MBR rootkit / ntos.exe / wsnpoem

#1 erst mal hallo

wie gesagt wen ich meinen pc starte kommen 3x ein fenster mit rundll
und wen ich ein spiel starte kommt auch so eine meldung.das is mein problem nr.1

dann wäre noch firefox was sich einfach beendet das is problem nr. 2

leider kenne ich mich mit so was nicht aus und bin einfach gesagt überfordert
und hoffe auf hilfe !!!

#2 Hallo, sunce
versuche, ein Log vom Hijackthis hier zu posten
http://virus-protect.org/hjtkurz.html

Beim Erststart:
Do a system scan and save a logfile - es öffnet sich der Editor

nun das KOMPLETTE Log mit rechtem Mausklick abkopieren und im Sicherheits-Forum mit rechtem Mausklick "einfügen"
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:41:21, on 15.07.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
K:\Programme\SlySoft\CloneCD\CloneCDTray.exe
C:\Programme\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Little Fighter 2 Toolbar Helper - {AB41010D-4804-4793-A6A2-3B5EBE2348DD} - C:\Programme\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O2 - BHO: Burn4Free Toolbar Helper - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Programme\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Little Fighter 2 Toolbar - {C11483F7-D7D8-4804-98D8-6055470BB989} - C:\Programme\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O3 - Toolbar: Burn4Free Toolbar - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [CloneCDTray] "k:\Programme\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [XboxStat] "C:\Programme\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe"
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCfox000
O8 - Extra context menu item: &Windows Live Search - res://C:\Programme\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with Xilisoft Download YouTube Video - C:\Programme\Xilisoft\Download YouTube Video\upod_link.HTM
O8 - Extra context menu item: Easy-WebPrint - Drucken - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Easy-WebPrint - Schnelldruck - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint - Vorschau - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint - Zu Druckliste hinzufügen - res://C:\Programme\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\scieplugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/DE-DE/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5190378E-4CD3-4FE7-AD6F-32029D95C5A0}: NameServer = 192.168.0.1
O23 - Service: Kaspersky Personal Security Suite V (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Messenger USN Journal Reader-Service für freigegebene Ordner (usnjsvc) - Unknown owner - C:\Programme\MSN Messenger\usnsvc.exe (file missing)

--
End of file - 9415 bytes


so gut?

#4 «

du solltest formatieren und zwar fix ...und alle passworte ändern
oder willst du reinigen ? Das System ist jedoch schwer kompromitiert............

««
mit dem HijackThis löschen ("fixen")
Klicke: "Do a system scan only"
Setze ein Häckchen in das Kästchen vor den genannten Eintrag
und wähle fix checked.

Zitat

R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: Little Fighter 2 Toolbar Helper - {AB41010D-4804-4793-A6A2-3B5EBE2348DD} - C:\Programme\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll (file missing)

O2 - BHO: Burn4Free Toolbar Helper - {D187A56B-A33F-4CBE-9D77-459FC0BAE012} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll (file missing)

O3 - Toolbar: Little Fighter 2 Toolbar - {C11483F7-D7D8-4804-98D8-6055470BB989} - C:\Programme\Little Fighter 2 Toolbar\v2.0.0.1\Little_Fighter_2_Toolbar.dll (file missing)

O3 - Toolbar: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)

O3 - Toolbar: Burn4Free Toolbar - {4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll (file missing)

O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL,UPF

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZCfox000

lade sdfix
http://virus-protect.org/artikel/tools/sdfix.html

unter C:\ findet man nun den SDFix-Ordner

boote in den abgesicherten Modus (die Taste F8 drücken, während der Rechner neustartet)

gehe in den Ordner C:\SDFix

RunThis.bat doppelt klicken
folge allen Anweisungen, während gescannt wird - dann wird der Rechner neustarten
kopiere mit der rechten Maustaste den Text ab, der erscheint - und in den Beitrag,

««
dann lade combofix + poste den report
http://virus-protect.org/artikel/tools/combofix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#5 SDFix: Version 1.205
Run by Michael on 15.07.2008 at 18:20

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\Temp\ed47fa.$ - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem\audio.dll - Deleted
C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted

[color=red]Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the [url=http://www2.gmer.net/mbr/mbr.exe]MBR Rootkit Detector[/url] by Gmer or [url=http://www.freedrweb.com/cureit]CureIt[/url] by Dr.Web[/color]

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$

Folder C:\WINDOWS\system32\wsnpoem - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 18:33:59
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.exe [468] 0x89DEEDA0

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,c1,9e,b0,4e,be,a8,69,c7,aa,86,5a,7c,0e,c3,68,68,52,bb,93,86,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,c1,9e,b0,4e,be,a8,69,c7,aa,86,5a,7c,0e,c3,68,68,52,bb,93,86,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\e0d08b835426133f]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\e0d08b835426133f]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_E0D08B835426133F]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\e0d08b835426133f]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.exe"
"DisplayName"="Microsoft DDE+ server"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:92,5b,79,56,29,52,ff,74,38,89,a7,69,19,d9,15,f7,9c,53,23,24,f2,..
"p0"="C:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:0b,9b,83,91,45,05,7e,73,95,00,83,8b,5d,6c,8c,cc,56,74,aa,98,6d,..
"a0"=hex:20,01,00,00,3a,96,ed,a0,e2,f0,bf,82,86,aa,b1,74,8a,66,09,fc,7c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7f,80,51,67,3e,a2,02,9b,19,08,6c,84,f8,03,91,f5,2f,d2,2a,16,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:02,5b,df,59,61,b7,3a,d5,44,21,78,23,78,4a,db,80,3b,7b,99,ec,32,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
"ujdew"=hex:20,02,00,00,3e,9f,e1,02,21,f4,0f,76,da,86,b5,a4,39,be,92,97,96,..
"ljej40"=hex:79,af,6a,90,75,db,a3,d0,05,f3,85,e3,0a,60,8b,f2,2a,b9,99,f6,29,..
"ljej41"=hex:ce,af,6a,90,0d,db,a3,d0,04,f3,84,e3,0b,60,8b,f2,2a,b9,99,f6,39,..
"ljej42"=hex:ce,af,6a,90,0d,db,a3,d0,04,f3,84,e3,0b,60,8b,f2,2a,b9,99,f6,39,..
"ljej43"=hex:ce,af,6a,90,0d,db,a3,d0,04,f3,84,e3,0b,60,8b,f2,2a,b9,99,f6,39,..
"ljej44"=hex:ce,af,6a,90,0d,db,a3,d0,04,f3,84,e3,0b,60,8b,f2,2a,b9,99,f6,39,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\SafeBoot\Minimal\e0d08b835426133f]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\SafeBoot\Network\e0d08b835426133f]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_E0D08B835426133F]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\e0d08b835426133f]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.exe"
"DisplayName"="Microsoft DDE+ server"
"ObjectName"="LocalSystem"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:92,5b,79,56,29,52,ff,74,38,89,a7,69,19,d9,15,f7,9c,53,23,24,f2,..
"p0"="C:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:0b,9b,83,91,45,05,7e,73,95,00,83,8b,5d,6c,8c,cc,56,74,aa,98,6d,..
"a0"=hex:20,01,00,00,3a,96,ed,a0,e2,f0,bf,82,86,aa,b1,74,8a,66,09,fc,7c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7f,80,51,67,3e,a2,02,9b,19,08,6c,84,f8,03,91,f5,2f,d2,2a,16,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:02,5b,df,59,61,b7,3a,d5,44,21,78,23,78,4a,db,80,3b,7b,99,ec,32,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

C:\WINDOWS\system32\.e0d08b835426133f
C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.AT.config 102 bytes
C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.core.dll 137728 bytes executable
C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.exe 41984 bytes executable
C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.ServerPlugin.config 45 bytes

scan completed successfully
hidden processes: 1
hidden services: 1
hidden files: 5


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programme\\MSN Messenger\\livecall.exe"="C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe"="C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe:*:Enabled:Universe at War Earth Assault"
"C:\\Programme\\Messenger\\msmsgs.exe"="C:\\Programme\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Programme\\ICQ6\\ICQ.exe"="C:\\Programme\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programme\\MSN Messenger\\livecall.exe"="C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 5 Jan 2008 0 ..SH. --- "C:\WINDOWS\SDED748F9.tmp"
Mon 11 Sep 2006 4,348 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Mon 11 Sep 2006 401 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv15.bak"
Tue 3 Oct 2006 50,280 A..H. --- "C:\Programme\Gemeinsame Dateien\Adobe\ESD\DLMCleanup.exe"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Programme\Gemeinsame Dateien\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sat 9 Sep 2006 444 A..H. --- "C:\Dokumente und Einstellungen\Michael\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"
Tue 18 Mar 2008 2,158 ...HR --- "C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!

das wäre das erste

-----------------------------------------------------------------------------
ComboFix 08-07-07.3 - Michael 2008-07-15 18:47:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1031.18.1600 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
* Resident AV is active


[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\wsnpoem
C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\wsnpoem
C:\Programme\FunWebProducts
C:\Programme\FunWebProducts\Shared\0219B765.dat
C:\Programme\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Programme\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Programme\FunWebProducts\Shared\Cache\MailStampBtn.htmlx
C:\Programme\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Programme\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Programme\internet explorer\msimg32.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((( Dateien erstellt von 2008-06-15 bis 2008-07-15 ))))))))))))))))))))))))))))))
.

2008-07-15 17:44 . 2008-07-15 17:45 <DIR> d-------- C:\WINDOWS\ERUNT
2008-07-15 17:32 . 2008-07-15 18:35 <DIR> d-------- C:\SDFix
2008-07-15 00:32 . 2008-07-15 00:32 <DIR> d-------- C:\Programme\Trend Micro
2008-07-14 01:39 . 2008-07-14 01:39 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Symantec Shared
2008-07-14 01:26 . 2008-07-14 01:26 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-14 00:41 . 2008-07-14 00:41 <DIR> d-------- C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Anwendungsdaten\dvdcss
2008-07-12 01:43 . 2008-07-14 20:58 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SecTaskMan
2008-07-11 23:57 . 2008-07-14 21:28 <DIR> d-------- C:\Programme\Spybot - Search & Destroy
2008-07-11 23:57 . 2008-07-14 22:16 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-07-11 23:27 . 2008-07-11 23:27 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-07-10 01:05 . 2008-07-10 01:05 <DIR> d-------- C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Anwendungsdaten\Xilisoft Corporation
2008-07-10 01:01 . 2008-07-10 01:01 <DIR> d-------- C:\Programme\Xilisoft
2008-07-04 16:54 . 2008-07-04 16:54 <DIR> d-------- C:\Programme\CCleaner
2008-06-27 13:27 . 2008-06-27 13:27 <DIR> d-------- C:\Dokumente und Einstellungen\LocalService\Anwendungsdaten\ICQ Toolbar
2008-06-27 12:37 . 2008-06-27 12:37 <DIR> dr------- C:\Dokumente und Einstellungen\LocalService\Favoriten

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-15 16:54 28,053,792 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-15 16:53 438,816 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-15 16:50 45,272 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-15 16:50 382,964 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-15 16:36 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Kaspersky Lab
2008-07-11 23:54 --------- d-----w C:\Programme\ICQToolbar
2008-06-25 17:27 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-06-23 20:18 --------- d-----w C:\Programme\Fish Tycoon
2008-06-23 20:14 --------- d-----w C:\Programme\Alcohol Soft
2008-06-23 20:01 --------- d-----w C:\Programme\Microsoft Games
2008-06-23 19:51 --------- d-----w C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Anwendungsdaten\SpieleEntwicklungsKombinat
2008-06-23 19:50 --------- d-----w C:\Programme\TikGames
2008-06-14 16:49 --------- d-----w C:\Programme\Gemeinsame Dateien\Blizzard Entertainment
2008-05-19 00:24 --------- d-----w C:\Programme\MobMapUpdater
2007-02-25 10:29 316,928 ----a-w C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Schtrom360XtractV3.2.exe
2006-12-30 12:45 92,064 ----a-w C:\Dokumente und Einstellungen\Michael\mqdmmdm.sys
2006-12-30 12:45 9,232 ----a-w C:\Dokumente und Einstellungen\Michael\mqdmmdfl.sys
2006-12-30 12:45 79,328 ----a-w C:\Dokumente und Einstellungen\Michael\mqdmserd.sys
2006-12-30 12:45 66,656 ----a-w C:\Dokumente und Einstellungen\Michael\mqdmbus.sys
2006-12-30 12:45 6,208 ----a-w C:\Dokumente und Einstellungen\Michael\mqdmcmnt.sys
2006-12-30 12:45 5,936 ----a-w C:\Dokumente und Einstellungen\Michael\mqdmwhnt.sys
2006-12-30 12:45 4,048 ----a-w C:\Dokumente und Einstellungen\Michael\mqdmcr.sys
2006-12-30 12:45 25,600 ----a-w C:\Dokumente und Einstellungen\Michael\usbsermptxp.sys
2006-12-30 12:45 22,768 ----a-w C:\Dokumente und Einstellungen\Michael\usbsermpt.sys
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:57 15360]
"DAEMON Tools Lite"="C:\Programme\DAEMON Tools Lite\daemon.exe" [2008-04-01 11:39 486856]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-04-28 09:47 7573504]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-04-28 09:47 86016]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"Easy-PrintToolBox"="C:\Programme\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 03:10 409600]
"CloneCDTray"="k:\Programme\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 15:47 57344]
"XboxStat"="C:\Programme\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 19:05 734264]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 11:44 16120832 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2006-04-28 09:47 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:57 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe"=

R0 m5288;m5288;C:\WINDOWS\system32\DRIVERS\m5288.sys [2005-12-23 22:54]
R1 SSHDRV86;SSHDRV86;C:\WINDOWS\System32\drivers\SSHDRV86.sys [2007-05-13 11:21]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 14:36]
S2 MyWebSearchService;My Web Search Service;C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe []
S3 adxapie;adxapie;C:\DOKUME~1\TEMP~1.MIC\LOKALE~1\Temp\adxapie.sys []
S3 Tihid;Tihid;C:\WINDOWS\system32\drivers\Tihid.sys []
S3 XDva032;XDva032;C:\WINDOWS\System32\XDva032.sys []

.
Inhalt des "geplante Tasks" Ordners
"2008-07-15 16:41:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Programme\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-13 23:32:06 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Programme\Norton Security Scan\Nss.exe
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - C:\Programme\Burn4Free Toolbar\v3.3.0.1\Burn4Free_Toolbar.dll
HKCU-Run-MsnMsgr - C:\Programme\MSN Messenger\MsnMsgr.Exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 18:54:01
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

Scanne versteckte Prozesse...

C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.exe [928] 0x89DCA960

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...


C:\WINDOWS\system32\.e0d08b835426133f

Scan erfolgreich abgeschlossen
versteckte Dateien: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\e0d08b835426133f]
"ImagePath"="C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Programme\Google\Google Desktop Search\GoogleDesktopNetwork1.dll

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\ATL.DLL
-> C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.core.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Programme\Kaspersky Lab\Kaspersky Security Suite V\avp.exe
C:\Programme\Gemeinsame Dateien\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-07-15 18:57:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 16:57:27

10 Verzeichnis(se), 36,616,744,960 Bytes frei
13 Verzeichnis(se), 36,591,702,016 Bytes frei

154

--------------------------
habe oder hatte ich viele viren drauf

#6 Avenger
http://virus-protect.org/artikel/tools/avenger.html
setze ein Häkchen in: "Automatically disable any rootkits found"
Das Häkchen "Scan for Rootkits" sollte angehakt sein.
kopiere in das weisse Feld:

Zitat

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\e0d08b835426133f
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\e0d08b835426133f
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_E0D08B835426133F
HKLM\SYSTEM\CurrentControlSet\Services\e0d08b835426133f
HKLM\System\ControlSet004\Services\e0d08b835426133f
HKLM\SYSTEM\ControlSet005\Control\SafeBoot\Minimal\e0d08b835426133f
HKLM\SYSTEM\ControlSet005\Control\SafeBoot\Network\e0d08b835426133f
HKLM\SYSTEM\ControlSet005\Enum\Root\LEGACY_E0D08B835426133F
HKLM\SYSTEM\ControlSet005\Services\e0d08b835426133f
Files to delete:
C:\WINDOWS\Temp\bca4e2da.$$$
C:\WINDOWS\Temp\fa56d7ec.$$$
Folders to delete:
C:\WINDOWS\system32\.e0d08b835426133f

schliesse alle offenen Programme (denn nach Anwendung des Avengers wird der Rechner neustarten)

Klicke: Execute

bestätige, dass der Rechner neu gestartet wird - klicke "yes"

nach dem Neustart erscheint automatisch ein Log vom Avenger - (C:\avenger.txt), kopiere es ab - mit rechtem Mausklick - kopieren - einfügen


-----------------------------------------------------------------

http://virus-protect.org/artikel/tools/regsearch.html

und doppelklicken, um zu starten.
in: "Enter search strings" (reinschreiben oder reinkopieren)

e0d08b835426133f

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

MyWebSearchService

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

My Web Search Service

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

-----------

dann wende noch mal sdfix im abgesicherten modus an + poste den report
__________
MfG Sabina

rund um die PC-Sicherheit

#7 Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "e0d08b835426133f" found!
DisplayName: Microsoft DDE+ server
ImagePath: C:\WINDOWS\system32\.e0d08b835426133f\e0d08b835426133f.exe
Start Type: 2 (Automatic)

Rootkit scan completed.

Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\e0d08b835426133f" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\e0d08b835426133f" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_E0D08B835426133F" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Services\e0d08b835426133f" deleted successfully.

Error: registry key "HKLM\System\ControlSet004\Services\e0d08b835426133f" not found!
Deletion of registry key "HKLM\System\ControlSet004\Services\e0d08b835426133f" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet005\Control\SafeBoot\Minimal\e0d08b835426133f" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet005\Control\SafeBoot\Network\e0d08b835426133f" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet005\Enum\Root\LEGACY_E0D08B835426133F" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet005\Services\e0d08b835426133f" deleted successfully.
File "C:\WINDOWS\Temp\bca4e2da.$$$" deleted successfully.
File "C:\WINDOWS\Temp\fa56d7ec.$$$" deleted successfully.
Folder "C:\WINDOWS\system32\.e0d08b835426133f" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
----------------------------------------------------------

#8 http://virus-protect.org/artikel/tools/regsearch.html

und doppelklicken, um zu starten.
in: "Enter search strings" (reinschreiben oder reinkopieren)

e0d08b835426133f

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

MyWebSearchService

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

in: "Enter search strings" (reinschreiben oder reinkopieren)

My Web Search Service

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.

-----------

dann wende noch mal sdfix im abgesicherten modus an + poste den report
__________
MfG Sabina

rund um die PC-Sicherheit

#9 das is das erste

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 15.07.2008 23:37:45 for strings:
; '
e0d08b835426133f'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
-------------------------------------------------------
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 15.07.2008 23:40:14 for strings:
; 'mywebsearchservice'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_MYWEBSEARCHSERVICE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000]
"Service"="MyWebSearchService"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MyWebSearchService]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MyWebSearchService\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MyWebSearchService\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MyWebSearchService\Enum]
"0"="Root\\LEGACY_MYWEBSEARCHSERVICE\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_MYWEBSEARCHSERVICE]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000]
"Service"="MyWebSearchService"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MyWebSearchService]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MyWebSearchService\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000]
"Service"="MyWebSearchService"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWebSearchService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWebSearchService\Enum]
"0"="Root\\LEGACY_MYWEBSEARCHSERVICE\\0000"

; End Of The Log...
-------------------------------------------------
Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 15.07.2008 23:42:47 for strings:
; 'my web search service'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000]
"DeviceDesc"="My Web Search Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MyWebSearchService]
"DisplayName"="My Web Search Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000]
"DeviceDesc"="My Web Search Service"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MyWebSearchService]
"DisplayName"="My Web Search Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000]
"DeviceDesc"="My Web Search Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWebSearchService]
"DisplayName"="My Web Search Service"

; End Of The Log...
-----------------------------------------

#10 ««

kopiere in den Avenger

Zitat

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MyWebSearchService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MyWebSearchService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyWebSearchService

dann boote gleich in den abgesicherten modus und wende sdfix noch mal an + poste den report
__________
MfG Sabina

rund um die PC-Sicherheit

#11 SDFix: Version 1.205
Run by Michael on 16.07.2008 at 00:49

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:


[color=red]Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the [url=http://www2.gmer.net/mbr/mbr.exe]MBR Rootkit Detector[/url] by Gmer or [url=http://www.freedrweb.com/cureit]CureIt[/url] by Dr.Web[/color]

Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$
Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 00:57:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,c1,9e,b0,4e,be,a8,69,c7,aa,86,5a,7c,0e,c3,68,68,52,bb,93,86,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:9b,c1,9e,b0,4e,be,a8,69,c7,aa,86,5a,7c,0e,c3,68,68,52,bb,93,86,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:92,5b,79,56,29,52,ff,74,38,89,a7,69,19,d9,15,f7,9c,53,23,24,f2,..
"p0"="C:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:0b,9b,83,91,45,05,7e,73,95,00,83,8b,5d,6c,8c,cc,56,74,aa,98,6d,..
"a0"=hex:20,01,00,00,3a,96,ed,a0,e2,f0,bf,82,86,aa,b1,74,8a,66,09,fc,7c,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7f,80,51,67,3e,a2,02,9b,19,08,6c,84,f8,03,91,f5,2f,d2,2a,16,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:02,5b,df,59,61,b7,3a,d5,44,21,78,23,78,4a,db,80,3b,7b,99,ec,32,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vax347s\Config\jdgg40]
"ujdew"=hex:20,02,00,00,35,86,01,03,14,21,af,ce,8d,df,a1,ff,94,63,53,af,ed,..
"ljej40"=hex:4c,7a,ca,28,22,82,b7,8b,a8,2e,44,db,71,f1,d7,0e,07,dc,10,98,66,..
"ljej41"=hex:fb,7a,ca,28,5a,82,b7,8b,a9,2e,45,db,70,f1,d7,0e,07,dc,10,98,76,..
"ljej42"=hex:fb,7a,ca,28,5a,82,b7,8b,a9,2e,45,db,70,f1,d7,0e,07,dc,10,98,76,..
"ljej43"=hex:fb,7a,ca,28,5a,82,b7,8b,a9,2e,45,db,70,f1,d7,0e,07,dc,10,98,76,..
"ljej44"=hex:fb,7a,ca,28,5a,82,b7,8b,a9,2e,45,db,70,f1,d7,0e,07,dc,10,98,76,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:92,5b,79,56,29,52,ff,74,38,89,a7,69,19,d9,15,f7,9c,53,23,24,f2,..
"p0"="C:\Programme\DAEMON Tools Lite\"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:0b,9b,83,91,45,05,7e,73,95,00,83,8b,5d,6c,8c,cc,56,74,aa,98,6d,..
"a0"=hex:20,01,00,00,3a,96,ed,a0,e2,f0,bf,82,86,aa,b1,74,8a,66,09,fc,7c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:7f,80,51,67,3e,a2,02,9b,19,08,6c,84,f8,03,91,f5,2f,d2,2a,16,33,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:02,5b,df,59,61,b7,3a,d5,44,21,78,23,78,4a,db,80,3b,7b,99,ec,32,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe"="C:\\Programme\\Sega\\Universe At War Earth Assault\\UAWEA.exe:*:Enabled:Universe at War Earth Assault"
"C:\\Programme\\ICQ6\\ICQ.exe"="C:\\Programme\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Programme\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\MSN Messenger\\msnmsgr.exe"="C:\\Programme\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Programme\\MSN Messenger\\livecall.exe"="C:\\Programme\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

C:\WINDOWS\Temp\bca4e2da.$$$ Found
C:\WINDOWS\Temp\fa56d7ec.$$$ Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 5 Jan 2008 0 ..SH. --- "C:\WINDOWS\SDED748F9.tmp"
Mon 11 Sep 2006 4,348 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Mon 11 Sep 2006 401 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv15.bak"
Tue 3 Oct 2006 50,280 A..H. --- "C:\Programme\Gemeinsame Dateien\Adobe\ESD\DLMCleanup.exe"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Programme\Gemeinsame Dateien\Motorola Shared\MotPCSDrivers\difxapi.dll"
Sat 9 Sep 2006 444 A..H. --- "C:\Dokumente und Einstellungen\Michael\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"
Tue 18 Mar 2008 2,158 ...HR --- "C:\Dokumente und Einstellungen\Michael.MICHAEL-N.000\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!

#12 ««

Avenger hatte es entfernt , aber nun ist es wieder da

C:\WINDOWS\Temp\bca4e2da.$$$
C:\WINDOWS\Temp\fa56d7ec.$$$

««
http://www2.gmer.net/mbr/mbr.exe
Stealth MBR rootkit detector
scanne + poste den report - mbr.log

--------

dann scanne mit dr.web im abgesicherten modus + poste den report
http://virus-protect.org/cureit.html
__________
MfG Sabina

rund um die PC-Sicherheit

#13 Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0x1749ddc1 size 0x1e4 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.


Dr.Web
---------
Scanstatistiken
-----------------------------------------------------------------------------
Gescannt: 1193
Infizierte Objekte: 0
Modifikationen: 0
Verdächtige: 0
Adware: 0
Dialers: 0
Scherzprogramme: 0
Riskware: 0
Hacktools: 0
Desinfiziert: 0
Gelöscht: 0
Umbenannt: 0
Verschoben: 0
Ignoriert: 0
Geschwindigkeit:: 3036 Kb/s
Dauer:: 00:00:58
-----------------------------------------------------------------------------

#14 ««
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als fix.bat mit 'Speichern unter' auf dem Desktop.
Gebe bei Dateityp 'Alle Dateien' an.
Du solltest jetzt auf dem Desktop diese Datei finden.

Zitat

mbr.exe –f

Doppelklick auf fix.bat
Es wird ein Log erstellt ( mbr.log )und poste dessen Inhalt

--------------------------

siehe: Rootkit im Master Boot Record (MBR)
http://virus-protect.org/artikel/tools/mbr.html

----------------------------

dann scanne noch mal mit sdfix im abges.Modus + poste den report
__________
MfG Sabina

rund um die PC-Sicherheit

#15 Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x1749ddc1 size 0x1e4 !
copy of MBR has been found in sector 62 !
--------
so richtig