tr/dropper.gen von antivir gefunden

#46 Weisst du noch wo du dieses Programm geladen hast? Auf einer vertrauenswürdigen Seite?
C:\Programme\Programme\frostwire-4.17.0.windows.exe

Erstelle einen Ordner mit dem Namen: test auf dem Desktop.

Gehe ins Quarantäneverzeichniss von Avira (im Control Center die Registerkarte Quarantäne) und lass die Datei wiederherstellen in diesem erstellen Ordner test.

Dannach lade die Datei von da her auf www.virustotal.com/de hoch und lass sie prüfen. Poste das Ergbenis.

>>
Zudem prüfe folgende Datei:
c:\windows\Internet Logs\vsmon_on_demand_2009_01_16_10_55_40_full.dmp.zip

Gruss Swiss

#47 Guten Morgen, Swiss,

vielen Dank für Deine Antwort.

Mit meinem ersten Online-Gang heute morgen, fand Antivir wieder die "C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\FR3WUB7O\a[1].rar'"-Datei. the torture never stops.
Zu Deiner Frage: Genau weiss ich das nicht mehr, aber es müsste direkt bei Frostwire gewesen sein.
Zu Deinen Anweisungen: Die frostwire-4.17.0.windows.exe wurde schon mal überprüft; letztes Ergebnis 0/34. Habe sie trotzdem überprüfen lassen. Erstaunlicherweise hat die Avira-Engine jetzt nichts zu bemängeln:

Datei frostwire-4.17.0.windows.exe empfangen 2009.01.17 10:00:10 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 3/35 (8.58%)

Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.0.0.73 2009.01.17 -
AhnLab-V3 2009.1.15.0 2009.01.16 -
AntiVir 7.9.0.55 2009.01.16 -
Authentium 5.1.0.4 2009.01.16 -
Avast 4.8.1281.0 2009.01.16 -
BitDefender 7.2 2009.01.17 -
CAT-QuickHeal 10.00 2009.01.17 -
ClamAV 0.94.1 2009.01.17 Adware.Mywebsearch-12
Comodo 933 2009.01.16 -
eTrust-Vet 31.6.6312 2009.01.17 -
F-Prot 4.4.4.56 2009.01.16 -
F-Secure 8.0.14470.0 2009.01.17 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.17 -
Ikarus T3.1.1.45.0 2009.01.17 -
K7AntiVirus 7.10.593 2009.01.16 -
Kaspersky 7.0.0.125 2009.01.17 -
McAfee 5497 2009.01.16 -
McAfee+Artemis 5497 2009.01.16 -
Microsoft 1.4205 2009.01.17 -
NOD32 3772 2009.01.16 a variant of Win32/AdInstaller
Norman 5.93.01 2009.01.16 -
nProtect 2009.1.8.0 2009.01.16 -
Panda 9.5.1.2 2009.01.16 -
PCTools 4.4.2.0 2009.01.16 -
Prevx1 V2 2009.01.17 -
SecureWeb-Gateway 6.7.6 2009.01.16 -
Sophos 4.37.0 2009.01.17 -
Sunbelt 3.2.1835.2 2009.01.16 MyWebSearch Toolbar
Symantec 10 2009.01.17 -
TheHacker 6.3.1.4.220 2009.01.14 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.16 -
ViRobot 2009.1.17.1563 2009.01.17 -
VirusBuster 4.5.11.0 2009.01.16 -
weitere Informationen
File size: 14946782 bytes
MD5...: f0da740d74ed5689ec8733f70043f938
SHA1..: 3bd8db470ae6e4d2d18fd533ec7475797e668846
SHA256: 8e804625183cda3b0b3ac086d7ee605fd51557cf203aa9cd54996f99339d829b
SHA512: c6eb7236bcec060f17bbd33fcd531735cc7af282ed01876bd0f6b9a6f19188ce
1e34f3ce4fc536566677539335efa0d36e11a55c4c22295a2ee1c4cf0baf868d
ssdeep: 196608:UDkHVbkiyqKh/55eNJ/s6a+ZZw9wV6uw2bPG2aRXwN4S6X0GUJ4tg5TAS
hYtQvqHHVh1S5e3/sJ/uVbPG2YXwXuthtVcxz0
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40312c
timedatestamp.....: 0x45d6f9a7 (Sat Feb 17 12:48:39 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5872 0x5a00 6.39 62612e88ac94e2a0a44f0ddf24c69052
.rdata 0x7000 0x110c 0x1200 5.07 6972ae4f547bcf9a62f7d01981d18815
.data 0x9000 0x1b7f4 0x400 5.06 632065c9652ea5cbfc44b8c9b84c9376
.ndata 0x25000 0xa000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x2f000 0x5268 0x5400 5.34 498d7239c978b1df28d5fc2a11753d9b

( 8 imports )
> KERNEL32.dll: CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, ExitProcess, lstrcmpiA, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, MulDiv, ReadFile, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
> USER32.dll: ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, ShowWindow, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, wsprintfA
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

( 0 exports )


Zu c:\windows\Internet Logs\vsmon_on_demand_2009_01_16_10_55_40_full.dmp.zip. Ich habe keinen blassen Schimmer wo die Datei herkommt, und was die eigentlich macht.


Datei vsmon_on_demand_2009_01_16_10_55_ empfangen 2009.01.17 10:17:09 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 0/39 (0%)

Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.0.0.73 2009.01.17 -
AhnLab-V3 2009.1.15.0 2009.01.16 -
AntiVir 7.9.0.55 2009.01.16 -
Authentium 5.1.0.4 2009.01.16 -
Avast 4.8.1281.0 2009.01.16 -
AVG 8.0.0.229 2009.01.16 -
BitDefender 7.2 2009.01.17 -
CAT-QuickHeal 10.00 2009.01.17 -
ClamAV 0.94.1 2009.01.17 -
Comodo 933 2009.01.16 -
DrWeb 4.44.0.09170 2009.01.17 -
eSafe 7.0.17.0 2009.01.15 -
eTrust-Vet 31.6.6312 2009.01.17 -
F-Prot 4.4.4.56 2009.01.16 -
F-Secure 8.0.14470.0 2009.01.17 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.17 -
Ikarus T3.1.1.45.0 2009.01.17 -
K7AntiVirus 7.10.593 2009.01.16 -
Kaspersky 7.0.0.125 2009.01.17 -
McAfee 5497 2009.01.16 -
McAfee+Artemis 5497 2009.01.16 -
Microsoft 1.4205 2009.01.17 -
NOD32 3772 2009.01.16 -
Norman 5.93.01 2009.01.16 -
nProtect 2009.1.8.0 2009.01.16 -
Panda 9.5.1.2 2009.01.16 -
PCTools 4.4.2.0 2009.01.16 -
Prevx1 V2 2009.01.17 -
Rising 21.12.52.00 2009.01.17 -
SecureWeb-Gateway 6.7.6 2009.01.16 -
Sophos 4.37.0 2009.01.17 -
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.17 -
TheHacker 6.3.1.4.220 2009.01.14 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.16 -
ViRobot 2009.1.17.1563 2009.01.17 -
VirusBuster 4.5.11.0 2009.01.16 -
weitere Informationen
File size: 20494019 bytes
MD5...: cfacb61eba3e24327eda48afb0298cf8
SHA1..: 5f12b65271cbcef87c3fb5064d14f183f82de7d7
SHA256: da3f63e9d4902302413400d139050d823f7a0ab41bb15e5ee2016650742d5a53
SHA512: 1eca41d67b244402b371d22163a829bc1a2f8871d957d136624a62c8b981266f
32cf06da90221cecdbd3518face069fd92b47080b3a222f0d6ebb1a527d6e0e7
ssdeep: 393216:zr17mVWqUiXCTP00zp2cvA+ZkDZAkWLNC4UHYVsO3UMJkfBTgluyn3Oou
oFl1X:XIgs0zp2cIIOnWLY4bVsO3UMJWT4uy3d
PEiD..: -
TrID..: File type identification
Google Earth saved working session (60.0%)
ZIP compressed archive (40.0%)
PEInfo: -


Ich hoffe, diese Auswertung bringt etwas mehr Erhellung.
Vielen Dank nochmal für Deine Bemühungen.
Gruss, Bramvan

#48 Da es sich hier um eine Installations EXE handem wird. kannst du sie ja löschen:
C:\Programme\Programme\frostwire-4.17.0.windows.exe

>>
Hmm diese Rar erstellt sich immer wieder im Temp Ordner.
Benutze den ATF Cleaner an lasse alles löschen.

>>
Geh nacher in das Verzeichnis:
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\
und schau ob der Inhalt gelöscht wurde.

>>
Lade bitte SDfix, wende es im abgesicherten Modus an + poste hier den Report, der nach Neustart erscheint
http://virus-protect.org/artikel/tools/sdfix.html

>>
Dann im Normalmodus:

RunThis.bat doppelt klicken


reinschreiben: 3
--> wird Sophos geladen

Option 6 - es erfolgt ein Fullscan + löschen der infizierten Dateien

"SophosReport.txt" (im SDFix-Ordner) - abkopieren und in den Beitrag


Gruss Swiss

#49 Hallo Swiss,


hier die Ergebnisse:
C:\Dokumente und Einstellungen\NetworkService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\ der Inhalt wurde gelöscht, die rar-Datei hatte Antivir sowieso schon in Quarantäne gestellt. Aber
im Verzeichnis C:\Dokumente und Einstellungen\Meister\Lokale Einstellungen\Temp finden sich drei Dateien, die sich nicht löschen lassen, da sie von einem Programm benutzt werden: Perflib_Perfdata_100.dat, Perflib_Perfdata_e50.dat, Perflib_Perfdata_e58.dat
Im Verzeichnis C:\Windows\Temp finden sich fünf Dateien, die sich nicht löschen lassen, da sie von einem Programm benutzt werden:
CLML_AGENT_LOG1.txt, Perflib_Perfdata_6a4.dat, sqlite_wQEPmaMNdfOmsio, ZLT0412c.TMP, ZLT04129.TMP.

Hier die Log von SDFix im abgesicherten Modus:

SDFix: Version 1.240
Run by Administrator on 17.01.2009 at 13:47

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found



Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 13:55:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%ProgramFiles%\\AOL 9.0\\aol.exe"="%ProgramFiles%\\AOL 9.0\\aol.exe:*:Enabled:AOL"
"%ProgramFiles%\\Ahead\\SIPPS\\SIPPS.exe"="%ProgramFiles%\\Ahead\\SIPPS\\SIPPS.exe:*:Enabled:SIPPS"
"%ProgramFiles%\\sipgate X-Lite\\sipgateXLite.exe"="%ProgramFiles%\\sipgate X-Lite\\sipgateXLite.exe:*:Enabled:sipgateXLite"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"="C:\\Programme\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe:*isabled:Far Cry"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :



Files with Hidden Attributes :

Thu 17 Apr 2008 222 A.SHR --- "C:\BOOT.BAK"
Wed 4 Aug 2004 93,184 A.SH. --- "C:\Programme\Internet Explorer\IEXPLORE.EXE"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Programme\Messenger\msmsgs.exe"
Wed 4 Aug 2004 4,639 A.SH. --- "C:\Programme\Windows Media Player\mplayer2.exe"
Wed 11 Aug 2004 73,728 A.SH. --- "C:\Programme\Windows Media Player\wmplayer.exe"
Sat 17 Jan 2009 1,977 ...HR --- "C:\Dokumente und Einstellungen\Meister\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!


Hier die Log von Sophos:

Sophos Anti-Virus
Version 4.37.0 [Win32/Intel]
Virus data version 4.37E, January 2009
Includes detection for 585774 viruses, trojans and worms
Copyright (c) 1989-2009 Sophos Plc, www.sophos.com

System time 14:03:06, System date 17 January 2009
Command line qualifiers are: -f -remove -nc -nb -dn --stop-scan -idedir=C:\SDFix\IDE -p=C:\SDFix\SophosReport.txt

IDE directory is: C:\SDFix\IDE

File swizz-og.ide is older than 90 days
File agen-hrd.ide is older than 90 days
File agen-hrx.ide is older than 90 days
File agen-hry.ide is older than 90 days
File agen-hsk.ide is older than 90 days
File agen-hro.ide is older than 90 days
File agen-hrf.ide is older than 90 days
File agen-htv.ide is older than 90 days
File agen-hto.ide is older than 90 days
File agen-htk.ide is older than 90 days
File agen-hqg.ide is older than 90 days
File agen-hqm.ide is older than 90 days
File agen-hqq.ide is older than 90 days
File agen-hqs.ide is older than 90 days
File agen-hqw.ide is older than 90 days
File agen-hrp.ide is older than 90 days
File agen-hsm.ide is older than 90 days
File agen-hrh.ide is older than 90 days
File agen-hri.ide is older than 90 days
File agen-hrl.ide is older than 90 days
File agen-hrm.ide is older than 90 days
File agen-htc.ide is older than 90 days
File agen-hrs.ide is older than 90 days
File agen-hrw.ide is older than 90 days
File agen-hst.ide is older than 90 days
File agen-hud.ide is older than 90 days
File agen-hub.ide is older than 90 days
File agen-hty.ide is older than 90 days
File autoit-t.ide is older than 90 days
File autoit-v.ide is older than 90 days
File autor-je.ide is older than 90 days
File autor-kl.ide is older than 90 days
File autor-ke.ide is older than 90 days
File autor-kf.ide is older than 90 days
File autor-jo.ide is older than 90 days
File autor-jw.ide is older than 90 days
File autor-jy.ide is older than 90 days
File autor-jd.ide is older than 90 days
File autor-jv.ide is older than 90 days
File autor-ju.ide is older than 90 days
File autor-jp.ide is older than 90 days
File autor-jm.ide is older than 90 days
File autor-jl.ide is older than 90 days
File autor-jk.ide is older than 90 days
File autor-ji.ide is older than 90 days
File autor-jf.ide is older than 90 days
File backd-ac.ide is older than 90 days
File backsp-a.ide is older than 90 days
File backd-ab.ide is older than 90 days
File banhos-z.ide is older than 90 days
File bank-ene.ide is older than 90 days
File bank-enm.ide is older than 90 days
File bank-eni.ide is older than 90 days
File bank-end.ide is older than 90 days
File banhos-y.ide is older than 90 days
File bankd-dj.ide is older than 90 days
File bho-hc.ide is older than 90 days
File buzus-o.ide is older than 90 days
File buzus-p.ide is older than 90 days
File bront-dw.ide is older than 90 days
File click-ez.ide is older than 90 days
File delban-a.ide is older than 90 days
File delf-fbc.ide is older than 90 days
File dloa-bss.ide is older than 90 days
File dloa-btz.ide is older than 90 days
File dloa-bsq.ide is older than 90 days
File dloa-btl.ide is older than 90 days
File dload-dk.ide is older than 90 days
File dload-di.ide is older than 90 days
File dorf-bu.ide is older than 90 days
File dropr-ac.ide is older than 90 days
File fakea-dh.ide is older than 90 days
File dwnl-hih.ide is older than 90 days
File dwnl-hht.ide is older than 90 days
File dwnl-hie.ide is older than 90 days
File fakea-ht.ide is older than 90 days
File fakev-fy.ide is older than 90 days
File fakea-ho.ide is older than 90 days
File fakea-ed.ide is older than 90 days
File fakea-eb.ide is older than 90 days
File fakea-hu.ide is older than 90 days
File fakea-dm.ide is older than 90 days
File fakea-hq.ide is older than 90 days
File fakea-hd.ide is older than 90 days
File gaman-ci.ide is older than 90 days
File geezo-e.ide is older than 90 days
File gaman-ch.ide is older than 90 days
File he4hoo-g.ide is older than 90 days
File hostin-a.ide is older than 90 days
File ircb-acr.ide is older than 90 days
File injec-cx.ide is older than 90 days
File ircb-acn.ide is older than 90 days
File killa-ey.ide is older than 90 days
File linea-gc.ide is older than 90 days
File linea-gk.ide is older than 90 days
File linea-fl.ide is older than 90 days
File linea-fs.ide is older than 90 days
File linea-fy.ide is older than 90 days
File meredr-a.ide is older than 90 days
File ntroo-dy.ide is older than 90 days
File ntroo-dz.ide is older than 90 days
File ntroo-ea.ide is older than 90 days
File offmsg-a.ide is older than 90 days
File obfus-b.ide is older than 90 days
File poiso-ad.ide is older than 90 days
File pswd-gen.ide is older than 90 days
File psyme-jw.ide is older than 90 days
File psyme-jx.ide is older than 90 days
File psyme-jy.ide is older than 90 days
File psyme-kd.ide is older than 90 days
File pws-atp.ide is older than 90 days
File pws-aty.ide is older than 90 days
File pws-aua.ide is older than 90 days
File pws-atu.ide is older than 90 days
File pws-atr.ide is older than 90 days
File pws-att.ide is older than 90 days
File rootk-ds.ide is older than 90 days
File rootk-dr.ide is older than 90 days
File rexplo-d.ide is older than 90 days
File swfdlr-b.ide is older than 90 days
File tibs-uw.ide is older than 90 days
File usract-a.ide is older than 90 days
File vb-ebe.ide is older than 90 days
File wlhack-g.ide is older than 90 days
File ytkit-a.ide is older than 90 days
File zlob-aol.ide is older than 90 days
File zlob-aop.ide is older than 90 days
Using IDE file autor-nu.ide
Using IDE file pdfex-ac.ide
Using IDE file autor-om.ide
Using IDE file pushdo-x.ide
Using IDE file agen-huq.ide
Using IDE file votera-b.ide
Using IDE file mdro-bwl.ide
Using IDE file maldoc-f.ide
Using IDE file agen-iao.ide
Using IDE file agen-hzb.ide
Using IDE file agen-hwu.ide
Using IDE file bank-eoe.ide
Using IDE file bancb-qz.ide
Using IDE file swizz-oj.ide
Using IDE file zlob-aqu.ide
Using IDE file agen-iea.ide
Using IDE file agen-iec.ide
Using IDE file tiotua-w.ide
Using IDE file agen-iex.ide
Using IDE file agen-iam.ide
Using IDE file agen-hxb.ide
Using IDE file zlob-aox.ide
Using IDE file agen-iaz.ide
Using IDE file zlob-apn.ide
Using IDE file agen-hvm.ide
Using IDE file bho-hp.ide
Using IDE file drop-bg.ide
Using IDE file gimmiv-a.ide
Using IDE file start-bo.ide
Using IDE file agen-huf.ide
Using IDE file zlob-aqj.ide
Using IDE file agen-hny.ide
Using IDE file fakev-hh.ide
Using IDE file zlob-aqq.ide
Using IDE file emold-a.ide
Using IDE file autor-ku.ide
Using IDE file poiso-ag.ide
Using IDE file acespa-a.ide
Using IDE file autor-ld.ide
Using IDE file bank-ent.ide
Using IDE file agen-hxq.ide
Using IDE file fakea-fx.ide
Using IDE file fakea-fs.ide
Using IDE file autor-lq.ide
Using IDE file autor-lr.ide
Using IDE file autor-lt.ide
Using IDE file fakea-ev.ide
Using IDE file fakea-et.ide
Using IDE file fakea-ei.ide
Using IDE file dloa-bxx.ide
Using IDE file buzus-r.ide
Using IDE file autor-oa.ide
Using IDE file dwnl-his.ide
Using IDE file zlob-aqz.ide
Using IDE file autor-ob.ide
Using IDE file autor-nc.ide
Using IDE file cmjsp-am.ide
Using IDE file autor-nk.ide
Using IDE file drop-bb.ide
Using IDE file autor-ol.ide
Using IDE file sdbo-dla.ide
Using IDE file dorf-bv.ide
Using IDE file pws-auf.ide
Using IDE file bho-hh.ide
Using IDE file bho-hj.ide
Using IDE file agen-hyv.ide
Using IDE file bckd-qpt.ide
Using IDE file pws-auy.ide
Using IDE file autor-nj.ide
Using IDE file autor-me.ide
Using IDE file autor-os.ide
Using IDE file agen-hul.ide
Using IDE file autor-mc.ide
Using IDE file autor-ox.ide
Using IDE file autor-ny.ide
Using IDE file autor-lf.ide
Using IDE file autor-oo.ide
Using IDE file autor-li.ide
Using IDE file agen-hwd.ide
Using IDE file autor-lb.ide
Using IDE file autor-nr.ide
Using IDE file autor-mo.ide
Using IDE file dloa-bxj.ide
Using IDE file silly-cr.ide
Using IDE file looke-ej.ide
Using IDE file agen-iab.ide
Using IDE file agen-iaj.ide
Using IDE file maldoc-o.ide
Using IDE file keyge-cr.ide
Using IDE file mdro-bwn.ide
Using IDE file ircb-acv.ide
Using IDE file agen-icz.ide
Using IDE file agen-ida.ide
Using IDE file geezo-f.ide
Using IDE file agen-iej.ide
Using IDE file onlin-bh.ide
Using IDE file agen-ign.ide
Using IDE file fakev-gl.ide
Using IDE file fakev-gf.ide
Using IDE file pdfex-w.ide
Using IDE file dwnl-hkf.ide
Using IDE file dwnl-hkb.ide
Using IDE file dwnl-hjq.ide
Using IDE file dwnl-hjp.ide
Using IDE file dwnl-hjg.ide
Using IDE file zlob-apd.ide
Using IDE file zlob-anz.ide
Using IDE file zbot-ar.ide
Using IDE file banlo-fz.ide
Using IDE file agen-hyc.ide
Using IDE file wimad-k.ide
Using IDE file zlob-arf.ide
Using IDE file dloa-byo.ide
Using IDE file dloa-byd.ide
Using IDE file dloa-bwr.ide
Using IDE file pws-aut.ide
Using IDE file agen-hur.ide
Using IDE file dloa-bwz.ide
Using IDE file banc-bep.ide
Using IDE file banho-ab.ide
Using IDE file smal-emq.ide
Using IDE file banspy-k.ide
Using IDE file dloa-bsb.ide
Using IDE file agen-hyo.ide
Using IDE file boaxxe-g.ide
Using IDE file fakev-gw.ide
Using IDE file agen-hwy.ide
Using IDE file agen-hwt.ide
Using IDE file stayt-a.ide
Using IDE file advhac-a.ide
Using IDE file skintr-d.ide
Using IDE file snpves-c.ide
Using IDE file banc-bev.ide
Using IDE file agen-hwr.ide
Using IDE file swizz-oy.ide
Using IDE file autor-nt.ide
Using IDE file autor-no.ide
Using IDE file malas-h.ide
Using IDE file agen-hxy.ide
Using IDE file drop-az.ide
Using IDE file psw-fw.ide
Using IDE file agen-idp.ide
Using IDE file ifgif-a.ide
Using IDE file auexje-a.ide
Using IDE file ifram-bh.ide
Using IDE file fanbot-m.ide
Using IDE file agen-ifz.ide
Using IDE file onlin-bf.ide
Using IDE file pdfex-aa.ide
Using IDE file asp-d.ide
Using IDE file imaut-d.ide
Using IDE file dwnl-hkh.ide
Using IDE file sdbo-dnj.ide
Using IDE file agen-ich.ide
Using IDE file dload-ed.ide
Using IDE file keylo-ku.ide
Using IDE file agen-hyy.ide
Using IDE file autor-mf.ide
Using IDE file fakev-gt.ide
Using IDE file fakev-gh.ide
Using IDE file mourn-a.ide
Using IDE file zlob-apg.ide
Using IDE file zlob-api.ide
Using IDE file merein-a.ide
Using IDE file kolabc-d.ide
Using IDE file poiso-af.ide
Using IDE file bho-hw.ide
Using IDE file autor-kx.ide
Using IDE file agen-ibm.ide
Using IDE file salit-an.ide
Using IDE file fakea-gi.ide
Using IDE file fakea-ft.ide
Using IDE file delf-fbf.ide
Using IDE file autor-nz.ide
Using IDE file fakea-en.ide
Using IDE file arinj-a.ide
Using IDE file autor-mb.ide
Using IDE file fakea-eh.ide
Using IDE file dloa-bxp.ide
Using IDE file pws-auq.ide
Using IDE file autor-md.ide
Using IDE file keylo-kw.ide
Using IDE file dwnld-e.ide
Using IDE file autor-ml.ide
Using IDE file yahlov-a.ide
Using IDE file dloa-bwo.ide
Using IDE file renos-be.ide
Using IDE file agen-ibh.ide
Using IDE file pws-avz.ide
Using IDE file killa-fb.ide
Using IDE file agen-icv.ide
Using IDE file autor-nn.ide
Using IDE file dropr-ak.ide
Using IDE file dloa-bxb.ide
Using IDE file wow-kd.ide
Using IDE file mdro-bwv.ide
Using IDE file bckd-qpz.ide
Using IDE file asp-c.ide
Using IDE file autor-pb.ide
Using IDE file autor-ow.ide
Using IDE file vb-ebj.ide
Using IDE file agen-hym.ide
Using IDE file ambler-g.ide
Using IDE file agen-hzu.ide
Using IDE file wowpw-bf.ide
Using IDE file dloa-bun.ide
Using IDE file dloa-bus.ide
Using IDE file bancb-rb.ide
Using IDE file bank-eoj.ide
Using IDE file bank-e.ide
Using IDE file autor-of.ide
Using IDE file agen-iaw.ide
Using IDE file dloa-bxh.ide
Using IDE file start-bn.ide
Using IDE file dloa-bxm.ide
Using IDE file rootk-eb.ide
Using IDE file delf-fbl.ide
Using IDE file agen-hxo.ide
Using IDE file agen-ias.ide
Using IDE file agen-hxw.ide
Using IDE file dloa-byq.ide
Using IDE file autor-lz.ide
Using IDE file dloa-bzl.ide
Using IDE file autor-ly.ide
Using IDE file dwnl-hkc.ide
Using IDE file agen-icw.ide
Using IDE file mdro-bwg.ide
Using IDE file agen-hvk.ide
Using IDE file pws-aup.ide
Using IDE file agen-idg.ide
Using IDE file agen-hvv.ide
Using IDE file pushdo-w.ide
Using IDE file zlob-ape.ide
Using IDE file zapch-eh.ide
Using IDE file fakea-iy.ide
Using IDE file agen-ibz.ide
Using IDE file agen-ibw.ide
Using IDE file fakeav-l.ide
Using IDE file dload-ef.ide
Using IDE file zimeno-c.ide
Using IDE file zipcar-b.ide
Using IDE file agen-iew.ide
Using IDE file fakev-go.ide
Using IDE file dwnl-hiw.ide
Using IDE file bank-ens.ide
Using IDE file agen-ice.ide
Using IDE file dwnl-hjh.ide
Using IDE file formad-a.ide
Using IDE file mdro-bwh.ide
Using IDE file obfjs-bd.ide
Using IDE file freezo-d.ide
Using IDE file fakev-hi.ide
Using IDE file fakea-fp.ide
Using IDE file ms0806-a.ide
Using IDE file dwnl-hin.ide
Using IDE file freevi-a.ide
Using IDE file obfjs-bf.ide
Using IDE file agen-hnf.ide
Using IDE file dwnl-hkk.ide
Using IDE file onlin-be.ide
Using IDE file agen-ifh.ide
Using IDE file injec-db.ide
Using IDE file linea-go.ide
Using IDE file zlob-apa.ide
Using IDE file dloa-bwh.ide
Using IDE file fanbot-l.ide
Using IDE file tileb-kz.ide
Using IDE file autor-oz.ide
Using IDE file delpdl-c.ide
Using IDE file zlob-aqd.ide
Using IDE file smal-emr.ide
Using IDE file fakeal-a.ide
Using IDE file legm-arx.ide
Using IDE file autor-ln.ide
Using IDE file meredr-b.ide
Using IDE file autor-lj.ide
Using IDE file jolly-a.ide
Using IDE file bdoo-apw.ide
Using IDE file swfdlr-c.ide
Using IDE file agen-igy.ide
Using IDE file bho-ig.ide
Using IDE file sasan-k.ide
Using IDE file vb-ebr.ide
Using IDE file autor-pg.ide
Using IDE file vapsu-ad.ide
Using IDE file agen-ihp.ide
Using IDE file zbot-ax.ide
Using IDE file r0x4h-a.ide
Using IDE file rootk-ef.ide
Using IDE file autor-pl.ide
Using IDE file banlo-ga.ide
Using IDE file autor-pi.ide
Using IDE file rbot-gxf.ide
Using IDE file autor-pf.ide
Using IDE file zlob-arg.ide
Using IDE file autor-pm.ide
Using IDE file autor-pe.ide
Using IDE file zbot-ay.ide
Using IDE file fakea-gs.ide
Using IDE file cryptb-a.ide
Using IDE file dloa-caj.ide
Using IDE file click-fd.ide
Using IDE file bravo-j.ide
Using IDE file ircb-adb.ide
Using IDE file pushd-aa.ide
Using IDE file bank-eot.ide
Using IDE file sdbo-dnp.ide
Using IDE file sohan-bp.ide
Using IDE file dloa-cbf.ide
Using IDE file corefl-f.ide
Using IDE file kukoo-d.ide
Using IDE file yahlov-c.ide
Using IDE file impair-a.ide
Using IDE file jeff-a.ide
Using IDE file autoi-ai.ide
Using IDE file qhosts-c.ide
Using IDE file bckd-qqr.ide
Using IDE file tibs-uy.ide
Using IDE file bank-eor.ide
Using IDE file autor-ry.ide
Using IDE file fakev-hv.ide
Using IDE file agen-ikx.ide
Using IDE file agen-iku.ide
Using IDE file pdfex-ag.ide
Using IDE file psw-fz.ide
Using IDE file agen-ikt.ide
Using IDE file agen-ikf.ide
Using IDE file pdfjs-h.ide
Using IDE file bho-ir.ide
Using IDE file bank-eos.ide
Using IDE file autor-rs.ide
Using IDE file autor-rv.ide
Using IDE file autor-rx.ide
Using IDE file rootk-eh.ide
Using IDE file hakflo-a.ide
Using IDE file rbot-gxg.ide
Using IDE file tileb-la.ide
Using IDE file agen-ijo.ide
Using IDE file diale-fv.ide
Using IDE file autor-qc.ide
Using IDE file vundro-e.ide
Using IDE file autor-rf.ide
Using IDE file agen-ihx.ide
Using IDE file autor-rd.ide
Using IDE file fakea-gz.ide
Using IDE file autor-qs.ide
Using IDE file autor-rb.ide
Using IDE file autor-qz.ide
Using IDE file tiotu-ab.ide
Using IDE file agen-ilm.ide
Using IDE file htaccf-a.ide
Using IDE file ircb-ade.ide
Using IDE file malas-i.ide
Using IDE file autor-qd.ide
Using IDE file autor-qx.ide
Using IDE file autor-qp.ide
Using IDE file mdro-bpm.ide
Using IDE file drop-bn.ide
Using IDE file autor-rj.ide
Using IDE file injec-dk.ide
Using IDE file injec-dl.ide
Using IDE file autor-ri.ide
Using IDE file injec-df.ide
Using IDE file fakev-hr.ide
Using IDE file injec-dg.ide
Using IDE file fakev-ic.ide
Using IDE file fakea-kf.ide
Using IDE file agen-iii.ide
Using IDE file agen-iij.ide
Using IDE file fakeav-q.ide
Using IDE file fakea-kg.ide
Using IDE file fujac-ao.ide
Using IDE file autor-rg.ide
Using IDE file autor-rl.ide
Using IDE file insom-a.ide
Using IDE file autor-re.ide
Using IDE file ezio-h.ide
Using IDE file agen-ilh.ide
Using IDE file autor-qy.ide
Using IDE file autor-rw.ide
Using IDE file nebule-s.ide
Using IDE file keylo-kz.ide
Using IDE file dloa-cct.ide
Using IDE file dloa-ccc.ide
Using IDE file dloa-cbm.ide
Using IDE file dloa-cbl.ide
Using IDE file agen-iio.ide
Using IDE file fakea-he.ide
Using IDE file autor-pv.ide
Using IDE file atrn-jd.ide
Using IDE file banho-ad.ide
Using IDE file agen-ijn.ide
Using IDE file bdoo-ara.ide
Using IDE file autor-qk.ide
Using IDE file autor-qf.ide
Using IDE file bckd-qqq.ide
Using IDE file bckd-qqo.ide
Using IDE file bank-eoq.ide
Using IDE file agen-iks.ide
Using IDE file looke-ek.ide
Using IDE file downld-l.ide
Using IDE file netsk-bt.ide
Using IDE file zlob-ari.ide
Using IDE file mdro-bxk.ide
Using IDE file mario-e.ide
Using IDE file tometa-k.ide
Using IDE file tiotua-y.ide
Using IDE file solow-j.ide
Using IDE file sohan-bm.ide
Using IDE file smal-ems.ide
Using IDE file pdfex-ah.ide
Using IDE file rbot-gxj.ide
Using IDE file psw-gc.ide
Using IDE file psw-gd.ide
Using IDE file proxy-iu.ide
Using IDE file fakea-jx.ide
Using IDE file autoi-at.ide
Using IDE file silly-cv.ide
Using IDE file pws-auh.ide
Using IDE file redlof-c.ide
Using IDE file dwnld-l.ide
Using IDE file autor-tb.ide
Using IDE file autoru-u.ide
Using IDE file sdbo-dkh.ide
Using IDE file click-fe.ide
Using IDE file bho-iv.ide
Using IDE file crack-q.ide
Using IDE file pws-awv.ide
Using IDE file dload-es.ide
Using IDE file fakea-ij.ide
Using IDE file dloa-bzi.ide
Using IDE file dloa-ccj.ide
Using IDE file autor-sq.ide
Using IDE file fakev-ik.ide
Using IDE file pcbk-fam.ide
Using IDE file fakev-ig.ide
Using IDE file fakev-ie.ide
Using IDE file fakev-jc.ide
Using IDE file fakev-iu.ide
Using IDE file bckd-qoz.ide
Using IDE file mdro-buy.ide
Using IDE file pdfjs-o.ide
Using IDE file autoi-aq.ide
Using IDE file bckd-qlk.ide
Using IDE file linea-am.ide
Using IDE file pws-aww.ide
Using IDE file pws-awx.ide
Using IDE file agen-imr.ide
Using IDE file poison-m.ide
Using IDE file agen-iou.ide
Using IDE file zapch-ei.ide
Using IDE file expjs-c.ide
Using IDE file wowp-gen.ide
Using IDE file waled-f.ide
Using IDE file autor-ck.ide
Using IDE file kripti-a.ide
Using IDE file zlob-alw.ide
Using IDE file agen-iot.ide
Using IDE file dwnld-b.ide
Using IDE file agen-ijx.ide
Using IDE file linea-an.ide
Using IDE file bho-iz.ide
Using IDE file dwnl-hmp.ide
Using IDE file waled-d.ide
Using IDE file agen-ilv.ide
Using IDE file dwnl-hfs.ide
Using IDE file bank-emn.ide
Using IDE file startp-p.ide
Using IDE file renos-ca.ide
Using IDE file sohan-br.ide
Using IDE file agen-ing.ide
Using IDE file dloa-cdo.ide
Using IDE file autoi-an.ide
Using IDE file autoi-ap.ide
Using IDE file renos-bw.ide
Using IDE file ircbo-zd.ide
Using IDE file fakev-je.ide
Using IDE file dloa-bsd.ide
Using IDE file decdec-c.ide
Using IDE file tiotu-ac.ide
Using IDE file mdro-btj.ide
Using IDE file renos-cc.ide
Using IDE file agen-imk.ide
Using IDE file dloa-bob.ide
Using IDE file agen-imf.ide
Using IDE file dloa-bya.ide
Using IDE file fakev-id.ide
Using IDE file agen-gtc.ide
Using IDE file fakev-im.ide
Using IDE file rbot-gsa.ide
Using IDE file fakev-ih.ide
Using IDE file rbot-gsm.ide
Using IDE file daolno-a.ide
Using IDE file dablin-a.ide
Using IDE file agen-imv.ide
Using IDE file dloa-cen.ide
Using IDE file refpro-c.ide
Using IDE file dloa-cea.ide
Using IDE file dloa-cem.ide
Using IDE file dwnl-hmr.ide
Using IDE file dwnl-hme.ide
Using IDE file fakea-kt.ide
Using IDE file downln-a.ide
Using IDE file adcli-ev.ide
Using IDE file clickr-h.ide
Using IDE file adcl-gen.ide
Using IDE file bho-jc.ide
Using IDE file psyme-ix.ide
Using IDE file injec-dq.ide
Using IDE file rootk-ek.ide
Using IDE file pws-axe.ide
Using IDE file psw-gg.ide
Using IDE file agen-hii.ide
Using IDE file bckd-qqs.ide
Using IDE file haxdor-b.ide
Using IDE file psw-ge.ide
Using IDE file rootk-el.ide
Using IDE file autor-cs.ide
Using IDE file agen-hte.ide
Using IDE file agen-ipa.ide
Using IDE file killa-fc.ide
Using IDE file silly-h.ide
Using IDE file banc-bfa.ide
Using IDE file hiloti-a.ide
Using IDE file wowpws-b.ide
Using IDE file agen-iof.ide
Using IDE file perlif-a.ide
Using IDE file wimad-l.ide
Using IDE file agen-ioe.ide
Using IDE file agen-int.ide
Using IDE file autor-sd.ide
Using IDE file agen-ils.ide
Using IDE file agen-ioa.ide
Using IDE file zbot-bu.ide
Using IDE file waled-g.ide
Using IDE file autor-tk.ide
Using IDE file zbot-bp.ide
Using IDE file votera-d.ide
Using IDE file votera-c.ide
Using IDE file waled-h.ide
Using IDE file autor-sw.ide
Using IDE file autor-sv.ide
Using IDE file autor-su.ide
Using IDE file autoi-au.ide
Using IDE file autoi-al.ide
Using IDE file vb-dyb.ide
Using IDE file zbot-bl.ide
Using IDE file bank-ekt.ide
Using IDE file autor-ta.ide
Using IDE file mariof-h.ide
Using IDE file autor-sl.ide
Using IDE file renos-cb.ide
Using IDE file injec-dn.ide
Using IDE file pws-axk.ide
Using IDE file autor-tc.ide
Using IDE file pws-axb.ide
Using IDE file fretho-a.ide
Using IDE file ircbo-wd.ide
Using IDE file dloa-ccz.ide
Using IDE file renos-ce.ide
Using IDE file bho-ix.ide
Using IDE file confic-c.ide
Using IDE file waled-a.ide
Using IDE file pushd-ab.ide
Using IDE file ircb-adj.ide
Using IDE file sohan-aw.ide
Using IDE file fakea-km.ide
Using IDE file pwss-gen.ide
Using IDE file ambler-h.ide
Using IDE file agen-imc.ide
Using IDE file agen-imb.ide
Using IDE file mariof-j.ide
Using IDE file mdro-bxs.ide
Using IDE file ezio-i.ide
Using IDE file injec-di.ide
Using IDE file rbot-gsk.ide
Using IDE file agen-ioy.ide
Using IDE file ircb-aay.ide
Using IDE file ntroo-eh.ide
Using IDE file agen-ioq.ide
Using IDE file agen-ink.ide
Using IDE file zbot-bo.ide
Using IDE file zbot-bm.ide
Using IDE file autor-tu.ide
Using IDE file waled-k.ide
Using IDE file actxhc-a.ide
Using IDE file dwnl-hnd.ide
Using IDE file agen-ipe.ide
Using IDE file swfdld-k.ide
Using IDE file autoi-av.ide
Using IDE file jsredi-h.ide
Using IDE file zlob-ark.ide
Using IDE file autor-uj.ide
Using IDE file fakea-im.ide
Using IDE file rootk-em.ide
Using IDE file agen-ipv.ide
Using IDE file autor-ua.ide
Using IDE file autor-uk.ide
Using IDE file delf-ezg.ide
Using IDE file qhost-ae.ide
Using IDE file autor-un.ide
Using IDE file vapsu-af.ide
Using IDE file kolabc-f.ide
Using IDE file injec-ds.ide
Using IDE file dwnl-hng.ide
Using IDE file silban-f.ide
Using IDE file phishk-a.ide
Using IDE file poiso-ak.ide
Using IDE file agen-iqm.ide
Using IDE file gaferm-a.ide

Full Scanning

Could not open C:\hiberfil.sys
>>> Virus 'Mal/Behav-023' found in file C:\Programme\Programme\Musik\awave.exe
Removal successful
>>> Virus 'Mal/Behav-023' found in file C:\System Volume Information\_restore{66234F2B-C93E-4D94-8BDB-1899CBBA9319}\RP4\A0000240.exe
Removal successful
>>> Virus 'Mal/GamePSW-C' found in file C:\WINDOWS\system32\wow84_708.dll
Removal failed
Could not open C:\WINDOWS\Temp\sqlite_uHqo422QmujscFH

1 boot sector swept.
108339 files swept in 1 hour, 14 minutes and 48 seconds.
2 errors were encountered.
3 viruses were discovered.
3 files out of 108339 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
Ending Sophos Anti-Virus.


Vielen Dank nochmal für die Anleitung. Was kann man mit der nichtgelöschten Datei machen?

Gruss Bramvan

#50

Zitat

2009-01-06 13:09 . 2009-01-06 13:09 102,400 --a------ c:\windows\system32\wow84_708.dll
2009-01-06 13:09 . 2009-01-06 13:09 20 --a------ c:\windows\syscheck

Hat sich doch noch was versteckt:

Lass folgende Datei bei www.virustotal.dom/de prüfen:
c:\windows\system32\wow84_708.dll



>>
Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere in das weisse Feld:

Zitat

Files to delete:
c:\windows\system32\wow84_708.dll

Folders to delete:
c:\windows\syscheck

- schliesse alle offenen Programme (denn nach Anwendung des Avengers wird der Rechner neustarten)

- Klicke: Execute

- bestätige, dass der Rechner neu gestartet wird - klicke "yes"
- nach dem Neustart erscheint automatisch ein Log vom Avenger - (C:\avenger.txt), kopiere es ab - mit rechtem Mausklick - kopieren - einfügen


>>
Start - Programme - Zubehör - Systemprogramme - Datenträgerbereinigung
- Click:Temporäre Internet Files/Temporäre Internet Dateien, o.k.
- Click:Temporäre Dateien, o.k


>>
Klicke: Start -Ausführen- schreib rein: cmddann kopiere in das schwarze DOS-Fenster:

Zitat

del %windir%\temp\*.* /f

klicke "enter"
schreibe Y

>>
Schau nun nach ob die Dateien noch vorhanden sind.

>>
Arbeite datfindbat ab - poste von jedem log nur die Daten der letzten drei Monate:
http://www.virus-protect.org/datfindbat.html

Gruss Swiss

#51 Guten Morgen Swiss,

erstmal wieder vielen Dank für Deinen Reply. Wie es aussieht haben ich einem World of Warcraft-Trojaner auf meinem Rechner - interessant: ich habe dies Spiel nie gespielt. Für alle Mitleser:
http://www.avira.com/de/threats/section/fulldetails/id_vir/4456/tr_thief.wow.dom.html

So nun zu meinen Aufgaben:
1) die Virustotal-Überprüfungslog

Datei wow84_708.dll empfangen 2009.01.18 10:32:15 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 22/39 (56.42%)

Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.0.0.73 2009.01.18 -
AhnLab-V3 2009.1.15.0 2009.01.17 Win-Trojan/WowHack.102400.G
AntiVir 7.9.0.57 2009.01.17 TR/PSW.OnLineGa.zad
Authentium 5.1.0.4 2009.01.17 W32/Heuristic-KPP!Eldorado
Avast 4.8.1281.0 2009.01.16 Win32:Trojan-gen {Other}
AVG 8.0.0.229 2009.01.17 PSW.OnlineGames.BLZC
BitDefender 7.2 2009.01.18 Generic.Malware.PVPkWk!g.0DAE30B2
CAT-QuickHeal 10.00 2009.01.17 TrojanGameThief.WOW.dtj
ClamAV 0.94.1 2009.01.18 Trojan.Onlinegames-1544
Comodo 935 2009.01.18 TrojWare.Win32.GameThief.WOW.dul
DrWeb 4.44.0.09170 2009.01.18 Trojan.PWS.Wow.1127
eSafe 7.0.17.0 2009.01.15 -
eTrust-Vet 31.6.6312 2009.01.17 Win32/Wowpa.EG
F-Prot 4.4.4.56 2009.01.17 W32/Heuristic-KPP!Eldorado
F-Secure 8.0.14470.0 2009.01.18 -
Fortinet 3.117.0.0 2009.01.15 W32/WOW.KAU!tr.pws
GData 19 2009.01.18 Generic.Malware.PVPkWk!g.0DAE30B2
Ikarus T3.1.1.45.0 2009.01.18 -
K7AntiVirus 7.10.594 2009.01.17 -
Kaspersky 7.0.0.125 2009.01.18 -
McAfee 5498 2009.01.17 -
McAfee+Artemis 5498 2009.01.17 -
Microsoft 1.4205 2009.01.18 -
NOD32 3774 2009.01.17 Win32/PSW.WOW.NHK
Norman 5.93.01 2009.01.16 W32/Wow.ELH
nProtect 2009.1.8.0 2009.01.16 Trojan-PWS/W32.WebGame.102400.AV
Panda 9.5.1.2 2009.01.17 -
PCTools 4.4.2.0 2009.01.17 -
Prevx1 V2 2009.01.18 -
Rising 21.12.62.00 2009.01.18 Trojan.PSW.Win32.WoWar.azd
SecureWeb-Gateway 6.7.6 2009.01.17 Trojan.PSW.OnLineGa.zad
Sophos 4.37.0 2009.01.18 Mal/GamePSW-C
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.18 Infostealer
TheHacker 6.3.1.5.222 2009.01.17 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.17 -
ViRobot 2009.1.17.1563 2009.01.17 -
VirusBuster 4.5.11.0 2009.01.17 Trojan.GameThief.E
weitere Informationen
File size: 102400 bytes
MD5...: 131dda21eab1ac155f5f8f1d7642f6c4
SHA1..: 15bdee8be103eb0e014cf71944bc95b078c797f8
SHA256: 93a0b55e7ca1b02667d45cfb689c2015dcd6f19ff0c6cc9669d83c767edd941b
SHA512: 6680b94ae772e472ade95ed056fd0f2ff3aaa6cddac3119d9f2708388cf89d16
7b7e4f9274089ff607fa5bcdaef67cd20d2c807eb55a8209591ede6e92bfca06
ssdeep: 1536:KDL6Xf62my90ccs8WE+IrEEJVt+eWGcpQevTcdqCZ9p056lbMoin1KhPE:K
vIf62RCPrZrhv0Hfuq56tMoin1Khc
PEiD..: Armadillo v1.xx - v2.xx
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000a2e1
timedatestamp.....: 0x494cf620 (Sat Dec 20 13:41:52 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xfa06 0x10000 6.73 f9277283f60c9c2ec7b9ecf78f4c4aa3
.rdata_ 0x11000 0x1e96 0x1ea0 5.27 ce938b273e8a471cce4ec0b7dce00024
.data 0x13000 0x7098 0x4000 2.14 ce16947a145844066c650332392a6390
.reloc 0x1b000 0x19d4 0x2000 4.33 94d13b708f4ccc32a9a1526957b0a528

( 6 imports )
> KERNEL32.dll: ReadProcessMemory, GetWindowsDirectoryA, VirtualAllocEx, VirtualProtectEx, lstrcpyA, GetPrivateProfileStringA, WritePrivateProfileStringA, SetUnhandledExceptionFilter, CreateThread, WaitForSingleObject, FreeConsole, SetEvent, CreateEventA, GetCurrentThreadId, WriteFile, SetFilePointer, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, IsBadWritePtr, LocalFree, SetEndOfFile, GetOEMCP, GetACP, GetStringTypeW, ReadFile, lstrlenA, DeleteFileA, SetLastError, lstrlenW, WideCharToMultiByte, Sleep, GetCurrentProcess, WriteProcessMemory, GetTickCount, GetModuleFileNameA, FreeLibrary, VirtualProtect, lstrcatA, HeapAlloc, HeapFree, GetModuleHandleA, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, GetLastError, CreateFileA, DeviceIoControl, CloseHandle, GetSystemDirectoryA, LoadLibraryA, GetProcAddress, GetStringTypeA, LCMapStringW, HeapReAlloc, VirtualAlloc, VirtualFree, HeapCreate, LCMapStringA, MultiByteToWideChar, GetCPInfo, FlushFileBuffers, SetStdHandle, IsBadCodePtr, IsBadReadPtr, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, GetStartupInfoA, GetFileType, GetStdHandle, SetHandleCount, UnhandledExceptionFilter, HeapSize, TerminateProcess, RtlUnwind, RaiseException, InterlockedDecrement, InterlockedIncrement, TlsSetValue, TlsGetValue, ExitThread, GetCommandLineA, GetVersion, TlsAlloc, TlsFree, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, ExitProcess
> USER32.dll: GetUserObjectInformationA, wsprintfA, CloseDesktop, GetProcessWindowStation, FindWindowExA, OpenInputDesktop, GetThreadDesktop, FindWindowA, PostMessageA, SendMessageA, GetWindowThreadProcessId, SetThreadDesktop, OpenDesktopA, SetProcessWindowStation, OpenWindowStationA
> ADVAPI32.dll: RegisterServiceCtrlHandlerA, SetServiceStatus, ImpersonateLoggedOnUser, RegCreateKeyA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegSetValueExA, RegEnumValueA, RegOpenKeyExA, OpenProcessToken, LookupPrivilegeValueA, DuplicateTokenEx, SetTokenInformation, AdjustTokenPrivileges, RegEnumKeyExA, RegOpenKeyA, RegQueryValueExA, RegCloseKey
> ole32.dll: CoInitializeEx, CoCreateInstance
> OLEAUT32.dll: -, -
> PSAPI.DLL: GetModuleFileNameExA, EnumProcessModules

( 1 exports )
ServiceMain

2) Die Avenger-Aufgabe und das log

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\windows\system32\wow84_708.dll" deleted successfully.

Error: "c:\windows\syscheck" is not a folder! It may instead be a file.
Deletion of folder "c:\windows\syscheck" failed!
Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)
--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file


Completed script processing.

*******************

Finished! Terminate.

3) den Windows/Temp-Ordner über Datenträgerbereinigung und Dos-Befehl zu leeren: Es blieben leider

"Im Verzeichnis C:\Windows\Temp finden sich drei Dateien, die sich nicht löschen lassen, da sie von einem Programm benutzt werden:
CLML_AGENT_LOG1.txt, Perflib_Perfdata_5f8.dat, sqlite_fwzV3kGe88MShPW.
"
4) Arbeite datfindbat ab: Hier der auf Max-3-Monats-Veränderungen gekürzte
log:

Datentr„ger in Laufwerk C: ist HDD
Volumeseriennummer: FC5E-608C

Verzeichnis von c:\

18.01.2009 11:04 0 dirdat.txt
18.01.2009 10:40 2.145.964.032 hiberfil.sys
18.01.2009 10:40 2.145.890.304 pagefile.sys
18.01.2009 10:39 1.538 avenger.txt
16.01.2009 17:34 14.522 ComboFix.txt
12.01.2009 10:52 305 BOOT.INI
08.11.2008 15:44 790 EVP73.Key

22 Datei(en) 4.292.454.832 Bytes
0 Verzeichnis(se), 237.368.786.944 Bytes frei
Datentr„ger in Laufwerk C: ist HDD
Volumeseriennummer: FC5E-608C

Verzeichnis von C:\WINDOWS\system32

18.01.2009 11:00 134.864 vsconfig.xml
16.01.2009 18:59 144.792 javaw.exe
16.01.2009 18:59 148.888 javaws.exe
16.01.2009 18:59 73.728 javacpl.cpl
16.01.2009 18:59 144.792 java.exe
16.01.2009 18:59 410.984 deploytk.dll
14.01.2009 22:42 108.144 CmdLineExt.dll
11.01.2009 18:51 302.032 FNTCACHE.DAT
11.01.2009 18:08 211.640 TZLog.log
27.12.2008 16:33 1.158 wpa.dbl
12.12.2008 18:33 3.081.216 mshtml.dll
09.12.2008 15:24 17.593.280 MRT.exe
26.10.2008 09:01 62.480 perfc009.dat
26.10.2008 09:01 401.200 perfh009.dat
26.10.2008 09:01 415.800 perfh007.dat
26.10.2008 09:01 75.194 perfc007.dat
26.10.2008 09:01 966.074 PerfStringBackup.INI
23.10.2008 13:59 283.648 gdi32.dll
22.10.2008 10:47 62.976 tzchange.exe
16.10.2008 14:13 202.776 wuweb.dll
16.10.2008 14:13 1.809.944 wuaueng.dll
16.10.2008 14:12 323.608 wucltui.dll
16.10.2008 14:12 213.528 wuaucpl.cpl
16.10.2008 14:12 561.688 wuapi.dll
16.10.2008 14:09 51.224 wuauclt.exe
16.10.2008 14:09 92.696 cdm.dll
16.10.2008 14:09 43.544 wups2.dll
16.10.2008 14:08 34.328 wups.dll
16.10.2008 14:08 31.768 wucltui.dll.mui
16.10.2008 14:08 27.672 wuapi.dll.mui
16.10.2008 14:08 27.672 wuaucpl.cpl.mui
16.10.2008 14:07 18.968 wuaueng.dll.mui
16.10.2008 11:37 617.984 urlmon.dll
16.10.2008 11:37 16.384 jsproxy.dll
16.10.2008 11:37 1.023.488 browseui.dll
16.10.2008 11:37 449.024 mshtmled.dll
16.10.2008 11:37 474.624 shlwapi.dll
16.10.2008 11:37 39.424 pngfilt.dll
16.10.2008 11:37 665.088 wininet.dll
16.10.2008 11:37 1.494.528 shdocvw.dll
16.10.2008 11:37 532.480 mstime.dll
16.10.2008 11:37 146.432 msrating.dll
16.10.2008 11:37 55.808 extmgr.dll
16.10.2008 11:37 96.768 inseng.dll
16.10.2008 11:37 205.312 dxtrans.dll
16.10.2008 11:37 251.392 iepeers.dll
16.10.2008 11:37 152.064 cdfview.dll
16.10.2008 11:37 357.888 dxtmsft.dll
16.10.2008 11:37 1.056.256 danim.dll
15.10.2008 20:05 374.272 xpsp3res.dll
15.10.2008 17:57 332.800 netapi32.dll

2095 Datei(en) 430.622.455 Bytes
0 Verzeichnis(se), 237.368.659.968 Bytes frei
Datentr„ger in Laufwerk C: ist HDD
Volumeseriennummer: FC5E-608C

Verzeichnis von C:\WINDOWS

18.01.2009 10:41 887.931 WindowsUpdate.log
18.01.2009 10:40 2.048 bootstat.dat
18.01.2009 10:38 32.540 SchedLgU.Txt
16.01.2009 17:33 227 system.ini
14.01.2009 22:12 84 winamp.ini
06.01.2009 13:09 20 syscheck
10.10.2008 18:06 422 BRWMARK.INI


Verzeichnis von C:\DOKUME~1\Meister\LOKALE~1\Temp

18.01.2009 10:40 16.384 Perflib_Perfdata_e1c.dat
18.01.2009 10:40 16.384 Perflib_Perfdata_e10.dat
18.01.2009 10:40 16.384 Perflib_Perfdata_ec.dat
3 Datei(en) 49.152 Bytes
0 Verzeichnis(se), 237.368.680.448 Bytes frei

5) Meine Frage: Soll ich die C:\WINDOWS\syscheck-Datei mit dem Avenger versuchen zu löschen?

Im voraus vielen Dank für Deine Antwort,

Gruss Bramvan

#52

Zitat

Perflib_Perfdata_e1c.dat

Dabei dürfte es sich um Temporärdateien des System-Monitors (Start-Programme-Verwaltung "Leistung") handeln, welche beim Runterfahren eigentlich gelöscht werden sollten. Also schädlich sind diese nicht.

>>
Dann erstelle ein neues Script und wende es mit Avenger an:

Files to delete:
c:\windows\syscheck

>>
C:\Avenger\backup.zip --> löschen (und den Papierkorb leeren)

>>
Scanne noch mit Siperantispyware:
http://board.protecus.de/t31252.htm

>>
Und noch einen Onlinescan mit ESET:
http://virus-protect.org/onlinescan.html

Gruss swiss

#53 Einen guten Morgen, Swiss,

ich hatte seitdem dem Entfernen der c:\windows\system32\wow84_708.dll-Datei noch keine Virenmeldung von Antivir!
Zu meinen ToDos:
1) c:\windows\syscheck wurde erfolgreich entfernt
2) Das Log von Superantspyware:
SUPERAntiSpyware Scann-Protokoll
http://www.superantispyware.com

Generiert 01/19/2009 bei 09:53 AM

Version der Applikation : 4.24.1004

Version der Kern-Datenbank : 3715
Version der Spur-Datenbank : 1689

Scan Art : kompletter Scann
Totale Scann-Zeit : 00:15:55

Gescannte Speicherelemente : 563
Erfasste Speicher-Bedrohungen : 0
Gescannte Register-Elemente : 5082
Erfasste Register-Bedrohungen : 0
Gescannte Datei-Elemente : 14568
Erfasste Datei-Elemente : 0

3) Der Onlinescan mit ESET konnte nicht durchgeführt werden, weil mein Browser (Firefox) nicht unterstützt wird.

Gibt es andere Möglichkeiten für einen Online-Scan?

Vielen Dank für Deine Bemühungen im voraus.
Gruss Bramvan

#54 Das sieht doch schon super aus

Mache noch folgendes:
>>
OTMoveIt3.exe
bleepingcomputer.com

->OTMoveIt3.exe auf dem Desktop speichern

OTMoveIt.exe klicken

1. klicken: CleanUp! button

2. cleanup.txt wird vom Internet geladen (von Firewall zulassen!)

3. Begin cleanup process? klicke: Yes. - "Do you want to reboot?" klicke Yes


so wird von OTMoveIt2 automatisch alles an Tools entfernt, die zur Virenreinigung geladen wurden.


>>
Hier findest du mehrere Onlinescans:
http://virus-protect.org/onlinescan.html

>>
Aber denke dass es sauber ist.

Gruss Swiss

#55 Hallo, Swiss,

ja, das finde auch! Wo ich mir das Ding eingefangen, ist mir ein Rätsel. Und die Leistung meiner Schutzvorrichtungen Antivir und Zonelabs waren auch nicht sonderlich rühmlich. Na, ja, Trotzdem vielen Dank nochmal für Deinen Experten-Dienst bei einem fast Ahnungslosen. Habe OTMoveIt2 rüberlaufen lassen. Jetzt ist noch ein Ordner c:\SAV32CLI und ein versteckte Ordner c:\Config.Msi - der aber leer zu sein scheint - übrig. Kann ich die einfach so löschen?

Gruss Bramvan

#56 Config.MSI wird von MSI-Installern erstellt, wenn man irgendeine Software installiert. Kann man bedenkenlos löschen.

c:\SAV32CLI gehört zu Sophos und kannst du auch löschen


Na dann happy Surfing

Gruss Swiss

#57 wie kann ich bei windows vist ein ordner mit einem kennwort beschützen? bei einem klick soll es mich einfach nach dem kennwort fragen....wäre sehr hilfreich wenn mir jemand helfen kann....

#58 Hallo Protecus Team!

mich hat es jetzt auch erwischt. Ich habe nur ein großes Problem!
Mein Rechner fährt sogar nicht mehr hoch. Es piepst beim booten ... und ich weiss jetzt nicht mehr was ich tun soll. ich hatte vor diesem Crash noch mit Antivir diesen Trojaner gefunden und gelöscht, aber irgendwie funktioniert jetzt garnichts mehr.

Kann ich jetzt noch was machen ? hilft formatieren beider partitionen überhaupt gegen trojaner? im absicherungsmodus kann ich windows starten.
leider habe ich überhaupt keine Ahnung. eine Hijackthis file habe ich im gesicherten Modus schon durchlaufen lassen , kann diese jetz aber nich posten, weil ich Angst hatte, dass beim kopieren der Datei, der Trojaner auf diesen Rechner überlaufen kann!? (unbegründet?)

Wie sollte ich die Sache weiter angehen? Hilfe...

NEUE INFOS:
Der Trojaner hat irgendwie eine andere Form wie die bisher bekannten hier im Forum!
Nachdem ich den TR/Dropper.gen gefunden habe und gelöscht habe, hat sich dann abends nen Winrar Werbe Pop-Up geöffnet. dann hat der PC sich runtergefahren und seitdem geht nichts mehr. Wenn ich ihn starte piept er am anfang nur noch und bootet nicht mehr hoch. In den abgesicherten Modus komm ich noch, wie soll ich nun vorgehen?

ich bin wirklich verzweifelt... hilfe...

jetzt bootet der wieder! komisch
hier is die hijackthisfile

Logfile of Trend Micro HiJackThis v2.0.2
Scan saved at 00:43:17, on 21.01.2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16764)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ig?hl=de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.samsungcomputer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViivMonitor] C:\Program Files\Intel\Intel Media Share Software\ViivMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: PDFCreator.lnk = C:\Program Files\PDFCreator\PDFCreator.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://static.pe.studivz.net/photoup...che=1222026080
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://static.pe.studivz.net/photoup...che=1211229818
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Abaqus Licence Server - Macrovision Corporation - C:\ABAQUS\License\lmgrd.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASDM_Service - EnviProt - C:\Program Files\AutoShutdownManager\Services\AutoShutdownMan ager_Service.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Flexlm Service 1 - Macrovision Corporation - C:\ABAQUS\License\lmgrd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Media Share Synch Service (IMSSync) - Intel® Corporation - C:\Program Files\Intel\Intel Media Share Software\IMSSync.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB701\webserver\bin\win32\matlabserver.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 7837 bytes

und die Malwarebyte logfile:

Malwarebytes' Anti-Malware 1.33
Datenbank Version: 1654
Windows 6.0.6000

21.01.2009 08:42:19
mbam-log-2009-01-21 (08-42-19).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 290273
Laufzeit: 51 minute(s), 15 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)