ComboFix 08-04-20.5 - Joe 2008-04-21 16:17:47.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.181 [GMT 2:00]
Running from: C:\Dokumente und Einstellungen\Joe\Desktop\ComboFix.exe

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sys.txt

.
((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 ))))))))))))))))))))))))))))))
.

2008-04-20 15:23 . 2008-04-20 15:23   d--------   C:\Programme\Microsoft CAPICOM 2.1.0.2
2008-04-20 15:12 . 2007-07-09 15:16   582,656   -----c---   C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-04-20 14:38 . 2007-07-30 19:20   30,040   --a------   C:\WINDOWS\system32\wuapi.dll.mui
2008-04-15 17:24 . 2008-04-15 17:24   d--------   C:\Programme\ZoneAlarmSB
2008-03-26 11:45 . 2008-03-26 11:47   d--------   C:\Programme\Gemeinsame Dateien\Remote Control Software Common

.
(((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-04-21 14:22   1,935,392   --sha-w   C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-21 09:16   ---------   d-----w   C:\Dokumente und Einstellungen\Joe\Anwendungsdaten\AVG7
2008-04-21 09:11   22,076   --sha-w   C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-21 08:57   ---------   d-----w   C:\Programme\Opera
2008-04-21 08:55   ---------   d-----w   C:\Programme\CleanUp!
2008-04-18 22:42   14,190   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
2008-04-18 22:42   ---------   d-----w   C:\Dokumente und Einstellungen\Joe\Anwendungsdaten\Corel
2008-04-18 13:27   ---------   d-----w   C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avg7
2008-04-17 16:12   ---------   d-----w   C:\Programme\SUPERAntiSpyware
2008-03-27 07:00   ---------   d-----w   C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\AVG7
2008-03-26 09:44   ---------   d--h--w   C:\Programme\InstallShield Installation Information
2008-03-26 09:44   ---------   d-----w   C:\Programme\Logitech
2008-03-26 09:42   ---------   d-----w   C:\Programme\Gemeinsame Dateien\Remote Control Software Shared
2008-03-20 08:03   1,845,376   ----a-w   C:\WINDOWS\system32\win32k.sys
2008-03-13 21:11   75,248   ----a-w   C:\WINDOWS\zllsputility.exe
2008-03-13 21:11   1,086,952   ----a-w   C:\WINDOWS\system32\zpeng24.dll
2008-03-02 19:18   ---------   d-----w   C:\Programme\Microsoft ActiveSync
2008-03-02 19:17   ---------   d-----w   C:\Programme\ViennaSoft
2008-02-25 14:12   ---------   d-----w   C:\Dokumente und Einstellungen\Joe\Anwendungsdaten\vlc
2008-02-25 11:01   ---------   d-----w   C:\Programme\VideoLAN
2008-02-20 06:50   282,624   ----a-w   C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:33   45,568   ----a-w   C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:30   671,744   ----a-w   C:\WINDOWS\system32\wininet.dll
2003-11-17 16:33   41,232   ----a-w   C:\Programme\opera\program\plugins\icalogon.dll
2003-11-17 16:23   24,848   ----a-w   C:\Programme\opera\program\plugins\pscript.dll
2003-11-17 16:33   41,232   ----a-w   C:\Programme\opera\program\plugins\sslasock.dll
2003-11-17 16:33   57,616   ----a-w   C:\Programme\opera\program\plugins\sslsdk_b.dll
2007-10-12 17:19   88   --sh--r   C:\WINDOWS\system32\26A6F69E4A.sys

.
(((((((((((((((((((((((((((( Registry Autostart Points ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legitimate default entries are not shown.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-04-15 17:24   262144   --a------   C:\Programme\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= "C:\Programme\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" [2008-04-15 17:24 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Programme\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-04-15 17:24 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:57 15360]
"SUPERAntiSpyware"="C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-17 18:12 1481968]
"LDM"="C:\Programme\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-09-02 20:10 36864]
"H/PC Connection Agent"="C:\Programme\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:50 1289000]
"SpriteService"="C:\Programme\Sprite Software\Sprite Backup\SpriteService.exe" [2006-10-30 17:31 544768]
"MsnMsgr"="C:\Programme\Windows Live\Messenger\MsnMsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-24 18:00 4861952]
"nwiz"="nwiz.exe" [2003-09-24 18:00 323584 C:\WINDOWS\system32\nwiz.exe]
"LTSMMSG"="LTSMMSG.exe" [2003-04-18 10:06 32768 C:\WINDOWS\ltsmmsg.exe]
"SigmaTel StacMon"="C:\Programme\SigmaTel\SigmaTel AC97 Audio-Treiber\stacmon.exe" [2003-08-03 16:01 86073]
"SynTPLpr"="C:\Programme\Synaptics\SynTP\SynTPLpr.exe" [2003-05-30 19:25 110592]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2003-05-30 19:23 614400]
"TFNF5"="TFNF5.exe" [2003-07-18 17:41 73728 C:\WINDOWS\system32\TFNF5.exe]
"TouchED"="C:\Programme\TOSHIBA\TouchED\TouchED.Exe" [2003-03-11 15:03 122880]
"00THotkey"="C:\WINDOWS\System32\00THotkey.exe" [2003-05-23 15:23 253952]
"000StTHK"="000StTHK.exe" [2001-06-23 21:28 24576 C:\WINDOWS\system32\000StTHK.exe]
"TPSMain"="TPSMain.exe" [2003-10-02 14:20 266240 C:\WINDOWS\system32\TPSMain.exe]
"TFncKy"="C:\Programme\TOSHIBA\TOSHIBA Controls\TFncKy.exe" [2003-09-18 10:55 102400]
"TkBellExe"="C:\Programme\K-Lite Codec Pack\real\Update_OB\realsched.exe" [ ]
"DXM6Patch_981116"="C:\WINDOWS\p_981116.exe" [1998-11-30 19:04 497376]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-18 15:27 579584]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Photo Downloader"="C:\Programme\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
"IntelZeroConfig"="C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 12:55 667718]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 12:56 602182]
"EOUApp"="C:\Programme\Intel\Wireless\Bin\EOUWiz.exe" [2005-12-28 13:00 569413]
"Sony Ericsson PC Suite"="C:\Programme\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"Auto Run Software for Photo Frame"="" []
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2007-10-20 11:17 98304]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:57 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 17:33 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SRUUninstall"="C:\WINDOWS\System32\msiexec.exe" [2005-03-21 15:00 78848]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\
Logitech Desktop Messenger.lnk - C:\Programme\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-09-02 20:10:07 196608]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-08-14 19:08:30 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programme\SUPERAntiSpyware\SASSEH.DLL [2007-02-16 17:57 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programme\SUPERAntiSpyware\SASWINLO.DLL 2007-05-26 11:01 294912 C:\Programme\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.lameacm"= lameACM.acm
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
"Steam"=C:\Valve\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"WinampAgent"="C:\Programme\Winamp\Winampa.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\ICQLite\\ICQLite.exe"=
"C:\\Programme\\SmartFTP\\SmartFTP.exe"=
"C:\\Programme\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Programme\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Programme\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Programme\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Programme\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Programme\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\Programme\Microsoft ActiveSync\rapimgr.exe"= C:\Programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Programme\Microsoft ActiveSync\wcescomm.exe"= C:\Programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Programme\Microsoft ActiveSync\WCESMgr.exe"= C:\Programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Programme\\Skype\\Phone\\Skype.exe"=
"C:\\Programme\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Programme\\Sprite Software\\Sprite Backup\\SpriteService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 AVMWAN;AVM NDIS WAN CAPI-Treiber;C:\WINDOWS\system32\DRIVERS\avmwan.sys [2001-08-17 12:13]
R3 axvdkbus;axvdkbus;C:\WINDOWS\system32\DRIVERS\axvdkbus.sys [2003-02-25 20:43]
R3 axvodka;axvodka;C:\WINDOWS\system32\DRIVERS\axvodka.sys [2003-02-27 18:50]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2002-10-03 00:09]
R3 TOSHIBASoftModem;TOSHIBA Software Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys [2002-09-17 16:12]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 17:38]
S3 fus2base;AVM ISDN-Controller FRITZ!Card USB v2.0;C:\WINDOWS\system32\DRIVERS\fus2base.sys [2001-08-17 12:15]
S3 musbehco;musbehco;C:\DOKUME~1\Joe\LOKALE~1\Temp\musbehco.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
S3 pciSd;pciSd;C:\WINDOWS\system32\DRIVERS\tossdpci.sys [2003-02-12 09:03]
S3 PFNDIS5;PFNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\PFNDIS5.SYS []
S3 TOMCATWAN;T-Online DynamicISDN (WDM);C:\WINDOWS\system32\DRIVERS\WTOMCAT.SYS []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8becb995-c775-11d9-9d24-000e35248340}]
\Shell\AutoRun\command - E:\setupSNK.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 16:22:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

**************************************************************************
.
Completion time: 2008-04-21 16:29:36
ComboFix-quarantined-files.txt 2008-04-21 14:28:31
ComboFix2.txt 2007-10-28 12:45:35

18 Directory(s), 1,809,559,552 bytes free
23 Directory(s), 1,797,419,008 bytes free
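The Run-key values, the R3/S3 service lines and the MountPoints2 AutoRun command are the parts of a ComboFix log a reviewer works through first. The Python helper below is an added example, not part of the original post and not ComboFix's own code: it parses those three line shapes (the regular expressions assume exactly the formatting ComboFix uses in the log above) and lists entries that deserve a second look, namely Run values for which ComboFix recorded no file information (the `[ ]` entries), drivers whose image sits under a Temp directory or carries no file timestamp, and AutoRun commands registered under MountPoints2. The sample input is a constructed excerpt copied from lines of this log, and the rules are generic review heuristics, not a verdict on any particular entry.

```python
"""Triage helper for the autostart section of a ComboFix log.

Added example: parses Run-key values, service/driver lines and MountPoints2
AutoRun commands and reports the entries a reviewer usually checks first.
The heuristics are generic review rules, not a statement that any entry is
malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: an excerpt of the log lines shown in the post above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-09-24 18:00 4861952]
"nwiz"="nwiz.exe" [2003-09-24 18:00 323584 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Programme\K-Lite Codec Pack\real\Update_OB\realsched.exe" [ ]
"Auto Run Software for Photo Frame"="" []
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
R3 tsdhd;TOSHIBA SD Card Host Controller Driver;C:\WINDOWS\system32\DRIVERS\tsdhd.sys [2003-05-14 17:38]
S3 musbehco;musbehco;C:\DOKUME~1\Joe\LOKALE~1\Temp\musbehco.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\NSNDIS5.SYS []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8becb995-c775-11d9-9d24-000e35248340}]
\Shell\AutoRun\command - E:\setupSNK.exe
'''

# "Name"="target" [timestamp size [resolved path]]  -- ComboFix's Run-value shape
RUN_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# R<n>/S<n> name;description;image [timestamp]  -- R = running, S = stopped
SVC_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<image>.+?)\s*\[(?P<meta>[^\]]*)\]$')
# MountPoints2 subvalue that Explorer runs when the volume is opened
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$')


@dataclass
class Finding:
    kind: str    # "run", "driver" or "autorun"
    name: str
    target: str
    reason: str


def parse_meta(meta: str) -> Optional[Tuple[str, int, Optional[str]]]:
    """Split ComboFix's bracketed file info into (timestamp, size, resolved path).

    Returns None when the bracket is empty, i.e. ComboFix found no file to stat.
    """
    parts = meta.split()
    if len(parts) < 3:
        return None
    timestamp = f"{parts[0]} {parts[1]}"
    size = int(parts[2].replace(",", ""))
    resolved = " ".join(parts[3:]) or None   # present only when the value was a bare filename
    return timestamp, size, resolved


def triage(log: str) -> List[Finding]:
    """Walk the log once and collect review-worthy autostart entries."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Registry key headers look like [HKEY_...]; keep the last one as context.
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = RUN_RE.match(line)
        if m:
            name, path, meta = m.group("name"), m.group("path"), m.group("meta")
            if parse_meta(meta) is None:
                reason = ("empty target" if not path
                          else "no file info recorded; verify the target exists")
                findings.append(Finding("run", name, path, reason))
            continue
        m = SVC_RE.match(line)
        if m:
            name, image, meta = m.group("name"), m.group("image").strip(), m.group("meta")
            if "\\temp\\" in image.lower():
                findings.append(Finding("driver", name, image,
                                        "driver image loaded from a Temp directory"))
            elif not meta.strip():
                findings.append(Finding("driver", name, image,
                                        "no file timestamp; verify the image exists"))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key.lower():
            volume = current_key.rsplit("\\", 1)[-1]   # the volume GUID of the key
            findings.append(Finding("autorun", volume, m.group("cmd").strip(),
                                    "AutoRun command registered for a mounted volume"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind:7}] {f.name}: {f.target or '(none)'}  <- {f.reason}")
```

Run it against a full log by reading the file into `triage()`; entries it reports are starting points for checking the file on disk (timestamp, signature, hash), not conclusions about them.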