AntivirXP 2008 - Virus

#1 Ok also habe meinen eigentlich fehler schon bemerkt der richtige post folgt heute im laufe des Tages hoffe ich habe da euer verständnis.

#2 Kein Problem.

Poste einfach die geforderten Logs

Grüessli Swiss

#3 Malwarebytes' Anti-Malware 1.27
Datenbank Version: 1127
Windows 5.1.2600 Service Pack 2

2008-09-09 15:53:47
mbam-log-2008-09-09 (15-53-47).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Durchsuchte Objekte: 139861
Laufzeit: 26 minute(s), 19 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 25
Infizierte Registrierungswerte: 10
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 1
Infizierte Dateien: 12

Infizierte Speicherprozesse:
C:\WINDOWS\system32\lphcls3j0ej8j.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\toolband.xttbpos00 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{77d6ddfa-7834-4541-b2b3-a8b0fb0e3924} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4bd2d6c3-31dc-b947-23d0-dc52ec4f0c4c} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolband.xttbpos00.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ce67716-5803-4fb7-b344-0c7a17f93b5d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbug32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XP antivirus (Rogue.XPantivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64798514 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcls3j0ej8j (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcgs3j0ej8j (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Programme\XP Antivirus (Rogue.XPantivirus) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Programme\ICQToolbar\toolbaru.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winbug32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcls3j0ej8j.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcls3j0ej8j.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

so also nach dem ich wie vorgeschlagen die punkte 1-4 durchgeführt habe ist mein Desktop wieder der alte und auch sonst springt keins meiner Schutzprogramme mehr an es scheint als hättet ihr meinen PC gerettet!!!!!

Danke dafür!!!!! kiss kiss sollte doch noch etwas sein hoffe ich kann mich wieder an euch wenden?

MfG Welsper

#4 Wo sind die andere 3 denn

Zitat

so also nach dem ich wie vorgeschlagen die punkte 1-4 durchgeführt habe

__________
MfG Argus

#5 oh sry hatte nochwas vergessen moment ich poste das noch sry

Malwarebytes' Anti-Malware 1.27
Datenbank Version: 1127
Windows 5.1.2600 Service Pack 2

2008-09-09 15:53:47
mbam-log-2008-09-09 (15-53-47).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Durchsuchte Objekte: 139861
Laufzeit: 26 minute(s), 19 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 25
Infizierte Registrierungswerte: 10
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 1
Infizierte Dateien: 12

Infizierte Speicherprozesse:
C:\WINDOWS\system32\lphcls3j0ej8j.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\toolband.xttbpos00 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{77d6ddfa-7834-4541-b2b3-a8b0fb0e3924} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4bd2d6c3-31dc-b947-23d0-dc52ec4f0c4c} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolband.xttbpos00.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ce67716-5803-4fb7-b344-0c7a17f93b5d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbug32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XP antivirus (Rogue.XPantivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64798514 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcls3j0ej8j (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcgs3j0ej8j (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Programme\XP Antivirus (Rogue.XPantivirus) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Programme\ICQToolbar\toolbaru.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winbug32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcls3j0ej8j.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcls3j0ej8j.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

ComboFix 08-09-05.10 - ,
ausgeführt von:: I:\ComboFix.exe

[color=red]Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !![/color]
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\KlnUuBeg.ini
C:\WINDOWS\system32\KlnUuBeg.ini2
C:\WINDOWS\system32\sgfvhuxx.ini

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((( Dateien erstellt von 2008-08-09 bis 2008-09-09 ))))))))))))))))))))))))))))))
.

2008-09-09 15:25 . 2008-09-09 15:25 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-09-09 15:25 . 2008-09-09 15:25 <DIR> d-------- C:\Programme\CCleaner
2008-09-09 15:25 . 2008-09-09 15:25 <DIR> d-------- C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\Malwarebytes
2008-09-09 15:25 . 2008-09-09 15:25 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-09-09 06:06 . 2008-09-09 06:06 88,878 --a------ C:\WINDOWS\system32\casino3.ico
2008-09-09 06:06 . 2008-09-09 06:06 88,878 --a------ C:\WINDOWS\system32\casino2.ico
2008-09-09 06:06 . 2008-09-09 06:06 88,878 --a------ C:\WINDOWS\system32\casino1.ico
2008-09-09 06:06 . 2008-09-09 06:06 15,360 --a------ C:\WINDOWS\system32\tdsspopup.dll
2008-09-09 06:06 . 2008-09-09 06:06 120 --a------ C:\WINDOWS\system32\tdsspopup3.url
2008-09-09 06:06 . 2008-09-09 06:06 120 --a------ C:\WINDOWS\system32\tdsspopup2.url
2008-09-09 06:06 . 2008-09-09 06:06 120 --a------ C:\WINDOWS\system32\tdsspopup1.url
2008-09-04 18:33 . 2008-09-04 18:34 36,352 --a------ C:\nowy.avi
2008-09-02 22:47 . 2008-09-02 23:00 <DIR> d-------- C:\Programme\MindArk
2008-09-01 00:58 . 2008-09-01 01:23 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-08-31 23:12 . 2008-08-31 23:12 361,728 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-31 23:12 . 2008-07-18 15:05 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-31 23:11 . 2008-08-31 23:12 <DIR> d-------- C:\Programme\TuneUp Utilities 2008
2008-08-31 23:11 . 2008-08-31 23:11 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software
2008-08-11 10:58 . 2008-08-11 10:58 <DIR> d-------- C:\Programme\DIFX
2008-08-11 10:49 . 2008-08-11 10:49 <DIR> d-------- C:\WINDOWS\system32\xlive
2008-08-11 10:49 . 2008-08-11 10:49 <DIR> d-------- C:\Programme\Sega

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 13:05 --------- d-----w C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\Skype
2008-09-07 22:11 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-07 22:11 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-07 20:35 --------- d-----w C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\teamspeak2
2008-09-01 03:02 --------- d-----w C:\Programme\MobMapUpdater
2008-09-01 03:01 --------- d-----w C:\Programme\WebTV 2.5
2008-09-01 02:51 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-08-31 21:10 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-08-28 20:36 --------- d-----w C:\Programme\World of Warcraft
2008-08-27 18:02 --------- d-----w C:\Programme\ICQ6
2008-08-11 08:36 --------- d-----w C:\Programme\Gemeinsame Dateien\logishrd
2008-07-22 15:18 --------- d-----w C:\Programme\Larian Studios
2008-07-16 13:33 --------- d--h--w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{A4B500C8-F3EB-4AD9-9762-515CCA35FD16}
2008-07-16 13:29 --------- d-----w C:\Programme\Kalypso
2008-07-16 13:21 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2008-07-16 10:55 --------- d-----w C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\Ubisoft
2008-07-14 11:53 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ubisoft
2008-07-14 11:38 --------- d-----w C:\Programme\free-downloads.net
2008-07-14 11:38 --------- d-----w C:\Programme\Conduit
2008-07-14 11:35 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-10 15:00 --------- d-----w C:\Programme\Diablo II
2008-07-09 15:51 --------- d-----w C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\SpieleEntwicklungsKombinat
2008-07-09 14:48 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SpieleEntwicklungsKombinat
2007-09-29 13:11 1,135,656,073 ----a-w C:\Programme\GameTribe.zip
.

------- Sigcheck -------

2005-03-02 20:19 578560 4c90159a69a5fd3eb39c71411f28fcff C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2005-03-02 20:09 578560 3751d7cf0e0a113d84414992146bce6a C:\WINDOWS\system32\user32.dll
2005-03-02 20:09 578560 3751d7cf0e0a113d84414992146bce6a C:\WINDOWS\system32\dllcache\user32.dll

2005-05-02 22:58 664576 8c907b730e9cfcfdf0157f3ea20d4424 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-05-02 22:56 663552 4f1584d375060d74dcde920fa51b0a29 C:\WINDOWS\system32\wininet.dll
2005-05-02 22:56 663552 4f1584d375060d74dcde920fa51b0a29 C:\WINDOWS\system32\dllcache\wininet.dll

2005-03-14 03:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2005-03-14 02:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\system32\dllcache\tcpip.sys
2005-03-14 02:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\system32\drivers\tcpip.sys

2005-07-28 09:44 507392 b43275980a34b38b621eca95d08c60fb C:\WINDOWS\system32\winlogon.exe

2005-03-02 10:11 2059264 ae8364004bbfd70461d2ef34888d3360 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2005-03-02 20:06 2059136 bdff8ffa77ee7df9758ef8c1e0da8eff C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2005-03-02 20:06 2017792 a3724446acb9de8d890cfabd146cd0ad C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-02 20:11 2181888 eb5538a452e0e99169e2b6cdb62ff9d2 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2005-03-02 20:06 2181632 7189a2391adc1f65c9ae87b0abe0f945 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2005-03-02 20:06 2138112 3ddc2bc3d32b2fc505d09b8b8974d5bb C:\WINDOWS\system32\ntoskrnl.exe

2005-04-07 20:46 1035264 64322e8399b205b7281ff883737a9b03 C:\WINDOWS\explorer.exe
2005-04-07 20:46 1035264 64322e8399b205b7281ff883737a9b03 C:\WINDOWS\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "C:\Programme\free-downloads.net\tbfree.dll" [2008-02-14 1555480]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2008-02-14 14:54 1555480 --a------ C:\Programme\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "C:\Programme\free-downloads.net\tbfree.dll" [2008-02-14 1555480]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yodm3D"="D:\Eigene Dateien\yodm3d\Yodm3D.exe" [2007-06-26 2058752]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-09-13 22880040]
"ICQ"="C:\Programme\ICQ6\ICQ.exe" [2008-08-24 173304]
"EA Core"="C:\Programme\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"DAEMON Tools Lite"="C:\Programme\DAEMON Tools Lite\daemon.exe" [2007-12-19 486856]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"AlcoholAutomount"="C:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Programme\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-11 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-11 8523776]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"LogitechQuickCamRibbon"="C:\Programme\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-11-11 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Programme\\Counter-Strike 1.6\\hl.exe"=
"D:\\Programme\\Counter-Strike 1.6\\hltv.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"D:\\Eigene Dateien\\Warcraft 3\\war3.exe"=
"C:\\Programme\\World of Warcraft\\BackgroundDownloader.exe"=
"D:\\Eigene Dateien\\Warcraft 3\\Warcraft III.exe"=
"C:\\Programme\\SmartFTP Client\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 NwSapAgent;SAP-Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 mdxgthkn;mdxgthkn;C:\DOKUME~1\SYSTEM~1\LOKALE~1\Temp\mdxgthkn.sys [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys [ ]
S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-31 361728]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners
.
- - - - Entfernte verwaiste Registrierungseintr„ge - - - -

BHO-{BEBFF03A-71C6-49EC-AE57-6C613686401F} - (no file)
BHO-{cb26ab57-8e61-4d2e-a7cf-889f2e9eb447} - (no file)
WebBrowser-{07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
HKLM-Run-AtiPTA - atiptaxx.exe
ShellExecuteHooks-{7CE67716-5803-4FB7-B344-0C7A17F93B5D} - (no file)
Notify-AtiExtEvent - (no file)
Notify-ddcBtUkK - ddcBtUkK.dll


.
------- Zus„tzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\Mozilla\Firefox\Profiles\w52eo1fw.default\
FF -: plugin - C:\Programme\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 16:02:42
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere, laufende Prozesse ------------------------
.
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\Gemeinsame Dateien\logishrd\LVMVFM\LVPrcSrv.exe
C:\Programme\Gemeinsame Dateien\logishrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\Gemeinsame Dateien\logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-09-09 16:04:59 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-09-09 14:04:55

Pre-Run: 17 Verzeichnis(se), 39,140,945,920 Bytes frei
Post-Run: 20 Verzeichnis(se), 39,082,311,680 Bytes frei

219

ich hoffe es ist jetzt alles richtig.....

#6 Welsper

Nein hast du nicht. Es fehlen noch HijackThis.
Und doch, mach noch gleich Datfinbat:

>>
wende datfindbat an , es erscheinen verschiedene Logs, kopiere von jedem nur die letzten 3 Monate ab (sind nach Datum geordnet)
http://virus-protect.org/datfindbat.html

Gruss Swiss

#7 Tja,jetzt sind es zwei

Kopiere (selektiere en klick Ctrl-C) alle unterstehende

Zitat

C:\WINDOWS\system32\casino3.ico
C:\WINDOWS\system32\casino2.ico
C:\WINDOWS\system32\casino1.ico
C:\WINDOWS\system32\tdsspopup.dll
C:\WINDOWS\system32\tdsspopup3.url
C:\WINDOWS\system32\tdsspopup2.url
C:\WINDOWS\system32\tdsspopup1.url

im linken Fenster,wo steht "Paste List of Files/Folders to be moved"
Klicke auf den Roten MoveIt! knopf
Wenn das Tool fertig ist wird ein log erstellt (*******_******.log *steht fuer datum und zeit
In Datei C:\_OTMoveIt\MovedFiles\
Mit rechtem Mausklick abkopieren und ins Forum mit rechtem Mausklick "einfügen"
__________
MfG Argus

#8 Im linken Fenster von was ? hajick ???

(Hilfe)

#9 Welsper

Hier meint Arnold:
http://virus-protect.org/artikel/tools/otmoveIt.html

Gruss swiss

#10 OTMoveIt.exe
Download OTMoveIt2 zum Desktop
Oeffne:OTMoveIt.exe
(Vista benutzer, rechtsklick auf OTMoveit2.exe und waehle "Run as Administrator")

Kopiere (selektiere en klick Ctrl-C) alle unterstehende

Zitat

C:\WINDOWS\system32\casino3.ico
C:\WINDOWS\system32\casino2.ico
C:\WINDOWS\system32\casino1.ico
C:\WINDOWS\system32\tdsspopup.dll
C:\WINDOWS\system32\tdsspopup3.url
C:\WINDOWS\system32\tdsspopup2.url
C:\WINDOWS\system32\tdsspopup1.url

im linken Fenster,wo steht "Paste List of Files/Folders to be moved"
Klicke auf den Roten MoveIt! knopf
Wenn das Tool fertig ist wird ein log erstellt (*******_******.log *steht fuer datum und zeit
In Datei C:\_OTMoveIt\MovedFiles\
Mit rechtem Mausklick abkopieren und ins Forum mit rechtem Mausklick "einfügen"
__________
MfG Argus

#11 Malwarebytes' Anti-Malware 1.27
Datenbank Version: 1127
Windows 5.1.2600 Service Pack 2

2008-09-09 15:53:47
mbam-log-2008-09-09 (15-53-47).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Durchsuchte Objekte: 139861
Laufzeit: 26 minute(s), 19 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 25
Infizierte Registrierungswerte: 10
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 1
Infizierte Dateien: 12

Infizierte Speicherprozesse:
C:\WINDOWS\system32\lphcls3j0ej8j.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\toolband.xttbpos00 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{77d6ddfa-7834-4541-b2b3-a8b0fb0e3924} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4bd2d6c3-31dc-b947-23d0-dc52ec4f0c4c} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolband.xttbpos00.1 (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ce67716-5803-4fb7-b344-0c7a17f93b5d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winbug32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XP antivirus (Rogue.XPantivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{855f3b16-6d32-4fe6-8a56-bbb695989046} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64798514 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcls3j0ej8j (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhcgs3j0ej8j (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\Programme\XP Antivirus (Rogue.XPantivirus) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Programme\ICQToolbar\toolbaru.dll (Adware.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winbug32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcls3j0ej8j.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcls3j0ej8j.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Systemroot\Lokale Einstellungen\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

ComboFix 08-09-05.10 - ,
ausgeführt von:: I:\ComboFix.exe

[color=red]Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !![/color]
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\KlnUuBeg.ini
C:\WINDOWS\system32\KlnUuBeg.ini2
C:\WINDOWS\system32\sgfvhuxx.ini

.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV
-------\Service_TDSSserv


((((((((((((((((((((((( Dateien erstellt von 2008-08-09 bis 2008-09-09 ))))))))))))))))))))))))))))))
.

2008-09-09 15:25 . 2008-09-09 15:25 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-09-09 15:25 . 2008-09-09 15:25 <DIR> d-------- C:\Programme\CCleaner
2008-09-09 15:25 . 2008-09-09 15:25 <DIR> d-------- C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\Malwarebytes
2008-09-09 15:25 . 2008-09-09 15:25 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-09-09 06:06 . 2008-09-09 06:06 88,878 --a------ C:\WINDOWS\system32\casino3.ico
2008-09-09 06:06 . 2008-09-09 06:06 88,878 --a------ C:\WINDOWS\system32\casino2.ico
2008-09-09 06:06 . 2008-09-09 06:06 88,878 --a------ C:\WINDOWS\system32\casino1.ico
2008-09-09 06:06 . 2008-09-09 06:06 15,360 --a------ C:\WINDOWS\system32\tdsspopup.dll
2008-09-09 06:06 . 2008-09-09 06:06 120 --a------ C:\WINDOWS\system32\tdsspopup3.url
2008-09-09 06:06 . 2008-09-09 06:06 120 --a------ C:\WINDOWS\system32\tdsspopup2.url
2008-09-09 06:06 . 2008-09-09 06:06 120 --a------ C:\WINDOWS\system32\tdsspopup1.url
2008-09-04 18:33 . 2008-09-04 18:34 36,352 --a------ C:\nowy.avi
2008-09-02 22:47 . 2008-09-02 23:00 <DIR> d-------- C:\Programme\MindArk
2008-09-01 00:58 . 2008-09-01 01:23 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-08-31 23:12 . 2008-08-31 23:12 361,728 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-08-31 23:12 . 2008-07-18 15:05 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-08-31 23:11 . 2008-08-31 23:12 <DIR> d-------- C:\Programme\TuneUp Utilities 2008
2008-08-31 23:11 . 2008-08-31 23:11 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TuneUp Software
2008-08-11 10:58 . 2008-08-11 10:58 <DIR> d-------- C:\Programme\DIFX
2008-08-11 10:49 . 2008-08-11 10:49 <DIR> d-------- C:\WINDOWS\system32\xlive
2008-08-11 10:49 . 2008-08-11 10:49 <DIR> d-------- C:\Programme\Sega

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-09 13:05 --------- d-----w C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\Skype
2008-09-07 22:11 38,528 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-07 22:11 17,200 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-09-07 20:35 --------- d-----w C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\teamspeak2
2008-09-01 03:02 --------- d-----w C:\Programme\MobMapUpdater
2008-09-01 03:01 --------- d-----w C:\Programme\WebTV 2.5
2008-09-01 02:51 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-08-31 21:10 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-08-28 20:36 --------- d-----w C:\Programme\World of Warcraft
2008-08-27 18:02 --------- d-----w C:\Programme\ICQ6
2008-08-11 08:36 --------- d-----w C:\Programme\Gemeinsame Dateien\logishrd
2008-07-22 15:18 --------- d-----w C:\Programme\Larian Studios
2008-07-16 13:33 --------- d--h--w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{A4B500C8-F3EB-4AD9-9762-515CCA35FD16}
2008-07-16 13:29 --------- d-----w C:\Programme\Kalypso
2008-07-16 13:21 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2008-07-16 10:55 --------- d-----w C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\Ubisoft
2008-07-14 11:53 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Ubisoft
2008-07-14 11:38 --------- d-----w C:\Programme\free-downloads.net
2008-07-14 11:38 --------- d-----w C:\Programme\Conduit
2008-07-14 11:35 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-10 15:00 --------- d-----w C:\Programme\Diablo II
2008-07-09 15:51 --------- d-----w C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\SpieleEntwicklungsKombinat
2008-07-09 14:48 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SpieleEntwicklungsKombinat
2007-09-29 13:11 1,135,656,073 ----a-w C:\Programme\GameTribe.zip
.

------- Sigcheck -------

2005-03-02 20:19 578560 4c90159a69a5fd3eb39c71411f28fcff C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2005-03-02 20:09 578560 3751d7cf0e0a113d84414992146bce6a C:\WINDOWS\system32\user32.dll
2005-03-02 20:09 578560 3751d7cf0e0a113d84414992146bce6a C:\WINDOWS\system32\dllcache\user32.dll

2005-05-02 22:58 664576 8c907b730e9cfcfdf0157f3ea20d4424 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
2005-05-02 22:56 663552 4f1584d375060d74dcde920fa51b0a29 C:\WINDOWS\system32\wininet.dll
2005-05-02 22:56 663552 4f1584d375060d74dcde920fa51b0a29 C:\WINDOWS\system32\dllcache\wininet.dll

2005-03-14 03:17 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2005-03-14 02:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\system32\dllcache\tcpip.sys
2005-03-14 02:55 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\system32\drivers\tcpip.sys

2005-07-28 09:44 507392 b43275980a34b38b621eca95d08c60fb C:\WINDOWS\system32\winlogon.exe

2005-03-02 10:11 2059264 ae8364004bbfd70461d2ef34888d3360 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2005-03-02 20:06 2059136 bdff8ffa77ee7df9758ef8c1e0da8eff C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2005-03-02 20:06 2017792 a3724446acb9de8d890cfabd146cd0ad C:\WINDOWS\system32\ntkrnlpa.exe

2005-03-02 20:11 2181888 eb5538a452e0e99169e2b6cdb62ff9d2 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2005-03-02 20:06 2181632 7189a2391adc1f65c9ae87b0abe0f945 C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2005-03-02 20:06 2138112 3ddc2bc3d32b2fc505d09b8b8974d5bb C:\WINDOWS\system32\ntoskrnl.exe

2005-04-07 20:46 1035264 64322e8399b205b7281ff883737a9b03 C:\WINDOWS\explorer.exe
2005-04-07 20:46 1035264 64322e8399b205b7281ff883737a9b03 C:\WINDOWS\system32\dllcache\explorer.exe
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "C:\Programme\free-downloads.net\tbfree.dll" [2008-02-14 1555480]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2008-02-14 14:54 1555480 --a------ C:\Programme\free-downloads.net\tbfree.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "C:\Programme\free-downloads.net\tbfree.dll" [2008-02-14 1555480]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yodm3D"="D:\Eigene Dateien\yodm3d\Yodm3D.exe" [2007-06-26 2058752]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-09-13 22880040]
"ICQ"="C:\Programme\ICQ6\ICQ.exe" [2008-08-24 173304]
"EA Core"="C:\Programme\Electronic Arts\EADM\Core.exe" [2008-06-13 2752512]
"DAEMON Tools Lite"="C:\Programme\DAEMON Tools Lite\daemon.exe" [2007-12-19 486856]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"AlcoholAutomount"="C:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Programme\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-11 81920]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-11 8523776]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"LogitechQuickCamRibbon"="C:\Programme\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"LogitechCommunicationsManager"="C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-11-11 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3ivx"= 3ivxVfWCodec.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
"VIDC.VP31"= vp31vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Programme\\Counter-Strike 1.6\\hl.exe"=
"D:\\Programme\\Counter-Strike 1.6\\hltv.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"D:\\Eigene Dateien\\Warcraft 3\\war3.exe"=
"C:\\Programme\\World of Warcraft\\BackgroundDownloader.exe"=
"D:\\Eigene Dateien\\Warcraft 3\\Warcraft III.exe"=
"C:\\Programme\\SmartFTP Client\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 NwSapAgent;SAP-Agent;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 UxTuneUp;TuneUp Designerweiterung;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 mdxgthkn;mdxgthkn;C:\DOKUME~1\SYSTEM~1\LOKALE~1\Temp\mdxgthkn.sys [ ]
S3 SetupNTGLM7X;SetupNTGLM7X;E:\NTGLM7X.sys [ ]
S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-08-31 361728]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhalt des "geplante Tasks" Ordners
.
- - - - Entfernte verwaiste Registrierungseintr„ge - - - -

BHO-{BEBFF03A-71C6-49EC-AE57-6C613686401F} - (no file)
BHO-{cb26ab57-8e61-4d2e-a7cf-889f2e9eb447} - (no file)
WebBrowser-{07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
HKLM-Run-AtiPTA - atiptaxx.exe
ShellExecuteHooks-{7CE67716-5803-4FB7-B344-0C7A17F93B5D} - (no file)
Notify-AtiExtEvent - (no file)
Notify-ddcBtUkK - ddcBtUkK.dll


.
------- Zus„tzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Systemroot\Anwendungsdaten\Mozilla\Firefox\Profiles\w52eo1fw.default\
FF -: plugin - C:\Programme\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-09 16:02:42
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere, laufende Prozesse ------------------------
.
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\Gemeinsame Dateien\logishrd\LVMVFM\LVPrcSrv.exe
C:\Programme\Gemeinsame Dateien\logishrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\Gemeinsame Dateien\logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-09-09 16:04:59 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-09-09 14:04:55

Pre-Run: 17 Verzeichnis(se), 39,140,945,920 Bytes frei
Post-Run: 20 Verzeichnis(se), 39,082,311,680 Bytes frei

219

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40:57, on 09.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Logitech\QuickCam\Quickcam.exe
C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe
D:\Eigene Dateien\yodm3d\Yodm3D.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\ICQ6\ICQ.exe
C:\Programme\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\Gemeinsame Dateien\Logishrd\LQCVFX\COCIManager.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Programme\Alwil Software\Avast4\ashSimpl.exe
C:\Programme\Windows NT\Zubehör\WORDPAD.EXE
C:\Programme\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
D:\Neuer Ordner\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT1098640
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Programme\free-downloads.net\tbfree.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Programme\free-downloads.net\tbfree.dll
O3 - Toolbar: (no name) - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - (no file)
O3 - Toolbar: free-downloads.net Toolbar - {ecdee021-0d17-467f-a1ff-c7a115230949} - C:\Programme\free-downloads.net\tbfree.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Programme\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Programme\Gemeinsame Dateien\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Yodm3D] D:\Eigene Dateien\yodm3d\Yodm3D.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ICQ] "C:\Programme\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [EA Core] "C:\Programme\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programme\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Programme\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Programme\Gemeinsame Dateien\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: TuneUp Drive Defrag-Dienst (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2004\WinStylerThemeSvc.exe

--
End of file - 8411 bytes



die daten C:\WINDOWS\system32\casino3.ico
C:\WINDOWS\system32\casino2.ico
C:\WINDOWS\system32\casino1.ico
C:\WINDOWS\system32\tdsspopup.dll
C:\WINDOWS\system32\tdsspopup3.url
C:\WINDOWS\system32\tdsspopup2.url
C:\WINDOWS\system32\tdsspopup1.url

habe ich per tuneup von Hand gelöscht hoffe das geht auch weil ich gebe zu das ich mit dem Programm OTMoveIt2 nicht wirklich klarkomme srysry

#12 Schliesse alle Fenster und starte Hijack This
Klicke: Do a Systemscan only
Setze ein Häckchen in das Kästchen vor den genannten Eintrag bei

Zitat

O3 - Toolbar: (no name) - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)

klicke: Fix checked
Dein Internet Explorer muss geschlossen wenn Du Fix Checked klickst

Du benutzt zwei Virenscanner eins zuviel

CombiFix entfernen
Start > Ausführen>Kopiere rein ComboFix /U OK
Entferne auf C:\combofix.txt
Entferne auf C:\ :\combofix

Update MBAM und scanne nochmal

Benutze ATF Cleaner

Doppelklick ATFcleaner um das Program zu starten
Auf tab “Main“ Select All anhaaken.
Klicke den Knopf Empty selected

Wenn man Opera als browser hat:
Klicke auf tab “Opera“ Select All anhaaken.
Willst du die durch Opera aufgehobene passwörter behalten
Dan klickt man im Fenster was erscheint auf “No“
Klicke den Knopf Empty selected

Wenn man [b ]Firefox [/b] als browser hat:
Klicke auf tab “Firefox“ Select All anhaaken.
Willst du die durch Firefox aufgehobene passwörter behalten
Dan klickt man im Fenster was erscheint auf “No“
Klicke den Knopf Empty selected

Geh zum tab“Main“und klicke Exit um das Program
zu schliessen.

SDFix
Download SDFix zum Desktop

Starte dein Recher in
abgesicherten Modus

SDFix.zip entpacken
unter C:\ findet man nun den SDFix-Ordner

Doppelklick RunThis.bat
Schreibe: Y folge allen Anweisungen
Dann wird der Rechner neustarten
SDFix entfernt jetzt die gefundene Objekte
Kopiere den Inhalt des Berichts SophosReport.txt ” der jetzt auf dein Desktop steht in diesen Thread
__________
MfG Argus

#13 Arnold darf ich dich etwas fragen während ich hier deinen Anweisungen folge ?

#14 Natürlich darfst du das
__________
MfG Argus

#15 was sagen dir daten die ich dir schicke ich meine kannst du daraus etwas bestimmtes erlesen zum Beispiel ob mein system invsiert ist und wenn ja wie schlimm oder was bringen sie dir?
(die frage ist nicht böse gemeint ist nur Hobby und berufliches intresse denn auch wenn du es mir wahrscheinlich nicht glaubst ich mach ne Ausbildung zum IT-Systemelektroniker^^)