TR/Vundo.Gen and I can't get rid of it!!!

28.01.2008, 13:22
...new here

Posts: 5
#1 Since yesterday evening I have had the Trojan TR/Vundo.Gen on my PC, and I've seen here in the forum that it is a very persistent Trojan! Can someone help me get rid of it? I tried to follow the moderators' instructions and downloaded "HijackThis", but unfortunately I can't get any further on my own...

Here is my log file, which I created with datfind:

Verzeichnis von C:\WINDOWS\system32

28.01.2008 13:15 2.206 wpa.dbl
28.01.2008 03:09 2.298.824 FNTCACHE.DAT
27.01.2008 21:14 9 130c02fe
25.01.2008 18:09 38.912 vtusspp.dll
10.01.2008 15:27 90.112 QuickTimeVR.qtx
10.01.2008 15:27 57.344 QuickTime.qts
02.01.2008 19:21 17.642.616 MRT.exe

Attachment: datfind.txt
This post was edited on 28.01.2008 at 13:47 by Blackstar1611.
28.01.2008, 15:35
Honorary member
Avatar Pinguin

Posts: 1441
#2 Hello ;)

please run Combofix + post the log here
http://www.virus-protect.org/artikel/tools/combofix.html
__________
Regards
Pinguin

I'm in the middle of updating my site + programs: http://www.virus-protect.org/
28.01.2008, 16:04
...new here

Thread starter

Posts: 5
#3 Here is the log that ComboFix gave me:

ComboFix 08-01-23.1C - User 2008-01-28 3:22:31.2 - FAT32x86
ausgeführt von:: C:\Dokumente und Einstellungen\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\plugin1.dat
C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\wyadd.ini2
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini2
D:\Autorun.inf
N:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\NPF




((((((((((((((((((((((( Dateien erstellt von 2007-12-28 bis 2008-01-28 ))))))))))))))))))))))))))))))
.

2008-01-28 03:13 . 2008-01-28 03:13 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-28 03:13 . 2008-01-28 03:13 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-28 02:42 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-28 02:11 . 2008-01-28 02:11 <DIR> d-------- C:\Programme\Microsoft Works
2008-01-27 21:14 . 2008-01-27 21:14 9 --a------ C:\WINDOWS\system32\130c02fe
2008-01-27 19:26 . 2008-01-27 19:26 333,312 --------- C:\WINDOWS\system32\ddayw.dll
2008-01-25 18:09 . 2008-01-25 18:09 38,912 --------- C:\WINDOWS\system32\vtusspp.dll
2008-01-25 17:34 . 2008-01-25 17:34 <DIR> d--hs---- C:\FOUND.004
2008-01-24 16:04 . 2008-01-24 16:04 <DIR> d-------- C:\Programme\ICQToolbar
2008-01-23 07:24 . 2008-01-23 07:24 675,328 --a------ C:\WINDOWS\isRS-000.tmp
2008-01-22 02:22 . 2008-01-22 02:22 <DIR> d-------- C:\phonedmg
2008-01-22 01:21 . 2008-01-22 01:21 <DIR> d-------- C:\Programme\iTunes
2008-01-22 01:21 . 2008-01-22 01:21 <DIR> d-------- C:\Programme\iPod
2008-01-22 01:19 . 2008-01-22 01:19 <DIR> d-------- C:\Programme\Bonjour
2008-01-20 19:09 . 2008-01-20 19:09 <DIR> d-------- C:\totalcmd
2008-01-20 19:09 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\UC.PIF
2008-01-20 19:09 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\RAR.PIF
2008-01-20 19:09 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKZIP.PIF
2008-01-20 19:09 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\PKUNZIP.PIF
2008-01-20 19:09 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\NOCLOSE.PIF
2008-01-20 19:09 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\LHA.PIF
2008-01-20 19:09 . 2007-09-14 07:02 545 --a------ C:\WINDOWS\ARJ.PIF
2008-01-20 19:09 . 2008-01-20 19:13 526 --a------ C:\WINDOWS\wincmd.ini
2008-01-20 19:03 . 2008-01-20 19:03 <DIR> d-------- C:\Programme\SSH Explorer
2008-01-17 15:52 . 2008-01-17 15:52 <DIR> d-------- C:\Programme\WinSCP
2008-01-10 15:27 . 2008-01-10 15:27 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-01-10 15:27 . 2008-01-10 15:27 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-01-08 17:33 . 2008-01-08 17:33 <DIR> d-------- C:\Programme\Lavasoft

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 01:39 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-01-09 03:30 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-12-05 17:44 --------- d-----w C:\Programme\PornPlay.to
2007-11-07 09:27 729,600 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:27 729,600 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 23:19 3,590,656 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:42 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:42 1,293,312 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2003-12-24 05:27 236,943 ----a-w C:\WINDOWS\Fonts\futura\alltype\FUTURA4.zip
2003-12-24 05:27 236,943 ----a-w C:\WINDOWS\Fonts\Futura Fonts\futura\alltype\FUTURA4.zip
2002-12-17 15:20 696,320 ----a-w C:\Programme\Gemeinsame Dateien\XCMHook.dll
2002-12-17 15:20 24,576 ----a-w C:\Programme\Gemeinsame Dateien\XCPCMenu.exe
2002-07-21 20:37 1,652,294 ----a-w C:\WINDOWS\Fonts\=Atomic Media Fonts=\=atomic media fonts=.zip
2002-03-25 21:32 8,299 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Sugarray.Zip
2002-03-25 21:32 40,704 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Weezer.Zip
2002-03-25 21:32 4,347 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Squealer.Zip
2002-03-25 21:32 39,168 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Shredded.Zip
2002-03-25 21:32 37,400 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Uptown__.Zip
2002-03-25 21:32 33,117 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Thebeatles.Zip
2002-03-25 21:32 29,122 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Vulgardisplay.Zip
2002-03-25 21:32 28,231 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Singoth.Zip
2002-03-25 21:32 26,350 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Viking-N.Zip
2002-03-25 21:32 24,430 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Temple.Zip
2002-03-25 21:32 20,840 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Sickness.Zip
2002-03-25 21:32 15,173 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Soulfly.Zip
2002-03-25 21:32 10,197 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Zeppelin2.Zip
2002-03-25 21:31 7,116 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Pod_Tagsxtreme.Zip
2002-03-25 21:31 6,099 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Rammsteinfont.Zip
2002-03-25 21:31 41,553 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Sepultura_Font.Zip
2002-03-25 21:31 31,438 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Oasisfontpctruetype.Zip
2002-03-25 21:31 29,964 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Plaio___.Zip
2002-03-25 21:31 22,094 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Ozzy_Baratz.Zip
2002-03-25 21:31 21,956 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Polaroid.Zip
2002-03-25 21:31 21,755 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Nonpoint.Zip
2002-03-25 21:31 18,883 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Scorpions.Zip
2002-03-25 21:31 15,929 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Punchlabel.Zip
2002-03-25 21:31 14,569 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Orgywin.Zip
2002-03-25 21:31 13,075 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Pyrite.Zip
2002-03-25 21:30 9,114 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Metallic.Zip
2002-03-25 21:30 83,514 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Metrolox.Zip
2002-03-25 21:30 62,697 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Newcrack.Zip
2002-03-25 21:30 6,436 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Metalor.Zip
2002-03-25 21:30 56,047 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Machinehead.Zip
2002-03-25 21:30 48,305 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Nirvana.Zip
2002-03-25 21:30 40,993 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Metnew.Zip
2002-03-25 21:30 29,161 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Megadeth.Zip
2002-03-25 21:30 27,857 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Mus-Collectivesouldosage.Zip
2002-03-25 21:30 27,703 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Monstermagnet-Klingon.Zip
2002-03-25 21:30 20,578 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Lansbury.Zip
2002-03-25 21:30 17,646 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Limpbizkit2.Zip
2002-03-25 21:30 16,358 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Nirvana2.Zip
2002-03-25 21:30 15,590 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Misfit.Zip
2002-03-25 21:30 15,478 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Linkinpark.Zip
2002-03-25 21:29 9,087 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Fakep___.Zip
2002-03-25 21:29 72,323 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Hollywood10.Zip
2002-03-25 21:29 61,915 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Holewm.Zip
2002-03-25 21:29 56,192 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Issuesfont.Zip
2002-03-25 21:29 37,617 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Kornucopia.Zip
2002-03-25 21:29 35,945 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Highv___.Zip
2002-03-25 21:29 31,586 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Floyd.Zip
2002-03-25 21:29 22,403 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Icedeart_Ttf.Zip
2002-03-25 21:29 21,467 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Guns N' Roses (Live Era).Zip
2002-03-25 21:29 18,676 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Kashmir.Zip
2002-03-25 21:29 16,305 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Kravitz.Zip
2002-03-25 21:29 14,543 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Karloff.Zip
2002-03-25 21:28 9,410 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Edition.Zip
2002-03-25 21:28 9,069 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Danzig.Zip
2002-03-25 21:28 56,536 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Cheaptrick.Zip
2002-03-25 21:28 36,034 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Facerg__.Zip
2002-03-25 21:28 32,518 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Coprgtb.Zip
2002-03-25 21:28 30,074 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Everlast_Whiteyford.Zip
2002-03-25 21:28 28,966 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Creed.Zip
2002-03-25 21:28 26,882 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Everclear_Afterglow.Zip
2002-03-25 21:28 22,518 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Chimaira.Zip
2002-03-25 21:28 22,498 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Euroswh.Zip
2002-03-25 21:28 20,528 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Deftones.Zip
2002-03-25 21:28 15,420 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Dienasty.Zip
2002-03-25 21:28 14,964 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Doors.Zip
2002-03-25 21:28 13,726 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Criminal.Zip
2002-03-25 21:28 10,999 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Europa__.Zip
2002-03-25 21:28 10,662 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Dborgir.Zip
2002-03-25 21:27 58,437 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Adema.Zip
2002-03-25 21:27 5,635 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Barcode.Zip
2002-03-25 21:27 41,553 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Cas_Antn.Zip
2002-03-25 21:27 35,860 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Original Motley Font (Pc).Zip
2002-03-25 21:27 34,582 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Berliner.Zip
2002-03-25 21:27 25,586 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Avalq___.Zip
2002-03-25 21:27 22,294 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Willrobinson.Zip
2002-03-25 21:27 21,758 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Apollyon.Zip
2002-03-25 21:27 21,717 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Baddssb_.Zip
2002-03-25 21:27 21,547 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Bonjovi.Zip
2002-03-25 21:27 20,254 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Band.Zip
2002-03-25 21:27 15,669 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Brooklyn.Zip
2002-03-25 21:26 9,302 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Nin_Downward.Zip
2002-03-25 21:26 37,135 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Oldenglish.Zip
2002-03-25 21:26 13,349 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Chinese Motley Font.Zip
2002-03-25 21:26 120,246 ----a-w C:\WINDOWS\Fonts\= Rock & Roll Fontz =\Linkin_Park.Zip
2004-12-26 04:39 56 --sh--r C:\WINDOWS\system32\3BA2E7ACD6.sys
2005-12-17 04:07 80 --sh--r C:\WINDOWS\system32\3BA2E7ACD6.dll
2005-06-26 23:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-07-14 20:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-22 06:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-28_ 3.15.29.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-28 02:58:02 16,384 ----a-w C:\WINDOWS\Temp\Perflib_Perfdata_15c.dat
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37A582E9-8320-40FC-893D-9E06877852D1}]
2008-01-27 19:26 333312 --------- C:\WINDOWS\system32\ddayw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{415D402F-A6FC-4CA2-927B-2323BAAFB966}]
2008-01-25 18:09 38912 --------- C:\WINDOWS\system32\vtusspp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:57 15360]
"WindowsWelcomeObserver"="C:\Dokumente und Einstellungen\User\Anwendungsdaten\Microsoft Connect Driver.exe" [2007-09-30 00:54 36864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus DX4800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [2005-02-02 06:00 98304]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"EPSON Stylus DX4800 Series (Kopie 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.exe" [2005-02-02 06:00 98304]
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]
"kernel32dll"="guardpc.exe" []
"DIABLO666"="Winupdsys.exe" []
"nternet Explorer"="iexplore.exe" []
"Service Update"="svshost.exe" []
"T-Online_Software_6\WLAN-Access Finder"="C:\Programme\T-Online\WLAN-Access Finder\ToWLaAcF.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-31 02:53 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nternet Explorer"="iexplore.exe" []
"kernel32dll"="guardpc.exe" []

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{415D402F-A6FC-4CA2-927B-2323BAAFB966}"= C:\WINDOWS\system32\vtusspp.dll [2008-01-25 18:09 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Programme\Gemeinsame Dateien\Stardock\mcpstub.dll 2003-08-25 11:25 139264 C:\Programme\Gemeinsame Dateien\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtusspp]
vtusspp.dll 2008-01-25 18:09 38912 C:\WINDOWS\system32\vtusspp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
"msnmsgr"="C:\Programme\MSN Messenger\msnmsgr.exe" /background
"Microsoft Outlook"=C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE Outlook:Inbox /recycle
"Skype"="C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
"E-Mail Alarm"="C:\Programme\WEB.DE\WEB.DE Club E-Mail Alarm\EmailAlarm.exe" HIDE
"WEB.DE Club E-Mail Alarm"="C:\Programme\WEB.DE\WEB.DE Club E-Mail Alarm\EmailAlarm.exe" HIDE
"RK Launcher"=C:\Programme\RK Launcher\RKLauncher.exe
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"LDM"=C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
"LogitechSoftwareUpdate"=C:\Programme\Logitech\Video\ManifestEngine.exe boot
"Alt+Q Hotkey Tool"=C:\WINDOWS\Alt+Q Hotkey.exe
"WinRoll"=C:\Programme\WinRoll\winroll.exe
"Yz Shadow"=C:\Programme\YzShadow\YzShadow.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"
"UberIcon"="C:\Programme\UberIcon\UberIcon Manager.exe"
"TuneUp MemOptimizer"="C:\Programme\TuneUp Utilities 2006\MemOptimizer.exe" autostart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" -atboottime
"nternet Explorer"=iexplore.exe
"SoundMan"=SOUNDMAN.EXE
"RemoteControl"=C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
"PinnacleDriverCheck"=C:\WINDOWS\system32\PSDrvCheck.exe
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
"WEB.DE Sync - WebDeSync"=C:\Programme\Gemeinsame Dateien\XCPCSync\Translators\WebDeSync\WebDeSyncTray.exe
"CallStation"=C:\Programme\CallStation\CStation.exe
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"LogitechVideoTray"=C:\Programme\Logitech\Video\LogiTray.exe
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe"
"LogitechVideoRepair"=C:\Programme\Logitech\Video\ISStart.exe
"SsAAD.exe"=C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
"Google Desktop Search"="C:\Programme\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"Flashget"=C:\Programme\FlashGet\flashget.exe /min
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"SBCSTray"=C:\Programme\Sunbelt Software\CounterSpy\SBCSTray.exe
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
"BootSkin Startup Jobs"="C:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BootSkin.exe" /StartupJobs
"TXP"=c:\programme\topthemesxp\txp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Auto Update"=AUP.exe
"kernel32dll"=guardpc.exe
"nternet Explorer"=iexplore.exe

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2007-09-11 20:18]
R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys [2007-10-31 03:33]
R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-10-30 01:56]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2007-09-11 20:18]
R2 MZCCntrl;T-Online WLAN Adapter Steuerungsdienst;C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe [2005-04-23 19:05]
R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-11-28 14:22]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-08-04 08:58]
R3 3xHybrid;Pinnacle PCTV Stereo service;C:\WINDOWS\system32\DRIVERS\3xHybrid.sys [2003-12-05 12:56]
R3 SBAPIFS;SBAPIFS;C:\WINDOWS\system32\drivers\sbapifs.sys []
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S2 TryAndDecideService;Acronis Try And Decide Service;"C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe" []
S3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
S3 ComFiltr;Panda Anti-Dialer;C:\WINDOWS\system32\DRIVERS\COMFiltr.sys []
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-03-04 18:08]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-03-04 18:11]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-03-04 18:11]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-03-04 18:13]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-03-04 18:15]
S3 MACNDIS5;MACNDIS5 NDIS Protocol Driver;C:\PROGRA~1\GEMEIN~1\MARMIK~1\MACNDIS5.SYS [2004-03-01 17:03]
S3 Ntmsrdawn;Ntmsrdawn;C:\WINDOWS\system32\smss.exe [2004-08-04 08:58]
S3 Smndsdatc;Smndsdatc;C:\WINDOWS\system32\drivers\rndismp.sys [2004-08-04 07:04]
S3 WinDSLa;WinDSL-Adapter (PPP-over-Ethernet);C:\WINDOWS\system32\DRIVERS\WinDSL.sys []
S3 ZD1211U(ACER);ACER WLAN 11g USB Adapter(ACER);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-07-05 22:38]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;C:\WINDOWS\system32\ZDBRGSYS.SYS [2004-06-30 13:54]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\N]
\Shell\AutoRun\command - N:\setupSNK.exe

*Newly Created Service* - SBAPIFS
.
Inhalt des "geplante Tasks" Ordners
"2008-01-25 14:00:02 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Programme\Norton Security Scan\Nss.exe
"2008-01-25 16:15:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-25 13:51:02 C:\WINDOWS\Tasks\20070815_145100_User.job"
- C:\Programme\Nero\Nero 7\Nero BackItUp\BackItUp.exe8/TASKTYPE:NBSERVICE /JOBFILE:
"2008-01-21 15:06:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programme\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 03:59:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-01-28 4:05:15 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-01-28 03:05:00
.
2008-01-10 02:34:34 --- E O F ---
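Added example, not part of the original thread and not ComboFix or forum code: a small Python script that applies two of the checks a helper does by hand when reading the "Autostart Punkte der Registrierung" section of a ComboFix log like the one above. It flags Run/RunOnce/RunServices values whose target is a bare file name (no directory) or has an empty timestamp/size bracket, and it correlates DLL names across the Browser Helper Object, ShellExecuteHooks and Winlogon\Notify sections, since a DLL loaded from all three at once is the layout the Vundo family uses to reload itself. The sample log is a constructed excerpt of entries from the log above; the function names (`triage`, `classify`), the regular expressions and the class names are my own. It assumes, as the log format suggests, that the bracketed value after a Run entry is the timestamp and size ComboFix recorded for the target file, so an empty bracket means it found no file at that path.

```python
"""Triage the autostart section of a ComboFix-style log (added example).

Two checks a helper applies by hand when reading such a log:
  1. Run/RunOnce/RunServices values whose target is a bare file name
     (no directory, so it is resolved through the PATH at logon) or has
     no timestamp/size recorded in the trailing brackets ("[]").
  2. DLLs referenced from more than one persistence class at once
     (Browser Helper Object, ShellExecuteHooks, Winlogon\\Notify), the
     layout the Vundo family uses to reload itself.
"""
import re
from collections import defaultdict

# Constructed excerpt, modelled on the entries in the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37A582E9-8320-40FC-893D-9E06877852D1}]
2008-01-27 19:26 333312 --------- C:\WINDOWS\system32\ddayw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{415D402F-A6FC-4CA2-927B-2323BAAFB966}]
2008-01-25 18:09 38912 --------- C:\WINDOWS\system32\vtusspp.dll

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:57 15360]
"kernel32dll"="guardpc.exe" []
"DIABLO666"="Winupdsys.exe" []
"Service Update"="svshost.exe" []
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-31 02:53 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{415D402F-A6FC-4CA2-927B-2323BAAFB966}"= C:\WINDOWS\system32\vtusspp.dll [2008-01-25 18:09 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtusspp]
vtusspp.dll 2008-01-25 18:09 38912 C:\WINDOWS\system32\vtusspp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 23:34 24576 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
"""

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "name"="target" [timestamp size]   or   "name"= target [timestamp size]
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]*)"\s*=\s*"?(?P<target>.*?)"?\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
# Base name of any .dll/.exe/.sys token on a line (path separators excluded)
FILE_RE = re.compile(r'([^\\\s"=]+\.(?:dll|exe|sys))\b', re.IGNORECASE)
HOOK_CLASSES = ('BHO', 'ShellExecuteHooks', 'WinlogonNotify')


def classify(section):
    """Map a registry key path from the log to a persistence class (my own rule)."""
    s = section.lower()
    if 'browser helper objects' in s:
        return 'BHO'
    if 'shellexecutehooks' in s:
        return 'ShellExecuteHooks'
    if '\\winlogon\\notify\\' in s:
        return 'WinlogonNotify'
    if re.search(r'\\(run|runonce|runservices)-?$', s):
        return 'Run'
    return 'Other'


def triage(log_text):
    """Return the findings for one log as a dict of plain values."""
    suspicious = []
    dll_classes = defaultdict(set)
    section, section_class = '', 'Other'
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            section_class = classify(section)
            continue
        if section_class in HOOK_CLASSES:
            # Record which persistence classes reference each DLL name
            for f in {f.lower() for f in FILE_RE.findall(line)}:
                if f.endswith('.dll'):
                    dll_classes[f].add(section_class)
        elif section_class == 'Run':
            v = VALUE_RE.match(line)
            if not v:
                continue
            target = v.group('target').strip()
            reasons = []
            if '\\' not in target:
                reasons.append('bare file name, resolved via PATH at logon')
            if v.group('meta') is not None and not v.group('meta').strip():
                reasons.append('no timestamp/size recorded for the target')
            if reasons:
                suspicious.append({'section': section, 'value': v.group('name'),
                                   'target': target, 'reasons': reasons})
    return {
        'suspicious_run_values': suspicious,
        'hooked_dlls': {d: sorted(c) for d, c in dll_classes.items()},
        'multi_hook_dlls': {d: sorted(c) for d, c in dll_classes.items() if len(c) > 1},
    }


if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    for dll, classes in report['multi_hook_dlls'].items():
        print(f'{dll}: hooked via {", ".join(classes)}')
    for f in report['suspicious_run_values']:
        print(f'{f["value"]!r} -> {f["target"]}: {"; ".join(f["reasons"])}')
```

On the excerpt it reports vtusspp.dll as hooked via BHO, ShellExecuteHooks and Winlogon\Notify, which is exactly the set of keys the cfscript in the next post removes, and lists the three bare-name Run values under HKEY_USERS\.DEFAULT. The `run-` sections ComboFix writes for disabled entries carry no bracket, so the empty-bracket check deliberately does not fire on them; only a bare file name is flagged there.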
28.01.2008, 16:16
Honorary member
Avatar Pinguin

Posts: 1441
#4 Blackstar1611

Copy the following text into Notepad (Start - Accessories - Notepad) and save it to the Desktop as cfscript.txt using 'Save as'. Select "All Files" - Save

You should now find this file cfscript.txt on the Desktop.
Drag cfscript.txt with the right mouse button onto the Combofix icon
then: run Combofix once more - type 1 - post the new report here

Quote

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37A582E9-8320-40FC-893D-9E06877852D1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{415D402F-A6FC-4CA2-927B-2323BAAFB966}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"kernel32dll"=-
"DIABLO666"=-
"nternet Explorer"=-
"Service Update"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nternet Explorer"=-
"kernel32dll"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{415D402F-A6FC-4CA2-927B-2323BAAFB966}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtusspp]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nternet Explorer"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nternet Explorer"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"Auto Update"=-
"kernel32dll"=-
"nternet Explorer"=-

File::
C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\vtusspp.dll

Folder::
C:\FOUND.004
------------

run smitfraud - post both reports here
http://www.virus-protect.org/artikel/tools/smitfrautfix.html

----------

run rvaxo - post the report
http://www.virus-protect.org/artikel/tools/rvaxo.html

---------

run Hijackthis + post the report
http://www.virus-protect.org/hjtkurz.html

----------

scan with sdfix in Safe Mode - post the report
http://www.virus-protect.org/artikel/tools/sdfix.html
__________
Regards
Pinguin

I'm in the middle of updating my site + programs: http://www.virus-protect.org/
28.01.2008, 17:27
...new here

Thread starter

Posts: 5
#5 First of all, here is the cfscript.txt that ComboFix gave me:

Attachment: log.txt
28.01.2008, 18:21
Honorary member
Avatar Pinguin

Posts: 1441
#6 now work through all the rest ;)
__________
Regards
Pinguin

I'm in the middle of updating my site + programs: http://www.virus-protect.org/
28.01.2008, 18:37
...new here

Thread starter

Posts: 5
#7 So here now is SmitFraud report 1:

SmitFraudFix v2.276

Scan done at 17:31:52,21, 28.01.2008
Run from C:\Dokumente und Einstellungen\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\Programme\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Stardock\SDMCP.exe
C:\Programme\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Mozilla Firefox 2.0 Web.de\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\User


»»»»»»»»»»»»»»»»»»»»»»»» C:\Dokumente und Einstellungen\User\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOKUME~1\USER\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programme


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Die derzeitige Homepage"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"Startup"="MCPSystemStartup"


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Paketplaner-Miniport
DNS Server Search Order: 80.69.98.110
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{74EE2EE4-2608-49F5-BEB6-CCA1E544C069}: NameServer=192.168.2.1,62.26.26.62
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A83BB404-0211-4E85-B42C-D9CAB7A11D17}: NameServer=80.69.98.110,192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{74EE2EE4-2608-49F5-BEB6-CCA1E544C069}: NameServer=192.168.2.1,62.26.26.62
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A83BB404-0211-4E85-B42C-D9CAB7A11D17}: NameServer=80.69.98.110,192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{74EE2EE4-2608-49F5-BEB6-CCA1E544C069}: NameServer=192.168.2.1,62.26.26.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A83BB404-0211-4E85-B42C-D9CAB7A11D17}: NameServer=80.69.98.110,192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{74EE2EE4-2608-49F5-BEB6-CCA1E544C069}: NameServer=192.168.2.1,62.26.26.62
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A83BB404-0211-4E85-B42C-D9CAB7A11D17}: NameServer=80.69.98.110,192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Here is the second one:

SmitFraudFix v2.276

Scan done at 17:36:36,32, 28.01.2008
Run from C:\Dokumente und Einstellungen\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Paketplaner-Miniport
DNS Server Search Order: 80.69.98.110
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{74EE2EE4-2608-49F5-BEB6-CCA1E544C069}: NameServer=192.168.2.1,62.26.26.62
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A83BB404-0211-4E85-B42C-D9CAB7A11D17}: NameServer=80.69.98.110,192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{74EE2EE4-2608-49F5-BEB6-CCA1E544C069}: NameServer=192.168.2.1,62.26.26.62
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A83BB404-0211-4E85-B42C-D9CAB7A11D17}: NameServer=80.69.98.110,192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{74EE2EE4-2608-49F5-BEB6-CCA1E544C069}: NameServer=192.168.2.1,62.26.26.62
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A83BB404-0211-4E85-B42C-D9CAB7A11D17}: NameServer=80.69.98.110,192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{74EE2EE4-2608-49F5-BEB6-CCA1E544C069}: NameServer=192.168.2.1,62.26.26.62
HKLM\SYSTEM\CS3\Services\Tcpip\..\{A83BB404-0211-4E85-B42C-D9CAB7A11D17}: NameServer=80.69.98.110,192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
"Startup"="MCPSystemStartup"


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

The HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:53:33, on 28.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\Programme\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\Stardock\SDMCP.exe
C:\Programme\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Mozilla Firefox 2.0 Web.de\firefox.exe
C:\Dokumente und Einstellungen\User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5002
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Multi_Media_Germany toolbar - {dac6ed64-8dd1-4ab8-aedf-b97892d28ffe} - C:\Programme\Multi_Media_Germany\tbMul0.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Web-Recherche-Browser Helper Object - {255215E2-87DC-4819-8724-D0B4C94DBEF5} - C:\Programme\Web-Recherche\WRShell.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programme\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - G:\BitComet\tools\BitCometBHO_1.1.9.24.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Multi_Media_Germany toolbar - {dac6ed64-8dd1-4ab8-aedf-b97892d28ffe} - C:\Programme\Multi_Media_Germany\tbMul0.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: EZSaveFlash - {F9E5F47A-45FD-450C-91DF-81C72E1FADB0} - C:\Programme\EZSaveFlash\EZSaveFlash.dll
O3 - Toolbar: MSN Suche Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Toolbar Suite\TB\02.05.0000.1082\de-de\msntb.dll
O3 - Toolbar: Radio DE Toolbar - {52cdd23e-6c91-4669-b63e-1b4f1f8fd79f} - C:\Programme\Radio_DE\tbRadi.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Multi_Media_Germany toolbar - {dac6ed64-8dd1-4ab8-aedf-b97892d28ffe} - C:\Programme\Multi_Media_Germany\tbMul0.dll
O3 - Toolbar: Web-Recherche-Symbolleiste - {8F0F47B1-7D4B-4834-A981-91E2A3DCE069} - C:\Programme\Web-Recherche\WRShell.dll
O3 - Toolbar: Web-Recherche-Bearbeitungsleiste - {5338DF6C-3B3B-4E38-8B31-7B99986627B2} - C:\Programme\Web-Recherche\WRShell.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P26 "EPSON Stylus DX4800 Series" /O6 "USB002" /M "Stylus DX4800"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus DX4800 Series (Kopie 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE /P36 "EPSON Stylus DX4800 Series (Kopie 1)" /O6 "USB002" /M "Stylus DX4800"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsWelcomeObserver] C:\Dokumente und Einstellungen\User\Anwendungsdaten\Microsoft Connect Driver.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Alles mit FlashGet laden - C:\Programme\FlashGet\jc_all.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://G:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://G:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://G:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Mit FlashGet laden - C:\Programme\FlashGet\jc_link.htm
O8 - Extra context menu item: &MSN Suche - res://C:\Programme\MSN Toolbar Suite\TB\02.05.0000.1082\de-de\msntb.dll/search.htm
O8 - Extra context menu item: In neuer Registerkarte im Hintergrund öffnen - res://C:\Programme\MSN Toolbar Suite\TAB\02.05.0001.1119\de-de\msntabres.dll/229?d6793fba2b3d4d38b319c13219d51996
O8 - Extra context menu item: In neuer Registerkarte im Vordergrund öffnen - res://C:\Programme\MSN Toolbar Suite\TAB\02.05.0001.1119\de-de\msntabres.dll/230?d6793fba2b3d4d38b319c13219d51996
O8 - Extra context menu item: Web-Recherche: Bild speichern - res://C:\PROGRA~1\WEB-RE~1\wrshell.dll/#101
O8 - Extra context menu item: Web-Recherche: Bild speichern unter... - res://C:\PROGRA~1\WEB-RE~1\wrshell.dll/#108
O8 - Extra context menu item: Web-Recherche: Link-Adresse speichern unter... - res://C:\PROGRA~1\WEB-RE~1\wrshell.dll/#110
O8 - Extra context menu item: Web-Recherche: Markierte Ziele speichern unter... - res://C:\PROGRA~1\WEB-RE~1\wrshell.dll/#111
O8 - Extra context menu item: Web-Recherche: Markierung speichern - res://C:\PROGRA~1\WEB-RE~1\wrshell.dll/#104
O8 - Extra context menu item: Web-Recherche: Markierung speichern unter... - res://C:\PROGRA~1\WEB-RE~1\wrshell.dll/#109
O8 - Extra context menu item: Web-Recherche: Seitenbereich (Frame) speichern - res://C:\PROGRA~1\WEB-RE~1\wrshell.dll/#102
O8 - Extra context menu item: Web-Recherche: Seitenbereich (Frame) speichern unter... - res://C:\PROGRA~1\WEB-RE~1\wrshell.dll/#106
O8 - Extra context menu item: Web-Recherche: Ziel speichern - res://C:\PROGRA~1\WEB-RE~1\wrshell.dll/#103
O8 - Extra context menu item: Web-Recherche: Ziel speichern unter... - res://C:\PROGRA~1\WEB-RE~1\wrshell.dll/#107
O9 - Extra button: iOpus iMacros - {0483894E-2422-45E0-8384-021AFF1AF3CD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - G:\BitComet\tools\BitCometBHO_1.1.9.24.dll
O9 - Extra button: Flash - {5699BDDB-A771-4E54-ACBB-BE86921D7892} - C:\Programme\EZSaveFlash\EZSaveFlash.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Programme\FlashCapture\fciext.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: Movies Extractor Scout LITE - {DE0CA882-BD17-4D89-9FDD-30A68DBEBDCB} - C:\Programme\Movies Extractor Scout LITE\flashextract.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - G:\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - G:\ICQ6\ICQ.exe
O9 - Extra button: XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Programme\IPPS\XM2002®\XM2002.exe (file missing)
O9 - Extra 'Tools' menuitem: &XM2002® - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Programme\IPPS\XM2002®\XM2002.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Programme\PartyGaming.Net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay104.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {59136DB4-6CA3-4B40-8F2F-BBF84B6F1E91} (Attachment Upload Control) - https://stream.web.de/mail/activex/mail_upload_11213.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BB87C3EA-AFC2-401F-84E8-0C166F2B0DA3} (OggPlayer Class) - http://www.one2one.com/static/class/WMOggPlayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74EE2EE4-2608-49F5-BEB6-CCA1E544C069}: NameServer = 192.168.2.1,62.26.26.62
O17 - HKLM\System\CCS\Services\Tcpip\..\{A83BB404-0211-4E85-B42C-D9CAB7A11D17}: NameServer = 80.69.98.110,192.168.0.1
O18 - Protocol: cs - {3CBB59DA-1F82-4F10-A0E0-92C3FBD70889} - C:\Programme\Web-Recherche\WRProtocol.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wr - {3CBB59DA-1F82-4F10-A0E0-92C3FBD70889} - C:\Programme\Web-Recherche\WRProtocol.dll
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programme\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programme\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programme\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programme\Design Science\MathPlayer\MathMLMimer.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - T-Online International AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Programme\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programme\Gemeinsame Dateien\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Acronis\Fomatik\TrueImageTryStartService.exe (file missing)

--
End of file - 16049 bytes
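The HijackThis log above is raw data rather than explanation, so here is an added example (not part of the thread, and not a feature of HijackThis, ComboFix or SDFix) of a small Python triage script that applies the heuristics a responder applies by eye to lines like these: a browser proxy pointing at a local port (the R1 line), a Run entry whose target lives in the user profile (the HKCU WindowsWelcomeObserver line), O17 name servers outside private ranges, a populated AppInit_DLLs value, and "(file missing)" orphans. The sample lines are copied from the posted log; the severities and reasons are the script's own assumptions, and a hit means "verify this", not "this is malware".

```python
"""Triage helper for HijackThis v2.0.x log lines.

Added example; not part of the original thread and not a HijackThis or
ComboFix feature. Each heuristic marks an entry as worth a look; it does
not classify the entry as malicious.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:5002
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WindowsWelcomeObserver] C:\Dokumente und Einstellungen\User\Anwendungsdaten\Microsoft Connect Driver.exe
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Programme\FlashCapture\fciext.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{74EE2EE4-2608-49F5-BEB6-CCA1E544C069}: NameServer = 192.168.2.1,62.26.26.62
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Programme\WinPcap\rpcapd.exe
"""


@dataclass
class Finding:
    line: str
    severity: str  # "high" = check first, "review" = verify or clean up
    reason: str


# HijackThis entries start with a section code such as R1, O4, O17, O23.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

# Autostart targets under these (German and English XP) profile paths are
# user-writable, which is where droppers usually place their second stage.
USER_PROFILE_DIRS = (
    "\\dokumente und einstellungen\\",
    "\\documents and settings\\",
    "\\anwendungsdaten\\",
    "\\application data\\",
    "\\appdata\\",
    "\\temp\\",
)


def _is_private_or_loopback(addr: str) -> bool:
    """True for RFC 1918 / loopback addresses, False for public or unparsable ones."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def triage_line(line: str) -> list[Finding]:
    """Apply the heuristics to one log line and return zero or more findings."""
    findings: list[Finding] = []
    m = ENTRY_RE.match(line.strip())
    if not m:
        return findings
    section, body = m.group(1), m.group(2)
    lowered = body.lower()

    # R1 ProxyServer pointing at the local machine: something on this box
    # is sitting between the browser and the network.
    if section == "R1" and "proxyserver" in lowered and \
            re.search(r"(localhost|127\.0\.0\.1):\d+", lowered):
        findings.append(Finding(line, "high",
            "browser traffic goes through a local proxy port; identify the listening process (netstat -ano)"))

    # O4 Run entry launching from a user-writable profile directory.
    if section == "O4" and any(d in lowered for d in USER_PROFILE_DIRS):
        findings.append(Finding(line, "high",
            "autostart entry runs an executable from a user-writable profile directory"))

    # O17 per-interface DNS servers that are not private addresses.
    if section == "O17" and "NameServer = " in body:
        servers = body.split("NameServer = ", 1)[1]
        public = [s.strip() for s in servers.split(",")
                  if s.strip() and not _is_private_or_loopback(s.strip())]
        if public:
            findings.append(Finding(line, "review",
                f"non-private DNS server(s) {', '.join(public)}: confirm they belong to your ISP"))

    # O20 AppInit_DLLs: the DLL is loaded into every process that loads user32.dll.
    if section == "O20" and "appinit_dlls" in lowered and body.split(":", 1)[1].strip():
        findings.append(Finding(line, "review",
            "AppInit_DLLs is set; the DLL is injected into every GUI process, verify the publisher"))

    # Orphaned entries: the registered target no longer exists on disk.
    if "(file missing)" in lowered:
        findings.append(Finding(line, "review",
            "orphaned entry; target file is gone, safe to remove but not itself an infection"))

    return findings


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over a whole log and return the findings in log order."""
    out: list[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.line[:72]}\n         {f.reason}")
```

Run over the full posted log it would also flag every "(file missing)" O9 and O23 entry, which is the leftover-cleanup half of this log; the two "high" hits are the ones to check first, by finding which process is bound to port 5002 and what the executable in Anwendungsdaten actually is, before deciding whether any of it is the reported Vundo infection.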
28.01.2008, 23:31
Honorary member

Posts: 1441
#8 Hello,

that already looks much better ;)

««
scan with SDFix in Safe Mode - post the report
http://www.virus-protect.org/artikel/tools/sdfix.html

««
then run SDFix again (double-click RunThis.bat) in normal mode - type 3 - Sophos gets loaded, scan with option 6 + post the report here
__________
Regards
Pinguin

I'm in the process of updating my site + tools: http://www.virus-protect.org/