware that the general rule is not to have two AV progs running in tandem, Bitdefender and Avast are both apparently running in harmony with no perceived loss in PC performance.

    Should I leave this as it is or should I ditch one of them??

    Your advice, as always, is very welcome.

    Regards.

    db.

  5. #15
    Supermod (ret.) Ruby
    Registered since 25.01.2005
    Location: The Netherlands
    Posts: 20,038

    Re: Malware?

    Hello Dogbreath

    Great that you suspended PrevX. Wonderful!

    Well - BitDefender has got this bad file. Now you need to clean up the Quarantine folder of BitDefender. This free version of BitDefender doesn't have an on-access scanner, so it's ok: you may run both programs if you like. May I please see another new HijackThis log and a Silent Runners log?

    Download Silent Runners.
    Run it, have it save a logfile and post it.

    I wish you a wonderful evening.

  6. #16
    Forum user dogbreath
    Registered since 05.02.2005
    Posts: 46

    Re: Malware?

    Hi Ruby.

    Thank you again for your valuable advice.

    HijackThis Log

    Logfile of HijackThis v1.99.1
    Scan saved at 20:37:30, on 16/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Prevx Home\PXAgent.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Prevx Home\SAGUI.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Softwin\BitDefender8\bdmcon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Softwin\BitDefender8\bdnagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\HJT and ServiceFilter\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - blank (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\Prevx Home\SAGUI.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
    O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1122574713812
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


    Silent Runners Log

    "Silent Runners.vbs", revision 44, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PC Tools Research Pty Ltd"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "IntelliPoint" = ""C:\Program Files\Microsoft IntelliPoint\point32.exe"" [MS]
    "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
    "Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
    "PrevxHome" = "C:\Program Files\Prevx Home\SAGUI.exe" ["Prevx Ltd."]
    "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
    "BDMCon" = ""C:\Program Files\Softwin\BitDefender8\bdmcon.exe"" ["SOFTWIN S.R.L."]
    "BDNewsAgent" = ""C:\Program Files\Softwin\BitDefender8\bdnagent.exe"" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
    \InProcServer32\(Default) = "blank" [file not found]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "PCTools Site Guard"
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll" ["PC Tools"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "PCTools Browser Monitor"
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["PC Tools"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Explorer"
    -> {HKLM...CLSID} = "NOMAD Explorer"
    \InProcServer32\(Default) = "C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL" ["Creative Technology Ltd"]
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
    -> {HKLM...CLSID} = "Universal Plug and Play Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {HKLM...CLSID} = "DesktopContext Class"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {HKLM...CLSID} = "nView Desktop Context Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{20082881-FC36-4E47-9A7A-644C95FF749F}" = "IntelliPoint Wireless Control Panel Property Page"
    -> {HKLM...CLSID} = "Wireless Property Page"
    \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwir.dll"" [MS]
    "{AF90F543-6A3A-4C1B-8B16-ECEC073E69BE}" = "IntelliPoint Wheel Control Panel Property Page"
    -> {HKLM...CLSID} = "Wheel Property Page"
    \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplwhl.dll"" [MS]
    "{653DCCC2-13DB-45B2-A389-427885776CFE}" = "IntelliPoint Activities Control Panel Property Page"
    -> {HKLM...CLSID} = "Activities Property Page"
    \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplact.dll"" [MS]
    "{124597D8-850A-41AE-849C-017A4FA99CA2}" = "IntelliPoint Buttons Control Panel Property Page"
    -> {HKLM...CLSID} = "Buttons Property Page"
    \InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliPoint\ipcplbtn.dll"" [MS]
    "{59F96530-871E-11D3-BD55-00A0C9A341EC}" = "Registry"
    -> {HKLM...CLSID} = "Registry"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\regxplor.dll" [empty string]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {HKLM...CLSID} = "Portable Media Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
    -> {HKLM...CLSID} = "avast"
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    "{58670320-13EC-11D0-BF8E-F7B4D9CD8E4A}" = "Folder Size Shell Extension v3.2"
    -> {HKLM...CLSID} = "Folder Size Shell Extension v3.2"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\dfolder.dll" ["Orium Software"]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {HKLM...CLSID} = "Shell Search Band"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
    "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
    -> {HKLM...CLSID} = "UnlockerShellExtension"
    \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
    "{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}" = "ImageShack QuickLoad Image Uploader"
    -> {HKLM...CLSID} = "QuickLoad.QuickLoadContextMenu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.DLL" [MS]
    "{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}" = "Context Menu Shell Extension"
    -> {HKLM...CLSID} = "Context Menu Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\TAGREN~1\TRshell.dll" ["Softpointer Inc"]
    "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}" = "BitDefender Antivirus v8"
    -> {HKLM...CLSID} = "BitDefender Antivirus v8"
    \InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {HKLM...CLSID} = "avast"
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
    -> {HKLM...CLSID} = "BitDefender Antivirus v8"
    \InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {HKLM...CLSID} = "Ctest Object"
    \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
    moveonboot_delete\(Default) = "{12B23346-6BD8-4812-BF8C-75E7C386ACB8}"
    -> {HKLM...CLSID} = "MoveOnBootBootPopupMenuShlExt Class"
    \InProcServer32\(Default) = "C:\Program Files\GiPo@Utilities\GiPo@MoveOnBoot\mboot.dll" ["Gibin Software House (http://www.gibinsoft.net)"]
    PowerDesk Menu\(Default) = "{26E7F081-EB97-11d3-9239-006008D2D00F}"
    -> {HKLM...CLSID} = "PowerDesk ZIP Extension"
    \InProcServer32\(Default) = "C:\Program Files\VCOM\PowerDesk\pdshext.dll" ["V Communications, Inc."]
    QuickLoad\(Default) = "{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}"
    -> {HKLM...CLSID} = "QuickLoad.QuickLoadContextMenu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.DLL" [MS]
    TagRename_ContextMenu\(Default) = "{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}"
    -> {HKLM...CLSID} = "Context Menu Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\TAGREN~1\TRshell.dll" ["Softpointer Inc"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {HKLM...CLSID} = "Ctest Object"
    \InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
    PowerDesk Menu\(Default) = "{26E7F081-EB97-11d3-9239-006008D2D00F}"
    -> {HKLM...CLSID} = "PowerDesk ZIP Extension"
    \InProcServer32\(Default) = "C:\Program Files\VCOM\PowerDesk\pdshext.dll" ["V Communications, Inc."]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
    -> {HKLM...CLSID} = "avast"
    \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
    BitDefender Antivirus v8\(Default) = "{D653647D-D607-4DF6-A5B8-48D2BA195F7B}"
    -> {HKLM...CLSID} = "BitDefender Antivirus v8"
    \InProcServer32\(Default) = "C:\Program Files\Softwin\BitDefender8\bdshelxt.dll" ["SOFTWIN S.R.L."]
    TagRename_ContextMenu\(Default) = "{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}"
    -> {HKLM...CLSID} = "Context Menu Shell Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\TAGREN~1\TRshell.dll" ["Softpointer Inc"]
    UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
    -> {HKLM...CLSID} = "UnlockerShellExtension"
    \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
    -> {HKLM...CLSID} = "WinRAR"
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Steve\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Enabled Screen Saver:
    ---------------------

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Enabled Scheduled Tasks:
    ------------------------

    "Auto Cleanup" -> launches: "C:\WINDOWS\system32\cleanmgr.exe" [MS]
    "XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" ["ParetoLogic Inc."]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

    {2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
    "ButtonText" = "Spyware Doctor"
    "CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
    -> {HKLM...CLSID} = "PCTools Browser Monitor"
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["PC Tools"]


    Internet Explorer Address Prefixes:
    -----------------------------------

    Prefix for specific service (i.e., "www")

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
    HIJACK WARNING! "HKEY_" = "reg://"
    HIJACK WARNING! "HKLM" = "reg://"
    HIJACK WARNING! "HKCR" = "reg://"
    HIJACK WARNING! "HKCU" = "reg://"
    HIJACK WARNING! "HKCC" = "reg://"
    HIJACK WARNING! "HKPD" = "reg://"
    HIJACK WARNING! "HKDD" = "reg://"


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
    avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
    avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
    avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
    avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
    BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]
    BitDefender Scan Server, bdss, ""C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]
    Diskeeper, Diskeeper, ""C:\Program Files\Executive Software\DiskeeperLite\DKService.exe"" ["Executive Software International, Inc."]
    ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
    HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
    PC Tools Spyware Doctor, SDhelper, "C:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]
    Prevx Agent, PrevxAgent, ""C:\Program Files\Prevx Home\PXAgent.exe" -f" ["Prevx Ltd."]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
    hpzlnt05\Driver = "hpzlnt05.dll" ["HP"]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
    PDFCreator\Driver = "pdfcmnnt.dll" [null data]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    ---------- (total run time: 105 seconds, including 18 seconds for message boxes)

    Again, many thanks.

    Hoping that you have a great evening too.

    Regards,

    db.

  7. #17
    Supermod (ret.) Ruby
    Registered since 25.01.2005
    Location: The Netherlands
    Posts: 20,038

    Re: Malware?

    Hi Dogbreath

    Here you go...

    1
    Make sure you set Windows to show hidden files and folders.

    2
    Download and Instructions of Use

    A. Download
    Ad-Aware SE
    Install and update it.

    B.
    Spybot Search & Destroy -> update it

    C. Download
    CWShredder.

    D. Download
    about:Buster,
    unzip to C:\aboutbuster, run it, and then:

    1. Click "Update".
    2. Click "Check For Update"
    (If no new version is available, skip that.)
    3. Click "Download Update", and wait for it to be installed.

    E. Download
    Disk Cleaner

    F. Download
    RegSeeker 1.45

    Don't use the programs now.

    3
    Disconnect from the Internet.

    4
    Switch to Safe Mode. Stay in Safe Mode until you read that you may return to normal mode!

    Code:
    5
    Close down all windows including Internet Explorer.
    Run Hijackthis, click scan, and put a checkmark next to each of these items.
    Then click the Fix Checked button:
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - blank (file missing)
    
    Click on Fix Checked and exit HijackThis.
    
    6
    Stay in safe mode
    run Ad-Aware SE (Adaware SE 1.05 Tutorial)
    Take a full system scan.
    Delete the content of all Ad-aware SE folders and the Quarantine box when the scan is finished.
    Safe the logfile.
    
    7
    Stay in safe mode
    Run Spybot Search & Destroy once more
    Turn on Advanced Mode. Go to "Tools" and put a checkmark into the box of ActiveX.
    Scan your system with a Full System Scan. Let Spybot Search & Setroy delete everything it finds.
    Take the immunication for your system.
    
    8
    Stay in safe mode
    Run CWShredder
    press the *fix,* not the scan button
    allow it to clean the infection.
    Close all browser and explorer windows before hitting the fix button.
    
    9
    Stay in safe mode
    Run about:Buster
    4. Click "Start".
    (Wait for the initial ADS scan to complete.)
    5. Save the logfile.
    6. Click "Exit".
    
    10
    Reboot your system into normal mode.
    
    11
    Run the Disk Cleaner
    Have a look at the screenshot.
    Set a checkmark to every item you want to clean.
    Temporary Internet Files and Temporary System Files, Cache, History and Prefetch must be cleaned.
    Clean as many folders as you can.
    
    12
     Empty your "Recycle Bin"
    Go to START > run and type: cleanmgr and click ok.
    Let it scan your system for files to remove.
    
    13
    Run RegSeeker
    Allow the program to delete all it finds.
    
    14
    Run a Full System Scan with Panda ActiveScan.
    It will last 2-3 hours. You will have to allow ActiveX.
    Save the logfile.
    Reboot the system when the scan is finished.
    
    15
    Then configure IE with these settings.
    
    16
    Turn off System Restore. 
    Right-click My Computer. 
    Click Properties. 
    Click the System Restore tab. 
    Check Turn off System Restore. 
    Click Apply, and then click OK. Reboot. 
    Turn System Restore Back On. 
    Right-click My Computer. 
    Click Properties. 
    Click the System Restore tab. 
    UN-Check *Turn off System Restore*. 
    Click Apply, and then click OK. Reboot.
    
    17
    Run HijackThis once more.
    Have it save a new Logfile.
    -> Post the Ad Aware SE Logfile
    -> Post the About:Buster Logfile
    -> Post the Panda ActiveScan Logfile
    -> Please post the new HJT-Logfile.

  8. #18
    dogbreath (Forum user; registered since 05.02.2005; posts: 46)

    Re: Malware?

    Hi Ruby, you're a gem...if you'll pardon the pun. There's a lot to do there and I will set about it tomorrow. I'm going to get some sleep now...you're working me far too hard!!! Sleep tight and I'll speak to you tomorrow.

    Cheers!

    db.

  9. #19
    Ruby (Supermod, retired; registered since 25.01.2005; location: The Netherlands; posts: 20,038)

    Re: Malware?

    Have a good night @ Doggi
    See you tomorrow

  10. #20
    dogbreath (Forum user; registered since 05.02.2005; posts: 46)

    Re: Malware?

    Hi Ruby.

    *Doggie wipes sweat from brow and takes long sip of hot strong black coffee*

    1. Installed About Buster (v6.2) but wasn't given the option to update.

    2. On completion of the About Buster scan, the PC requested the Hewlett Packard (HP) installation disc to enable it to complete the installation of 'the process which you are now asking for'. I had previously disabled the HP Share-To-Web service because it was adversely affecting Explorer (preventing the Move file function, for example). Being trapped in a loop, I conformed to enable further progress.

    3. Ad-Aware new scan clear.

    4. I deleted all Ad-Aware file contents but this left no log to reproduce here.

    5. Ran Spybot S&D which found no immediate threats. 1 Cache entry, 2 Cookie entries and 5 Log entries were still noted. Immunisation option taken.

    6. CWShredder (a) Restored Hidden IE Options Tabs and (b) Removed CWS.Msconfig.

    7. Ran About Buster...LOG appended.

    AboutBuster 6.01
    Scan started on [17/04/2006] at [09:02:36]
    -------------------------------------------------------------
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    -------------------------------------------------------------
    No Ads Found!
    -------------------------------------------------------------
    No Files Found!
    -------------------------------------------------------------
    Scan was COMPLETED SUCCESSFULLY at 09:05:20


    AboutBuster 6.01
    Scan started on [17/04/2006] at [09:50:17]
    -------------------------------------------------------------
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    -------------------------------------------------------------
    No Ads Found!
    -------------------------------------------------------------
    No Files Found!
    -------------------------------------------------------------
    Scan was COMPLETED SUCCESSFULLY at 09:51:50


    8. Windows would not automatically reboot from Safe Mode, so I used the reset button.

    9. On reboot, PrevX flagged up the following:-

    'An attempt is being made to change...

    \REGISTRY\MACHINE\SYSTEM CONTROLSETUP001\SERVICES\MCHINJDRV\IMAGEPATH with...

    "\??\C:WINDOWS\TEMP\mc23.tmp"

    Reboot Survival Attempt'

    This was denied.

    10. Disc Cleaner (all options checked) removed 32kb from Web Client/ Publisher Temp Files and saved 9kb by Compressing Old Files. Recycle bin emptied.

    11. RegSeeker was allowed to repair 229 items.

    12. Panda Scan required Avast and PrevX to be disabled. Chose option to scan Local Discs which found Hacking Tool/ Potentially Unwanted Tool 'C:\Program Files\l2mfix\l2mfix.exe' but the scan froze on 352484 files @ WINDOWS\SYSTEM32\Shell.dll.

    13. Panda Scan was re-initiated, found the 'Hacker Tool' again. LOG appended below:-


    Incident: Potentially unwanted tool:Application/Processor
    Status: Not disinfected
    Location: C:\Program Files\l2mfix\l2mfix.exe[Process.exe]


    14. Re-enabled Avast, rebooted and got the PrevX flag referred to at 9. above. Request denied.

    15. Disabled System Restore on all drives and rebooted. Same PrevX incident. Request denied.

    16. Re-enabled System Restore on all drives and rebooted. Same PrevX incident. Request denied.

    17. Ran HJT. LOG appended below:-

    Logfile of HijackThis v1.99.1
    Scan saved at 13:00:40, on 17/04/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Prevx Home\PXAgent.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Prevx Home\SAGUI.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Softwin\BitDefender8\bdmcon.exe
    C:\Program Files\Softwin\BitDefender8\bdnagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HJT and ServiceFilter\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\Prevx Home\SAGUI.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
    O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1122574713812
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - C:\Program Files\Prevx Home\PXAgent.exe" -f (file missing)
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


    Over to you, Ruby!!

    Thanks again for all the hard work.

    Regards.

    db.

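As an added example, not code from this thread or from HijackThis itself: a small Python triage pass over HijackThis entries of the kind Ruby picked out in the post #17 fix list (an empty R0 Local Page, an O2 BHO with "(file missing)") and of the kind that appear in the post #20 log. The sample log is constructed here from lines quoted in this thread, plus one O23 line that is not from the thread and is modelled on the TEMP path in the PrevX "reboot survival" alert db reported. The rule set, the severities and the reading of HijackThis 1.99.1's stray-quote "(file missing)" output as a likely false positive are my assumptions, not anything the thread states.

```python
import re
from typing import Dict, List

# Constructed sample log. Every line except the last is copied from the
# HijackThis entries quoted in this thread; the last O23 line is invented
# for illustration and modelled on the TEMP path in the PrevX alert.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - blank (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Constructed Example (ConstructedSvc) - Unknown owner - C:\WINDOWS\TEMP\mc23.tmp
"""

# A HijackThis entry starts with its section code: R0, O2, O23, ...
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Directories from which a legitimate service or autorun should not be launched.
TEMP_DIRS = re.compile(r"\\temp\\|%temp%|\\local settings\\temp", re.IGNORECASE)


def parse(log_text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {section, body, raw} records.

    Header lines and the 'Running processes' block carry no section code,
    so they are skipped."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append({"section": m.group("sec"), "body": m.group("body"), "raw": raw})
    return entries


def triage(log_text: str) -> List[Dict[str, str]]:
    """Apply a handful of assumed heuristics and return the entries worth a look,
    each with a severity and a one-line reason. Entries that match no rule are
    not returned, which is not the same as them being clean."""
    findings = []
    for e in parse(log_text):
        sec, body = e["section"], e["body"]
        if sec in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append(dict(e, severity="low",
                reason="empty IE start/search value; harmless, fixing it restores a default"))
        elif sec == "O2" and "(file missing)" in body:
            findings.append(dict(e, severity="medium",
                reason="BHO CLSID registered but DLL absent; orphan of a removed add-on, safe to fix"))
        elif sec in ("O4", "O23") and TEMP_DIRS.search(body):
            findings.append(dict(e, severity="high",
                reason="autostart or service launched from a temp directory; a reboot-survival location"))
        elif sec == "O23" and "(file missing)" in body and '" /' in body:
            findings.append(dict(e, severity="info",
                reason="quoted ImagePath with arguments; HijackThis 1.99.1 tends to report these as "
                       "missing, so check that the file exists before treating it as gone"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']:3} {f['reason']}")
        print(f"         {f['raw']}")
```

The point of the last rule is the caveat a helper would want before telling someone to delete a service: the trailing quote before `/service` in the avast!, BitDefender and Prevx O23 lines of db's log shows a quoted path with arguments, and all of those executables appear in the running-process list just above, so "(file missing)" there is not evidence of a missing file. The high-severity rule is the one that would have caught the `mc23.tmp` path PrevX blocked, had it been registered as an ordinary service rather than a driver.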