Suspected Trojan "Vundo.gen!E" - something isn't right

#0
29.06.2008, 10:27
...new here
Posts: 4
29.06.2008, 12:03
Moderator
Posts: 5694
#2
Hello,

>> apply the cleaner
http://www.virus-protect.org/ccleaner.html

>> Close all windows and start HijackThis. Click: Do a system scan only. Put a check mark in the box in front of the following entry:

Quote:
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\iftuyszv.exe,

and choose "Fix checked". Restart the computer.

«« apply Qoofix
http://virus-protect.org/artikel/tools/quofixhttp.html

«« apply + post the report:
http://virus-protect.org/findqoologic.html

«« apply navilog, option 1 and then option 2
http://virus-protect.org/artikel/tools/navilog.html

«« download sdfix
http://virus-protect.org/artikel/tools/sdfix.html
You will now find the SDFix folder under C:\
Boot into safe mode (press the F8 key while the computer restarts)
Go to the folder C:\SDFix
Double-click RunThis.bat
Follow all instructions while it scans - the computer will then restart
Copy the text that appears with the right mouse button - and paste it into your post

>> apply Combofix - click away the warning + post the report
http://virus-protect.org/artikel/tools/combofix.html

Regards
Swiss

This post was edited on 29.06.2008 at 12:10 by Tonstudio.
29.06.2008, 16:12
...new here
Thread starter, Posts: 4
#3
So, many thanks for the help; I have now spent almost an hour tinkering with it and am not getting any further.

I had to open a second administrator account, because the "old" administrator account ran extremely slowly and you had to wait forever for the PC to react. It still exists, but with this new administrator account I can at least work in peace.

Even with the new admin account I still get unsolicited pop-ups and advertisements that are definitely not regular pop-ups.

Findqoologic cannot be started, as it closes again immediately and does not create a text file.

I am really desperate right now and am impatiently hoping every minute for a possible solution to finally get my hard drive clean again without having to format it.

Here is another current log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:20:30, on 29.06.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Packard Bell\FIJI\ABoard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\PDFCreator\PDFCreator.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\Packard Bell\FIJI\AOSD.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9e.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://format.packardbell.com/cgi-bin/redirect/?country=DE&range=AD&phase=8&key=IESTART
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://format.packardbell.com/cgi-bin/redirect/?country=DE&range=AD&phase=8&key=IESTART
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {83D52716-0EC6-4E14-8A33-614DC2E278AA} - C:\Windows\system32\hgGVLecA.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\Windows\system32\hggdDVMd.dll
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\CDG Ripper\msdxm.ocx
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [MSPService] C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Program Files\Packard Bell\FIJI\aboard.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\hggdDVMd.dll,#1
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Admin\AppData\Local\Temp\tuvSkLFu.dll,#1
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: PDFCreator.lnk = C:\Program Files\PDFCreator\PDFCreator.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {A672558F-A878-4D5A-A921-627C091CEB63} (Flatcast Producer 4.16) - http://80.237.209.20/objects/NpFp41629.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1206119377
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F554} (Flatcast Viewer 4.16) - http://data.flatcast.com/data/objects/NpFv41629.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11884 bytes

This post was edited on 29.06.2008 at 16:24 by yinyangsoul.
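A constructed Python example (added here; not code from the thread, from HijackThis or from virus-protect.org) that performs the kind of triage the helpers apply to the log above: it parses HijackThis-style lines and flags the F2 UserInit addition, orphaned and unnamed system32 BHOs, Run entries that start a DLL from a temp folder or through a rundll32 ordinal export, and a DLL that is both a BHO and a Run entry. The sample lines are modelled on the posted log; the regexes, severities and function names are this example's own assumptions.

```python
"""Triage heuristics for HijackThis v2.0.x log lines.

Constructed example for this thread, not part of HijackThis or of any tool
the helpers use. The sample below is modelled on entries from the posted log;
the heuristics and severities are this example's own assumptions.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity line reason")

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$", re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Legitimate rundll32 autostarts in the log call a named export (NvCpl.dll,NvStartup);
# the Vundo-style loader calls an ordinal (hggdDVMd.dll,#1).
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>.+?\.dll),(?P<export>\S+)", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample, modelled on entries from the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\iftuyszv.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {BA2A2046-75A4-47C0-A09C-F0DCC706D39B} - C:\Windows\system32\hggdDVMd.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\hggdDVMd.dll,#1
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\Admin\AppData\Local\Temp\tuvSkLFu.dll,#1
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
"""


def _basename(path):
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip('" ').rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of Finding tuples for the suspicious entries in log_text."""
    findings = []
    bho_dlls = set()   # file names registered as Browser Helper Objects
    run_dlls = []      # (file name, line) for DLLs started through rundll32
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            # UserInit should only list userinit.exe; anything else is an added loader.
            exes = [p.strip() for p in m.group("value").split(",") if p.strip()]
            extra = [p for p in exes if _basename(p) != "userinit.exe"]
            if extra:
                findings.append(Finding("high", line,
                                        "UserInit starts an extra executable: " + ", ".join(extra)))
            continue
        m = BHO_RE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)":
                findings.append(Finding("low", line, "orphaned BHO registration, no file on disk"))
            else:
                bho_dlls.add(_basename(path))
                if m.group("name") == "(no name)" and "\\system32\\" in path.lower():
                    findings.append(Finding("medium", line, "unnamed BHO loaded from system32"))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if TEMP_RE.search(cmd):
                findings.append(Finding("high", line, "autostart runs from a temp folder"))
            r = RUNDLL_RE.search(cmd)
            if r:
                run_dlls.append((_basename(r.group("dll")), line))
                if r.group("export").startswith("#"):
                    findings.append(Finding("high", line,
                                            "rundll32 calls ordinal export " + r.group("export")))
    # Cross-reference: the same DLL registered as a BHO and started from Run.
    for dll, line in run_dlls:
        if dll in bho_dlls:
            findings.append(Finding("high", line, "DLL is both a BHO and a Run entry: " + dll))
    return findings


def report(findings):
    """Render findings grouped by severity, highest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    out = []
    for f in sorted(findings, key=lambda f: order[f.severity]):
        out.append("[%s] %s\n    %s" % (f.severity.upper(), f.reason, f.line))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```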
29.06.2008, 17:30
Honorary member
Posts: 29434
#4
Hello yinyangsoul

>> apply Combofix - click away the warning + post the report
http://virus-protect.org/artikel/tools/combofix.html
__________
Kind regards, Sabina
all about PC security
29.06.2008, 19:40
...new here
Thread starter, Posts: 4
#5
So, I applied Combo-Fix and got the following log file:

ComboFix 08-06-20.4 - Admin 2008-06-29 16:41:57.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.2092 [GMT 2:00]
ausgeführt von:: C:\Users\Admin\Downloads\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Users\Patrick\AppData\Local\oawau.dat
C:\Users\Patrick\AppData\Local\oawau.exe
C:\Users\Patrick\AppData\Local\oawau_nav.dat
C:\Users\Patrick\AppData\Local\oawau_navps.dat
C:\Users\Patrick\AppData\Local\qadvxbt_navfx.dat
C:\Users\Patrick\ctfmon.exe
C:\Windows\accesss.exe
C:\Windows\astctl32.ocx
C:\Windows\avpcc.dll
C:\Windows\clrssn.exe
C:\Windows\cpan.dll
C:\Windows\ctfmon32.exe
C:\Windows\ctrlpan.dll
C:\Windows\default.htm
C:\Windows\directx32.exe
C:\Windows\dnsrelay.dll
C:\Windows\editpad.exe
C:\Windows\explore.exe
C:\Windows\explorer32.exe
C:\Windows\funniest.exe
C:\Windows\funny.exe
C:\Windows\gfmnaaa.dll
C:\Windows\helpcvs.exe
C:\Windows\iedll.exe
C:\Windows\iexplorer.exe
C:\Windows\inetinf.exe
C:\Windows\internet.exe
C:\Windows\loader.exe
C:\Windows\mrofinu1188.exe.tmp
C:\Windows\msconfd.dll
C:\Windows\msspi.dll
C:\Windows\mssys.exe
C:\Windows\msupdate.exe
C:\Windows\mswsc10.dll
C:\Windows\mswsc20.dll
C:\Windows\mtwirl32.dll
C:\Windows\notepad32.exe
C:\Windows\olehelp.exe
C:\Windows\qttasks.exe
C:\Windows\quicken.exe
C:\Windows\rundll16.exe
C:\Windows\rundll32.vbe
C:\Windows\searchword.dll
C:\Windows\sistem.exe
C:\Windows\svchost32.exe
C:\Windows\svcinit.exe
C:\Windows\systeem.exe
C:\Windows\system32\28463
C:\Windows\system32\28463\HHJE.001
C:\Windows\system32\28463\HHJE.002
C:\Windows\system32\28463\HHJE.009
C:\Windows\system32\28463\HHJE.009.tmp
C:\Windows\system32\28463\WNFX.001
C:\Windows\system32\28463\WNFX.002
C:\Windows\system32\28463\WNFX.005
C:\Windows\system32\28463\WNFX.006
C:\Windows\system32\28463\WNFX.007
C:\Windows\system32\28463\WNFX.exe
C:\Windows\System32\AceLVGgh.ini
C:\Windows\System32\AceLVGgh.ini2
C:\Windows\System32\fslelypn.ini
C:\Windows\system32\hgGVLecA.dll
C:\Windows\system32\hljwugsf.bin
C:\Windows\system32\iracpgul.dll
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\MSINET.oca
C:\Windows\system32\npylelsf.dll
C:\Windows\system32\pac.txt
C:\Windows\system32\phegjyer.ini
C:\Windows\system32\qqdbfobv.dll
C:\Windows\system32\reyjgehp.dll
C:\Windows\systemcritical.exe
C:\Windows\time.exe
C:\Windows\users32.exe
C:\Windows\waol.exe
C:\Windows\win32e.exe
C:\Windows\win64.exe
C:\Windows\winajbm.dll
C:\Windows\window.exe
C:\Windows\winmgnt.exe
C:\Windows\x.exe
C:\Windows\xplugin.dll
C:\Windows\xxxvideo.hta
C:\Windows\y.exe

.
((((((((((((((((((((((((( Dateien erstellt von 2008-05-28 bis 2008-06-29 ))))))))))))))))))))))))))))))
.

2008-06-29 16:00 . 2008-06-29 16:04 <DIR> d-------- C:\Find-Qoologic
2008-06-29 15:11 . 2008-06-29 15:11 <DIR> d-------- C:\Users\Admin\AppData\Roaming\Roxio
2008-06-29 15:10 . 2008-06-29 15:10 <DIR> dr------- C:\Users\Admin\Searches
2008-06-29 15:10 . 2008-06-29 15:10 <DIR> dr------- C:\Users\Admin\Contacts
2008-06-29 15:10 . 2008-06-29 15:10 <DIR> d-------- C:\Users\Admin\AppData\Roaming\CyberLink
2008-06-29 15:10 . 2008-06-28 19:28 34,304 --a------ C:\Windows\System32\hggdDVMd.dll
2008-06-29 15:09 . 2008-06-29 15:10 <DIR> dr------- C:\Users\Admin\Videos
2008-06-29 15:09 . 2008-06-29 15:10 <DIR> dr------- C:\Users\Admin\Saved Games
2008-06-29 15:09 . 2008-06-29 15:10 <DIR> dr------- C:\Users\Admin\Pictures
2008-06-29 15:09 . 2008-06-29 15:10 <DIR> dr------- C:\Users\Admin\Music
2008-06-29 15:09 . 2008-06-29 15:10 <DIR> dr------- C:\Users\Admin\Links
2008-06-29 15:09 . 2008-06-29 16:39 <DIR> dr------- C:\Users\Admin\Downloads
2008-06-29 15:09 . 2008-06-29 15:59 <DIR> dr------- C:\Users\Admin\Documents
2008-06-29 15:09 . 2006-11-02 14:37 <DIR> d-------- C:\Users\Admin\AppData\Roaming\Media Center Programs
2008-06-29 15:09 . 2008-06-29 15:10 <DIR> d--h----- C:\Users\Admin\AppData
2008-06-29 15:09 . 2008-06-29 15:10 <DIR> d-------- C:\Users\Admin
2008-06-29 14:09 . 2008-06-29 14:09 34,304 --a------ C:\Windows\System32\wvUkKDwW.dll
2008-06-29 14:09 . 2008-06-29 14:09 537 --a------ C:\Users\Patrick\979.bat
2008-06-29 10:18 . 2008-06-29 10:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-28 20:18 . 2008-06-28 20:19 73 --a------ C:\Windows\musiceditor.INI
2008-06-28 19:28 . 2008-06-28 19:28 <DIR> d-------- C:\Windows\System32\yrt
2008-06-28 19:28 . 2008-06-28 19:28 <DIR> d-------- C:\Windows\System32\rov
2008-06-28 19:28 . 2008-06-28 19:28 <DIR> d-------- C:\Windows\System32\pRI
2008-06-28 19:28 . 2008-06-28 19:28 <DIR> d-------- C:\Windows\System32\modtrux18
2008-06-28 19:28 . 2008-06-28 19:28 <DIR> d-------- C:\Windows\System32\cTMO
2008-06-28 19:28 . 2008-06-28 19:28 <DIR> d-------- C:\Temp\syschk3
2008-06-28 19:28 . 2008-06-29 16:42 <DIR> d-------- C:\Temp
2008-06-28 19:28 . 2008-06-28 19:28 52,224 ---hs---- C:\Start.exe
2008-06-28 19:28 . 2008-06-28 19:28 536 --a------ C:\Users\Patrick\75.bat
2008-06-27 21:23 . 2008-06-27 21:23 77 --a------ C:\Windows\System32\9136.bat
2008-06-27 06:19 . 2008-06-27 06:19 <DIR> d-------- C:\Program Files\Foto-Mosaik
2008-06-27 06:18 . 2008-06-27 06:18 837,582 --a------ C:\Users\Patrick\Setup-Foto-Mosaik.exe
2008-06-26 20:23 . 2008-06-26 20:23 77 --a------ C:\Windows\System32\6882.bat
2008-06-26 11:36 . 2008-06-26 11:38 4,603,444 --a------ C:\Users\Patrick\OZP85-09 - Skin - Madonna.zip
2008-06-26 11:31 . 2008-06-26 11:37 4,401,403 --a------ C:\Users\Patrick\OZP85-05 - Over And Over - Madonna.zip
2008-06-26 11:31 . 2008-06-26 11:36 4,102,322 --a------ C:\Users\Patrick\OZP85-02 - Candy Perfume Girl - Madonna.zip
2008-06-25 14:47 . 2008-06-25 14:47 77 --a------ C:\Windows\System32\5306.bat
2008-06-24 20:13 . 2008-06-24 20:13 77 --a------ C:\Windows\System32\4378.bat
2008-06-24 20:06 . 2008-06-24 20:06 77 --a------ C:\Windows\System32\5154.bat
2008-06-23 20:06 . 2008-06-23 20:06 77 --a------ C:\Windows\System32\4813.bat
2008-06-23 11:05 . 2008-06-23 11:05 77 --a------ C:\Windows\System32\1287.bat
2008-06-22 21:25 . 2008-06-22 21:26 <DIR> d-------- C:\Program Files\DivX
2008-06-22 12:24 . 2008-06-22 12:24 77 --a------ C:\Windows\System32\7531.bat
2008-06-20 23:28 . 2008-06-20 23:28 77 --a------ C:\Windows\System32\9833.bat
2008-06-20 06:51 . 2008-06-20 06:51 77 --a------ C:\Windows\System32\4329.bat
2008-06-19 20:06 . 2008-06-19 20:06 77 --a------ C:\Windows\System32\4335.bat
2008-06-18 22:32 . 2008-06-18 22:39 345 --a------ C:\Windows\BeatBox.INI
2008-06-18 22:32 . 2008-06-18 22:39 337 --a------ C:\Windows\Sampler.INI
2008-06-18 22:32 . 2008-06-18 22:39 28 --a------ C:\Windows\Robota.INI
2008-06-18 20:05 . 2008-06-18 20:05 77 --a------ C:\Windows\System32\6349.bat
2008-06-17 18:29 . 2008-06-17 18:29 77 --a------ C:\Windows\System32\1227.bat
2008-06-17 08:36 . 2008-06-17 08:36 77 --a------ C:\Windows\System32\6508.bat
2008-06-16 20:06 . 2008-06-16 20:06 77 --a------ C:\Windows\System32\9116.bat
2008-06-16 12:44 . 2008-06-16 12:44 77 --a------ C:\Windows\System32\7467.bat
2008-06-15 01:14 . 2008-06-15 01:14 77 --a------ C:\Windows\System32\9526.bat
2008-06-14 09:28 . 2008-04-23 06:27 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-06-14 09:28 . 2008-04-23 07:11 428,032 --a------ C:\Windows\System32\EncDec.dll
2008-06-14 09:28 . 2008-04-23 07:12 292,352 --a------ C:\Windows\System32\psisdecd.dll
2008-06-14 09:28 . 2008-04-23 07:12 218,624 --a------ C:\Windows\System32\psisrndr.ax
2008-06-14 09:28 . 2008-04-23 07:12 80,896 --a------ C:\Windows\System32\MSNP.ax
2008-06-14 09:28 . 2008-04-23 07:11 68,608 --a------ C:\Windows\System32\Mpeg2Data.ax
2008-06-14 09:28 . 2008-04-23 07:11 57,856 --a------ C:\Windows\System32\MSDvbNP.ax
2008-06-13 19:25 . 2008-06-13 19:25 77 --a------ C:\Windows\System32\4383.bat
2008-06-12 20:07 . 2008-06-12 20:07 77 --a------ C:\Windows\System32\8902.bat
2008-06-12 06:13 . 2008-06-12 06:13 77 --a------ C:\Windows\System32\4165.bat
2008-06-11 19:37 . 2008-06-11 19:37 77 --a------ C:\Windows\System32\3728.bat
2008-06-10 19:09 . 2008-06-10 19:09 77 --a------ C:\Windows\System32\8047.bat
2008-06-10 06:19 . 2008-06-10 06:19 76,208 --a------ C:\Users\Patrick\cdgplugin.exe
2008-06-10 06:05 . 2008-06-10 06:06 <DIR> d-------- C:\Program Files\CDG Ripper
2008-06-10 06:05 . 2008-06-10 06:05 3,925,136 --a------ C:\Users\Patrick\cdd101.exe
2008-06-10 05:59 . 2008-06-10 05:59 <DIR> d-------- C:\Program Files\Mp3+G Toolz
2008-06-09 22:32 . 2008-06-09 22:32 77 --a------ C:\Windows\System32\4004.bat
2008-06-09 11:32 . 2008-06-09 11:32 <DIR> d-------- C:\Users\Andrea.Patrick-PC\AppData\Roaming\CyberLink
2008-06-09 11:30 . 2008-06-09 11:30 <DIR> dr------- C:\Users\Andrea.Patrick-PC\Videos
2008-06-09 11:30 . 2008-06-09 11:30 <DIR> dr------- C:\Users\Andrea.Patrick-PC\Searches
2008-06-09 11:30 . 2008-06-09 11:30 <DIR> dr------- C:\Users\Andrea.Patrick-PC\Saved Games
2008-06-09 11:30 . 2008-06-09 11:30 <DIR> dr------- C:\Users\Andrea.Patrick-PC\Pictures
2008-06-09 11:30 . 2008-06-09 11:30 <DIR> dr------- C:\Users\Andrea.Patrick-PC\Music
2008-06-09 11:30 . 2008-06-09 11:30 <DIR> dr------- C:\Users\Andrea.Patrick-PC\Links
2008-06-09 11:30 . 2008-06-29 14:36 <DIR> dr------- C:\Users\Andrea.Patrick-PC\Downloads
2008-06-09 11:30 . 2008-06-29 14:38 <DIR> dr------- C:\Users\Andrea.Patrick-PC\Documents
2008-06-09 11:30 . 2008-06-09 11:30 <DIR> dr------- C:\Users\Andrea.Patrick-PC\Contacts
2008-06-09 11:30 . 2008-06-09 11:30 <DIR> d-------- C:\Users\Andrea.Patrick-PC\AppData\Roaming\Roxio
2008-06-09 11:30 . 2006-11-02 14:37 <DIR> d-------- C:\Users\Andrea.Patrick-PC\AppData\Roaming\Media Center Programs
2008-06-09 11:30 . 2008-06-09 11:30 <DIR> d--h----- C:\Users\Andrea.Patrick-PC\AppData
2008-06-09 11:30 . 2008-06-09 11:30 <DIR> d-------- C:\Users\Andrea.Patrick-PC
2008-06-07 22:23 . 2008-06-07 22:23 77 --a------ C:\Windows\System32\3040.bat
2008-06-07 13:07 . 2008-06-29 15:09 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\OpenOffice.org2
2008-06-07 13:04 . 2008-06-07 13:05 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4
2008-06-07 13:01 . 2008-06-07 13:02 119,746,270 --a------ C:\Users\Patrick\OOo_2.4.0_Win32Intel_install_de.exe
2008-06-06 22:51 . 2008-06-06 22:51 <DIR> d--h----- C:\Users\All Users\CanonBJ
2008-06-06 17:29 . 2008-06-24 20:08 260,475,795 --a------ C:\Windows\MEMORY.DMP
2008-06-06 16:04 . 2008-06-06 16:04 77 --a------ C:\Windows\System32\6891.bat
2008-06-05 19:10 . 2008-06-05 19:10 77 --a------ C:\Windows\System32\7019.bat
2008-06-04 18:24 . 2008-06-04 18:24 77 --a------ C:\Windows\System32\9955.bat
2008-06-03 20:02 . 2008-06-03 20:02 77 --a------ C:\Windows\System32\6317.bat
2008-06-02 19:36 . 2008-06-02 19:36 77 --a------ C:\Windows\System32\7460.bat
2008-06-01 02:55 . 2008-06-01 02:58 <DIR> d-------- C:\Program Files\PDFCreator
2008-06-01 02:55 . 2005-10-15 12:32 196,608 --a------ C:\Windows\System32\pdfcmnnt.dll
2008-06-01 02:55 . 1998-07-06 17:55 158,208 --a------ C:\Windows\System32\MSCMCDE.DLL
2008-06-01 02:55 . 1998-06-24 00:00 137,000 --a------ C:\Windows\System32\MSMAPI32.OCX
2008-06-01 02:55 . 1998-07-06 17:56 125,712 --a------ C:\Windows\System32\VB6DE.DLL
2008-06-01 02:55 . 1998-07-06 17:55 64,512 --a------ C:\Windows\System32\MSCC2DE.DLL
2008-06-01 02:55 . 1998-07-06 00:00 23,552 --a------ C:\Windows\System32\MSMPIDE.DLL
2008-06-01 01:40 . 2008-06-01 01:45 <DIR> d-------- C:\Users\Patrick\AppData\Roaming\SmartDraw
2008-06-01 01:37 . 2008-06-01 01:40 <DIR> d-------- C:\Program Files\SmartDraw 2008
2008-05-31 17:29 . 2008-05-31 17:29 77 --a------ C:\Windows\System32\1977.bat
2008-05-30 20:28 . 2008-05-30 20:28 77 --a------ C:\Windows\System32\8467.bat
2008-05-29 18:10 . 2008-05-29 18:10 77 --a------ C:\Windows\System32\1600.bat

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 13:09 --------- d-----w C:\Users\Patrick\AppData\Roaming\Vidalia
2008-06-29 13:07 --------- d-----w C:\Users\Patrick\AppData\Roaming\tor
2008-06-29 12:29 --------- d-----w C:\Program Files\Norton 360
2008-06-29 11:56 --------- d-----w C:\Program Files\PowerArchiver
2008-06-28 22:14 --------- d-----w C:\Program Files\Microsoft Picture It! PhotoPub
2008-06-26 19:35 --------- d-----w C:\Program Files\DC++
2008-06-12 01:09 --------- d-----w C:\Program Files\Windows Mail
2008-06-10 04:05 737,280 ----a-w C:\Windows\iun6002.exe
2008-06-10 03:56 --------- d-----w C:\Program Files\Doblon
2008-06-09 21:07 --------- d-----w C:\Program Files\Mp3+G Toolz 2
2008-06-06 15:29 329,608,083 ----a-w C:\Windows\DUMP5012.tmp
2008-06-03 18:18 --------- d-----w C:\Program Files\Zattoo
2008-05-31 16:19 --------- d-----w C:\Users\Patrick\AppData\Roaming\uTorrent
2008-05-22 22:20 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-05-14 19:32 --------- d-----w C:\Program Files\uTorrent
2008-05-13 19:33 10,639,944 ----a-w C:\Users\Patrick\setup (1).exe
2008-05-13 19:33 --------- d-----w C:\Program Files\Padus
2008-05-13 19:19 --------- d-----w C:\Program Files\Alex Feinman
2008-05-13 19:15 387,313 ----a-w C:\Users\Patrick\ISORecorderV3RC1x86.zip
2008-05-13 19:14 408,326 ----a-w C:\Users\Patrick\ISORecorderV3RC1x64.zip
2008-05-13 19:00 197,526,904 ----a-w C:\Users\Patrick\Nero-8.3.2.1_deu_trial.exe
2008-05-10 03:30 14,848 ----a-w C:\Windows\System32\wshrm.dll
2008-05-10 01:21 113,664 ----a-w C:\Windows\system32\drivers\rmcast.sys
2008-05-08 17:33 --------- d-----w C:\Program Files\Google
2008-05-08 03:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-08 03:30 --------- d-----w C:\Users\Patrick\AppData\Roaming\Packard Bell
2008-05-08 03:28 --------- d-----w C:\Users\Patrick\AppData\Roaming\Roxio
2008-05-08 03:26 11,681,616 ----a-w C:\Users\Patrick\NapsterSetup-DE-3.8.1.4.exe
2008-05-07 20:22 --------- d-----w C:\Program Files\WMA-MP3.com
2008-05-07 20:20 --------- d-----w C:\Program Files\LitexMedia
2008-05-07 20:19 8,965,619 ----a-w C:\Users\Patrick\all2mp3.exe
2008-05-02 01:24 --------- d-----w C:\Users\Patrick\AppData\Roaming\Winamp
2008-05-01 21:09 --------- d-----w C:\Program Files\Winamp
2008-05-01 02:04 --------- d-----w C:\Program Files\Vidalia Bundle
2008-04-30 21:41 --------- d-----w C:\Users\Patrick\AppData\Roaming\CoreFTP
2008-04-30 21:38 --------- d-----w C:\Program Files\CoreFTP
2008-04-30 21:36 --------- d-----w C:\Users\Patrick\AppData\Roaming\FileZilla
2008-04-28 19:27 18,912 ----a-w C:\Windows\system32\drivers\lmvac.sys
2008-04-26 08:02 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2008-04-25 04:23 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-04-25 04:23 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-04-25 04:23 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-04-25 04:22 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-04-12 06:09 4,465,532 ----a-w C:\Users\Patrick\FriendAdder.com ComboPack 3.26.exe
2008-04-11 18:49 6,004,224 ----a-w C:\Users\Patrick\MySpaceMusicPromoterInstaller.exe
2008-04-11 14:23 401,553 ----a-w C:\Users\Patrick\friendtools.zip
2008-04-11 09:00 19 ----a-w C:\Users\Patrick\key.dat
2008-04-11 09:00 19 ----a-w C:\Users\Patrick\key - Kopie (1).dat
2008-03-24 01:37 316,928 ----a-w C:\Users\Patrick\rar.exe
2008-03-16 01:29 0 ----a-w C:\Users\Patrick\AppData\Roaming\wklnhst.dat
2008-02-02 08:40 3,750,215 ----a-w C:\Users\Patrick\PHP0802-05 - Spears, Britney - Piece Of Me.zip
2008-02-02 08:39 3,778,588 ----a-w C:\Users\Patrick\MRH43-12 - Spears, Britney - Pieces Of Me.zip
2008-01-31 21:48 174 --sha-w C:\Program Files\desktop.ini
2007-09-29 20:54 827,392 ----a-w C:\Users\Patrick\friendtools.exe
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}]
2008-06-28 19:28 34304 --a------ C:\Windows\system32\hggdDVMd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-03-14 21:58 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 14:34 2159104 C:\Windows\System32\oobefldr.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 11:57 3784704 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-07-06 21:15 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-07-06 21:15 8466432]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-07-06 21:15 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-01-11 12:40 232184]
"MSPService"="C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe" [2007-06-13 00:36 102400]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]
"toolbar_eula_launcher"="C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe" [2007-02-20 18:20 28672]
"ACTIVBOARD"="C:\Program Files\Packard Bell\FIJI\aboard.exe" [2007-01-18 14:03 79416]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 20:49 36352]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 03:23 443968]

C:\Users\Patrick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 15:41:28 393216]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
PDFCreator.lnk - C:\Program Files\PDFCreator\PDFCreator.exe [2008-06-01 02:55:39 2641920]
Privoxy.lnk - C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 16:30:54 250368]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"LogonHoursAction"= 2 (0x2)
"DontDisplayLogonHoursWarnings"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}"= C:\Windows\system32\hggdDVMd.dll [2008-06-28 19:28 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\CYBERL~1\MAGICS~1\Kernel\Burner\MKDMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1BB9FEA9-E6A1-4172-A8DB-816C04227BA3}"= C:\Program Files\CyberLink\MagicSports\MagicSports.exe:CyberLink MagicSports
"{9B603293-7C45-4052-A9E9-E608AB3393B5}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{F4F86E34-9983-4268-8643-1E3A78FF3EDF}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{3DCC6682-1562-4F08-ADE3-D3ECE634DF53}C:\\program files\\estsoft\\alftp\\alftp.exe"= UDP:C:\program files\estsoft\alftp\alftp.exe:ALFTP
"UDP Query User{7A4EBAE1-7D6E-49DC-B30B-641D3C5FD72D}C:\\program files\\estsoft\\alftp\\alftp.exe"= TCP:C:\program files\estsoft\alftp\alftp.exe:ALFTP
"{5D5DBC5F-F495-4975-846C-224B32E777C8}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{C973251C-F73B-43E0-B62A-70752E433C5B}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{FC88185F-9F1F-43F8-ABF7-9877E7CD09D9}D:\\dc++\\dcplusplus.exe"= UDP:\dc++\dcplusplus.exeC++
"UDP Query User{BC488BBB-9747-47A5-9506-D721B22FF127}D:\\dc++\\dcplusplus.exe"= TCP:\dc++\dcplusplus.exeC++
"TCP Query User{34D3839A-C38B-493E-8731-7A905EFE2950}C:\\program files\\dc++\\dcplusplus.exe"= UDP:C:\program files\dc++\dcplusplus.exeC++
"UDP Query User{5FE15278-500C-4B1F-B75B-86687F4F9591}C:\\program files\\dc++\\dcplusplus.exe"= TCP:C:\program files\dc++\dcplusplus.exeC++
"{9650D09E-D3E6-436D-AF34-A41B46F927E9}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{C434DE95-6CEF-433C-9C88-39A1C712BEC8}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [2006-12-28 07:48]
R3 LTXMD_VAC;Litex Media Virtual Audio Cabel (WDM);C:\Windows\system32\drivers\lmvac.sys [2008-04-28 21:27]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-01-09 23:32]
R3 UMPass;Microsoft
UMPass-tREIBER;C:\Windows\system32\DRIVERS\umpass.sys [2006-11-02 10:55] S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18] S4 nvrd32;NVIDIA nForce RAID Driver ;C:\Windows\system32\drivers\nvrd32.sys [2006-12-22 20:07] *Newly Created Service* - COMHOST . Inhalt des "geplante Tasks" Ordners "2008-06-29 17:30:00 C:\Windows\Tasks\Erweiterte Garantie.job" - C:\Program Files\Packard Bell\SetupmyPC\PBCarNot.exe "2008-06-29 17:32:43 C:\Windows\Tasks\SDMsgUpdate (TE).job" - C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X "2008-06-29 02:57:29 C:\Windows\Tasks\User_Feed_Synchronization-{85B9A6ED-88E7-4F38-BAC0-C03319C461FB}.job" - C:\Windows\system32\msfeedssync.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-29 19:33:53 Windows 6.0.6000 NTFS Scanne versteckte Prozesse... Scanne versteckte Autostart Eintr„ge... Scanne versteckte Dateien... Scan erfolgreich abgeschlossen versteckte Dateien: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\Windows\Explorer.exe -> C:\Windows\system32\hggdDVMd.dll -> G:\Windows\system32\MLANG.dll . ------------------------ Other Running Processes ------------------------ . 
C:\Windows\System32\audiodg.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Windows\System32\WUDFHost.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE C:\Program Files\Symantec\LiveUpdate\LUALL.EXE C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe C:\Windows\System32\conime.exe C:\Windows\System32\rundll32.exe C:\Program Files\Packard Bell\FIJI\AOSD.exe C:\Windows\System32\taskmgr.exe C:\Windows\System32\rundll32.exe C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe C:\Windows\System32\dllhost.exe . ************************************************************************** . Zeit der Fertigstellung: 2008-06-29 19:38:37 - machine was rebooted [Admin] ComboFix-quarantined-files.txt 2008-06-29 17:38:15 13 Verzeichnis(se), 75,119,251,456 Bytes frei 21 Verzeichnis(se), 71,201,615,872 Bytes frei 398 --- E O F --- 2008-06-26 18:53:42 |
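Added example, not part of the original thread and not ComboFix's own code: a short Python triage over the registry section of the log above. It picks out the two things a helper reads first in a dump like this: the security posture being switched off (Security Center monitoring and the firewall profiles), and the same DLL registered both as a Browser Helper Object and as a ShellExecuteHook, which gets it loaded into Internet Explorer and into explorer.exe. The sample input is a handful of lines copied from the log; the substring-based key matching is an assumption about ComboFix's layout, so treat this as a reading aid rather than a scanner.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the ComboFix registry section
# posted above, with one benign Run entry kept for contrast.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}]
2008-06-28 19:28 34304 --a------ C:\Windows\system32\hggdDVMd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 23:59 115816]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BA2A2046-75A4-47C0-A09C-F0DCC706D39B}"= C:\Windows\system32\hggdDVMd.dll [2008-06-28 19:28 34304]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
# Shortest run from a drive letter to a .dll/.exe/.sys extension (assumed layout).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys)\b", re.IGNORECASE)


def parse_sections(text):
    """Yield (key, lines) for every bracketed registry key block in a ComboFix dump."""
    key, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                yield key, lines
            key, lines = m.group("key").lower(), []
        elif key is not None:
            lines.append(line)
    if key is not None:
        yield key, lines


def module_path(line):
    """Pull the module path out of a BHO/hook line, ignoring the trailing [date size] stamp."""
    m = PATH_RE.search(line.split(" [")[0])
    return m.group(0).lower() if m else None


def triage(text):
    """Return human-readable findings: weakened security posture and COM-based persistence."""
    findings = []
    registrations = defaultdict(set)  # dll path -> {"BHO", "ShellExecuteHook"}
    for key, lines in parse_sections(text):
        if "browser helper objects" in key or "shellexecutehooks" in key:
            kind = "BHO" if "browser helper objects" in key else "ShellExecuteHook"
            for line in lines:
                path = module_path(line)
                if path:
                    registrations[path].add(kind)
                    findings.append(f"{kind} loads {path}")
            continue
        for line in lines:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, val = m.group("name"), m.group("val").strip()
            # Security Center told not to monitor AV/firewall state: a classic tamper signal.
            if "security center\\monitoring" in key and name == "DisableMonitoring" \
                    and val.endswith("00000001"):
                findings.append(f"Security Center monitoring disabled under {key}")
            # Windows Firewall switched off per profile (Domain/Public/Standard).
            if "firewallpolicy\\" in key and name == "EnableFirewall" and val.startswith("0"):
                profile = key.rsplit("\\", 1)[-1]
                findings.append(f"Windows Firewall disabled for {profile}")
    for path, kinds in registrations.items():
        if kinds >= {"BHO", "ShellExecuteHook"}:
            findings.append(f"{path} registered as both BHO and ShellExecuteHook "
                            "(loaded by Internet Explorer and by explorer.exe)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the full log above the same pass would report three DisableMonitoring keys (the generic one plus the two Symantec ones) and all three firewall profiles, which is why the helper's cfscript/OTMoveIt steps target hggdDVMd.dll first: removing the Run entries alone leaves the DLL loaded by explorer.exe.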
29.06.2008, 20:05
Honorary member
Posts: 29434
#6
««
Copy the following text into Notepad (Start - Accessories - Notepad) and save it as cfscript.txt on the desktop with 'Save as'. Select "All Files" - Save

Quote:
KILLALL::

You should now find this file cfscript.txt on the desktop. Drag cfscript.txt with the right mouse button onto the Combofix icon.
Then: run Combofix once more.

«« post the new Combofix log

«« run datfindbat, post all logs up to March 2008 (they are sorted by date)
http://virus-protect.org/datfindbat.html

«« run navilog, first Option 1, then Option 2
http://virus-protect.org/artikel/tools/navilog.html
post the report from Option 2 here

__________
Regards, Sabina
all about PC security
29.06.2008, 20:33
Honorary member
Posts: 29434
#7
You did not apply or create the script correctly ... please once more, but correctly.

__________
Regards, Sabina
all about PC security
29.06.2008, 20:37
...new here
Thread starter, Posts: 4
#8
When starting datfindbat I get the following error message:

The file c:\dirdat.txt could not be found

And then the program aborts.
29.06.2008, 20:38
Honorary member
Posts: 29434
#9
Please run the combofix script again first, but correctly, everything in order.

__________
Regards, Sabina
all about PC security
30.06.2008, 10:57
Honorary member
Posts: 29434
#10
Hello,

you are not getting it done. Perhaps you also notice that the Combofix log is always the same ... nothing gets deleted.
------------
«« delete ("fix") with HijackThis
Click: "Do a system scan only"
Put a check mark in the box in front of the entry named below and choose "fix checked".
+ restart the computer.

Quote:
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)

So let's try it this way:
http://virus-protect.org/artikel/tools/otmoveIt.html
Download OTMoveIt to the desktop
Open: OTMoveIt.exe
Paste into the left window, where it says "Paste List of Files/Folders to Move":

Quote:
C:\Users\Patrick\svchost.exe

Click on the red "MoveIt!" text.
Copy the text in the right window (Results) with a right mouse click and "paste" it into your forum post with a right mouse click.

2. run vistascan + post the report
http://virus-protect.org/artikel/tools/windowsscan.html

3. run navilog, first Option 1, then Option 2
http://virus-protect.org/artikel/tools/navilog.html
post the report from Option 2 here

__________
Regards, Sabina
all about PC security
This morning I was completely dumbfounded when I went to the computer. The computer had been running for 5 hours overnight (I had fallen asleep while watching a DVD). But I did not have the Internet on (Internet Explorer closed, no ICQ or similar programs running in the background, and no file-sharing program or the like was running either).
I have Windows Vista.
Yesterday everything was fine, no errors, nothing at all, but now Internet windows keep opening unasked with some advertising for antivirus scans or for online casinos.
A system message today showed that the trojan "Vundo.gen!E" had been found.
Now I have created a log file with HijackThis; maybe one of you knows more about this than I do and can tell me from it what might be wrong and, above all, how I get the trojan off again.
I would be very grateful if you could help me.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:49, on 29.06.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Packard Bell\FIJI\ABoard.exe
C:\Program Files\Packard Bell\FIJI\AOSD.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Users\Patrick\svchost.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://format.packardbell.com/cgi-bin/redirect/?country=DE&range=AD&phase=8&key=IESTART
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\iftuyszv.exe,
O1 - Hosts: ::1 localhost
O3 - Toolbar: Norton-Symbolleiste anzeigen - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\CDG Ripper\msdxm.ocx
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [MSPService] C:\Program Files\CyberLink\MagicSports\Kernel\MagicSports\MSPMirage.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TP CfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\SymCuw.exe" -G:{2D617065-1C52-4240-B5BC-C0AE12157777} -T:Config
O4 - HKLM\..\Run: [toolbar_eula_launcher] C:\Program Files\Packard Bell\GOOGLE_EULA\EULALauncher.exe
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Program Files\Packard Bell\FIJI\aboard.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ddccaYrP.dll,#1
O4 - HKLM\..\Run: [runner1] C:\Windows\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [78552e26] rundll32.exe "C:\Windows\system32\npylelsf.dll",b
O4 - HKLM\..\Run: [BM7b661dba] Rundll32.exe "C:\Windows\system32\iracpgul.dll",s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [SmpcSys] C:\Program Files\Packard Bell\SetUpMyPC\SmpSys.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Host Process] C:\Users\Patrick\svchost.exe
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [Vidalia] "C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKCU\..\Run: [oawau] c:\users\patrick\appdata\local\oawau.exe oawau
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Patrick\lsass.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: PDFCreator.lnk = C:\Program Files\PDFCreator\PDFCreator.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {A672558F-A878-4D5A-A921-627C091CEB63} (Flatcast Producer 4.16) - http://80.237.209.20/objects/NpFp41629.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1206119377
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F554} (Flatcast Viewer 4.16) - http://data.flatcast.com/data/objects/NpFv41629.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 10333 bytes
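Added example, not from the original post and not HijackThis's own code: a Python pass over the O4 and F2 lines of the log above, applying the heuristics a helper uses when eyeballing such a log: a UserInit value with anything chained after userinit.exe, rundll32 entries that call an ordinal or single-letter export instead of a named one, core system process names (svchost.exe, lsass.exe) running from C:\Users, any autorun from a user profile, and long opaque hex arguments. The sample input consists of lines copied from the log above; the thresholds (32 hex characters, one-character exports) and the list of system process names are assumptions.

```python
import re

# Constructed sample: lines copied from the HijackThis log above, suspicious and
# legitimate entries mixed, so the heuristics have something to pass as well.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\iftuyszv.exe,
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ddccaYrP.dll,#1
O4 - HKLM\..\Run: [runner1] C:\Windows\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [78552e26] rundll32.exe "C:\Windows\system32\npylelsf.dll",b
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Host Process] C:\Users\Patrick\svchost.exe
O4 - HKCU\..\Run: [oawau] c:\users\patrick\appdata\local\oawau.exe oawau
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Patrick\lsass.exe
"""

# Core Windows process names that have no business living under C:\Users (assumed list).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "smss.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.IGNORECASE)
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")  # 32+ hex chars: assumed threshold


def first_path(cmd):
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def assess_run_entry(cmd):
    """Return the reasons an O4 Run command deserves a second look (empty list = nothing odd)."""
    reasons = []
    m = RUNDLL_RE.match(cmd.strip())
    if m:
        export = m.group("export")
        # Legitimate rundll32 autoruns call a named export (nvsvcStart, ShowWelcomeCenter);
        # the loaders in this log call an ordinal (#1) or a single letter (b, s).
        if export.startswith("#") or len(export) <= 1:
            reasons.append(f"rundll32 calls opaque export '{export}' in {m.group('dll')}")
    path = first_path(cmd)
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if path.lower().startswith("c:\\users\\"):
        if base in SYSTEM_PROCESS_NAMES:
            reasons.append(f"system process name {base} running from a user profile: {path}")
        else:
            reasons.append(f"autorun from a user profile: {path}")
    if HEX_BLOB_RE.search(cmd):
        reasons.append("launched with an opaque hex blob as argument")
    return reasons


def assess_userinit(value):
    """Anything chained after userinit.exe in the UserInit value runs at every logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]


def triage(log):
    """Return [(entry name, [reasons])] for every line of a HijackThis log worth a second look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        f2 = F2_RE.match(line)
        if f2:
            extra = assess_userinit(f2.group("val"))
            if extra:
                findings.append(("UserInit",
                                 [f"extra executable chained into UserInit: {e}" for e in extra]))
            continue
        o4 = O4_RE.match(line)
        if o4:
            reasons = assess_run_entry(o4.group("cmd"))
            if reasons:
                findings.append((o4.group("name"), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(f"[{name}]")
        for r in reasons:
            print(f"    {r}")
```

Run against the sample, the pass flags UserInit, MSServer, runner1, 78552e26, Host Process, oawau and LSA Shellu, and lets NvSvc, ccApp and WindowsWelcomeCenter through. The UserInit check is the one to get right first: the F2 line above is exactly what the moderator's first reply told the poster to fix, because iftuyszv.exe is re-launched at every logon before any Run entry.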