Any suggestions how to find the trojan.
I remomed c-o-c-k directory earlier this week
Also did a thorough cleanup with CCleaner latest version and ran Malwarebytes Anti Malware.
I am losing my methodology and am beginning to shoot at random with various tools.
Help bring some order in to my search. Also my system is in German language which I understand but don't really like too much.
I don't do any banking on this unit since the trojan alert and used a keyscrambler when I did.
regards
ComboFix 10-12-02.01 - Administrator 08/12/2010 8:55.6.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.49.1031.18.1015.689 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Andrew\Eigene Dateien\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
- REDUZIERTER FUNKTIONALITÄTSMODUS -
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\xmldm
c:\windows\system32\xmldm\3100_FF_0000000519.key
.
((((((((((((((((((((((( Dateien erstellt von 2010-11-08 bis 2010-12-08 ))))))))))))))))))))))))))))))
.
2010-12-06 20:48 . 2010-12-06 21:06 -------- d-----w- c:\dokumente und einstellungen\Andrew\Lokale Einstellungen\Anwendungsdaten\Temp
2010-12-06 19:59 . 2010-12-06 20:06 -------- d-----w- c:\dokumente und einstellungen\Andrew\Pavark
2010-12-06 19:15 . 2010-12-06 19:15 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-12-06 19:15 . 2010-12-06 19:15 -------- d-----w- c:\dokumente und einstellungen\Andrew\log
2010-12-06 16:51 . 2010-05-26 09:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-12-06 16:32 . 2010-12-06 16:32 -------- d-----w- c:\programme\Sophos
2010-12-05 21:08 . 2010-12-05 21:08 2 --shatr- c:\windows\winstart.bat
2010-12-05 21:07 . 2010-12-05 22:23 -------- d-----w- c:\programme\UnHackMe
2010-12-05 14:53 . 2010-12-05 14:53 -------- d-----w- c:\dokumente und einstellungen\Andrew\Lokale Einstellungen\Anwendungsdaten\Help
2010-12-05 14:47 . 2010-12-05 14:47 -------- d-----w- c:\programme\Fortego Security
2010-12-05 14:47 . 2010-12-05 14:47 -------- d-----w- c:\windows\Downloaded Installations
2010-12-04 16:06 . 2010-12-04 16:08 -------- dc-h--w- c:\windows\ie8
2010-12-02 21:16 . 2010-12-02 21:16 -------- d-----w- c:\programme\Harden-It
2010-12-02 18:34 . 2010-12-02 18:34 -------- d-----w- c:\dokumente und einstellungen\Administrator\Lokale Einstellungen\Anwendungsdaten\Mozilla
2010-12-02 18:18 . 2010-12-02 18:18 -------- d-----w- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Malwarebytes
2010-12-02 17:07 . 2010-12-02 17:07 -------- d-----w- c:\dokumente und einstellungen\Administrator\Anwendungsdaten\SUPERAntiSpyware.com
2010-12-02 16:25 . 2010-12-02 16:25 -------- d-----w- c:\programme\CCleaner
2010-12-02 11:42 . 2010-12-02 11:42 0 ----a-w- c:\windows\system32\si8ih2b5.default.tmp
2010-12-01 13:49 . 2010-12-01 13:49 0 ----a-w- c:\windows\system32\49ik0a7w.default.tmp
2010-11-28 16:58 . 2010-11-28 16:58 -------- d-----w- c:\windows\system32\5008
2010-11-28 16:58 . 2010-11-28 16:58 112 ----a-w- c:\windows\system32\srvblck2.tmp
2010-11-15 21:04 . 2010-11-15 21:04 -------- d-----w- c:\dokumente und einstellungen\Andrew\Anwendungsdaten\Imaxel
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 16:42 . 2010-05-12 18:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 16:42 . 2010-05-12 18:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-22 11:50 . 2009-05-14 17:49 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-06 09:22 . 2009-05-14 17:49 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-09-18 10:22 . 2008-07-08 13:58 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:52 . 2008-07-08 13:58 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:52 . 2008-07-08 13:58 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:52 . 2008-07-08 13:58 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 03:50 . 2010-04-18 15:51 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-15 01:29 . 2010-04-18 15:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:47 . 2008-07-08 13:59 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:47 . 2008-07-08 13:58 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:47 . 2008-07-08 13:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
2008-05-07 14:34 . 2010-07-10 18:31 15523560 ----a-w- c:\programme\U1 Setup.exe
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"ISUSPM Startup"="c:\progra~1\GEMEIN~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"avgnt"="c:\programme\Avira\AntiVir Desktop\avgnt.exe" [2010-11-06 281768]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]
"TkBellExe"="c:\programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2010-03-17 202256]
"AppleSyncNotifier"="c:\programme\Gemeinsame Dateien\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]
"QuickTime Task"="c:\programme\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\programme\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\programme\Gemeinsame Dateien\Java\Java Update\jusched.exe" [2010-05-14 248552]
"LogitechQuickCamRibbon"="c:\programme\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\dokumente und einstellungen\All Users\Startmen\Programme\Autostart\
BTTray.lnk - c:\programme\WIDCOMM\Bluetooth Software\BTTray.exe [2008-4-14 596584]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\programme\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-12-19 21:07 131072 ----a-w- c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Programme\\TVAnts\\Tvants.exe"=
"c:\\Programme\\SopCast\\SopCast.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programme\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\iTunes\\iTunes.exe"=
"c:\\Programme\\Logitech\\Vid HD\\Vid.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [06/12/2010 17:51 18816]
S1 SASDIFSV;SASDIFSV;c:\programme\SUPERAntiSpyware\SASDIFSV.SYS [05/08/2009 15:06 12872]
S1 SASKUTIL;SASKUTIL;c:\programme\SUPERAntiSpyware\SASKUTIL.SYS [05/08/2009 15:06 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\programme\Avira\AntiVir Desktop\sched.exe [14/05/2009 18:49 135336]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [22/05/2009 17:46 16512]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [29/12/2008 20:46 114952]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [10/07/2010 19:14 625024]
S3 SASENUM;SASENUM;c:\programme\SUPERAntiSpyware\SASENUM.SYS [05/08/2009 15:06 12872]
.
Inhalt des "geplante Tasks" Ordners
2010-12-08 c:\windows\Tasks\Auf Updates für Windows Live Toolbar prüfen.job
- c:\programme\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 09:20]
2010-12-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2998078457-1890881797-4138810558-1006Core.job
- c:\dokumente und einstellungen\Andrew\Lokale Einstellungen\Anwendungsdaten\Google\Update\GoogleUpdate.exe [2010-12-06 21:04]
2010-12-07 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2998078457-1890881797-4138810558-1006.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
2010-12-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2998078457-1890881797-4138810558-1007.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
2010-12-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2998078457-1890881797-4138810558-1008.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
2010-12-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2998078457-1890881797-4138810558-1011.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
2010-12-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2998078457-1890881797-4138810558-1006.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
2010-10-26 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2998078457-1890881797-4138810558-1007.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
2010-11-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2998078457-1890881797-4138810558-1008.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
2010-12-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2998078457-1890881797-4138810558-1011.job
- c:\programme\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://eeepc.asus.com/global
IE: Senden an &Bluetooth-Gerät... - c:\programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Senden an Bluetooth - c:\programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\dokumente und einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\kv83s5vk.default\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programme\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\programme\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\dokumente und einstellungen\All Users\Anwendungsdaten\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Extension: Java Quick Starter: [email protected] - c:\programme\Java\jre6\lib\deploy\jqs\ff
FF - Extension: JavaString Helper: {ED0CF0C8-62F1-4865-A3FD-2E2A2B50FAFA} - c:\windows\system32\5008
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-08 08:57
Windows 5.1.2600 Service Pack 3 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\9.tmp"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft-Datenträgerkontingent"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Softwareinstallation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Programme\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@DACL=(02 0000)
@SACL=
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"Hilfeassistent"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"HelpAssistant"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
Zeit der Fertigstellung: 2010-12-08 09:00:46
ComboFix-quarantined-files.txt 2010-12-08 08:00
ComboFix2.txt 2010-12-07 18:38
ComboFix3.txt 2010-12-05 20:12
Vor Suchlauf: 8 Verzeichnis(se), 51,797,323,776 Bytes frei
Nach Suchlauf: 10 Verzeichnis(se), 51,781,931,008 Bytes frei
- - End Of File - - F655BF5981E76E07CA3DE73971CAE4B3