MalwareCrush + Spyware Detection Alert

#1 Hi ! Habe auch das besagte Problem, wenn man den Rechner hochfährt erscheint unten rechts in der Ecke ein "fake" Symbol welches ich öffnen oder schliessen kann. Wenn ich open klicke kommt ein Fenster mit Security warning und Spyware detection Alert ! Hab schon adaware, spybot etc. laufen lassen, geht dann temporär weg und nachm booten ist der driss wieder da...Bitte dringend um Hilfe !!!

Hier mein HJthis logfile :

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:43:37, on 28.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\cFosSpeed\spd.exe
O:\Nero\Nero 8\InCD\InCDsrv.exe
C:\Programme\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
O:\Nero\Nero 8\Nero BackItUp\NBService.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\LVComSX.exe
C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Programme\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE
O:\Nero\Nero 8\InCD\NBHGui.exe
O:\Nero\Nero 8\InCD\InCD.exe
C:\Programme\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Programme\Olympus\DeviceDetector\DevDtct2.exe
C:\Programme\MSN Messenger\usnsvc.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\Setup-virus_utilities_1.0.61.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\HiJackThis_v2.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7886E23A-F87D-4425-9123-7B9668612A06} - C:\WINDOWS\system32\awtqr.dll
O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\tuvtrrs.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "O:\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Programme\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [EPSON Stylus DX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIE.EXE /FU "C:\WINDOWS\TEMP\E_SE9.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] O:\Nero\Nero 8\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] O:\Nero\Nero 8\InCD\InCD.exe
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvnop.dll,startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programme\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Programme\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download All Files by HiDownload - C:\Programme\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Programme\HiDownload\HDGet.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.ak.studivz.net/photouploader/ImageUploader4.cab?nocache=20071128-1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00339863-FAEB-4B2B-A9F1-B1FCB38B98FD}: NameServer = 195.94.90.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{00339863-FAEB-4B2B-A9F1-B1FCB38B98FD}: NameServer = 195.94.90.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{00339863-FAEB-4B2B-A9F1-B1FCB38B98FD}: NameServer = 195.94.90.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{00339863-FAEB-4B2B-A9F1-B1FCB38B98FD}: NameServer = 195.94.90.10
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll
O20 - Winlogon Notify: tuvtrrs - C:\WINDOWS\SYSTEM32\tuvtrrs.dll
O20 - Winlogon Notify: winrnt32 - C:\WINDOWS\SYSTEM32\winrnt32.dll
O20 - Winlogon Notify: wvuuvuv - wvuuvuv.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Programme\cFosSpeed\spd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - O:\Nero\Nero 8\InCD\InCDsrv.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - O:\Nero\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Windows Media Player-Netzwerkfreigabedienst (WMPNetworkSvc) - Unknown owner - C:\Programme\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 10019 bytes

Vielen Dank schon mal im Vorraus !!!

#2 Hallo

wende Combofix an + poste hier das log, was erscheint
http://virus-protect.org/artikel/tools/combofix.html
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#3 ComboFix 08-01-28.2 - Administrator 2008-01-28 18:46:39.1 - NTFSx86
Se ejecuta desde: C:\Dokumente und Einstellungen\Administrator\Desktop\ComboFix.exe

[color=red]ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION! [/color]
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\tuvtrrs.dll
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\printer.exe
C:\Programme\outerinfo
C:\Programme\outerinfo\OinFP.exe
C:\Programme\outerinfo\OiUninstaller.exe
C:\Programme\spoolsv.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\drvnopr.dll
C:\WINDOWS\system32\drvpicr.dll
C:\WINDOWS\system32\gezzcsm.dat
C:\WINDOWS\system32\gezzcsm_nav.dat
C:\WINDOWS\system32\gezzcsm_navps.dat
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\tuvtrrs.dll
C:\WINDOWS\system32\vtsqq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\nm


((((((((((((((((((((((( Dateien erstellt von 2007-12-28 bis 2008-01-28 ))))))))))))))))))))))))))))))
.

2008-01-28 17:45 . 2007-11-06 13:22 195,064 --a------ C:\WINDOWS\system32\ikmapi.dll
2008-01-28 17:45 . 2007-11-06 13:22 113,144 --a------ C:\WINDOWS\system32\ikproc.dll
2008-01-28 17:34 . 2008-01-28 17:34 <DIR> d-------- C:\Programme\Ikarus
2008-01-26 16:36 . 2008-01-26 16:36 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-26 16:36 . 2008-01-26 16:36 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-01-26 16:33 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-01-26 16:33 . 2007-02-27 14:31 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-01-26 16:32 . 2008-01-26 16:32 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Motorola Shared
2008-01-26 16:28 . 2008-01-26 16:30 25,842,736 --a------ C:\wmp11-windowsxp-x86-DE-DE.exe
2008-01-26 16:13 . 2008-01-26 16:15 2,898 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-22 16:22 . 2008-01-22 16:22 39,424 --a------ C:\WINDOWS\system32\yayayvt.dll
2008-01-22 08:35 . 2008-01-22 08:35 39,424 --a------ C:\WINDOWS\system32\mljkjkl.dll
2008-01-21 23:45 . 2008-01-21 23:45 269,334 --a------ C:\WINDOWS\system32\ihkbahgfedsj.bmp
2008-01-21 18:53 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-01-21 18:53 . 2006-09-28 16:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-01-21 18:53 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2008-01-21 18:53 . 2006-07-28 09:30 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2008-01-21 18:53 . 2007-03-05 12:42 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2008-01-21 18:50 . 2008-01-21 18:50 <DIR> d-------- C:\Programme\OpenAL
2008-01-21 18:50 . 2007-09-12 18:29 782,336 -ra------ C:\WINDOWS\system32\tmp128.tmp
2008-01-21 18:50 . 2007-09-12 18:29 782,336 -ra------ C:\WINDOWS\system32\tmp127.tmp
2008-01-21 18:50 . 2008-01-21 18:50 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-01-21 18:46 . 2008-01-21 18:46 269,334 --a------ C:\WINDOWS\system32\hkrmhoj.bmp
2008-01-21 18:44 . 2008-01-21 18:44 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-01-21 18:44 . 2008-01-21 18:45 <DIR> d-------- C:\Programme\AGEIA Technologies
2008-01-21 18:33 . 2008-01-21 18:33 23,552 --a------ C:\WINDOWS\system32\winrnt32.dll
2008-01-20 19:53 . 2008-01-20 19:53 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\EPSON

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 18:15 --------- d-----w C:\Programme\cFosSpeed
2008-01-28 16:28 --------- d-----w C:\Programme\ICQToolbar
2008-01-26 15:36 --------- d-----w C:\Programme\Motorola Phone Tools
2008-01-26 15:30 --------- d-----w C:\Programme\Avanquest update
2008-01-22 18:38 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ICQ Toolbar
2008-01-21 17:41 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-01-19 16:51 --------- d-----w C:\Programme\Nokia
2008-01-19 16:51 --------- d-----w C:\Programme\Gemeinsame Dateien\Nokia
2008-01-15 19:53 --------- d-----w C:\Programme\ICQ6
2007-12-24 22:29 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Azureus
2007-12-24 13:14 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\LimeWire
2007-12-24 00:24 --------- d-----w C:\Programme\Gemeinsame Dateien\Nero
2007-12-24 00:21 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nero
2007-12-23 22:30 --------- d-----w C:\Programme\Azureus
2007-12-22 11:15 --------- d-----w C:\Programme\LimeWire
2007-12-18 20:09 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-12-18 20:07 --------- d-----w C:\Programme\Samsung
2006-12-07 23:08 110,934 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_12_06_02_05_50_small.dmp.zip
2006-11-23 22:53 24,192 -c--a-w C:\Dokumente und Einstellungen\Administrator\usbsermptxp.sys
2006-11-23 22:53 22,768 -c--a-w C:\Dokumente und Einstellungen\Administrator\usbsermpt.sys
2006-11-06 13:07 92,064 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmmdm.sys
2006-11-06 13:07 9,232 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmmdfl.sys
2006-11-06 13:07 79,328 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmserd.sys
2006-11-06 13:07 66,656 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmbus.sys
2006-11-06 13:07 6,208 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmcmnt.sys
2006-11-06 13:07 5,936 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmwhnt.sys
2006-11-06 13:07 4,048 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmcr.sys
2006-09-06 02:45 455 -c--a-w C:\Programme\INSTALL.LOG
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7886E23A-F87D-4425-9123-7B9668612A06}]
C:\WINDOWS\system32\awtqr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-11-11 13:00 15360]
"IncrediMail"="C:\Programme\IncrediMail\bin\IncMail.exe" [2006-10-25 13:21 204843]
"msnmsgr"="C:\Programme\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
"Outerinfo"="C:\Programme\Outerinfo\Outerinfo.exe" [2007-12-21 17:29 602112]
"OuterinfoUpdate"="C:\Programme\Outerinfo\OuterinfoUpdate.exe" [2007-12-21 17:27 87552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"LVCOMSX"="C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\LVComSX.exe" [2006-11-15 22:01 244512]
"D-Link AirPlus Xtreme G"="C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 16:00 2502656]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"NBKeyScan"="O:\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"cFosSpeed"="C:\Programme\cFosSpeed\cFosSpeed.exe" [2007-08-22 15:12 854992]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="O:\Nero\Nero 8\InCD\NBHGui.exe" [2007-08-04 10:30 2043688]
"InCD"="O:\Nero\Nero 8\InCD\InCD.exe" [2007-08-04 10:29 1056552]
"MSDrive"="C:\WINDOWS\system32\drvnop.dll" [ ]
"Ikarus-GuardX"="C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe" [2007-11-06 13:22 702968]
"avp"="C:\WINDOWS\system32\winver.exe" [2004-11-11 13:00 5632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-11-11 13:00 15360]
"Nokia.PCSync"="C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr]
C:\WINDOWS\system32\awtqr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32]
winrnt32.dll 2008-01-21 18:33 23552 C:\WINDOWS\system32\winrnt32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuuvuv]
wvuuvuv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\GuardX]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ntguard.sys]
@=""

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Administrator^Startmenü^Programme^Autostart^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a--c--- 2007-09-11 09:18 1465280 C:\Programme\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a--c--- 2006-05-10 10:12 90112 C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-08-15 19:15 271672 C:\Programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 00:00 28672 C:\Programme\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a--c--- 2002-07-02 16:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Programme\MSN Messenger\msnmsgr.exe" /background
"Steam"="c:\gamez\steam\steam.exe" -silent
"ICQ"="C:\Programme\ICQ6\ICQ.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime
"LogitechQuickCamRibbon"="C:\Programme\Logitech\QuickCam10\QuickCam10.exe" /hide
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe"
"TomTomHOME.exe"="C:\Programme\TomTom HOME\TomTomHOME.exe" -s
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"LogitechCommunicationsManager"="C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\Communications_Helper.exe"
"GrooveMonitor"="C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
"PCSuiteTrayApplication"=C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"RemoteControl"=C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
"SoundMan"=SOUNDMAN.EXE

R2 GuardX;GuardX;"C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe" [2007-11-06 13:22]
R2 NTGUARD;NTGUARD;C:\Programme\Ikarus\virus utilities\bin\NTGUARD.SYS [2007-11-06 13:22]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-11-11 13:00]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 14:27]
S0 CanonDrv;CanonDrv;C:\WINDOWS\system32\Drivers\CanonDrv.sys []
S2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 09:06]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 14:31]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 16:06]
S3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbfa0999-2a0d-11dc-8efc-000f3dade931}]
\Shell\AutoRun\command - I:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e672cdda-35cc-11dc-8f01-000f3dade931}]
\Shell\AutoRun\command - O:\InstallTomTomHOME.exe

.
Inhalt des "geplante Tasks" Ordners
"2008-01-25 19:28:21 C:\WINDOWS\Tasks\1-Klick-Wartung.job"
- C:\Programme\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-16 05:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programme\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 19:16:11
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

? [1444]

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\winrnt32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\cFosSpeed\spd.exe
C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe
O:\Nero\Nero 8\InCD\InCDsrv.exe
C:\Programme\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\LVComSX.exe
C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Programme\cFosSpeed\cFosSpeed.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
O:\Nero\Nero 8\InCD\NBHGui.exe
O:\Nero\Nero 8\InCD\InCD.exe
C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Programme\Olympus\DeviceDetector\DevDtct2.exe
O:\Nero\Nero 8\Nero BackItUp\NBService.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Programme\Outerinfo\OuterinfoUpdate.exe
C:\WINDOWS\system32\winver.exe
C:\WINDOWS\system32\winver.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\cmd.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-01-28 19:21:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-28 18:21:21
.
2008-01-09 23:03:00 --- E O F ---

#4 Sashinho

««
Entferne auf C:\ Qoobox-->Papierkorb leeren

««
HijackThis
Schliesse alle Fenster und starte Hijack This
Klicke: Do a Systemscan only
Setze ein Häckchen in das Kästchen vor den genannten Eintrag bei

Zitat

O2 - BHO: (no name) - {7886E23A-F87D-4425-9123-7B9668612A06} - C:\WINDOWS\system32\awtqr.dll
O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - C:\WINDOWS\system32\tuvtrrs.dll
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvnop.dll,startup
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: awtqr - C:\WINDOWS\system32\awtqr.dll
O20 - Winlogon Notify: tuvtrrs - C:\WINDOWS\SYSTEM32\tuvtrrs.dll
O20 - Winlogon Notify: winrnt32 - C:\WINDOWS\SYSTEM32\winrnt32.dll
O20 - Winlogon Notify: wvuuvuv - wvuuvuv.dll (file missing)

klicke: Fix checked
Dein Internet Explorer muss geschlossen wenn Du Fix Checked klickst

cfscript.txt

1.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als cfscript.txt mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden.

Zitat

KILLALL::

file::
C:\WINDOWS\system32\yayayvt.dll
C:\WINDOWS\system32\mljkjkl.dll
C:\WINDOWS\system32\ihkbahgfedsj.bmp
C:\WINDOWS\system32\tmp128.tmp
C:\WINDOWS\system32\tmp127.tmp
C:\WINDOWS\system32\hkrmhoj.bmp
C:\WINDOWS\system32\winrnt32.dll
C:\WINDOWS\system32\awtqr.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7886E23A-F87D-4425-9123-7B9668612A06}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Outerinfo"=-
"OuterinfoUpdate"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDrive"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqr]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrnt32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuuvuv]

Folder::
C:\Programme\Outerinfo

2.
CFScript.txt mit der rechten Maustaste auf das Symbol von Combofix ziehen

Combofix noch mal anwenden - tippe 1.
Nach neustart des Rechners,poste das log von ComboFix]

3.
Erstellen eines Hijackthis-Logfiles
Entferne Version HijackThis v2.0.0 (BETA)
Als erstes mach ein neuen Ordner auf C:\ z.b. C:\HijackThis,download HijackThis.exe dahin
Download: HijackThis202
Doppelklick HijackThis.exe und installiere das Tool in C:\Programme
Am Ende steht auf dein Desktop eine verknüpfung
Starte Hijack This und klicke “Do a system scan and safe a logfile”
Save log --> hijackthis.log - Save - es öffnet sich der Editor
nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und ins Forum mit rechtem Mausklick "einfügen"
__________
MfG Argus

#5 ComboFix

ComboFix 08-01-28.2 - Administrator 2008-01-29 12:40:12.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.126 [GMT 1:00]
Se ejecuta desde: C:\Dokumente und Einstellungen\Administrator\Desktop\ComboFix.exe

[color=red]ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION! [/color]
.

(((((((((((((((((((((((((((((((((((( Otras eliminaciones )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mljkjkl.dll
C:\WINDOWS\system32\nsvxtaju.dll
C:\WINDOWS\system32\ssqomjh.dll
C:\WINDOWS\system32\ujatxvsn.ini
C:\WINDOWS\system32\yayayvt.dll

.
(((((((((((((((((( Archivos creados desde 2007-12-28 - 2008-01-29 )))))))))))))))))))))))))))))))))
.

2008-01-28 22:50 . 2008-01-28 22:50 11,264 --a------ C:\Programme\13001234.exe
2008-01-28 19:19 . 2008-01-28 19:21 38 --a------ C:\WINDOWS\system32\a.bat
2008-01-28 18:37 . 2008-01-28 22:41 <DIR> d-------- C:\zzzzzz
2008-01-28 17:45 . 2007-11-06 13:22 195,064 --a------ C:\WINDOWS\system32\ikmapi.dll
2008-01-28 17:45 . 2007-11-06 13:22 113,144 --a------ C:\WINDOWS\system32\ikproc.dll
2008-01-28 17:34 . 2008-01-28 17:34 <DIR> d-------- C:\Programme\Ikarus
2008-01-26 16:36 . 2008-01-26 16:36 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-26 16:36 . 2008-01-26 16:36 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-01-26 16:33 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-01-26 16:33 . 2007-02-27 14:31 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-01-26 16:32 . 2008-01-26 16:32 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Motorola Shared
2008-01-26 16:28 . 2008-01-26 16:30 25,842,736 --a------ C:\wmp11-windowsxp-x86-DE-DE.exe
2008-01-26 16:13 . 2008-01-26 16:15 2,898 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-21 23:45 . 2008-01-21 23:45 269,334 --a------ C:\WINDOWS\system32\ihkbahgfedsj.bmp
2008-01-21 18:53 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-01-21 18:53 . 2006-09-28 16:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-01-21 18:53 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2008-01-21 18:53 . 2006-07-28 09:30 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2008-01-21 18:53 . 2007-03-05 12:42 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2008-01-21 18:50 . 2008-01-21 18:50 <DIR> d-------- C:\Programme\OpenAL
2008-01-21 18:50 . 2007-09-12 18:29 782,336 -ra------ C:\WINDOWS\system32\tmp128.tmp
2008-01-21 18:50 . 2007-09-12 18:29 782,336 -ra------ C:\WINDOWS\system32\tmp127.tmp
2008-01-21 18:50 . 2008-01-21 18:50 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-01-21 18:46 . 2008-01-21 18:46 269,334 --a------ C:\WINDOWS\system32\hkrmhoj.bmp
2008-01-21 18:44 . 2008-01-21 18:44 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-01-21 18:44 . 2008-01-21 18:45 <DIR> d-------- C:\Programme\AGEIA Technologies
2008-01-21 18:33 . 2008-01-21 18:33 23,552 --a------ C:\WINDOWS\system32\winrnt32.dll
2008-01-20 19:53 . 2008-01-20 19:53 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\EPSON

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 11:40 --------- d-----w C:\Programme\cFosSpeed
2008-01-28 22:00 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ICQ Toolbar
2008-01-28 20:30 --------- d-----w C:\Programme\ICQToolbar
2008-01-26 15:36 --------- d-----w C:\Programme\Motorola Phone Tools
2008-01-26 15:30 --------- d-----w C:\Programme\Avanquest update
2008-01-21 17:50 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-01-21 17:41 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-01-19 16:51 --------- d-----w C:\Programme\Nokia
2008-01-19 16:51 --------- d-----w C:\Programme\Gemeinsame Dateien\Nokia
2008-01-15 19:53 --------- d-----w C:\Programme\ICQ6
2007-12-24 22:29 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Azureus
2007-12-24 13:14 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\LimeWire
2007-12-24 00:24 --------- d-----w C:\Programme\Gemeinsame Dateien\Nero
2007-12-24 00:21 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nero
2007-12-23 22:30 --------- d-----w C:\Programme\Azureus
2007-12-22 11:15 --------- d-----w C:\Programme\LimeWire
2007-12-18 20:09 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-12-18 20:07 --------- d-----w C:\Programme\Samsung
2007-11-07 09:27 729,600 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
2006-12-07 23:08 110,934 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_12_06_02_05_50_small.dmp.zip
2006-11-23 22:53 24,192 -c--a-w C:\Dokumente und Einstellungen\Administrator\usbsermptxp.sys
2006-11-23 22:53 22,768 -c--a-w C:\Dokumente und Einstellungen\Administrator\usbsermpt.sys
2006-11-06 13:07 92,064 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmmdm.sys
2006-11-06 13:07 9,232 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmmdfl.sys
2006-11-06 13:07 79,328 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmserd.sys
2006-11-06 13:07 66,656 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmbus.sys
2006-11-06 13:07 6,208 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmcmnt.sys
2006-11-06 13:07 5,936 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmwhnt.sys
2006-11-06 13:07 4,048 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmcr.sys
2006-09-06 02:45 455 -c--a-w C:\Programme\INSTALL.LOG
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-11-11 13:00 15360]
"IncrediMail"="C:\Programme\IncrediMail\bin\IncMail.exe" [2006-10-25 13:21 204843]
"msnmsgr"="C:\Programme\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"LVCOMSX"="C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\LVComSX.exe" [2006-11-15 22:01 244512]
"D-Link AirPlus Xtreme G"="C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 16:00 2502656]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"NBKeyScan"="O:\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"cFosSpeed"="C:\Programme\cFosSpeed\cFosSpeed.exe" [2007-08-22 15:12 854992]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="O:\Nero\Nero 8\InCD\NBHGui.exe" [2007-08-04 10:30 2043688]
"InCD"="O:\Nero\Nero 8\InCD\InCD.exe" [2007-08-04 10:29 1056552]
"Ikarus-GuardX"="C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe" [2007-11-06 13:22 702968]
"avp"="C:\WINDOWS\system32\winver.exe" [2004-11-11 13:00 5632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-11-11 13:00 15360]
"Nokia.PCSync"="C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]

C:\Dokumente und Einstellungen\All Users\Startmen�\Programme\Autostart\
Device Detector 3.lnk - C:\Programme\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 20:20:17 118784]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\GuardX]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ntguard.sys]
@=""

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Administrator^Startmenü^Programme^Autostart^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a--c--- 2007-09-11 09:18 1465280 C:\Programme\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a--c--- 2006-05-10 10:12 90112 C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-08-15 19:15 271672 C:\Programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 00:00 28672 C:\Programme\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a--c--- 2002-07-02 16:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Programme\MSN Messenger\msnmsgr.exe" /background
"Steam"="c:\gamez\steam\steam.exe" -silent
"ICQ"="C:\Programme\ICQ6\ICQ.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime
"LogitechQuickCamRibbon"="C:\Programme\Logitech\QuickCam10\QuickCam10.exe" /hide
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe"
"TomTomHOME.exe"="C:\Programme\TomTom HOME\TomTomHOME.exe" -s
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"LogitechCommunicationsManager"="C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\Communications_Helper.exe"
"GrooveMonitor"="C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
"PCSuiteTrayApplication"=C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"RemoteControl"=C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
"SoundMan"=SOUNDMAN.EXE

R2 GuardX;GuardX;"C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe" [2007-11-06 13:22]
R2 NTGUARD;NTGUARD;C:\Programme\Ikarus\virus utilities\bin\NTGUARD.SYS [2007-11-06 13:22]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-11-11 13:00]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 14:27]
S0 CanonDrv;CanonDrv;C:\WINDOWS\system32\Drivers\CanonDrv.sys []
S2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 09:06]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 14:31]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 16:06]
S3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbfa0999-2a0d-11dc-8efc-000f3dade931}]
\Shell\AutoRun\command - I:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e672cdda-35cc-11dc-8f01-000f3dade931}]
\Shell\AutoRun\command - O:\InstallTomTomHOME.exe

.
Contenido de carpeta 'Tareas Programadas'
"2008-01-25 19:28:21 C:\WINDOWS\Tasks\1-Klick-Wartung.job"
- C:\Programme\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-16 05:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programme\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 12:45:04
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-01-29 12:47:40
ComboFix-quarantined-files.txt 2008-01-29 11:47:32
ComboFix2.txt 2008-01-28 23:00:03
ComboFix3.txt 2008-01-28 18:21:27
.
2008-01-09 23:03:00 --- E O F ---



HJthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:07:17, on 29.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\LVComSX.exe
C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
C:\Programme\cFosSpeed\cFosSpeed.exe
C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe
O:\Nero\Nero 8\InCD\NBHGui.exe
O:\Nero\Nero 8\InCD\InCD.exe
C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Olympus\DeviceDetector\DevDtct2.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\cFosSpeed\spd.exe
C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe
O:\Nero\Nero 8\InCD\InCDsrv.exe
C:\Programme\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
O:\Nero\Nero 8\Nero BackItUp\NBService.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Hijack This\hijackthis.exe

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [LVCOMSX] "C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "O:\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Programme\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] O:\Nero\Nero 8\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] O:\Nero\Nero 8\InCD\InCD.exe
O4 - HKLM\..\Run: [Ikarus-GuardX] C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\system32\winver.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Programme\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Programme\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Programme\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Download All Files by HiDownload - C:\Programme\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Programme\HiDownload\HDGet.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://static.ak.studivz.net/photouploader/ImageUploader4.cab?nocache=20071128-1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00339863-FAEB-4B2B-A9F1-B1FCB38B98FD}: NameServer = 195.94.90.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{00339863-FAEB-4B2B-A9F1-B1FCB38B98FD}: NameServer = 195.94.90.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{00339863-FAEB-4B2B-A9F1-B1FCB38B98FD}: NameServer = 195.94.90.10
O17 - HKLM\System\CS3\Services\Tcpip\..\{00339863-FAEB-4B2B-A9F1-B1FCB38B98FD}: NameServer = 195.94.90.10
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Programme\cFosSpeed\spd.exe
O23 - Service: GuardX - Ikarus Security Software GmbH - C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - O:\Nero\Nero 8\InCD\InCDsrv.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\programme\gemeinsame dateien\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - O:\Nero\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Windows Media Player-Netzwerkfreigabedienst (WMPNetworkSvc) - Unknown owner - C:\Programme\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 9244 bytes

#6 Sashinho

erstelle eine neue cfscript.txt (Änderung der ersten zulassen)



ziehe sie wieder auf das Combofix-Symbol - Combofix wieder anwenden + 1 tippen
poste das neue Log von Combofix

Zitat

KILLALL::

File::
C:\Programme\13001234.exe
C:\WINDOWS\system32\a.bat

Folder::
C:\zzzzzz

__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#7 ComboFix 08-01-28.2 - Administrator 2008-01-29 19:31:34.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.188 [GMT 1:00]
Se ejecuta desde: C:\Dokumente und Einstellungen\Administrator\Desktop\ComboFix.exe

[color=red]ADVERTENCIA - ESTE EQUIPO NO TIENE INSTALADA LA CONSOLA DE RECUPERACION! [/color]
.

(((((((((((((((((( Archivos creados desde 2007-12-28 - 2008-01-29 )))))))))))))))))))))))))))))))))
.

2008-01-29 13:06 . 2008-01-29 13:07 <DIR> d-------- C:\Programme\Hijack This
2008-01-28 22:50 . 2008-01-28 22:50 11,264 --a------ C:\Programme\13001234.exe
2008-01-28 19:19 . 2008-01-28 19:21 38 --a------ C:\WINDOWS\system32\a.bat
2008-01-28 18:37 . 2008-01-28 22:41 <DIR> d-------- C:\zzzzzz
2008-01-28 17:45 . 2007-11-06 13:22 195,064 --a------ C:\WINDOWS\system32\ikmapi.dll
2008-01-28 17:45 . 2007-11-06 13:22 113,144 --a------ C:\WINDOWS\system32\ikproc.dll
2008-01-28 17:34 . 2008-01-28 17:34 <DIR> d-------- C:\Programme\Ikarus
2008-01-26 16:36 . 2008-01-26 16:36 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-01-26 16:36 . 2008-01-26 16:36 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-01-26 16:33 . 2006-11-13 14:45 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-01-26 16:33 . 2007-02-27 14:31 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2008-01-26 16:32 . 2008-01-26 16:32 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Motorola Shared
2008-01-26 16:28 . 2008-01-26 16:30 25,842,736 --a------ C:\wmp11-windowsxp-x86-DE-DE.exe
2008-01-26 16:13 . 2008-01-26 16:15 2,898 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-21 23:45 . 2008-01-21 23:45 269,334 --a------ C:\WINDOWS\system32\ihkbahgfedsj.bmp
2008-01-21 18:53 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2008-01-21 18:53 . 2006-09-28 16:05 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2008-01-21 18:53 . 2006-07-28 09:30 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2008-01-21 18:53 . 2006-07-28 09:30 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2008-01-21 18:53 . 2007-03-05 12:42 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2008-01-21 18:50 . 2008-01-21 18:50 <DIR> d-------- C:\Programme\OpenAL
2008-01-21 18:50 . 2007-09-12 18:29 782,336 -ra------ C:\WINDOWS\system32\tmp128.tmp
2008-01-21 18:50 . 2007-09-12 18:29 782,336 -ra------ C:\WINDOWS\system32\tmp127.tmp
2008-01-21 18:50 . 2008-01-21 18:50 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-01-21 18:46 . 2008-01-21 18:46 269,334 --a------ C:\WINDOWS\system32\hkrmhoj.bmp
2008-01-21 18:44 . 2008-01-21 18:44 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-01-21 18:44 . 2008-01-21 18:45 <DIR> d-------- C:\Programme\AGEIA Technologies
2008-01-21 18:33 . 2008-01-21 18:33 23,552 --a------ C:\WINDOWS\system32\winrnt32.dll
2008-01-20 19:53 . 2008-01-20 19:53 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\EPSON

.
(((((((((((((((((((((((((((((((((((((( Reporte Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 18:31 --------- d-----w C:\Programme\cFosSpeed
2008-01-28 22:00 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\ICQ Toolbar
2008-01-28 20:30 --------- d-----w C:\Programme\ICQToolbar
2008-01-26 15:36 --------- d-----w C:\Programme\Motorola Phone Tools
2008-01-26 15:30 --------- d-----w C:\Programme\Avanquest update
2008-01-21 17:50 110,592 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-01-21 17:41 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-01-19 16:51 --------- d-----w C:\Programme\Nokia
2008-01-19 16:51 --------- d-----w C:\Programme\Gemeinsame Dateien\Nokia
2008-01-15 19:53 --------- d-----w C:\Programme\ICQ6
2007-12-24 22:29 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Azureus
2007-12-24 13:14 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\LimeWire
2007-12-24 00:24 --------- d-----w C:\Programme\Gemeinsame Dateien\Nero
2007-12-24 00:21 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Nero
2007-12-23 22:30 --------- d-----w C:\Programme\Azureus
2007-12-22 11:15 --------- d-----w C:\Programme\LimeWire
2007-12-18 20:09 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-12-18 20:07 --------- d-----w C:\Programme\Samsung
2007-11-07 09:27 729,600 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:42 1,293,312 ----a-w C:\WINDOWS\system32\quartz.dll
2006-12-07 23:08 110,934 -c--a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_12_06_02_05_50_small.dmp.zip
2006-11-23 22:53 24,192 -c--a-w C:\Dokumente und Einstellungen\Administrator\usbsermptxp.sys
2006-11-23 22:53 22,768 -c--a-w C:\Dokumente und Einstellungen\Administrator\usbsermpt.sys
2006-11-06 13:07 92,064 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmmdm.sys
2006-11-06 13:07 9,232 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmmdfl.sys
2006-11-06 13:07 79,328 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmserd.sys
2006-11-06 13:07 66,656 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmbus.sys
2006-11-06 13:07 6,208 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmcmnt.sys
2006-11-06 13:07 5,936 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmwhnt.sys
2006-11-06 13:07 4,048 -c--a-w C:\Dokumente und Einstellungen\Administrator\mqdmcr.sys
2006-09-06 02:45 455 -c--a-w C:\Programme\INSTALL.LOG
.

((((((((((((((((((((((((((((((((( Cargando Puntos Reg ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vacías & entradas legítimas predeterminadas no son mostradas

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-11-11 13:00 15360]
"IncrediMail"="C:\Programme\IncrediMail\bin\IncMail.exe" [2006-10-25 13:21 204843]
"msnmsgr"="C:\Programme\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00 90112]
"LVCOMSX"="C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\LVComSX.exe" [2006-11-15 22:01 244512]
"D-Link AirPlus Xtreme G"="C:\Programme\D-Link\AirPlus Xtreme G\AirPlusCFG.exe" [2003-11-04 16:00 2502656]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"NBKeyScan"="O:\Nero\Nero 8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 09:25 1828136]
"cFosSpeed"="C:\Programme\cFosSpeed\cFosSpeed.exe" [2007-08-22 15:12 854992]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="O:\Nero\Nero 8\InCD\NBHGui.exe" [2007-08-04 10:30 2043688]
"InCD"="O:\Nero\Nero 8\InCD\InCD.exe" [2007-08-04 10:29 1056552]
"Ikarus-GuardX"="C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe" [2007-11-06 13:22 702968]
"avp"="C:\WINDOWS\system32\winver.exe" [2004-11-11 13:00 5632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-11-11 13:00 15360]
"Nokia.PCSync"="C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17 1241088]

C:\Dokumente und Einstellungen\All Users\Startmen�\Programme\Autostart\
Device Detector 3.lnk - C:\Programme\Olympus\DeviceDetector\DevDtct2.exe [2007-10-23 20:20:17 118784]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\GuardX]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ntguard.sys]
@=""

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Administrator^Startmenü^Programme^Autostart^OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk]
path=C:\Dokumente und Einstellungen\Administrator\Startmenü\Programme\Autostart\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a--c--- 2007-09-11 09:18 1465280 C:\Programme\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a--c--- 2006-05-10 10:12 90112 C:\Programme\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a--c--- 2007-08-15 19:15 271672 C:\Programme\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 00:00 28672 C:\Programme\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
--a--c--- 2002-07-02 16:56 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Programme\MSN Messenger\msnmsgr.exe" /background
"Steam"="c:\gamez\steam\steam.exe" -silent
"ICQ"="C:\Programme\ICQ6\ICQ.exe" silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" -atboottime
"LogitechQuickCamRibbon"="C:\Programme\Logitech\QuickCam10\QuickCam10.exe" /hide
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe"
"TomTomHOME.exe"="C:\Programme\TomTom HOME\TomTomHOME.exe" -s
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"LogitechCommunicationsManager"="C:\Programme\Gemeinsame Dateien\Logitech\LComMgr\Communications_Helper.exe"
"GrooveMonitor"="C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
"PCSuiteTrayApplication"=C:\Programme\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
"RemoteControl"=C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
"SoundMan"=SOUNDMAN.EXE

R2 NTGUARD;NTGUARD;C:\Programme\Ikarus\virus utilities\bin\NTGUARD.SYS [2007-11-06 13:22]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-11-11 13:00]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2003-10-22 14:27]
S0 CanonDrv;CanonDrv;C:\WINDOWS\system32\Drivers\CanonDrv.sys []
S2 GuardX;GuardX;"C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe" [2007-11-06 13:22]
S2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys []
S3 APLMp50;APLMp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\APLMp50.sys [2005-02-16 09:06]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-02-27 14:31]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2006-04-07 16:06]
S3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cbfa0999-2a0d-11dc-8efc-000f3dade931}]
\Shell\AutoRun\command - I:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e672cdda-35cc-11dc-8f01-000f3dade931}]
\Shell\AutoRun\command - O:\InstallTomTomHOME.exe

*Newly Created Service* - PSEXESVC
.
Contenido de carpeta 'Tareas Programadas'
"2008-01-25 19:28:21 C:\WINDOWS\Tasks\1-Klick-Wartung.job"
- C:\Programme\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-16 05:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programme\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 19:35:36
Windows 5.1.2600 Service Pack 2 NTFS

escaneando procesos ocultos ...

escaneando entradas ocultas de autostart ...

escaneando archivos ocultos ...

el escaneo se completo con exito
archivos ocultos: 0

**************************************************************************
.
Tiempo completado: 2008-01-29 19:37:32
ComboFix-quarantined-files.txt 2008-01-29 18:37:16
ComboFix2.txt 2008-01-29 18:24:28
ComboFix3.txt 2008-01-29 11:47:41
ComboFix4.txt 2008-01-28 23:00:03
ComboFix5.txt 2008-01-28 18:21:27
.
2008-01-09 23:03:00 --- E O F ---

#8 Sashinho

du bist der dritte heute, wo die Combofix nix loescht

Avenger
http://www.virus-protect.org/artikel/tools/avenger.html

Input script manually (anhaken)
die "Lupe" rechts anklicken - View/edit script (wird sich öffnen)

reinkopieren:

Zitat

Files to delete:
C:\WINDOWS\system32\yayayvt.dll
C:\WINDOWS\system32\mljkjkl.dll
C:\WINDOWS\system32\ihkbahgfedsj.bmp
C:\WINDOWS\system32\tmp128.tmp
C:\WINDOWS\system32\tmp127.tmp
C:\WINDOWS\system32\hkrmhoj.bmp
C:\WINDOWS\system32\winrnt32.dll
C:\WINDOWS\system32\awtqr.dll
C:\Programme\13001234.exe
C:\WINDOWS\system32\a.bat

Folders to Delete:
C:\zzzzzz
C:\Programme\Outerinfo

Klicke die grüne Ampel
- das Script wird nun ausgeführt, dann wird der PC nach Bestätigung (yes) neustarten

poste das Log vom Avenger

»»
scanne mit bitdefender + poste den scanreport
http://board.protecus.de/t8642.htm
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/

#9 Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nxgrygow

*******************

Script file located at: \??\C:\WINDOWS\wcyeohct.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\yayayvt.dll not found!
Deletion of file C:\WINDOWS\system32\yayayvt.dll failed!

Could not process line:
C:\WINDOWS\system32\yayayvt.dll
Status: 0xc0000034



File C:\WINDOWS\system32\mljkjkl.dll not found!
Deletion of file C:\WINDOWS\system32\mljkjkl.dll failed!

Could not process line:
C:\WINDOWS\system32\mljkjkl.dll
Status: 0xc0000034

File C:\WINDOWS\system32\ihkbahgfedsj.bmp deleted successfully.
File C:\WINDOWS\system32\tmp128.tmp deleted successfully.
File C:\WINDOWS\system32\tmp127.tmp deleted successfully.
File C:\WINDOWS\system32\hkrmhoj.bmp deleted successfully.
File C:\WINDOWS\system32\winrnt32.dll deleted successfully.


File C:\WINDOWS\system32\awtqr.dll not found!
Deletion of file C:\WINDOWS\system32\awtqr.dll failed!

Could not process line:
C:\WINDOWS\system32\awtqr.dll
Status: 0xc0000034

File C:\Programme\13001234.exe deleted successfully.
File C:\WINDOWS\system32\a.bat deleted successfully.
Folder C:\zzzzzz deleted successfully.


Folder C:\Programme\Outerinfo not found!
Deletion of folder C:\Programme\Outerinfo failed!

Could not process line:
C:\Programme\Outerinfo
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

#10 1.
ComboFix entfernen
Start - Ausführen - Kopiere rein: Combofix /U - klicke "OK"

2.
scanne mit Kaspersky + poste den report
http://www.virus-protect.org/artikel/tools/kaspersky.html
__________
Gruss
Pinguin

bin dabei, meine Seite + Proggies zu aktualisieren: http://www.virus-protect.org/