Stration.Gen virus/worm

#0
17.04.2007, 20:43
...new here

Posts: 3
#1 Hi! Since yesterday I'm unfortunately one of those people who opened the stupid ICQ link along the lines of "check this out".

I ran the HijackThis program. Unfortunately I don't know much about it and hope someone here can help me.

P.S.: Sorry about the silly username...

Here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 20:28:04, on 17.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\HHVcdV5Sys\VC5SecS.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\MSI\System Control Manager\MGSysCtrl.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\HHVcdV5Sys\VC5Play.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\Virtual CD v5\System\VC5Tray.exe
C:\Programme\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\System32\shfoxpob.exe
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Programme\WinRAR\WinRAR.exe
C:\Dokumente und Einstellungen\Antje\Eigene Dateien\WURMTÖTER\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\tbu7\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\tbu7\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar3.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\tbu7\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Programme\MSI\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VC5Player] C:\Programme\HHVcdV5Sys\VC5Play.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [himem.exe] C:\WINDOWS\skksd32.exe -s
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\skksd32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Programme\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [amcdiag] C:\WINDOWS\system32\amcconf.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSzed029YYNL_ZNxdm414YYDE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3021d2cb3a93159be406/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107082269546
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://studivz.net/photouploader/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {96512D57-F751-4088-A689-5778FCC77F7A} (Photo Uploader Control) - http://www.studivz.net/lib/photouploader/PhotoUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: shfoxpob - C:\WINDOWS\system32\shfoxpob.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Programme\HHVcdV5Sys\VC5SecS.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
18.04.2007, 07:54
Member
Chris4You

Posts: 694
#2 Hi,

please check:

virustotal:
Please check these files, as they are unknown and may be infected

Quote

C:\WINDOWS\System32\shfoxpob.exe
C:\WINDOWS\skksd32.exe
C:\WINDOWS\system32\amcconf.exe (-> typical of: Email-Worm.Win32.Warezov.dq)
C:\WINDOWS\AGRSMMSG.exe (-> should be an "AMR modem driver")

http://www.virustotal.com/flash/index_en.html
At the top of the page --> click Browse --> pick the file (or paste the file with its correct path directly) --> double-click the file to be checked --> click "Send"... now wait - then select the text with the right mouse button -> copy - paste
Post the logs...

Then be sure to also work through the rest of

Quote

http://board.protecus.de/t23188.htm
- Creating a HijackThis logfile (you've already done that)
- CleanUp (delete temporary files)
- Combofix
- Logfiles via datfind.bat (all files, but post only the last 3-6 months)
since there are certainly additional files that don't show up in HijackThis...

chris
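Added example, not a tool from this thread or from protecus.de: a small Python script that applies to HijackThis O4/O20 lines the same checks the helper did by eye above (one binary registered under two Run value names, a value name that impersonates a different executable, a binary dropped straight into C:\WINDOWS, and a Winlogon Notify DLL with a running .exe twin). The sample log is constructed from entries quoted in this thread; the rule names and heuristics are my own, and every hit is a review item rather than a verdict.

```python
"""Heuristic triage of HijackThis v1.99 O4/O20 entries (added example).

Hits are review items only; VirusTotal and a detection engine still decide.
"""
import ntpath
import re
from collections import defaultdict

# Line shapes for autostart (O4) and Winlogon Notify (O20) entries.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\\S.*$")      # bare paths in the "Running processes" block
EXT_RE = re.compile(r"\.(exe|dll|com|scr)\b", re.I)

# Constructed sample, assembled from entries quoted earlier in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\shfoxpob.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [himem.exe] C:\WINDOWS\skksd32.exe -s
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\skksd32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [amcdiag] C:\WINDOWS\system32\amcconf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: shfoxpob - C:\WINDOWS\system32\shfoxpob.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


def image_path(cmd: str) -> str:
    """Strip quotes and arguments from an O4 command line, keeping only the program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                  # quoted path: everything up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.search(cmd)                   # unquoted path with spaces: cut after the extension
    if m:
        return cmd[: m.end()]
    return cmd.split()[0] if cmd else ""     # no extension (e.g. dumprep): first token


def parse_log(text: str):
    """Return (Run entries, Winlogon Notify entries, lowercase running-process basenames)."""
    runs, notify, procs = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            runs.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                         "image": image_path(m["cmd"])})
        elif m := O20_RE.match(line):
            notify.append({"name": m["name"], "path": m["path"].strip()})
        elif PROC_RE.match(line):
            procs.add(ntpath.basename(line).lower())
    return runs, notify, procs


def triage(text: str):
    """Apply the heuristics; returns (rule, lowercase image path, explanation) tuples."""
    runs, notify, procs = parse_log(text)
    findings = []
    by_image = defaultdict(list)
    for r in runs:
        by_image[r["image"].lower()].append(r)

    for image, entries in by_image.items():
        base, directory = ntpath.basename(image), ntpath.dirname(image)
        if len(entries) > 1:                 # skksd32.exe as [himem.exe] and [SoundMnEx32]
            names = ", ".join(e["name"] for e in entries)
            findings.append(("duplicate-autostart", image,
                             f"same binary registered {len(entries)} times as [{names}]"))
        if not directory:                    # resolved through the search path at logon
            findings.append(("unqualified-path", image, "no directory given"))
        elif directory.endswith("\\windows"):
            findings.append(("windows-root", image, "lives directly in the Windows directory"))
        for e in entries:                    # [himem.exe] launching skksd32.exe
            name = e["name"].lower()
            if EXT_RE.search(name) and name != base:
                findings.append(("name-mismatch", image,
                                 f"value name [{e['name']}] does not match binary {base}"))

    for n in notify:                         # shfoxpob.dll next to a running shfoxpob.exe
        path = n["path"].lower()
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if stem + ".exe" in procs:
            findings.append(("notify-dll-twin", path,
                             f"Winlogon Notify DLL has a running executable twin {stem}.exe"))
    return findings


def findings_by_rule(findings):
    """Group finding images by rule name, sorted, for quick reading or assertions."""
    grouped = defaultdict(set)
    for rule, image, _ in findings:
        grouped[rule].add(image)
    return {rule: sorted(images) for rule, images in grouped.items()}


if __name__ == "__main__":
    for rule, image, why in triage(SAMPLE_LOG):
        print(f"{rule:20} {image:50} {why}")
```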
18.04.2007, 21:37
...new here

Thread starter

Posts: 3
#3 Hi, thanks for the quick reply!!!
Yesterday evening I also got a tip from an acquaintance to try Avast as well. It actually found around 18 infected files, all of which I moved to the chest. But when I then turned AntiVir on, lots of messages popped up again and I could pull the battery once more because nothing worked anymore! I've now run another HijackThis; I think the scan changed something:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\MSI\System Control Manager\MGSysCtrl.exe
C:\Programme\HHVcdV5Sys\VC5SecS.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\HHVcdV5Sys\VC5Play.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\Virtual CD v5\System\VC5Tray.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\Programme\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\System32\shfoxpob.exe
C:\Dokumente und Einstellungen\Antje\Eigene Dateien\WURMTÖTER\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\tbu7\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\tbu7\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar3.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\tbu7\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Programme\MSI\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VC5Player] C:\Programme\HHVcdV5Sys\VC5Play.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [himem.exe] C:\WINDOWS\skksd32.exe -s
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\skksd32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Programme\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [amcdiag] C:\WINDOWS\system32\amcconf.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSzed029YYNL_ZNxdm414YYDE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3021d2cb3a93159be406/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107082269546
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://studivz.net/photouploader/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {96512D57-F751-4088-A689-5778FCC77F7A} (Photo Uploader Control) - http://www.studivz.net/lib/photouploader/PhotoUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: shfoxpob - C:\WINDOWS\system32\shfoxpob.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Programme\HHVcdV5Sys\VC5SecS.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe



Virustotal:

Complete scanning result of "shfoxpob.exe", received in VirusTotal at 04.18.2007, 20:32:22 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.0 04.18.2007 no virus found
AntiVir 7.3.1.53 04.18.2007 Worm/Warezov.ND.1
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.18.2007 no virus found
AVG 7.5.0.447 04.18.2007 no virus found
BitDefender 7.2 04.18.2007 Win32.Warezov.XJ@mm
CAT-QuickHeal 9.00 04.18.2007 (Suspicious) - DNAScan
ClamAV devel-20070416 04.18.2007 Worm.Stration.ACJ-5
DrWeb 4.33 04.18.2007 Win32.HLLM.Limar
eSafe 7.0.15.0 04.18.2007 Win32.Warezov.nd
eTrust-Vet 30.7.3576 04.18.2007 no virus found
Ewido 4.0 04.18.2007 Worm.Warezov.nd
FileAdvisor 1 04.18.2007 No Thread detected
Fortinet 2.85.0.0 04.18.2007 suspicious
F-Prot 4.3.2.48 04.18.2007 no virus found
F-Secure 6.70.13030.0 04.18.2007 Email-Worm.Win32.Warezov.nd
Ikarus T3.1.1.5 04.18.2007 Email-Worm.Win32.Warezov.at
Kaspersky 4.0.2.24 04.18.2007 Email-Worm.Win32.Warezov.nd
McAfee 5012 04.18.2007 New Malware.n
Microsoft 1.2405 04.18.2007 no virus found
NOD32v2 2202 04.18.2007 Win32/Stration.YQ
Norman 5.80.02 04.18.2007 no virus found
Panda 9.0.0.4 04.18.2007 Suspicious file
Prevx1 V2 04.18.2007 Malware:SysCovert
Sophos 4.16.0 04.17.2007 Mal/Packer
Sunbelt 2.2.907.0 04.07.2007 VIPRE.Suspicious
Symantec 10 04.18.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.18.2007 MalwareScope.Worm.Warezov.6
VirusBuster 4.3.7:9 04.18.2007 no virus found
Webwasher-Gateway 6.0.1 04.18.2007 Worm.Warezov.ND.1


Aditional Information
File size: 79092 bytes
MD5: 27a97a0c2380a731b058f5123316dc2b
SHA1: 46eb91536ec739248f0bce169e5227845c046e7a
packers: UPACK
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=27a97a0c2380a731b058f5123316dc2b
packers: UPack
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=671789497926
Sunbelt info: VIPRE.Suspicious is a generic detection for potential Thread that are deemed suspicious


So I couldn't find skksd anymore, but instead a nice new surprise that was supposedly created early this morning!!:

Complete scanning result of "skkkkkkk.exe", received in VirusTotal at 04.18.2007, 20:44:31 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.0 04.18.2007 no virus found
AntiVir 7.3.1.53 04.18.2007 HEUR/Malware
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.18.2007 no virus found
AVG 7.5.0.447 04.18.2007 no virus found
BitDefender 7.2 04.18.2007 no virus found
CAT-QuickHeal 9.00 04.18.2007 no virus found
ClamAV devel-20070416 04.18.2007 no virus found
DrWeb 4.33 04.18.2007 Win32.HLLM.Limar
eSafe 7.0.15.0 04.18.2007 suspicious Trojan/Worm
eTrust-Vet 30.7.3576 04.18.2007 no virus found
Ewido 4.0 04.18.2007 no virus found
FileAdvisor 1 04.18.2007 no virus found
Fortinet 2.85.0.0 04.18.2007 suspicious
F-Prot 4.3.2.48 04.18.2007 W32/Downloader2.BHH
F-Secure 6.70.13030.0 04.18.2007 W32/Horst.gen28
Ikarus T3.1.1.5 04.18.2007 no virus found
Kaspersky 4.0.2.24 04.18.2007 no virus found
McAfee 5012 04.18.2007 no virus found
Microsoft 1.2405 04.18.2007 no virus found
NOD32v2 2202 04.18.2007 Win32/Stration
Norman 5.80.02 04.18.2007 W32/Horst.gen28
Panda 9.0.0.4 04.18.2007 Suspicious file
Prevx1 V2 04.18.2007 Win32.Malware.gen
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.18.2007 no virus found
TheHacker 6.1.6.088 04.09.2007 no virus found
VBA32 3.11.3 04.18.2007 no virus found
VirusBuster 4.3.7:9 04.18.2007 no virus found
Webwasher-Gateway 6.0.1 04.18.2007 Heuristic.Malware


Aditional Information
File size: 35840 bytes
MD5: 9d50b32aacf6b0c790346d3a26ea7708
SHA1: 002baf29ba7e3c7e3da7a09bf7b9892a4dcd9581
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=1c2389909512



I can't find amcconf anymore either, but I did see another one that looks very suspicious

Complete scanning result of "secumsje.exe", received in VirusTotal at 04.18.2007, 21:10:09 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.0 04.18.2007 no virus found
AntiVir 7.3.1.53 04.18.2007 WORM/Stration.Gen
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.18.2007 no virus found
AVG 7.5.0.447 04.18.2007 no virus found
BitDefender 7.2 04.18.2007 Win32.Warezov.XJ@mm
CAT-QuickHeal 9.00 04.18.2007 no virus found
ClamAV devel-20070416 04.18.2007 Worm.Stration.ACJ-3
DrWeb 4.33 04.18.2007 Win32.HLLM.Limar
eSafe 7.0.15.0 04.18.2007 no virus found
eTrust-Vet 30.7.3576 04.18.2007 no virus found
Ewido 4.0 04.18.2007 no virus found
FileAdvisor 1 04.18.2007 no virus found
Fortinet 2.85.0.0 04.18.2007 no virus found
F-Prot 4.3.2.48 04.18.2007 no virus found
F-Secure 6.70.13030.0 04.18.2007 Email-Worm.Win32.Warezov.nd
Ikarus T3.1.1.5 04.18.2007 no virus found
Kaspersky 4.0.2.24 04.18.2007 Email-Worm.Win32.Warezov.nd
McAfee 5012 04.18.2007 no virus found
Microsoft 1.2405 04.18.2007 no virus found
NOD32v2 2202 04.18.2007 Win32/Stration.YQ
Norman 5.80.02 04.18.2007 no virus found
Panda 9.0.0.4 04.18.2007 W32/Spamta.WA.worm
Prevx1 V2 04.18.2007 no virus found
Sophos 4.16.0 04.17.2007 W32/Strati-Gen
Sunbelt 2.2.907.0 04.14.2007 no virus found
Symantec 10 04.18.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.18.2007 no virus found
VirusBuster 4.3.7:9 04.18.2007 no virus found
Webwasher-Gateway 6.0.1 04.18.2007 Worm.Stration.Gen


Aditional Information
File size: 16384 bytes
MD5: 0df33cf33a806e55da92603e8ebe1109
SHA1: 899f2b59ab175d2731541764caa4b6f591850532


Complete scanning result of "AGRSMMSG.exe", received in VirusTotal at 04.18.2007, 21:24:10 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.0 04.18.2007 no virus found
AntiVir 7.3.1.53 04.18.2007 no virus found
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.18.2007 no virus found
AVG 7.5.0.447 04.18.2007 no virus found
BitDefender 7.2 04.18.2007 no virus found
CAT-QuickHeal 9.00 04.18.2007 no virus found
ClamAV devel-20070416 04.18.2007 no virus found
DrWeb 4.33 04.18.2007 no virus found
eSafe 7.0.15.0 04.18.2007 no virus found
eTrust-Vet 30.7.3576 04.18.2007 no virus found
Ewido 4.0 04.18.2007 no virus found
FileAdvisor 1 04.18.2007 No Thread detected
Fortinet 2.85.0.0 04.18.2007 no virus found
F-Prot 4.3.2.48 04.18.2007 no virus found
F-Secure 6.70.13030.0 04.18.2007 no virus found
Ikarus T3.1.1.5 04.18.2007 no virus found
Kaspersky 4.0.2.24 04.18.2007 no virus found
McAfee 5012 04.18.2007 no virus found
Microsoft 1.2405 04.18.2007 no virus found
NOD32v2 2202 04.18.2007 no virus found
Norman 5.80.02 04.18.2007 no virus found
Panda 9.0.0.4 04.18.2007 no virus found
Prevx1 V2 04.18.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.18.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.18.2007 no virus found
VirusBuster 4.3.7:9 04.18.2007 no virus found
Webwasher-Gateway 6.0.1 04.18.2007 no virus found


Aditional Information
File size: 88363 bytes
MD5: f7b737e2af9e5c14459c659ecd6c4ed5
SHA1: 3ad5cb1881aa2ae392558cc9dc3c283d02527eaa
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=f7b737e2af9e5c14459c659ecd6c4ed5


So CleanUp worked wonderfully. With Combofix, however, there are problems. It won't even download; the download always aborts midway.


datfind.bat:


Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: D051-B4FF

Verzeichnis von C:\WINDOWS\system32

18.04.2007 22:31 79.092 shfoxpob.exe
18.04.2007 22:22 2.206 wpa.dbl
18.04.2007 22:22 20.096 MGHwTemp.sys
18.04.2007 08:48 4 shfoxpob.dat
17.04.2007 23:07 3.002 CONFIG.NT
17.04.2007 19:58 24.576 trafracp.dll
17.04.2007 15:51 12.800 Thumbs.db
17.04.2007 01:51 79.092 shfoxpob.exe.ren
17.04.2007 00:53 20.480 msstersv.dll
16.04.2007 22:07 16.384 secumsje.exe
16.04.2007 22:07 98.304 shfoxpob.dll
14.04.2007 09:42 90.112 AvastSS.scr
10.04.2007 13:18 712.832 aswBoot.exe
04.04.2007 10:48 169.096 FNTCACHE.DAT
03.04.2007 22:48 13.511.640 MRT.exe
28.03.2007 07:12 51.538 perfc009.dat
28.03.2007 07:12 386.302 perfh007.dat
28.03.2007 07:12 375.740 perfh009.dat
28.03.2007 07:12 62.364 perfc007.dat
28.03.2007 07:12 884.200 PerfStringBackup.INI
17.03.2007 15:44 293.376 winsrv.dll
09.03.2007 13:51 270.336 xpsp3res.dll
08.03.2007 17:36 281.600 gdi32.dll
08.03.2007 17:36 579.072 user32.dll
08.03.2007 17:36 40.960 mf3216.dll
08.03.2007 17:32 1.843.712 win32k.sys
28.02.2007 18:02 2.182.656 ntoskrnl.exe
28.02.2007 18:02 2.059.904 ntkrnlpa.exe
21.02.2007 14:16 23.392 nscompat.tlb
21.02.2007 14:16 16.832 amcompat.tlb
21.02.2007 14:10 902 InstallUtil.InstallLog
17.02.2007 01:52 122.142 TZLog.log
16.02.2007 10:54 65.536 QuickTimeVR.qtx
16.02.2007 10:54 49.152 QuickTime.qts
15.02.2007 19:01 337.280 WgaTray.exe
15.02.2007 19:01 1.476.992 LegitCheckControl.dll
15.02.2007 19:00 236.928 WgaLogon.dll
05.02.2007 22:18 185.856 upnphost.dll
29.01.2007 10:58 60.416 tzchange.exe
23.01.2007 21:30 546.304 hhctrl.ocx
12.01.2007 10:27 6.054.400 ieframe.dll
12.01.2007 10:27 670.720 mstime.dll
12.01.2007 10:27 51.712 msfeedsbs.dll
12.01.2007 10:27 27.136 jsproxy.dll
12.01.2007 10:27 822.784 wininet.dll
12.01.2007 10:27 3.580.416 mshtml.dll
12.01.2007 10:27 132.608 extmgr.dll
12.01.2007 10:27 232.960 webcheck.dll
12.01.2007 10:27 458.752 msfeeds.dll
12.01.2007 10:27 1.149.952 urlmon.dll
12.01.2007 10:27 477.696 mshtmled.dll


Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: D051-B4FF

Verzeichnis von C:\DOKUME~1\Antje\LOKALE~1\Temp

18.04.2007 22:22 245.760 ~DFB7E2.tmp
18.04.2007 20:16 16.384 ~DFCCDA.tmp
18.04.2007 20:16 16.384 ~DFC624.tmp
18.04.2007 19:51 245.760 ~DF9F69.tmp


Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: D051-B4FF

Verzeichnis von C:\WINDOWS

18.04.2007 22:22 0 0.log
18.04.2007 22:22 4.254 ModemLog_Agere Systems AC'97 Modem v2141D.txt
18.04.2007 22:22 159 wiadebug.log
18.04.2007 22:22 1.309.446 WindowsUpdate.log
18.04.2007 22:21 50 wiaservc.log
18.04.2007 22:21 2.048 bootstat.dat
18.04.2007 22:20 32.622 SchedLgU.Txt
18.04.2007 08:48 35.840 skkkkkkk.exe
16.04.2007 02:39 93.090 wmsetup.log
15.04.2007 12:41 201.188 setupapi.log
12.04.2007 17:14 54.156 QTFont.qfn
11.04.2007 15:04 131.915 iis6.log
11.04.2007 15:04 282.151 comsetup.log
11.04.2007 15:04 170.349 ntdtcsetup.log
11.04.2007 15:04 45.546 ocmsn.log
11.04.2007 15:04 323.517 tsoc.log
11.04.2007 15:04 1.374 imsins.log
11.04.2007 15:03 14.907 KB931784.log
11.04.2007 15:03 405.140 ocgen.log
11.04.2007 15:03 41.609 msgsocm.log
11.04.2007 15:03 837.417 FaxSetup.log
11.04.2007 15:03 13.172 KB931261.log
11.04.2007 15:03 87.325 updspapi.log
11.04.2007 15:03 12.657 KB930178.log
11.04.2007 15:03 14.292 KB932168.log
07.04.2007 14:19 116 NeroDigital.ini
04.04.2007 10:41 12.374 KB925902.log
30.03.2007 19:13 218.435 setupact.log
17.03.2007 04:05 8.288 KB929399.log
17.03.2007 04:02 12.189 KB929338.log
28.02.2007 12:42 46.022 spupdsvc.log
28.02.2007 12:39 18.055 WgaNotify.log
27.02.2007 21:05 169 RtlRack.ini
21.02.2007 14:50 3.318 wmsetup10.log
21.02.2007 14:17 7.423 KB926239.log
21.02.2007 14:16 5.338 MSCompPackV1.log
21.02.2007 14:16 19.985 wmp11.log
21.02.2007 14:15 599 win.ini
21.02.2007 14:13 28.928 WMFDist11.log
21.02.2007 14:13 316.640 WMSysPr9.prx
21.02.2007 14:11 12.816 Wudf01000Inst.log
17.02.2007 01:52 17.912 KB927779.log
17.02.2007 01:52 14.988 KB927802.log
17.02.2007 01:52 14.671 KB928255.log
17.02.2007 01:52 6.631 KB923723.log
17.02.2007 01:52 11.112 KB924667.log
17.02.2007 01:52 23.579 KB931836.log
17.02.2007 01:51 13.054 KB926436.log
17.02.2007 01:51 9.440 KB928090-IE7.log
17.02.2007 01:51 10.732 KB918118.log
17.02.2007 01:50 10.655 KB928843.log
15.01.2007 22:11 1.409 QTFont.for
11.01.2007 13:05 3.612 KB929969.log


Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: D051-B4FF

Verzeichnis von C:\WINDOWS\Temp

18.04.2007 22:22 409 WGANotify.settings
18.04.2007 22:22 0 T30DebugLogFile.txt
18.04.2007 22:21 255 WGAErrLog.txt
18.04.2007 19:50 16.384 Perflib_Perfdata_4a0.dat
18.04.2007 18:07 16.384 Perflib_Perfdata_4bc.dat
18.04.2007 00:04 16.384 Perflib_Perfdata_4b0.dat
17.04.2007 23:09 16.384 Perflib_Perfdata_4dc.dat
23.03.2007 10:30 29.035 Alcxau.inf
21.03.2007 11:08 496.923 alcxwdm.cat
21.03.2007 11:08 321.237 Alcxwdm0.cat
08.03.2007 15:02 32.539 Alcxau15.inf
08.03.2007 15:02 33.230 Alcxau16.inf
08.03.2007 15:02 26.696 Alcxau17.inf
08.03.2007 15:02 24.530 Alcxau18.inf
08.03.2007 15:02 28.870 Alcxau19.inf
08.03.2007 15:02 64.121 Alcxau2.inf
08.03.2007 15:02 31.732 Alcxau20.inf
08.03.2007 15:02 29.118 Alcxau21.inf
08.03.2007 15:02 45.692 Alcxau22.inf
08.03.2007 15:02 34.027 Alcxau23.inf
08.03.2007 15:02 64.331 Alcxau0.inf
08.03.2007 15:02 32.537 Alcxau14.inf
08.03.2007 15:02 44.819 Alcxau26.inf
08.03.2007 15:02 35.839 Alcxau27.inf
08.03.2007 15:02 24.596 Alcxau28.inf
08.03.2007 15:02 34.213 Alcxau29.inf
08.03.2007 15:02 31.172 Alcxau3.inf
08.03.2007 15:02 45.816 Alcxau30.inf
08.03.2007 15:02 52.705 Alcxau4.inf
08.03.2007 15:02 30.730 Alcxau5.inf
08.03.2007 15:02 34.217 Alcxau6.inf
08.03.2007 15:02 25.253 Alcxau7.inf
08.03.2007 15:02 33.829 Alcxau8.inf
08.03.2007 15:02 33.717 Alcxau9.inf
08.03.2007 15:02 56.051 Alcxau13.inf
08.03.2007 15:02 61.571 Alcxau12.inf
08.03.2007 15:02 42.509 Alcxau10.inf
08.03.2007 15:02 29.797 Alcxau11.inf
08.03.2007 15:02 34.475 Alcxau25.inf
08.03.2007 15:02 63.623 Alcxau1.inf
08.03.2007 15:02 35.549 Alcxau24.inf
08.03.2007 14:34 4.027.840 alcxwdm.sys


Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: D051-B4FF

Verzeichnis von C:\WINDOWS\Downloaded Program Files

27.12.2006 19:46 2.557.752 ImageUploader4.ocx
27.12.2006 19:45 377 ImageUploader4.inf


Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: D051-B4FF

Verzeichnis von C:\

18.04.2007 22:46 0 sys.txt
18.04.2007 22:46 1.067 down.txt
18.04.2007 22:45 2.805 tmp.txt
18.04.2007 22:44 12.007 system.txt
18.04.2007 22:43 514 systemtemp.txt
18.04.2007 22:39 104.585 system32.txt
18.04.2007 22:21 502.714.368 hiberfil.sys
18.04.2007 22:21 754.974.720 pagefile.sys
This post was edited on 18.04.2007 at 22:48 by spast.
19.04.2007, 07:50
Member
Chris4You

Posts: 694
#4 Hi,

the beasts are pretty lively...

virustotal:
Please check these files, since they are unknown. If they are detected as a virus/trojan, please add the file with its path to the Avenger script (Files to delete) and add the corresponding entries to HijackThis!

Quote

C:\WINDOWS\System32\msstersv.dll
C:\WINDOWS\SYSTEM32\igfxsrvc.dll
http://www.virustotal.com/flash/index_en.html
At the top of the page --> click "Browse" --> choose the file (or paste the file with its correct path directly) --> double-click the file to be checked --> click "Send"... now wait - then select the text with the right mouse button -> copy - paste

If a file is detected, add it to Avenger with its path (Files to delete)...



So:
Avenger
http://virus-protect.org/artikel/tools/avenger.html
Input script manually (tick it)
copy into: View/edit script

Quote


Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|himem.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SoundMnEx32

registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\shfoxpob

Registry values to replace with dummy:


Files to delete:
C:\WINDOWS\system32\shfoxpob.dll
C:\WINDOWS\system32\shfoxpob.exe
C:\WINDOWS\system32\shfoxpob.dll
C:\WINDOWS\system32\secumsje.exe
C:\WINDOWS\system32\shfoxpob.exe.ren
C:\WINDOWS\system32\shfoxpob.dat
C:\WINDOWS\skkkkkkk.exe



Click the green traffic light
the script will now run, then the PC will restart automatically
HijackThis, fix:
open HijackThis -- button "Scan" -- tick the boxes in front of these entries -- button "Fix checked" -- restart the PC

Quote


O4 - HKLM\..\Run: [himem.exe] C:\WINDOWS\skksd32.exe -s
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\skksd32.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: shfoxpob - C:\WINDOWS\system32\shfoxpob.dll


scan with ewido and post the scan report & a new HijackThis log.
http://virus-protect.org/onlinescan.html

Chris
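A small triage helper for the step above, added here as an example (my own code, not from the thread, HijackThis or Avenger): it parses the O4 (Run) and O20 (Winlogon Notify) lines of a HijackThis log, matches the file each entry loads against the indicators named in this post, and emits the matching "Registry values to delete" / "registry keys to delete" / "Files to delete" sections in the same layout as the Avenger script above. The sample log lines and the indicator list are constructed from entries quoted in this thread; the function names and the regular expressions are assumptions of mine, not part of either tool.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: HijackThis lines in the shape of the ones quoted in this
# thread. The three flagged entries are the ones the helper asked to fix.
SAMPLE_HJT_LOG = r"""O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [himem.exe] C:\WINDOWS\skksd32.exe -s
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\skksd32.exe
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: shfoxpob - C:\WINDOWS\system32\shfoxpob.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Indicators: the worm components named in this post (paths as given there).
KNOWN_BAD_FILES = [
    r"C:\WINDOWS\skksd32.exe",
    r"C:\WINDOWS\system32\shfoxpob.dll",
    r"C:\WINDOWS\system32\shfoxpob.exe",
    r"C:\WINDOWS\system32\secumsje.exe",
]

# Line shapes of the two HijackThis sections we care about (assumed from the log above).
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def executable_of(cmd: str) -> str:
    """Return the program path from a Run command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, e.g. "C:\...\avgnt.exe" /min
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|scr|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]   # fallback: first token


def parse_hjt(log: str) -> List[Dict[str, str]]:
    """Extract O4 (Run values) and O20 (Winlogon Notify) entries from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": "O4", "hive": m["hive"], "name": m["name"],
                            "path": executable_of(m["cmd"]), "line": line})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            entries.append({"kind": "O20", "hive": "HKLM", "name": m["name"],
                            "path": m["path"].strip(), "line": line})
    return entries


def triage(log: str, bad_files: Iterable[str]) -> List[str]:
    """Return the log lines whose loaded file is on the indicator list (case-insensitive)."""
    bad = {p.lower() for p in bad_files}
    return [e["line"] for e in parse_hjt(log) if e["path"].lower() in bad]


def avenger_script(log: str, bad_files: Iterable[str]) -> str:
    """Build an Avenger script in the layout used in this thread from the matches."""
    bad_list = list(bad_files)
    bad = {p.lower() for p in bad_list}
    values, keys = [], []
    for e in parse_hjt(log):
        if e["path"].lower() not in bad:
            continue
        if e["kind"] == "O4":
            values.append(f"{e['hive']}\\{RUN_KEY}|{e['name']}")
        else:
            keys.append(f"{NOTIFY_KEY}\\{e['name']}")
    sections = [("Registry values to delete:", values),
                ("registry keys to delete:", keys),
                ("Files to delete:", bad_list)]
    out = []
    for title, items in sections:
        out.append(title)
        out.extend(items)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for line in triage(SAMPLE_HJT_LOG, KNOWN_BAD_FILES):
        print("FIX:", line)
    print(avenger_script(SAMPLE_HJT_LOG, KNOWN_BAD_FILES))
```

The match is on the file a registry entry loads, not on the value name, because the worm here registers the same file under two different names (himem.exe and SoundMnEx32); comparing paths case-insensitively matters since HijackThis mixes system32 and SYSTEM32 in one log.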
19.04.2007, 20:54
...new here

Thread starter

Posts: 3
#5 here is the virustotal:

Complete scanning result of "msstersv.dll", received in VirusTotal at 04.19.2007, 20:26:03 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007 Win32/Stration.worm.Gen
AntiVir 7.3.1.53 04.19.2007 WORM/Stration.Gen
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.19.2007 no virus found
AVG 7.5.0.447 04.18.2007 no virus found
BitDefender 7.2 04.19.2007 Win32.Warezov.XJ@mm
CAT-QuickHeal 9.00 04.19.2007 no virus found
ClamAV devel-20070416 04.19.2007 Worm.Stration.ACJ-2
DrWeb 4.33 04.19.2007 Win32.HLLM.Limar
eSafe 7.0.15.0 04.19.2007 no virus found
eTrust-Vet 30.7.3579 04.19.2007 Win32/Stration!generic
Ewido 4.0 04.19.2007 no virus found
FileAdvisor 1 04.19.2007 no virus found
Fortinet 2.85.0.0 04.19.2007 no virus found
F-Prot 4.3.2.48 04.18.2007 no virus found
F-Secure 6.70.13030.0 04.19.2007 Email-Worm.Win32.Warezov.nd
Ikarus T3.1.1.5 04.19.2007 no virus found
Kaspersky 4.0.2.24 04.19.2007 Email-Worm.Win32.Warezov.nd
McAfee 5012 04.18.2007 no virus found
Microsoft 1.2405 04.19.2007 Trojan:Win32/Stration.F!dll
NOD32v2 2205 04.19.2007 Win32/Stration.YQ
Norman 5.80.02 04.19.2007 no virus found
Panda 9.0.0.4 04.19.2007 W32/Spamta.WA.worm
Prevx1 V2 04.19.2007 no virus found
Sophos 4.16.0 04.17.2007 W32/Strati-Gen
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.19.2007 no virus found
TheHacker 6.1.6.088 04.09.2007 no virus found
VBA32 3.11.3 04.19.2007 suspected of MalwareScope.Worm.Warezov.6 (paranoid heuristics)
VirusBuster 4.3.7:9 04.19.2007 no virus found
Webwasher-Gateway 6.0.1 04.19.2007 Worm.Stration.Gen


Aditional Information
File size: 20480 bytes
MD5: d1bb96ea2bd400ca125fef84b5689bc8
SHA1: 50aa412b675aa1b5cb1f730a822565d27805e81e


Complete scanning result of "igfxsrvc.dll", received in VirusTotal at 04.19.2007, 21:00:40 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.19.1 04.19.2007 no virus found
AntiVir 7.3.1.53 04.19.2007 no virus found
Authentium 4.93.8 04.18.2007 no virus found
Avast 4.7.981.0 04.19.2007 no virus found
AVG 7.5.0.464 04.19.2007 no virus found
BitDefender 7.2 04.19.2007 no virus found
CAT-QuickHeal 9.00 04.19.2007 no virus found
ClamAV devel-20070416 04.19.2007 no virus found
DrWeb 4.33 04.19.2007 no virus found
eSafe 7.0.15.0 04.19.2007 no virus found
eTrust-Vet 30.7.3579 04.19.2007 no virus found
Ewido 4.0 04.19.2007 no virus found
FileAdvisor 1 04.19.2007 No threat detected
Fortinet 2.85.0.0 04.19.2007 no virus found
F-Prot 4.3.2.48 04.18.2007 no virus found
F-Secure 6.70.13030.0 04.19.2007 no virus found
Ikarus T3.1.1.5 04.19.2007 no virus found
Kaspersky 4.0.2.24 04.19.2007 no virus found
McAfee 5013 04.19.2007 no virus found
Microsoft 1.2405 04.19.2007 no virus found
NOD32v2 2205 04.19.2007 no virus found
Norman 5.80.02 04.19.2007 no virus found
Panda 9.0.0.4 04.19.2007 no virus found
Prevx1 V2 04.19.2007 no virus found
Sophos 4.16.0 04.17.2007 no virus found
Sunbelt 2.2.907.0 04.07.2007 no virus found
Symantec 10 04.19.2007 no virus found
TheHacker 6.1.6.095 04.15.2007 no virus found
VBA32 3.11.3 04.19.2007 no virus found
VirusBuster 4.3.7:9 04.19.2007 no virus found
Webwasher-Gateway 6.0.1 04.19.2007 no virus found


Aditional Information
File size: 348160 bytes
MD5: a6d2654ef1d678939385ece70435cfa0
SHA1: 645a4215f6b7b1dca8614ff3298cc80328349ce8
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=a6d2654ef1d678939385ece70435cfa0


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mtcoyjva

*******************

Script file located at: \??\C:\nhebscvo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\shfoxpob.dll deleted successfully.
File C:\WINDOWS\system32\shfoxpob.exe deleted successfully.


File C:\WINDOWS\system32\shfoxpob.dll not found!
Deletion of file C:\WINDOWS\system32\shfoxpob.dll failed!

Could not process line:
C:\WINDOWS\system32\shfoxpob.dll
Status: 0xc0000034

File C:\WINDOWS\system32\secumsje.exe deleted successfully.
File C:\WINDOWS\system32\shfoxpob.exe.ren deleted successfully.
File C:\WINDOWS\system32\shfoxpob.dat deleted successfully.
File C:\WINDOWS\skkkkkkk.exe deleted successfully.
File C:\WINDOWS\System32\msstersv.dll deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|himem.exe deleted successfully.
Registry value HKLM\Software\Microsoft\Windows\CurrentVersion\Run|SoundMnEx32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\shfoxpob deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Mediaplex
Path: C:\Dokumente und Einstellungen\Antje\Cookies\antje@mediaplex[1].txt
Risk: Medium

Name: Worm.Warezov.nd
Path: C:\avenger\backup.zip/avenger/secumsje.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\avenger\backup.zip/avenger/shfoxpob.dll
Risk: High

Name: Worm.Warezov.nd
Path: C:\avenger\backup.zip/avenger/shfoxpob.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\avenger\backup.zip/avenger/shfoxpob.exe.ren
Risk: High

Name: Adware.DriveCleaner
Path: C:\Programme\ICQToolbar\tbu7\tbupdate.cab/version.txt
Risk: Medium

Name: Adware.DriveCleaner
Path: C:\Programme\ICQToolbar\tbu7\version.txt
Risk: Medium

Name: Adware.Websearch
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP548\A0045050.DLL
Risk: Medium

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0045273.exe
Risk: High

Name: Worm.Warezov.ne
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0046271.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0046274.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0046284.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0047285.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0048285.exe
Risk: High

Name: Worm.Warezov.ne
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0048292.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0048301.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0048308.dll
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0048324.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0048330.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0048343.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0048353.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0048369.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0048385.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0049383.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP559\A0049676.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP560\A0049696.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP560\A0049706.dll
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP560\A0049735.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP560\A0049736.dll
Risk: High

Name: Worm.Warezov.nd
Path: C:\System Volume Information\_restore{B69B3DC0-454F-44D8-9713-E0E336CBDF01}\RP560\A0049737.exe
Risk: High

Name: Worm.Warezov.nd
Path: C:\WINDOWS\system32\trafracp.dll
Risk: High


After that there was also a clean option, but I didn't do that because I wasn't sure.
In the first HijackThis step, where I was supposed to fix certain entries, I unfortunately only found two.

O4 - HKLM\..\Run: [himem.exe] C:\WINDOWS\skksd32.exe -s
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\skksd32.exe
O20 - Winlogon Notify: shfoxpob - C:\WINDOWS\system32\shfoxpob.dll

were not in the list.




Logfile of HijackThis v1.99.1
Scan saved at 22:30:35, on 19.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\HHVcdV5Sys\VC5SecS.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\MSI\System Control Manager\MGSysCtrl.exe
C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe
C:\Programme\HHVcdV5Sys\VC5Play.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\CleanUp XP\CleanUp.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Virtual CD v5\System\VC5Tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Media Player\WMPNSCFG.exe
C:\Programme\Skype\Plugin Manager\SkypePM.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Antje\Eigene Dateien\WURMTÖTER\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\tbu7\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\tbu7\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar3.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\tbu7\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MGSysCtrl] C:\Programme\MSI\System Control Manager\MGSysCtrl.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Programme\Home Cinema\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VC5Player] C:\Programme\HHVcdV5Sys\VC5Play.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] "C:\Programme\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Programme\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [amcdiag] C:\WINDOWS\system32\amcconf.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CleanUp XP] C:\Programme\CleanUp XP\CleanUp.exe -h
O4 - HKLM\..\Run: [wincrt.exe] C:\WINDOWS\wincrt.exe s
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSzed029YYNL_ZNxdm414YYDE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/3021d2cb3a93159be406/netzip/RdxIE601_de.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107082269546
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://studivz.net/photouploader/ImageUploader4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {96512D57-F751-4088-A689-5778FCC77F7A} (Photo Uploader Control) - http://www.studivz.net/lib/photouploader/PhotoUploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Programme\HHVcdV5Sys\VC5SecS.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
This post was edited on 19.04.2007 at 22:34 by spast.
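A parser for the VirusTotal text report format posted above, added here as an example (my own code, not VirusTotal's or the forum's): it reads the per-engine result lines, separates signature detections from heuristic "suspected" verdicts and clean results, and pulls out the file name, size and hashes for the record. The sample is an excerpt of the msstersv.dll report above in the same line shape; the function names and regular expressions are assumptions of mine. Two things the summary makes visible: vendors name the same hash differently (Stration, Warezov, Limar and Spamta all refer to the one file above), and a report with no detections, like the one for igfxsrvc.dll, only says that no engine flagged the file on that day.

```python
import re
from typing import Dict

# Excerpt, in the exact line shape of the VirusTotal report posted above
# (a subset of its engine lines; file name, size and hashes as listed there).
SAMPLE_REPORT = """\
Complete scanning result of "msstersv.dll", received in VirusTotal at 04.19.2007, 20:26:03 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.53 04.19.2007 WORM/Stration.Gen
Avast 4.7.981.0 04.19.2007 no virus found
ClamAV devel-20070416 04.19.2007 Worm.Stration.ACJ-2
FileAdvisor 1 04.19.2007 No threat detected
Kaspersky 4.0.2.24 04.19.2007 Email-Worm.Win32.Warezov.nd
VBA32 3.11.3 04.19.2007 suspected of MalwareScope.Worm.Warezov.6 (paranoid heuristics)


Aditional Information
File size: 20480 bytes
MD5: d1bb96ea2bd400ca125fef84b5689bc8
SHA1: 50aa412b675aa1b5cb1f730a822565d27805e81e
"""

# Line shapes assumed from the report above; the engine line is anchored on the
# dd.mm.yyyy update date so the "Antivirus Version Update Result" header is skipped.
FILE_RE = re.compile(r'^Complete scanning result of "(?P<file>[^"]+)"')
ENGINE_RE = re.compile(r"^(?P<vendor>\S+) (?P<version>\S+) (?P<updated>\d{2}\.\d{2}\.\d{4}) (?P<result>.+)$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1): (?P<digest>[0-9a-fA-F]+)$")
SIZE_RE = re.compile(r"^File size: (?P<size>\d+) bytes$")
CLEAN_RESULTS = {"no virus found", "no threat detected"}


def classify(result: str) -> str:
    """Map one engine's free-text result to clean / heuristic / detected."""
    r = result.strip().lower()
    if r in CLEAN_RESULTS:
        return "clean"
    if "suspected" in r or "heuristic" in r:
        return "heuristic"
    return "detected"


def parse_report(text: str) -> Dict:
    """Parse a pasted VirusTotal text report into file metadata plus per-engine verdicts."""
    report = {"file": None, "size": None, "md5": None, "sha1": None, "engines": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            report["file"] = m["file"]
            continue
        m = ENGINE_RE.match(line)
        if m:
            report["engines"].append({"vendor": m["vendor"], "updated": m["updated"],
                                      "result": m["result"].strip(),
                                      "verdict": classify(m["result"])})
            continue
        m = HASH_RE.match(line)
        if m:
            report[m["algo"].lower()] = m["digest"].lower()
            continue
        m = SIZE_RE.match(line)
        if m:
            report["size"] = int(m["size"])
    return report


def summarize(report: Dict) -> Dict:
    """Count verdicts, build the familiar x/y ratio and list the distinct detection names."""
    engines = report["engines"]
    counts = {"total": len(engines), "detected": 0, "heuristic": 0, "clean": 0}
    names = set()
    for e in engines:
        counts[e["verdict"]] += 1
        if e["verdict"] != "clean":
            names.add(e["result"])
    counts["ratio"] = f"{counts['detected']}/{counts['total']}"
    counts["names"] = sorted(names)
    return counts


def overall(summary: Dict) -> str:
    """Collapse the counts into one label; 'undetected' deliberately does not say 'clean'."""
    if summary["detected"]:
        return "detected"
    if summary["heuristic"]:
        return "suspicious"
    return "undetected"


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    summ = summarize(rep)
    print(rep["file"], rep["md5"], summ["ratio"], overall(summ))
    for name in summ["names"]:
        print(" -", name)
```

Keeping the MD5/SHA1 from the report alongside the verdicts is what makes the record useful later: the hash, not the file name, is what identifies the sample when a file like shfoxpob.dll gets deleted and only the Avenger backup remains.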