Problem mit rtm32.dll/conhook.gen

#1 hi ich habe ein problem mit einen trojaner... er ist versteckt im system32 ordner als rtm32.dll und nennt sich glaube ich conhook.gen...
ich habe mit hijackthis ein logfile erstell, weiß aber nicht bei welchen ich fix checked machen muss... bitte um hilfe!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:31:48, on 21.10.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16757)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
d:\programme\avira\antivir personaledition classic\avscan.exe
D:\Anderes\Andere\WICHTIGES!!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programme\Acrobat Reader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Programme\BitComet\tools\BitCometBHO_1.2.8.7.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programme\Java\bin\ssv.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avgnt] "D:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "D:\Programme\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Programme\Nero 8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Programme\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: &Alles mit BitComet herunterladen - res://D:\Programme\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Alle &Videos mit BitComet herunterladen - res://D:\Programme\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Mit BitComet herunter&laden - res://D:\Programme\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\PROGRA~1\Java\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\PROGRA~1\Java\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ 6\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - D:\Programme\ICQ 6\ICQ6\ICQ.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - D:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Programme\Nero 8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - D:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - D:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 6174 bytes

#2 >>
Lösche die temp Dateien mit CCleaner

>>
Scanne mit Malwarebytes, lass das gefundene löschen und poste das Log:
(Vor der Anwendung Update nicht vergessen)
http://virus-protect.org/artikel/tools/malwarebytes.html

>>
Wende Combofix an und poste das Log:
http://www.virus-protect.org/artikel/tools/combofix.html

Gruss Swiss

#3 bei beiden wird gesagt, das keine infizierungen gefunden wurden sind!
der pc läuft wieder wesentlich besser! ich danke schon mal

malwarebytes:

Malwarebytes' Anti-Malware 1.29
Datenbank Version: 1303
Windows 6.0.6000

2008-10-21 19:55:44
mbam-log-2008-10-21 (19-55-44).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|)
Durchsuchte Objekte: 113559
Laufzeit: 33 minute(s), 48 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)


Combofix:

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:17
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:17
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:17
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:18
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:19
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:20
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:21
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:22
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:22
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:18
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:22
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:18
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:19
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 19:57:18
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden files ...

scan completed successfully
hidden files: 0
[/u]

#4 Poste das Log von Combofix hier.

#5 ComboFix 08-10-19.04 - KM Scholz 2008-10-21 20:11:36.3 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1252.1.1031.18.2383 [GMT 2:00]
ausgeführt von:: C:\Users\KM Scholz\Downloads\ComboFix.exe
.
/wow section nicht fertiggestellt

((((((((((((((((((((((( Dateien erstellt von 2008-09-21 bis 2008-10-21 ))))))))))))))))))))))))))))))
.

Keine neuen Dateien erstellt in diesem Zeitraum

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-21 18:05 --------- d---a-w C:\ProgramData\TEMP
2008-10-21 17:21 6,736 ----a-w C:\Windows\system32\drivers\PROCEXP90.SYS
2008-10-21 17:20 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\Malwarebytes
2008-10-21 17:20 --------- d-----w C:\ProgramData\Malwarebytes
2008-10-21 16:54 --------- d-----w C:\Program Files\DAEMON Tools Toolbar
2008-10-21 14:42 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\DAEMON Tools
2008-10-21 14:42 --------- d-----w C:\ProgramData\Microsoft Help
2008-10-21 12:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-20 13:14 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-10-20 13:14 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-20 10:50 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\Nero
2008-10-20 10:49 --------- d-----w C:\Program Files\Common Files\Nero
2008-10-20 10:46 --------- d-----w C:\ProgramData\Nero
2008-10-20 10:17 --------- d-----w C:\Program Files\Microsoft Works
2008-10-20 10:16 --------- d-----w C:\Program Files\MSBuild
2008-10-20 10:15 --------- d-----w C:\Program Files\Microsoft.NET
2008-10-20 10:14 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-10-20 09:39 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\Xfire
2008-10-20 09:39 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\Skype
2008-10-20 09:34 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-10-20 09:32 --------- d-----w C:\Program Files\MSXML 4.0
2008-10-19 20:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-10-19 20:08 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\ICQ
2008-10-19 20:08 --------- d-----w C:\ProgramData\Xfire
2008-10-19 20:07 --------- d-----w C:\ProgramData\Skype
2008-10-19 20:07 --------- d-----w C:\Program Files\Skype
2008-10-19 20:07 --------- d-----w C:\Program Files\Common Files\Skype
2008-10-19 20:06 --------- d-----w C:\Program Files\Google
2008-10-19 20:03 --------- d-----w C:\Program Files\Sun
2008-10-19 20:03 --------- d-----w C:\Program Files\Common Files\PX Storage Engine
2008-10-19 20:02 --------- d-----w C:\Program Files\Real
2008-10-19 20:02 --------- d-----w C:\Program Files\Common Files\xing shared
2008-10-19 20:02 --------- d-----w C:\Program Files\Common Files\Real
2008-10-19 20:01 --------- d-----w C:\Program Files\Common Files\Java
2008-10-19 20:00 --------- d-----w C:\ProgramData\Apple Computer
2008-10-19 20:00 --------- d-----w C:\ProgramData\Apple
2008-10-19 20:00 --------- d-----w C:\Program Files\Common Files\Apple
2008-10-19 20:00 --------- d-----w C:\Program Files\Apple Software Update
2008-10-19 17:09 --------- d-----w C:\Program Files\DNA
2008-10-19 16:00 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\vlc
2008-10-19 13:25 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\Teleca
2008-10-19 13:09 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\Sony Ericsson
2008-10-19 13:09 --------- d-----w C:\ProgramData\Teleca
2008-10-19 13:09 --------- d-----w C:\Program Files\Sony Ericsson
2008-10-19 13:09 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-10-19 13:08 --------- d-----w C:\ProgramData\Sony Ericsson
2008-10-19 13:08 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-10-19 13:08 --------- d-----w C:\Program Files\Common Files\Sony Ericsson Shared
2008-10-19 13:03 --------- d-----w C:\ProgramData\Logitech
2008-10-19 13:03 --------- d-----w C:\ProgramData\LogiShrd
2008-10-19 12:28 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-10-19 11:39 --------- d-----w C:\ProgramData\Messenger Plus!
2008-10-18 19:17 --------- d-----w C:\Program Files\Windows Live
2008-10-18 18:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-18 18:49 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\InterTrust
2008-10-18 18:48 --------- d-----w C:\ProgramData\NVIDIA
2008-10-18 18:22 --------- d-----w C:\ProgramData\Symantec
2008-10-18 18:04 15,600 ----a-w C:\Windows\gdrv.sys
2008-10-18 17:56 --------- d-----w C:\Program Files\Realtek
2008-10-18 17:55 --------- d-----w C:\Users\KM Scholz\AppData\Roaming\InstallShield
2008-10-18 17:53 --------- d-----w C:\Program Files\Windows Mail
2008-10-18 17:53 --------- d-----w C:\Program Files\Windows Calendar
2008-10-18 17:50 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2008-10-18 17:50 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2008-10-18 17:50 542,720 ----a-w C:\Windows\System32\sysmain.dll
2008-10-18 17:50 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2008-10-18 17:50 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2008-10-18 17:50 297,984 ----a-w C:\Windows\System32\wlansec.dll
2008-10-18 17:50 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2008-10-18 17:50 258,232 ----a-w C:\Windows\system32\drivers\acpi.sys
2008-10-18 17:50 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2008-10-18 17:50 2,923,520 ----a-w C:\Windows\explorer.exe
2008-10-18 17:43 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-10-18 17:42 315,392 ----a-w C:\Windows\HideWin.exe
2008-10-18 17:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-10-18 17:27 --------- d-----w C:\Program Files\Intel
2008-10-18 17:25 174 --sha-w C:\Program Files\desktop.ini
2008-10-18 17:22 --------- d-----w C:\Program Files\Windows Sidebar
2008-10-18 17:22 --------- d-----w C:\Program Files\Windows Defender
2008-10-18 17:17 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-10-18 17:01 61,440 ----a-w C:\Windows\System32\winipsec.dll
2008-10-18 17:01 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-10-18 17:01 28,672 ----a-w C:\Windows\System32\FwRemoteSvr.dll
2008-10-18 17:01 272,896 ----a-w C:\Windows\System32\polstore.dll
2008-10-18 17:00 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-10-18 17:00 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-10-18 17:00 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-10-18 17:00 28,160 ----a-w C:\Windows\System32\Apphlpdm.dll
2008-10-18 17:00 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-10-18 17:00 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-10-18 17:00 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-10-18 17:00 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2008-10-18 16:59 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-10-18 16:59 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-10-18 16:57 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-10-18 16:57 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-10-18 16:53 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-10-18 16:53 160,872 ----a-w C:\Windows\System32\halmacpi.dll
2008-10-18 16:53 134,760 ----a-w C:\Windows\System32\halacpi.dll
2008-10-18 16:53 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-10-18 1232896]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [2007-08-03 202024]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="D:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"ISTray"="D:\Programme\Spyware Doctor\pctsTray.exe" [2008-08-25 1168264]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="D:\Programme\Nero 8\Nero BackItUp\NBKeyScan.exe" [2007-08-08 1828136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3316544D-0CA2-4B08-B8EC-EFB5B3055447}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{63A50148-8F64-4CC9-B2E1-52B065675E43}C:\\program files\\windows sidebar\\sidebar.exe"= UDP:C:\program files\windows sidebar\sidebar.exe:Windows-Sidebar
"UDP Query User{4329FA97-2B3C-404F-A83E-B6A9A9FEE5B4}C:\\program files\\windows sidebar\\sidebar.exe"= TCP:C:\program files\windows sidebar\sidebar.exe:Windows-Sidebar
"{F6C11496-F2C1-44BB-8AC9-7BD01B24F0E2}"= UDP:C:\Program Files\DNA\btdna.exeNA
"{68404D11-E758-40FB-BC2F-5F19B46338E7}"= TCP:C:\Program Files\DNA\btdna.exeNA
"TCP Query User{08FDBBCF-F208-4637-8417-8BBB14283446}D:\\programme\\bittorrent\\bittorrent.exe"= UDP:\programme\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{7E18A2BF-599D-4709-9F9A-0F8FD14DF2EF}D:\\programme\\bittorrent\\bittorrent.exe"= TCP:\programme\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{6758A327-D4B1-41D3-8ED4-4C1FB1F8289E}C:\\users\\km scholz\\program files\\dna\\btdna.exe"= UDP:C:\users\km scholz\program files\dna\btdna.exe:btdna.exe
"UDP Query User{5E4FA59C-4699-48E5-A4B8-254B206C0C39}C:\\users\\km scholz\\program files\\dna\\btdna.exe"= TCP:C:\users\km scholz\program files\dna\btdna.exe:btdna.exe
"{206FF8D2-F72E-47BE-B854-9C5CE96EEE94}"= C:\Program Files\Skype\Phone\Skype.exe:Skype
"{3EF83E33-4152-41E5-96E1-2C41C8ACBBD3}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{2DFDB649-3731-4E5D-AD26-65D437B60026}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{8E25B6FA-FD13-4B34-A151-632D5AFF81BD}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{8D300ECE-6A9F-44C5-AF13-F3AE9C082B41}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D1DD7D7A-5015-4841-956C-CF6637E07762}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{56FC009B-EAC0-401A-9923-A50B353D4276}D:\\programme\\bitcomet\\bitcomet.exe"= UDP:\programme\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{05305047-3290-44A1-BAC1-A5065F9D9648}D:\\programme\\bitcomet\\bitcomet.exe"= TCP:\programme\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"D:\\Programme\\BitTorrent\\bittorrent.exe"= D:\Programme\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4b356f8-9d2e-11dd-8e7f-001a4d57a91c}]
\shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners

2008-10-18 C:\Windows\Tasks\1-Klick-Wartung.job
- D:\Programme\TuneUp Utilities 2008\OneClick.exe []
.
.
------- Zusätzlicher Suchlauf -------
.
FireFox -: Profile - C:\Users\KM Scholz\AppData\Roaming\Mozilla\Firefox\Profiles\3akg5lwp.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - chrome://fastdial/content/fastdial.html
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - d:\programme\Acrobat Reader\Reader\Browser\nppdf32.dll
FF -: plugin - d:\programme\Acrobat Reader\Reader\browser\nppdf32.dll
FF -: plugin - D:\Programme\Apple\Plugins\npqtplugin.dll
FF -: plugin - D:\Programme\Apple\Plugins\npqtplugin2.dll
FF -: plugin - D:\Programme\Apple\Plugins\npqtplugin3.dll
FF -: plugin - D:\Programme\Apple\Plugins\npqtplugin4.dll
FF -: plugin - D:\Programme\Apple\Plugins\npqtplugin5.dll
FF -: plugin - D:\Programme\Apple\Plugins\npqtplugin6.dll
FF -: plugin - D:\Programme\Apple\Plugins\npqtplugin7.dll
FF -: plugin - D:\Programme\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - D:\Programme\DivX\DivX Web Player\npdivx32.dll
FF -: plugin - D:\Programme\FireFox\plugins\npBitCometAgent.dll
FF -: plugin - D:\Programme\FireFox\plugins\npdivx32.dll
FF -: plugin - D:\Programme\FireFox\plugins\npDivxPlayerPlugin.dll
FF -: plugin - D:\Programme\FireFox\plugins\npnul32.dll
FF -: plugin - D:\Programme\FireFox\plugins\NPOFF12.DLL
FF -: plugin - D:\Programme\FireFox\plugins\nppdf32.dll
FF -: plugin - D:\Programme\FireFox\plugins\nppl3260.dll
FF -: plugin - D:\Programme\FireFox\plugins\npqtplugin.dll
FF -: plugin - D:\Programme\FireFox\plugins\npqtplugin2.dll
FF -: plugin - D:\Programme\FireFox\plugins\npqtplugin3.dll
FF -: plugin - D:\Programme\FireFox\plugins\npqtplugin4.dll
FF -: plugin - D:\Programme\FireFox\plugins\npqtplugin5.dll
FF -: plugin - D:\Programme\FireFox\plugins\npqtplugin6.dll
FF -: plugin - D:\Programme\FireFox\plugins\npqtplugin7.dll
FF -: plugin - D:\Programme\FireFox\plugins\nprjplug.dll
FF -: plugin - D:\Programme\FireFox\plugins\nprpjplug.dll
FF -: plugin - D:\Programme\Java\bin\npjava11.dll
FF -: plugin - D:\Programme\Java\bin\npjava12.dll
FF -: plugin - D:\Programme\Java\bin\npjava13.dll
FF -: plugin - D:\Programme\Java\bin\npjava14.dll
FF -: plugin - D:\Programme\Java\bin\npjava32.dll
FF -: plugin - D:\Programme\Java\bin\npjpi160_07.dll
FF -: plugin - D:\Programme\Java\bin\npoji610.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-21 20:11:54
Windows 6.0.6000 NTFS

detected NTDLL code modification:
ZwClose

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...


**************************************************************************
.
Zeit der Fertigstellung: 2008-10-21 20:13:33
ComboFix-quarantined-files.txt 2008-10-21 18:13:31
ComboFix2.txt 2008-10-21 17:59:01

Vor Suchlauf: Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
Nach Suchlauf: 17 Verzeichnis(se), 92,828,393,472 Bytes frei

225 --- E O F --- 2008-10-20 09:32:41

#6 >>
Combofix entfernen:
Ausführen bei Vista : Windows Taste + R drücken
Kopiere rein: Combofix /U - klicke "OK"

(oder, wenn es nicht funktioniert: C:\QooBox löschen)
(oder, wenn es nicht funktioniert: C:\QooBox löschen)

>>
mache einen Onlinescan mit eset + poste den report
http://virus-protect.org/artikel/tools/eset-nod.html

>>
Kommen noch Virenwarnungen?

Gruss Swiss

#7 sry, aber mit dem online scan dat funktioniert net :S ...
aber kommen keine virenwarnungen mehr... bei allen anderen programmen
vielen dank