Antivirxp08 - How do I get rid of it?

28.08.2008, 17:39
...new here

Posts: 7
#1 Hello,

I had caught a trojan or virus and am now not sure whether it is gone. I have already read here in the forum and run both MBAM and HijackThis. It would be really nice if you could take a look and tell me whether I still need to do anything. In any case, I can at least choose my own desktop background again now :-)
Here are the log files of the two programs.

MBAM: (on the first scan, I had the findings removed)

Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1090
Windows 5.1.2600 Service Pack 3

15:55:15 28.08.2008
mbam-log-08-28-2008 (15-55-15).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 47841
Laufzeit: 4 minute(s), 1 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 4
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 4
Infizierte Verzeichnisse: 11
Infizierte Dateien: 13

Infizierte Speicherprozesse:
C:\WINXP\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\rhcnamj0e92e (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\rhcnamj0e92e\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\WINXP\system32\blphcjamj0e92e.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINXP\system32\drivers\svchost.exe (Trojan.Agent) -> Delete on reboot.
C:\WINXP\HOSTS (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINXP\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINXP\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINXP\system32\tdssserf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINXP\system32\tdssmain.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINXP\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINXP\system32\tdsslog.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINXP\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINXP\system32\lphcjamj0e92e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINXP\system32\phcjamj0e92e.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINXP\system32\pphcjamj0e92e.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.



Hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:37:42, on 28.08.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
C:\Programme\Norton\NavNT\vptray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Atguard\iamapp.exe
C:\WINXP\system32\rundll32.exe
C:\Programme\BitDefender\BitDefender 2009\bdagent.exe
C:\WINXP\system32\ctfmon.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Norton\NavNT\defwatch.exe
C:\Programme\Atguard\iamserv.exe
C:\Programme\Norton\NavNT\rtvscan.exe
C:\WINXP\system32\nvsvc32.exe
C:\Programme\Internet-Tools\Smartsurfer\SmurfService.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\UAService7.exe
C:\WINXP\system32\MsgSys.EXE
C:\Programme\Outlook Express\msimn.exe
C:\WINXP\system32\wscntfy.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\BitDefender\BitDefender 2009\seccenter.exe
C:\Programme\BitDefender\BitDefender 2009\vsserv.exe
C:\WINXP\System32\svchost.exe
C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Update Service\livesrv.exe
C:\Programme\tolls\Malwarebytes' Anti-Malware\mbam.exe
C:\WINXP\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\Tools\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\Tools\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Programme\BitDefender\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\Programme\Norton\NavNT\vptray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AudioDeck] C:\Programme\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\Tools\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BDAgent] "C:\Programme\BitDefender\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Programme\BitDefender\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\RunServices: [win updates] wugrds.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [win updates] wugrds.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [win updates] wugrds.exe (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\Tools\FlashGet\jc_all.htm
O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\Tools\FlashGet\jc_link.htm
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Internet-Tools\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Internet-Tools\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINXP\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\Tools\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\Tools\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\Internet-Tools\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\Internet-Tools\ICQ6\ICQ.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\INTERN~2\yahoo\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\INTERN~2\yahoo\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188644850540
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188644811674
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {96512D57-F751-4088-A689-5778FCC77F7A} (Photo Uploader Control) - http://www.studivz.net/lib/photouploader/PhotoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1219665234
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game09.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp05.photoprintit.de/microsite/1119/defaults/activex/ImageUploader3.cab
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast.com/de/download/NpFv415.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\Software\..\Telephony: DomainName = lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{55C7F9F9-A70F-4CB5-8399-41E68EFD1084}: NameServer = 192.168.121.252,192.168.121.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{56FC3DD2-1E57-44AB-AB00-A74D51959DE2}: NameServer = 130.149.19.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{849E68A9-6FD7-4C01-A0B2-15995C2F46B1}: NameServer = 130.149.19.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CAD04F0-E84A-41F1-B479-EDB1246B6778}: NameServer = 192.168.168.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = lan
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\Norton\NavNT\defwatch.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\PROGRAMME\TELEDAT\de_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Programme\Atguard\iamserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Programme\Gemeinsame Dateien\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programme\Norton\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartSurfer Manager (SmartSurferManager) - United Internet AG - C:\Programme\Internet-Tools\Smartsurfer\SmurfService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINXP\system32\UAService7.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Programme\BitDefender\BitDefender 2009\vsserv.exe

--
End of file - 12142 bytes


Thanks in advance for your help.
28.08.2008, 18:34
Moderator

Posts: 7805
#2 Please post a ComboFix report as well.
__________
Kind regards, Ralf
SEO-Spam Hunter
29.08.2008, 00:14
Honorary member

Posts: 29434
#3 that looks nasty... a fat backdoor...
http://virus-protect.org/artikel/spyware/tdssserv-sys.html

Quote

O4 - HKLM\..\RunServices: [win updates] wugrds.exe

O4 - HKUS\S-1-5-18\..\Run: [win updates] wugrds.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [win updates] wugrds.exe (User 'Default user')
you can find ComboFix here
http://virus-protect.org/artikel/tools/combofix.html

then please also post a log from SDFix right away
http://virus-protect.org/artikel/tools/sdfix.html
the SDFix folder can then be found under C:\

boot into safe mode (press the F8 key while the computer restarts)
go to the folder C:\SDFix
double-click RunThis.bat
follow all instructions while the scan runs - then the computer will restart
copy the text that appears using the right mouse button - and paste it into your post
__________
Kind regards, Sabina

all about PC security
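As an added example (the editor's own code, not part of this thread, of HijackThis or of any tool the posters use), a Python triage of the O4 autostart lines from the log in post #1: it flags the three "win updates" / wugrds.exe entries Sabina quotes above because they have no directory, sit in RunServices or in the SYSTEM and .DEFAULT profiles, and repeat the same value name across hives. The heuristics and the choice of sample lines are the editor's; a flag means "verify on disk", not "malicious", and two legitimate entries (Logi_MwX.Exe, bthprops.cpl) are included to show that.

```python
"""Triage of the O4 (autostart) lines in a HijackThis log.

Editor's example: the regex and heuristics are the editor's own, the sample
lines are copied from the HijackThis log posted in this thread.
"""
import re
from collections import Counter

# Shape of a registry-backed O4 line:
#   O4 - <hive>[\<profile>]\..\<key>: [<value name>] <command>[ (User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^\\]+)(?:\\(?P<user_sid>[^\\]+))?\\\.\.\\(?P<key>[A-Za-z]+): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)

# Profiles that belong to no interactive user: LocalSystem and the template profile.
SYSTEM_PROFILES = {"S-1-5-18", ".DEFAULT"}

# Lines copied from the posted log; the "Global Startup" line shows that
# non-registry O4 forms are skipped rather than misparsed.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [vptray] C:\Programme\Norton\NavNT\vptray.exe",
    r"O4 - HKLM\..\RunServices: [win updates] wugrds.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [win updates] wugrds.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [win updates] wugrds.exe (User 'Default user')",
    r"O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent",
    r'O4 - HKLM\..\Run: [BDAgent] "C:\Programme\BitDefender\BitDefender 2009\bdagent.exe"',
    r"O4 - Global Startup: BTTray.lnk = ?",
]


def parse_o4(line):
    """Return the fields of a registry-backed O4 line, or None for other forms."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def split_command(command):
    """Split an autostart command into (host program, remaining arguments)."""
    command = command.strip()
    if command.startswith('"'):          # quoted path containing spaces
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    head, _, tail = command.partition(" ")
    return head, tail.strip()


def launched_image(command):
    """The file that really gets loaded: the DLL for a rundll32 host, else the host."""
    host, args = split_command(command)
    base = host.lower().rsplit("\\", 1)[-1]
    if base in ("rundll32", "rundll32.exe") and args:
        return args.split(",", 1)[0].strip()
    return host


def triage(lines):
    """Map each O4 line worth checking to the list of reasons it was flagged."""
    entries = [(line, parse_o4(line)) for line in lines]
    entries = [(line, e) for line, e in entries if e]
    # The same value name present in several hives is a persistence pattern.
    spread = Counter(e["name"].lower() for _, e in entries)
    findings = {}
    for line, e in entries:
        reasons = []
        if "\\" not in launched_image(e["command"]):
            reasons.append("no directory given: resolved via the search path, confirm which file actually runs")
        if e["key"].lower() == "runservices":
            reasons.append("RunServices key: a Win9x-era location rarely used by software on XP")
        if e["user_sid"] in SYSTEM_PROFILES:
            reasons.append(f"autostart for profile '{e['user']}': runs outside any interactive user's session")
        if spread[e["name"].lower()] > 1:
            reasons.append(f"value name '{e['name']}' replicated in {spread[e['name'].lower()]} autostart locations")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES).items():
        print(line)
        for reason in reasons:
            print("   -", reason)
```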
29.08.2008, 02:16
...new here

Thread starter

Posts: 7
#4 Here is the ComboFix report


ComboFix 08-08-27.06 - jenius 2008-08-29 1:55:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1031.18.671 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\jenius\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\macromedia\Flash Player\#SharedObjects\U4HBYKW6\bin.clearspring.com
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\macromedia\Flash Player\#SharedObjects\U4HBYKW6\bin.clearspring.com\clearspring.sol
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Dokumente und Einstellungen\jenius\Cookies\jenius@2o7[2].txt
C:\Dokumente und Einstellungen\jenius\Cookies\jenius@87.237.123[3].txt
C:\Dokumente und Einstellungen\jenius\Cookies\jenius@asn.advolution[1].txt
C:\Dokumente und Einstellungen\jenius\Cookies\jenius@de.ebayrtm[1].txt
C:\Dokumente und Einstellungen\jenius\Cookies\jenius@lxk235.lexmark[2].txt
C:\Dokumente und Einstellungen\jenius\Cookies\jenius@statcounter[1].txt
C:\WINXP\pi.exe
C:\WINXP\system32\_000006_.tmp.dll
C:\WINXP\system32\_000007_.tmp.dll
C:\WINXP\system32\_000008_.tmp.dll
C:\WINXP\system32\_000009_.tmp.dll
C:\WINXP\system32\_000010_.tmp.dll
C:\WINXP\system32\_000013_.tmp.dll
C:\WINXP\system32\_000014_.tmp.dll
C:\WINXP\system32\AdCache
C:\WINXP\system32\mdm.exe

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_tdssserv


((((((((((((((((((((((( Dateien erstellt von 2008-07-28 bis 2008-08-29 ))))))))))))))))))))))))))))))
.

2008-08-29 02:07 . 2008-08-29 02:07 0 --a----t- C:\Temp\Perflib_Perfdata_b24.dat
2008-08-29 02:05 . 2008-08-29 02:05 <DIR> d-------- C:\Temp\WPDNSE
2008-08-29 02:05 . 2008-08-29 02:05 53,248 --a------ C:\Temp\catchme.dll
2008-08-29 01:39 . 2008-08-29 01:47 <DIR> d-------- C:\WINXP\SxsCaPendDel
2008-08-29 01:27 . 2008-08-29 01:27 850 --a------ C:\WINXP\system32\ProductTweaks.xml
2008-08-29 01:27 . 2008-08-29 01:27 385 --a------ C:\WINXP\system32\user_gensett.xml
2008-08-28 17:22 . 2008-08-29 02:05 <DIR> d-------- C:\Temp\tmp00007994
2008-08-28 16:44 . 2008-08-28 16:44 <DIR> d-------- C:\WINXP\system32\logs
2008-08-28 16:43 . 2008-08-28 16:44 <DIR> d-------- C:\Programme\BitDefender
2008-08-28 16:19 . 2008-08-29 01:37 <DIR> d-------- C:\Programme\Gemeinsame Dateien\BitDefender
2008-08-28 16:14 . 2008-08-28 16:16 <DIR> d-------- C:\Temp\plugtmp
2008-08-28 16:08 . 2008-08-28 16:08 <DIR> d-------- C:\Programme\Trend Micro
2008-08-28 15:49 . 2008-08-28 15:49 <DIR> d-------- C:\Programme\tolls
2008-08-28 15:49 . 2008-08-28 15:49 <DIR> d-------- C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Malwarebytes
2008-08-28 15:49 . 2008-08-28 15:49 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-28 15:49 . 2008-08-17 15:01 38,472 --a------ C:\WINXP\system32\drivers\mbamswissarmy.sys
2008-08-28 15:49 . 2008-08-17 15:01 17,144 --a------ C:\WINXP\system32\drivers\mbam.sys
2008-08-28 13:16 . 2008-08-28 14:02 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-08-28 12:52 . 2008-08-28 17:45 <DIR> d-------- C:\Temp\hsperfdata_jenius
2008-08-28 04:08 . 2008-08-28 04:08 <DIR> d-------- C:\Programme\Spyware Doctor
2008-08-28 04:08 . 2008-08-28 04:08 <DIR> d-------- C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\PC Tools
2008-08-28 04:08 . 2008-08-28 13:32 <DIR> d-a------ C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-08-28 04:08 . 2008-06-10 21:22 81,288 --a------ C:\WINXP\system32\drivers\iksyssec.sys
2008-08-28 04:08 . 2008-06-02 15:19 66,952 --a------ C:\WINXP\system32\drivers\iksysflt.sys
2008-08-28 04:08 . 2008-06-02 15:19 42,376 --a------ C:\WINXP\system32\drivers\ikfilesec.sys
2008-08-28 04:08 . 2008-06-02 15:19 29,576 --a------ C:\WINXP\system32\drivers\kcom.sys
2008-08-28 04:06 . 2008-08-29 02:05 <DIR> d-------- C:\Temp\DRDld
2008-08-28 04:05 . 2008-08-29 02:05 86,528 --a------ C:\WINXP\system32\drivers\ipqhso16yqa.sys
2008-08-28 03:49 . 2008-08-28 14:01 <DIR> d-------- C:\Programme\Enigma Software Group
2008-08-28 03:22 . 2008-08-28 03:22 <DIR> d-------- C:\Programme\Lavasoft
2008-08-28 03:22 . 2008-08-28 03:22 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-08-28 03:22 . 2008-08-28 03:23 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-08-27 17:34 . 2008-08-27 17:34 <DIR> d-------- C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\InfraRecorder
2008-08-27 02:54 . 2008-05-01 16:34 331,776 -----c--- C:\WINXP\system32\dllcache\msadce.dll
2008-08-27 02:53 . 2008-04-11 21:04 691,712 -----c--- C:\WINXP\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 00:05 --------- d-----w C:\WINXP\system32\config\systemprofile\Anwendungsdaten\SmartSurfer
2008-08-28 11:16 --------- d-----w C:\Programme\Tools
2008-08-27 17:45 --------- d-----w C:\Dokumente und Einstellungen\NetworkService\Anwendungsdaten\SmartSurfer
2008-08-27 15:43 --------- d-----w C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\SmartSurfer
2008-08-27 00:58 --------- d-----w C:\Programme\Microsoft Silverlight
2008-08-26 18:12 --------- d-----w C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\OpenOffice.org2
2008-07-29 08:43 7,680 ----a-w C:\WINXP\system32\uigxnp.dll
2008-07-29 08:43 149,120 ----a-w C:\WINXP\system32\drivers\uigxrdr.SYS
2008-07-07 20:26 253,952 ----a-w C:\WINXP\system32\es.dll
2008-06-24 16:42 74,240 ----a-w C:\WINXP\system32\mscms.dll
2008-06-23 16:14 826,368 ----a-w C:\WINXP\system32\wininet.dll
2008-06-20 17:46 247,296 ----a-w C:\WINXP\system32\mswsock.dll
2005-08-19 16:09 88 ----a-w C:\Dokumente und Einstellungen\jenius\PATCHINFO.BIN
2001-11-23 04:08 712,704 ----a-w C:\WINXP\inf\OTHER\AUDIO3D.DLL
1999-03-11 17:22 99,840 ----a-w C:\Programme\Gemeinsame Dateien\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Programme\Gemeinsame Dateien\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Programme\Gemeinsame Dateien\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Programme\Gemeinsame Dateien\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Programme\Gemeinsame Dateien\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Programme\Gemeinsame Dateien\IRASRIAL.DLL
2008-05-23 18:31 32,768 --sha-w C:\WINXP\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008051220080519\index.dat
2008-05-23 18:31 32,768 --sha-w C:\WINXP\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008052320080524\index.dat
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINXP\system32\ctfmon.exe" [2008-04-14 07:52 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Programme\Norton\NavNT\vptray.exe" [2001-09-24 07:59 73728]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2003-12-18 10:50 38912]
"iamapp"="C:\PROGRA~1\Atguard\iamapp.exe" [1999-10-12 15:52 90624]
"NvCplDaemon"="C:\WINXP\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"AudioDeck"="C:\Programme\VIA\VIAudioi\SBADeck\ADeck.exe" [2007-08-09 15:48 528384]
"QuickTime Task"="C:\Programme\Tools\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 10:50 20992 C:\WINXP\LOGI_MWX.EXE]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 07:53 110592 C:\WINXP\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
""="del" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"VIDC.VP31"= vp31vfw.dll
"VIDC.VQC6"= V2210dec.dll
"vidc.dvsd"= dvc.dll
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipqhso16yqa.sys]
@="\??\C:\WINXP\system32\drivers\ipqhso16yqa.sys"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"EPSONStatusAgent2"=2 (0x2)
"de_serv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINXP\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Internet-Tools\\ICQ6\\ICQ.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 videX32;videX32;C:\WINXP\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R1 Iamdrv;Iamdrv;C:\Programme\Atguard\iamdrv.sys [1999-10-12 15:54]
R1 uigxrdr;uigxrdr;C:\WINXP\system32\DRIVERS\uigxrdr.sys [2008-07-29 10:43]
R2 AVMPORT;AVMPORT;C:\WINXP\system32\drivers\avmport.sys [2001-10-23 01:00]
R2 iamServ;WRQ IAM;C:\Programme\Atguard\iamserv.exe [1999-10-12 15:51]
R2 ipqhso16yqa.sys;ipqhso16yqa.sys;C:\WINXP\system32\drivers\ipqhso16yqa.sys [2008-08-29 02:05]
R2 SmartSurferManager;SmartSurfer Manager;C:\Programme\Internet-Tools\Smartsurfer\SmurfService.exe [2007-08-01 13:07]
R2 WG1N;SyGate for NT, WG1N;C:\WINXP\system32\Drivers\WG1N.sys [2002-01-07 13:29]
R2 WG2N;SyGate for NT, WG2N;C:\WINXP\system32\Drivers\WG2N.sys [2002-01-07 13:29]
R3 AVMCOWAN;AVMCOWAN;C:\WINXP\system32\DRIVERS\AVMCOWAN.sys [2004-03-12 01:00]
R3 AVMWAN;NDIS WAN CAPI Treiber;C:\WINXP\system32\DRIVERS\avmwan.sys [2001-11-08 02:00]
R3 DNSFILT;DNSFILT;C:\Programme\Atguard\DNSFILT.SYS [1999-10-12 15:54]
R3 FWFILT;FWFILT;C:\Programme\Atguard\FWFILT.SYS [1999-10-12 15:55]
R3 HTTPFILT;HTTPFILT;C:\Programme\Atguard\HTTPFILT.SYS [1999-10-12 15:54]
R3 NDISFILT;NDISFILT;C:\Programme\Atguard\NDISFILT.SYS [1999-10-12 15:56]
R3 SaiHFF0C;SaiHFF0C;C:\WINXP\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 11:59]
R3 SaiUFF0C;SaiUFF0C;C:\WINXP\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 11:59]
S1 hidfltr;HID Filter Driver;C:\WINXP\system32\drivers\MWhid.sys [2004-07-22 12:44]
S2 MustekMA1908Driver;MustekMA1908Driver;C:\WINXP\system32\drivers\ma1908.sys []
S2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINXP\system32\DRIVERS\nvtvsnd.sys []
S3 cFosNT;cFosNT;C:\WINXP\system32\Drivers\cFosNT.sys [2005-05-01 00:00]
S3 fxusbase;Teledat X120 (WinXP/2000);C:\WINXP\system32\DRIVERS\fxusbase.sys [2001-11-08 02:00]
S3 ldiskl;ldiskl;c:\Temp\ldiskl.sys []
S3 NETPPPOI;PPP over ISDN;C:\WINXP\system32\DRIVERS\NETPPPOI.SYS [2001-10-04 16:08]
S3 SaiNtHid;%SAINTHID_NAME%;C:\WINXP\system32\DRIVERS\SaiNtHid.sys [2003-04-10 11:42]
S3 SaiNtSub;SaiNtSub;C:\WINXP\system32\DRIVERS\SaiNtSub.sys [2003-04-10 11:42]
S3 SFC4;SFC4;C:\WINXP\system32\drivers\SFC4.sys [1998-09-16 09:07]
S3 V2210VID;DigitalCam Pro;C:\WINXP\system32\DRIVERS\V2210vid.sys [2002-10-31 06:04]
S3 VendorJoystickEnabler;Creative GamePad Cobra Device Driver;C:\WINXP\system32\drivers\crgame.sys [2001-10-04 14:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{397eb901-28b5-11dd-b516-806d6172696f}]
\Shell\AutoRun\command - E:\Bin\Assetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51a65110-d4f1-11dc-99a3-0010dc717895}]
\Shell\AutoRun\command - D:\stdhost_boa_cwfk.exe
\Shell\verb\command - D:\stdhost_boa_cwfk.exe
.
Inhalt des "geplante Tasks" Ordners

2008-08-25 C:\WINXP\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
HKLM-RunServices-win updates - wugrds.exe
HKU-Default-Run-win updates - wugrds.exe


.
------- Additional scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Mozilla\Firefox\Profiles\guc4uuds.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
FF -: plugin - C:\Programme\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Programme\Internet-Tools\Opera\program\plugins\npdsplay.dll
FF -: plugin - C:\Programme\Internet-Tools\Opera\program\plugins\npqtplugin.dll
FF -: plugin - C:\Programme\Internet-Tools\Opera\program\plugins\npqtplugin2.dll
FF -: plugin - C:\Programme\Internet-Tools\Opera\program\plugins\npqtplugin3.dll
FF -: plugin - C:\Programme\Internet-Tools\Opera\program\plugins\npwmsdrm.dll
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Programme\Tools\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - C:\Programme\Tools\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - C:\Programme\Tools\QuickTime\Plugins\npqtplugin3.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 02:05:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded by running processes ---------------------

Process: C:\WINXP\system32\winlogon.exe
-> C:\WINXP\System32\NavLogon.dll
.
------------------------ Other running processes ------------------------
.
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINXP\system32\rundll32.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Programme\Norton\NavNT\defwatch.exe
C:\WINXP\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\WINXP\system32\nvsvc32.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\WINXP\system32\UAService7.exe
C:\WINXP\system32\wscntfy.exe
C:\WINXP\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-29 2:13:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 00:13:17

Pre-Run: 10 directory(ies), 226,625,114,112 bytes free
Post-Run: 13 directory(ies), 226,841,964,544 bytes free

240



And here, late as it is, the report from sdfix as well


SDFix: Version 1.219
Run by jenius on 29.08.2008 at 02:26

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINXP\system32\e2.exe - Deleted



Folder C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#w*w.redtube.com - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 02:38:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00027281223a]
"000e6d743e3d"=hex:b0,41,61,b6,76,00,29,cb,9a,29,b8,a6,8e,a2,80,30
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00027281223a]
"001979cd65c1"=hex:6e,e4,85,93,8c,d4,f2,67,ba,d6,59,d3,c8,45,8d,8c
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:b1908b02
"s1"=dword:e0bd8731
"s2"=dword:53557f29
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programme\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:e6,3d,01,39,cc,30,46,a2,18,3f,b4,06,a1,0b,b7,d1,11,25,23,e8,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,40,61,ff,5c,41,f9,b2,52,68,94,d9,4d,d4,f9,15,a8,96,..
"khjeh"=hex:0d,3b,8a,7e,3d,11,0e,f2,38,d8,d9,7a,4a,64,63,52,0a,d0,7e,18,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:45,a5,85,5c,28,fd,90,e3,bb,e7,60,59,f2,55,3a,82,52,b9,38,98,98,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programme\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:e6,3d,01,39,cc,30,46,a2,18,3f,b4,06,a1,0b,b7,d1,11,25,23,e8,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,40,61,ff,5c,41,f9,b2,52,68,94,d9,4d,d4,f9,15,a8,96,..
"khjeh"=hex:0d,3b,8a,7e,3d,11,0e,f2,38,d8,d9,7a,4a,64,63,52,0a,d0,7e,18,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:45,a5,85,5c,28,fd,90,e3,bb,e7,60,59,f2,55,3a,82,52,b9,38,98,98,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programme\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:e6,3d,01,39,cc,30,46,a2,18,3f,b4,06,a1,0b,b7,d1,11,25,23,e8,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,40,61,ff,5c,41,f9,b2,52,68,94,d9,4d,d4,f9,15,a8,96,..
"khjeh"=hex:0d,3b,8a,7e,3d,11,0e,f2,38,d8,d9,7a,4a,64,63,52,0a,d0,7e,18,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:45,a5,85,5c,28,fd,90,e3,bb,e7,60,59,f2,55,3a,82,52,b9,38,98,98,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programme\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:e6,3d,01,39,cc,30,46,a2,18,3f,b4,06,a1,0b,b7,d1,11,25,23,e8,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,40,61,ff,5c,41,f9,b2,52,68,94,d9,4d,d4,f9,15,a8,96,..
"khjeh"=hex:0d,3b,8a,7e,3d,11,0e,f2,38,d8,d9,7a,4a,64,63,52,0a,d0,7e,18,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:45,a5,85,5c,28,fd,90,e3,bb,e7,60,59,f2,55,3a,82,52,b9,38,98,98,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programme\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:e6,3d,01,39,cc,30,46,a2,18,3f,b4,06,a1,0b,b7,d1,11,25,23,e8,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,40,61,ff,5c,41,f9,b2,52,68,94,d9,4d,d4,f9,15,a8,96,..
"khjeh"=hex:0d,3b,8a,7e,3d,11,0e,f2,38,d8,d9,7a,4a,64,63,52,0a,d0,7e,18,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:45,a5,85,5c,28,fd,90,e3,bb,e7,60,59,f2,55,3a,82,52,b9,38,98,98,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\BTHPORT\Parameters\Keys\00027281223a]
"001979cd65c1"=hex:6e,e4,85,93,8c,d4,f2,67,ba,d6,59,d3,c8,45,8d,8c
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Programme\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:e6,3d,01,39,cc,30,46,a2,18,3f,b4,06,a1,0b,b7,d1,11,25,23,e8,76,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,40,61,ff,5c,41,f9,b2,52,68,94,d9,4d,d4,f9,15,a8,96,..
"khjeh"=hex:0d,3b,8a,7e,3d,11,0e,f2,38,d8,d9,7a,4a,64,63,52,0a,d0,7e,18,fe,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:45,a5,85,5c,28,fd,90,e3,bb,e7,60,59,f2,55,3a,82,52,b9,38,98,98,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINXP\\system32\\sessmgr.exe"="C:\\WINXP\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Internet-Tools\\ICQ6\\ICQ.exe"="C:\\Programme\\Internet-Tools\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\iTunes\\iTunes.exe"="C:\\Programme\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"="C:\\Programme\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"="C:\\Programme\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 28 Aug 2008 4,096 A..H. --- "C:\Dokumente und Einstellungen\All Users\Dokumente\._FixVundo.exe"
Thu 28 Aug 2008 4,096 A..H. --- "C:\Dokumente und Einstellungen\All Users\Dokumente\._mbam-setup.exe"
Sun 27 Jun 2004 4,348 ..SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\DRMv1.bak"
Sun 24 Oct 2004 400 ..SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\v2ks.bla.bak"
Sun 24 Oct 2004 48 ..SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\v2ks.sec.bak"
Sun 24 Oct 2004 400 ..SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\v3ks.bla.bak"
Wed 7 Feb 2007 0 A.SH. --- "C:\Dokumente und Einstellungen\All Users\DRM\Cache\Indiv01.tmp"
Sat 4 Feb 2006 39,936 ...H. --- "C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Microsoft\Vorlagen\~WRL0002.tmp"
Mon 17 Apr 2006 39,936 ...H. --- "C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Microsoft\Vorlagen\~WRL0003.tmp"
Fri 13 Jan 2006 39,936 ...H. --- "C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Microsoft\Vorlagen\~WRL0004.tmp"
Sun 23 Apr 2006 39,936 ...H. --- "C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Microsoft\Vorlagen\~WRL0005.tmp"
Wed 4 Apr 2007 38,400 ...H. --- "C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Microsoft\Vorlagen\~WRL0006.tmp"
Wed 27 Jun 2007 41,472 ...H. --- "C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Microsoft\Vorlagen\~WRL0007.tmp"
Wed 8 Dec 2004 383,488 ...H. --- "C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Microsoft\Word\~WRL0004.tmp"
Wed 8 Dec 2004 389,120 ...H. --- "C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Microsoft\Word\~WRL2217.tmp"
Wed 8 Dec 2004 386,560 ...H. --- "C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\Microsoft\Word\~WRL3904.tmp"
Thu 21 Apr 2005 444 ...HR --- "C:\Dokumente und Einstellungen\jenius\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!


Please don't use the word "evil" again :-)
Thanks for your efforts.
This post was edited on 29.08.2008 at 02:45 by Dave_bln.
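The two MountPoints2 entries in the ComboFix log above are what the later replies react to: Explorer caches, per volume GUID, the autorun commands it last saw on a removable drive or CD. A cached AutoRun command by itself is normal for an installation CD, but an entry that also overrides a shell verb (so a plain double-click on the drive runs the file too) and points at an executable sitting in the volume root is the classic USB-worm pattern. As an added example (my code, not part of the post and not ComboFix's), this Python parses those two blocks, copied verbatim from the log, scores each cached volume with that heuristic, and prints a reg.exe command to drop the flagged cache entry. The score weights, the threshold and the remediation string are my choices; the thread itself only says which file is not kosher.

```python
from __future__ import annotations
import re

# Constructed input: the two MountPoints2 blocks exactly as the posted
# ComboFix log prints them (key header, then "\Shell\<verb>\command - <target>").
COMBOFIX_MOUNTPOINTS = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{397eb901-28b5-11dd-b516-806d6172696f}]
\Shell\AutoRun\command - E:\Bin\Assetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51a65110-d4f1-11dc-99a3-0010dc717895}]
\Shell\AutoRun\command - D:\stdhost_boa_cwfk.exe
\Shell\verb\command - D:\stdhost_boa_cwfk.exe
'''

KEY_RE = re.compile(r'^\[.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$', re.I)
CMD_RE = re.compile(r'^\\Shell\\([^\\]+)\\command\s+-\s+(.+)$', re.I)
ROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\[^\\]+$')   # "D:\file.exe", nothing deeper

SUSPICIOUS_AT = 3   # heuristic threshold, my choice


def parse_mountpoints(text: str) -> dict[str, dict[str, str]]:
    """Return {volume GUID: {verb: command}} from a ComboFix MountPoints2 listing."""
    entries: dict[str, dict[str, str]] = {}
    guid = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            guid = m.group(1).lower()
            entries.setdefault(guid, {})
        elif (m := CMD_RE.match(line)) and guid is not None:
            entries[guid][m.group(1)] = m.group(2).strip()
    return entries


def score_entry(verbs: dict[str, str]) -> tuple[int, list[str]]:
    """Heuristic score for one cached volume; higher means more worm-like."""
    score, reasons = 0, []
    if any(v.lower() == 'autorun' for v in verbs):
        score += 1
        reasons.append('cached AutoRun command')
    others = sorted(v for v in verbs if v.lower() != 'autorun')
    if others:
        # Overriding open/explore/"verb" as well hijacks a plain double-click on the drive.
        score += 2
        reasons.append('also overrides shell verb(s): ' + ', '.join(others))
    if any(ROOT_EXE_RE.match(cmd) for cmd in set(verbs.values())):
        score += 2
        reasons.append('target sits directly in the volume root')
    return score, reasons


def assess(text: str) -> dict[str, dict]:
    """Score every entry; result[guid] = {'score', 'reasons', 'suspicious', 'targets'}."""
    out = {}
    for guid, verbs in parse_mountpoints(text).items():
        score, reasons = score_entry(verbs)
        out[guid] = {
            'score': score,
            'reasons': reasons,
            'suspicious': score >= SUSPICIOUS_AT,
            'targets': sorted(set(verbs.values())),
        }
    return out


def remediation(guid: str) -> str:
    """reg.exe command that drops the cached entry (the volume itself still needs cleaning)."""
    return ('reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer'
            '\\MountPoints2\\%s" /f' % guid)


if __name__ == '__main__':
    for guid, info in assess(COMBOFIX_MOUNTPOINTS).items():
        flag = 'SUSPICIOUS' if info['suspicious'] else 'ok'
        print(guid, flag, info['score'], '; '.join(info['reasons']))
        if info['suspicious']:
            print('   ', remediation(guid))
```

Deleting the MountPoints2 key only clears Explorer's cache; the autorun.inf and the executable on the stick itself are what Flash_Disinfector is for, and the same cache will be rebuilt the next time an infected volume is plugged in.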
29.08.2008, 15:14
Moderator

Posts: 5694
#5 Dave_bln

>>
http://virus-protect.org/artikel/tools/regsearch.html
in: "Enter search strings" (type it in or paste it in)


ipqhso16yqa.sys


into edit and click "Ok".
Notepad will open -- copy the text and post it.

Regards, Swiss
29.08.2008, 16:21
...new here

Thread starter

Posts: 7
#6 That should be this here, then.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 29.08.2008 16:02:15 for strings:
; 'ipqhso16yqa.sys'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPQHSO16YQA.SYS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000]
"Service"="ipqhso16yqa.sys"
"DeviceDesc"="ipqhso16yqa.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000\Control]
"ActiveService"="ipqhso16yqa.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ipqhso16yqa.sys\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ipqhso16yqa.sys\Enum]
"0"="Root\\LEGACY_IPQHSO16YQA.SYS\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Minimal\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Minimal\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Network\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Network\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Enum\Root\LEGACY_IPQHSO16YQA.SYS]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000]
"Service"="ipqhso16yqa.sys"
"DeviceDesc"="ipqhso16yqa.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPQHSO16YQA.SYS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000]
"Service"="ipqhso16yqa.sys"
"DeviceDesc"="ipqhso16yqa.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000\Control]
"ActiveService"="ipqhso16yqa.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipqhso16yqa.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipqhso16yqa.sys]
; Contents of value:
; \??\C:\WINXP\system32\drivers\ipqhso16yqa.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipqhso16yqa.sys\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipqhso16yqa.sys\Enum]
"0"="Root\\LEGACY_IPQHSO16YQA.SYS\\0000"

; End Of The Log...
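The search result above is a .reg-format export, so the ImagePath data appears as hex(2): a REG_EXPAND_SZ stored as UTF-16LE bytes with a NUL terminator. Registry Search prints the decoded string in a comment, but a plain regedit export would not. As an added example (my code, not Registry Search's or the poster's), this Python decodes those byte lists itself and maps where the driver is registered in each control set: the Services key is the driver definition, the Enum\Root\LEGACY_ node is the device node the PnP manager created for it, and the two SafeBoot keys put it on the list of drivers Windows loads in Safe Mode and Safe Mode with Networking, so the driver was active there as well. The input is a four-key subset of the posted output, copied verbatim; the role names are my labels.

```python
from __future__ import annotations
import re

# Constructed input: a subset of the posted Registry Search result, in its own
# .reg syntax.  hex(2) is REG_EXPAND_SZ; the byte list is UTF-16LE plus a NUL terminator.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\ipqhso16yqa.sys]
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\ipqhso16yqa.sys]
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPQHSO16YQA.SYS\0000]
"Service"="ipqhso16yqa.sys"
"DeviceDesc"="ipqhso16yqa.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ipqhso16yqa.sys]
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,\
58,00,50,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,72,00,69,00,76,00,65,00,72,00,73,00,5c,00,69,00,70,00,71,00,68,00,73,00,\
6f,00,31,00,36,00,79,00,71,00,61,00,2e,00,73,00,79,00,73,00,00,00
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
STRING_HEX_RE = re.compile(r'^hex\(([127])\):(.*)$')   # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
CONTROLSET_RE = re.compile(r'\\(ControlSet\d{3}|CurrentControlSet)\\', re.I)


def decode_reg_hex(hexdata: str) -> str:
    """Turn '5c,00,3f,00,...' into text: bytes are UTF-16LE, trailing NULs dropped."""
    raw = bytes(int(b, 16) for b in hexdata.split(',') if b.strip())
    return raw.decode('utf-16-le').rstrip('\x00')


def parse_reg_export(text: str) -> list[dict]:
    """One dict per key: {'key': path, 'values': {name: decoded value}}."""
    entries, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if m := KEY_RE.match(line):
            current = {'key': m.group(1), 'values': {}}
            entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.groups()
        while data.endswith('\\') and i < len(lines):   # hex lists wrap with a trailing backslash
            data = data[:-1] + lines[i].strip()
            i += 1
        if hm := STRING_HEX_RE.match(data):
            current['values'][name] = decode_reg_hex(hm.group(2))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current['values'][name] = data[1:-1].replace('\\\\', '\\')
        else:
            current['values'][name] = data          # dword:, hex:, ... left as written
    return entries


def classify_key(key: str) -> tuple[str, str]:
    """(control set, role) for one key of the search result."""
    cs = CONTROLSET_RE.search(key)
    low = key.lower()
    if '\\control\\safeboot\\minimal\\' in low:
        role = 'safeboot-minimal'      # driver is on the load list for plain Safe Mode
    elif '\\control\\safeboot\\network\\' in low:
        role = 'safeboot-network'      # ... and for Safe Mode with Networking
    elif '\\enum\\root\\legacy_' in low:
        role = 'legacy-enum'           # root-enumerated device node created for the service
    elif '\\services\\' in low:
        role = 'service'               # the service/driver definition itself
    else:
        role = 'other'
    return (cs.group(1) if cs else '?'), role


def persistence_map(entries: list[dict]) -> dict[str, set[str]]:
    """Which roles the driver holds in each control set."""
    out: dict[str, set[str]] = {}
    for e in entries:
        cs, role = classify_key(e['key'])
        out.setdefault(cs, set()).add(role)
    return out


def image_paths(entries: list[dict]) -> set[str]:
    """Every distinct decoded ImagePath in the export."""
    return {e['values']['ImagePath'] for e in entries if 'ImagePath' in e['values']}


if __name__ == '__main__':
    parsed = parse_reg_export(REG_EXPORT)
    print('ImagePath values:', image_paths(parsed))
    for cs, roles in persistence_map(parsed).items():
        print(cs, sorted(roles))
```

The `\??\` prefix on the decoded path is the NT object-manager form the I/O manager accepts for a driver image; the same decoder works on any hex(1)/hex(2)/hex(7) value in a regedit export, which is handy when a tool prints only the raw bytes.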
31.08.2008, 11:18
Honorary member

Posts: 29434
#7 Hello Dave_bln

1.
this one here is not "kosher" - D:\stdhost_boa_cwfk.exe

run Flash_Disinfector - the stick must be plugged in - "treat" the infected stick with FlashDis.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

2.
Avenger

http://virus-protect.org/artikel/tools/avenger.html

tick the box: "Automatically disable any rootkits found"
The "Scan for Rootkits" box should, however, be ticked.

copy into the white field:

Quote

Drivers to disable:
ipqhso16yqa
Drivers to delete:
ipqhso16yqa
registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPQHSO16YQA.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Minimal\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Network\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Network\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Enum\Root\LEGACY_IPQHSO16YQA.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPQHSO16YQA.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipqhso16yqa.sys
Files to delete:
C:\WINXP\system32\drivers\ipqhso16yqa.sys
Folders to delete:
C:\Temp\DRDld
C:\Programme\Enigma Software Group
close all open programs (because the computer will restart after Avenger runs)

Click: Execute

confirm that the computer will be restarted - click "yes"

after the restart an Avenger log appears automatically - (C:\avenger.txt), copy it - with a right mouse click - copy - paste

------------

Remove ComboFix
Start - Run - paste in: Combofix /U - click "OK"

also remove everything from Avenger

-------------

scan with your Bitdefender in Safe Mode!

-------------

sdfix
http://virus-protect.org/artikel/tools/sdfix.html

in normal mode
double-click RunThis.bat

3 : Sophos is downloaded
with option 6 - a full scan runs + deletion of the infected files
"SophosReport.txt" (in the SDFix folder) - copy it and put it in your post,

Tonstudio will continue looking after your thread - I'm signing off - holidays ;)
__________
Regards, Sabina

all about PC security
31.08.2008, 20:27
...new here

Thread starter

Posts: 7
#8 Sabina, thank you very much for your help and for the time you took. I wish you a nice holiday.

Avenger

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open driver "ipqhso16yqa"
Disablement of driver "ipqhso16yqa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ipqhso16yqa" not found!
Deletion of driver "ipqhso16yqa" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ipqhso16yqa.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipqhso16yqa.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ipqhso16yqa.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\ipqhso16yqa.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\ipqhso16yqa.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPQHSO16YQA.SYS" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ipqhso16yqa.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Minimal\ipqhso16yqa.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Network\ipqhso16yqa.sys" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Network\ipqhso16yqa.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Network\ipqhso16yqa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Enum\Root\LEGACY_IPQHSO16YQA.SYS" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\ipqhso16yqa.sys" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipqhso16yqa.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipqhso16yqa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipqhso16yqa.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipqhso16yqa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPQHSO16YQA.SYS" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPQHSO16YQA.SYS" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipqhso16yqa.sys" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipqhso16yqa.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINXP\system32\drivers\ipqhso16yqa.sys" deleted successfully.

Error: folder "C:\Temp\DRDld" not found!
Deletion of folder "C:\Temp\DRDld" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\Programme\Enigma Software Group" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Sophos

Sophos Anti-Virus
Version 4.33.0 [Win32/Intel]
Virus data version 4.33E, September 2008
Includes detection for 491491 viruses, trojans and worms
Copyright (c) 1989-2008 Sophos Plc, www.sophos.com

System time 19:10:52, System date 31 August 2008
Command line qualifiers are: -f -remove -nc -nb -dn --stop-scan -idedir=C:\SDFix\IDE -p=C:\SDFix\SophosReport.txt

>>> Virus 'Troj/Rootkit-DL' found in file C:\System Volume Information\_restore{FE068AD2-B8CB-4A2B-9C2C-C0E8726A4C91}\RP6\A0001061.sys
Removal successful
>>> Virus 'Troj/Rootkit-DL' found in file C:\System Volume Information\_restore{FE068AD2-B8CB-4A2B-9C2C-C0E8726A4C91}\RP6\A0001201.sys
Removal successful
>>> Virus 'Troj/Rootkit-DL' found in file C:\System Volume Information\_restore{FE068AD2-B8CB-4A2B-9C2C-C0E8726A4C91}\RP8\A0001284.sys
Removal successful
>>> Virus 'Troj/Rootkit-DL' found in file C:\System Volume Information\_restore{FE068AD2-B8CB-4A2B-9C2C-C0E8726A4C91}\RP8\A0001301.sys
Removal successful
Could not open C:\WINXP\system32\drivers\dtscsi.sys
Could not open C:\WINXP\system32\drivers\sptd.sys
Could not open C:\WINXP\system32\drivers\sptd6909.sys

1 boot sector swept.
36590 files swept in 1 hour, 6 minutes and 9 seconds.
3 errors were encountered.
4 viruses were discovered.
4 files out of 36590 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
Ending Sophos Anti-Virus.


Thanks for reading and helping.
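Five of the key deletions in the Avenger log above failed with STATUS_OBJECT_NAME_NOT_FOUND even though Registry Search had listed every one of them minutes earlier. HKLM\SYSTEM\CurrentControlSet is not a separate branch of the hive but a symbolic link to whichever ControlSet00N the value HKLM\SYSTEM\Select\Current names, so once Avenger had deleted the ControlSet00N copy there was nothing left behind the CurrentControlSet path; the fifth failure is the ControlSet007 SafeBoot\Network line that appears twice in the script. As an added example (my code, not Avenger's or either poster's), this Python resolves the alias before de-duplicating a deletion list and predicts exactly those five failures. Taking 2 as the current control set is an inference from the posted search output (the volatile Enum\Root\...\0000\Control subkey with ActiveService shows up under ControlSet002 and CurrentControlSet but not ControlSet007); on a live Windows box the optional helper reads Select\Current instead.

```python
from __future__ import annotations
import re

# Constructed input: the 16 key paths from the posted Avenger script, in order.
AVENGER_KEYS = r'''
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_IPQHSO16YQA.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Minimal\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Network\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Control\SafeBoot\Network\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Enum\Root\LEGACY_IPQHSO16YQA.SYS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipqhso16yqa.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPQHSO16YQA.SYS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipqhso16yqa.sys
'''.split()

# Assumption for this offline run: inferred from the posted search output, not read from the machine.
ASSUMED_CURRENT = 2

CCS_RE = re.compile(r'\\CurrentControlSet\\', re.I)


def read_current_controlset() -> int | None:
    r"""On Windows, return the DWORD HKLM\SYSTEM\Select\Current; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r'SYSTEM\Select') as k:
        value, _type = winreg.QueryValueEx(k, 'Current')
    return int(value)


def resolve_current(key: str, current: int) -> str:
    r"""Rewrite ...\CurrentControlSet\... to the ControlSet00N it is a link to."""
    return CCS_RE.sub(lambda _m: '\\ControlSet%03d\\' % current, key, count=1)


def plan_deletions(keys: list[str], current: int) -> tuple[list[str], list[tuple[int, str, str]]]:
    """Split a deletion list into (keys to run, redundant entries).

    A redundant entry is one whose target will already be gone when the tool
    reaches it: an exact repeat, or a CurrentControlSet path whose ControlSet00N
    twin appears earlier in the list.  Each redundant item is (line_no, key, reason)."""
    first_seen: dict[str, int] = {}
    to_run, redundant = [], []
    for n, key in enumerate(keys, 1):
        real = resolve_current(key, current).lower()
        if real in first_seen:
            kind = 'exact duplicate' if real == key.lower() else 'alias'
            redundant.append((n, key, '%s of line %d' % (kind, first_seen[real])))
        else:
            first_seen[real] = n
            to_run.append(key)
    return to_run, redundant


if __name__ == '__main__':
    current = read_current_controlset() or ASSUMED_CURRENT
    run, skip = plan_deletions(AVENGER_KEYS, current)
    print('%d keys to delete, %d would fail with STATUS_OBJECT_NAME_NOT_FOUND' % (len(run), len(skip)))
    for n, key, why in skip:
        print('  line %2d  %s  (%s)' % (n, why, key))
```

The "not found" errors were therefore harmless here: everything the search had listed was already gone by the time the CurrentControlSet lines ran, and the file itself was deleted. The inverse situation is the dangerous one, a list that names only CurrentControlSet and leaves the other ControlSet00N copies intact for "Last Known Good" to bring back.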
31.08.2008, 20:43
Honorary member

Posts: 29434
#9 the rootkit is gone ;)

1.
disable System Restore, then enable it again

2.
run rootkitbuster + report
http://virus-protect.org/artikel/tools/rootkitbuster.html

3.
run trend sysclean
once with the virus pattern and then with the spyware pattern
post both reports here
http://virus-protect.org/sysclean_trendmicro.html
__________
Regards, Sabina

all about PC security
01.09.2008, 01:07
...new here

Thread starter

Posts: 7
#10 Sabina, now off you go on holiday, or I'll start feeling guilty :-)


RootkitBuster found nothing
+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 2.2.0.1014
+----------------------------------------------------

--== Dump Hidden MBR and Hidden File on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.

--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.



Sysclean

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2008-08-31, 23:43:57, Auto-clean mode specified.
2008-08-31, 23:43:57, Initialized Rootkit Driver version 2.2.0.1014.
2008-08-31, 23:43:57, Running scanner "C:\sysclean\TSC.BIN"...
2008-08-31, 23:44:39, Scanner "C:\sysclean\TSC.BIN" has finished running.
2008-08-31, 23:44:39, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)
Windows XP(Build 2600: Service Pack 3)

Start time : So Aug 31 2008 23:43:57

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : So Aug 31 2008 23:44:32
Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-08-31, 23:44:39, Running scanner "C:\sysclean\VSCANTM.BIN"...
2008-09-01, 00:34:26, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.
2008-09-01, 00:34:26, VSCANTM Log:

2008-09-01, 00:34:26, Files Detected:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 8/31/2008 23:44:39
VSAPI Engine Version : 8.900-1001
VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 509 (322387/322387 Patterns) (2008/08/31) (550900)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.509

100208 files have been read.
100208 files have been checked.
100178 files have been scanned.
303639 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/1/2008 00:34:25 49 minutes 45 seconds (2985.55 seconds) has elapsed.(29.794 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-09-01, 00:34:26, Files Clean:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 8/31/2008 23:44:39
VSAPI Engine Version : 8.900-1001
VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 509 (322387/322387 Patterns) (2008/08/31) (550900)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.509

100208 files have been read.
100208 files have been checked.
100178 files have been scanned.
303639 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/1/2008 00:34:25 49 minutes 45 seconds (2985.55 seconds) has elapsed.(29.794 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-09-01, 00:34:26, Clean Fail:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 8/31/2008 23:44:39
VSAPI Engine Version : 8.900-1001
VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 509 (322387/322387 Patterns) (2008/08/31) (550900)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.509

100208 files have been read.
100208 files have been checked.
100178 files have been scanned.
303639 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 9/1/2008 00:34:25 49 minutes 45 seconds (2985.55 seconds) has elapsed.(29.794 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-09-01, 00:34:26, Running SSAPI scanner ""...
2008-09-01, 00:58:13, SSAPI Log:

SSAPI Scanner Version: 1.0.1003
SSAPI Engine Version: 5.2.1032
SSAPI Pattern Version: 6.83
SSAPI Anti-Rootkit Version: 2.2.0.1014

Spyware Scan Started: 09/01/2008 00:34:30


SSAPI requires the system to reboot.
Detected Items:
[CLEAN SUCCESS][Cookie_Atwola] Internet Explorer Cache\atwola.com,Cookie:jenius@atwola.com/,C:\Dokumente und Einstellungen\jenius\Cookies\jenius@atwola[1].txt
Detected: 1 items.
Cleaned Success: 1 items.
Clean Failed: 0 items.

Spyware Scan Ended: 09/01/2008 00:58:13
Scan Complete. Time=1426.428223.
01.09.2008, 09:25
Moderator

Posts: 5694
#11 Dave_bln

Do you still have any problems?

>>
Run an online scan with ESET:
http://virus-protect.org/artikel/tools/eset-nod.html

>>
Post a new log from HJT.

Regards, Swiss
01.09.2008, 15:19
...new here

Thread starter

Posts: 7
#12 Hey Swiss,
in my opinion it's running normally, I can't find anything suspicious. ESET doesn't report anything either. Here is the new log from HJT.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:16:24, on 01.09.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\Atguard\iamapp.exe
C:\WINXP\system32\rundll32.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINXP\system32\ctfmon.exe
C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Programme\Atguard\iamserv.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\UAService7.exe
C:\WINXP\system32\wscntfy.exe
C:\WINXP\System32\dllhost.exe
C:\WINXP\system32\msiexec.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\knlwrap.exe
C:\PROGRA~1\GEMEIN~1\INSTAL~1\engine\6\INTEL3~1\ikernel.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\Tools\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\Atguard\iamapp.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Alles mit FlashGet laden - C:\Programme\Tools\FlashGet\jc_all.htm
O8 - Extra context menu item: Mit FlashGet laden - C:\Programme\Tools\FlashGet\jc_link.htm
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINXP\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINXP\bdoscandel.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Internet-Tools\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Internet-Tools\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINXP\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\Tools\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\Tools\FlashGet\flashget.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\Internet-Tools\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\Internet-Tools\ICQ6\ICQ.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\INTERN~2\yahoo\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\INTERN~2\yahoo\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188644850540
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188644811674
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {96512D57-F751-4088-A689-5778FCC77F7A} (Photo Uploader Control) - http://www.studivz.net/lib/photouploader/PhotoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1219665234
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game09.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IP-Uploader Control) - http://asp05.photoprintit.de/microsite/1119/defaults/activex/ImageUploader3.cab
O16 - DPF: {E55FD215-A32E-43FE-A777-A7E8F165F551} (Flatcast Viewer 4.15) - http://www.flatcast.com/de/download/NpFv415.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\Software\..\Telephony: DomainName = lan
O17 - HKLM\System\CCS\Services\Tcpip\..\{55C7F9F9-A70F-4CB5-8399-41E68EFD1084}: NameServer = 192.168.121.252,192.168.121.253
O17 - HKLM\System\CCS\Services\Tcpip\..\{56FC3DD2-1E57-44AB-AB00-A74D51959DE2}: NameServer = 130.149.19.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{849E68A9-6FD7-4C01-A0B2-15995C2F46B1}: NameServer = 130.149.19.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CAD04F0-E84A-41F1-B479-EDB1246B6778}: NameServer = 192.168.168.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain = lan
O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain = lan
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\Norton\NavNT\defwatch.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\PROGRAMME\TELEDAT\de_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: WRQ IAM (iamServ) - WRQ, Inc. - C:\Programme\Atguard\iamserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programme\Norton\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINXP\system32\UAService7.exe

--
End of file - 10600 bytes
01.09.2008, 17:08
Moderator

Posts: 5694
#13 Dave_bln

Close all windows and start HijackThis
Click: Do a system scan only
Put a checkmark in the box in front of each of the entries listed here

Quote

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Internet-Tools\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Internet-Tools\ICQLite\ICQLite.exe (file missing)
Click: Fix checked
Your Internet Explorer must be closed when you click Fix checked

System Restore
Info:
http://virus-protect.org/systemwiederherstellung.html
My Computer --> right-click, then Properties --> System Restore tab -->
Tick "Turn off System Restore on all drives" - then turn it back on

Java
Your Java software is outdated,
Download Java Runtime Environment (JRE) 6u7 to the desktop

Remove via "Start -> Settings -> Control Panel -> Add or Remove Programs"
the older versions of Java Runtime Environment (JRE or J2SE)
After everything has been removed ---> restart the computer
Close all programs, including your web browser
Now install from the desktop ---> jre-6u7-windows-i586-p.exe


Regards, Swiss
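The moderator's triage in the post above picks out the HijackThis entries whose target no longer exists: the nameless O3 toolbar marked "(no file)" and the two ICQ Lite O9 lines marked "(file missing)". The script below is an added example, not part of this thread and not HijackThis code: it parses lines in the HJT log format, lists those dead references, and attaches review notes to a few entry classes that a helper normally checks by hand (O4 autoruns under the SYSTEM account, O17 NameServer overrides, O23 services with no publisher string). The sample lines are a constructed subset excerpted from the log posted in #12; the review reasons, function names and the GUID grouping are the example's own assumptions, not rules from HijackThis.

```python
import re

# Sample input: lines excerpted from the HijackThis log posted above (a constructed
# subset, not the full log). HJT itself marks dead references with "(no file)" and
# "(file missing)".
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Programme\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Internet-Tools\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\Internet-Tools\ICQLite\ICQLite.exe (file missing)
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56FC3DD2-1E57-44AB-AB00-A74D51959DE2}: NameServer = 130.149.19.1
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINXP\system32\UAService7.exe
"""

# An HJT entry line starts with its section tag (R0, O2, O17, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DEAD_MARKERS = ("(no file)", "(file missing)")


def parse_entries(text):
    """Turn HJT log lines into dicts; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        guid = GUID_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "guid": guid.group(0).upper() if guid else None,
            "raw": line.strip(),
        })
    return entries


def find_orphans(entries):
    """Entries whose target HJT could not find: dead references, the ones fixed above."""
    return [e for e in entries if e["body"].endswith(DEAD_MARKERS)]


def guids_to_fix(entries):
    """Distinct GUIDs among the dead references (the two ICQ Lite O9 lines share one)."""
    return sorted({e["guid"] for e in find_orphans(entries) if e["guid"]})


def review_items(entries):
    """Attach review reasons to entries; the reasons are this example's own heuristics."""
    flagged = []
    for e in entries:
        reasons = []
        if e["body"].endswith(DEAD_MARKERS):
            reasons.append("dead reference (target missing): fix in HJT")
        if e["section"] == "O4" and "(User 'SYSTEM')" in e["body"]:
            reasons.append("autorun under the SYSTEM account: confirm it belongs to an installed product")
        if e["section"] == "O17" and "NameServer" in e["body"]:
            reasons.append("DNS resolver override: confirm the address is your ISP/LAN resolver")
        if e["section"] == "O23" and "Unknown owner" in e["body"]:
            reasons.append("service with no publisher string: verify the binary")
        if reasons:
            flagged.append((e["raw"], reasons))
    return flagged


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for raw, reasons in review_items(parsed):
        print(raw)
        for reason in reasons:
            print("   ->", reason)
    print("GUIDs to fix:", guids_to_fix(parsed))
```

Run it against a full HJT log by replacing SAMPLE_LOG with the file contents; the process list at the top and the "End of file" trailer are ignored because they do not match the entry pattern. A flag from review_items is a prompt to verify, not a verdict: the O17 entries in the log above are the resolvers the poster's adapters were given, and an O23 service with "Unknown owner" only means the binary carries no publisher string.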
01.09.2008, 22:56
...new here

Thread starter

Posts: 7
#14 Great :-) Thank you very much for your help. So I'm now free of viruses and the like again, and hopefully I'll stay that way for a good long while.
Thanks.