komische Anwendung im Background ?

#1 Hallo


seit paar Tagen bekomm ich von Windows immer die Meldung das eine Anwendung mit dem Namen "360" oder "460" nicht beendet werden kann wenn ich den PC runterfahren will...wenn ich dann auf sofort beenden klick kommt die Meldung wieder.Ich poste jetzt mal nen Hijack Log vielleicht weiss jemand was das sein könnte.


edit:achja noch was...wenn ich im Taskmanager nach der Anwendung gugg find ich da nix.

Zitat

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50:54, on 21.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Windows Live\Messenger\msnmsgr.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Trend Micro\jackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.t-online.de/service/redir/tosw6_sc_webtour.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programme\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Ikarus-GuardX] C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6CCE3920-3183-4B3D-808A-B12EB769DE12} (CSS Web Installer Class) - http://www.commandondemand.com/eval/cod/cabs/cssweb.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{225F6D22-1000-44AB-9B47-15C3667066B5}: NameServer = 217.237.151.142 217.237.150.188
O17 - HKLM\System\CS1\Services\Tcpip\..\{225F6D22-1000-44AB-9B47-15C3667066B5}: NameServer = 217.237.151.142 217.237.150.188
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: GuardX - Ikarus Security Software GmbH - C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe

--
End of file - 7832 bytes

mfg
wolverine26

#2 hier das viruslog von mwav-->

Zitat

Object "livekill Corrupted Adware/Spyware" found in File System! Action Taken: No Action Taken.
Object "livekill Corrupted Adware/Spyware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\IDBHO.IDBrowserExtension" refers to invalid object "{9030D464-4C02-4ABF-8ECC-5164760863C6}". Action Taken: No Action Taken.
Entry "HKCR\IDBHO.IDBrowserExtension.1" refers to invalid object "{9030D464-4C02-4ABF-8ECC-5164760863C6}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asquared.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\fscax.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\GAME_UNO1.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\OL2005.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.ocx". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "C:\Program Files\Real\RealPlayer\RealPlay.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\PPSDKActiveXScanner.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\OL2005.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asquared.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\fscax.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\cssweb.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\GAME_UNO1.dll". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".$$$". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".007". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".part". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".php4". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".r001". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".ro1". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tmp". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".xpi". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB873339". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB885836". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB886185". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB887472". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB888302". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB890046". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB890859". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB891781". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB893756". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB893803v2". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB894391". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB896358". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB896423". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB896428". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB898461". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB899587". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB899591". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB900485". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB901017". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB901214". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB902400". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB904942". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB905414". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB905749". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB908519". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB908531". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB910437". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB911280". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB911562". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB911927". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB913580". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB914388". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB914389". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB914440". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB916595". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB918118". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB918439". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB919007". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB920213". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB920670". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB920683". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB920685". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB920872". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB921503". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB922582". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB922819". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB923191". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB923414". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB923980". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB924270". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB924496". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB924667". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB925902". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB926255". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB926436". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB927779". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB927802". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB927891". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB928255". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB928843". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB929123". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB930178". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB930916". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB931261". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB931784". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB932168". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB932823-v3". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB933729". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB935448". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB935839". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB935840". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB936021". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB937894". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB938828". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB938829". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB941202". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB941568". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB941644". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB941693". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB942763". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB943055". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB943460". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB943485". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB944653". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB945553". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB946026". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB948590". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB948881". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "KB950749". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (2.0.0.14)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (2.0.0.15)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (2.0.0.16)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "Mozilla Firefox (3.0.1)". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{02DFF6B1-1654-411C-8D7B-FD6052EF016F}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{08CA9554-B5FE-4313-938F-D4A417B81175}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{125F0ACC-D3FC-402B-8D96-27F6E46D00D5}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{13D3FE3C-C175-4BA3-9483-5BB01B502F19}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{1762C1BA-66BF-454A-8746-F921574CFF6C}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{41B9E2CF-0B3F-442A-B5B3-592A4A355634}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{44734179-8A79-4DEE-BB08-73037F065543}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{45D68F08-56A0-4412-BB0F-8492BE978AC7}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{558CD0A7-0548-4220-88FE-01CC1477DF61}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{5AC9F44E-06C7-41E3-A464-37177AB9105D}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{7C3E3706-8FBD-4169-9726-0A47FBF9D32A}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{900D1065-7ABC-4AE0-B9F7-3422167208B5}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{901C63FD-6673-47A6-9B5F-B13E3EBFA470}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{AA9768AA-FF0B-4C66-A085-31E934F77841}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{C3CE4CED-46B0-407E-A703-7A83AAE02A36}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{DBE84DB2-1794-4244-9859-9B720CA89B4D}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{E81F8ADE-B49B-4242-8FD8-7D9C65A25D68}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{F68E3631-68ED-4970-8D77-B81FE83AA6A1}". Action Taken: No Action Taken.

#3 Mwav von eScan sollte man nicht benutzen,gibt "false positive"findet etwas was gar nicht da ist
Und diese "Entry "HKLM"eintraege werden in die Vollversion geheilt und beim naechsten wieder gefunden

Poste mal die daten von: http://board.protecus.de/t23187.htm
__________
MfG Argus

#4 Anti Malware log--->

Zitat

Malwarebytes' Anti-Malware 1.29
Datenbank Version: 1306
Windows 5.1.2600 Service Pack 3

22.10.2008 18:05:34
mbam-log-2008-10-22 (18-05-27).txt

Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 97206
Laufzeit: 22 minute(s), 36 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 4

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> No action taken.
C:\WINDOWS\system32\vcmgcd32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\logo1_.exe (Worm.Viking) -> No action taken.
C:\WINDOWS\system32\systems.txt (Trojan.FakeAlert) -> No action taken.

#5 Und wo bleiben die andere logs?
__________
MfG Argus

#6 Combofixlog->

Zitat

ComboFix 08-10-21.05 - Administrator 2008-10-22 19:45:15.1 - NTFSx86
ausgeführt von:: C:\Dokumente und Einstellungen\Administrator\Desktop\ComboFix.exe
* Resident AV is active

.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((( Dateien erstellt von 2008-09-22 bis 2008-10-22 ))))))))))))))))))))))))))))))
.

2008-10-22 19:00 . 2008-10-22 19:00 61,440 --a------ C:\WINDOWS\system32\drivers\oewon.sys
2008-10-22 16:35 . 2008-10-22 16:35 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-10-22 16:35 . 2008-10-22 16:35 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-10-22 16:35 . 2008-10-22 16:35 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Malwarebytes
2008-10-22 16:35 . 2008-10-16 20:25 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-22 16:35 . 2008-10-16 20:25 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-22 15:13 . 2008-10-22 15:13 0 --a------ C:\23990098.$$$
2008-10-19 20:57 . 2008-10-19 20:57 24,002 --a------ C:\43779551_full,r,470x470.jpg
2008-10-17 20:55 . 2008-10-17 20:55 <DIR> d-------- C:\Programme\iTunes
2008-10-17 20:55 . 2008-10-17 20:55 <DIR> d-------- C:\Programme\iPod
2008-10-17 20:55 . 2008-10-17 20:55 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-17 19:36 . 2008-10-17 19:37 <DIR> d-------- C:\Programme\virtualdubmod
2008-10-14 20:30 . 2008-10-14 20:30 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Lavasoft
2008-10-14 20:27 . 2008-10-14 20:27 <DIR> d-------- C:\Programme\Spyware Doctor
2008-10-14 20:27 . 2008-10-14 20:27 <DIR> d-------- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\PC Tools
2008-10-14 20:27 . 2008-08-25 12:36 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-10-14 20:27 . 2008-08-25 12:36 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-10-14 20:27 . 2008-08-25 12:36 40,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-10-14 20:27 . 2008-06-02 16:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-10-14 20:12 . 2008-10-14 20:12 <DIR> d-------- C:\Programme\TeaTimer (Spybot - Search & Destroy)
2008-10-14 20:12 . 2008-10-14 20:12 <DIR> d-------- C:\Programme\SDHelper (Spybot - Search & Destroy)
2008-10-14 20:07 . 2008-10-20 19:41 <DIR> d-------- C:\Temp
2008-10-14 20:07 . 2008-10-14 20:07 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Prevx
2008-10-12 19:51 . 2008-10-12 19:51 12,450 --a------ C:\chatlog.rtf
2008-10-09 13:07 . 2008-10-09 13:07 <DIR> d-------- C:\Programme\DivX
2008-10-09 02:27 . 2008-10-09 02:27 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Java
2008-10-08 01:53 . 2008-10-08 01:53 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-10-08 01:53 . 2008-10-20 19:43 <DIR> d-------- C:\Programme\Hitman Pro
2008-10-01 22:13 . 2008-10-01 22:20 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WinZip
2008-10-01 21:16 . 2008-08-21 11:05 625,144 --a------ C:\WINDOWS\system32\ikmapi.dll
2008-10-01 21:16 . 2008-08-21 11:05 113,144 --a------ C:\WINDOWS\system32\ikproc.dll
2008-10-01 21:09 . 2008-10-01 21:09 <DIR> d-------- C:\Programme\Ikarus
2008-09-27 14:47 . 2008-09-27 14:47 84 --a------ C:\WINDOWS\netdet.ini
2008-09-27 14:46 . 2008-09-27 14:46 <DIR> d-------- C:\Programme\VIDEOzilla
2008-09-27 14:46 . 2008-09-27 14:46 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\shctxex.vb
2008-09-25 22:07 . 2008-09-25 22:07 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-09-22 14:51 . 2008-09-22 14:51 <DIR> d-------- C:\Programme\AGI
2008-09-22 14:51 . 2008-09-22 14:51 2,117,632 --a------ C:\WINDOWS\system32\python25.dll
2008-09-22 14:51 . 2008-09-16 18:26 1,332,197 --a------ C:\WINDOWS\system32\pythondll.zip
2008-09-22 14:51 . 2008-09-22 14:51 339,968 --a------ C:\WINDOWS\system32\pythoncom25.dll
2008-09-22 14:51 . 2008-09-22 14:51 114,688 --a------ C:\WINDOWS\system32\pywintypes25.dll

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-20 19:37 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\OpenOffice.org2
2008-10-20 17:38 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-10-14 19:19 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2008-10-14 18:12 --------- d-----w C:\Programme\Spybot - Search & Destroy
2008-10-14 18:09 --------- d-----w C:\Programme\Lavasoft
2008-10-11 21:00 --------- d-----w C:\Programme\KaLoMa
2008-10-11 21:00 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\T-Online DSL-Manager
2008-10-09 00:28 --------- d-----w C:\Programme\Java
2008-10-04 10:42 --------- d-----w C:\Programme\SlySoft
2008-10-01 22:19 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\WLInstaller
2008-10-01 22:18 --------- dcsh--w C:\Programme\Gemeinsame Dateien\WindowsLiveInstaller
2008-09-16 21:59 --------- d-----w C:\Programme\4U Computing
2008-09-16 00:12 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-09-16 00:12 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-09-14 10:50 --------- d-----w C:\Programme\QuickTime
2008-09-14 10:50 --------- d-----w C:\Programme\Bonjour
2008-09-14 10:49 --------- d-----w C:\Programme\Gemeinsame Dateien\Apple
2008-09-06 23:23 --------- d-----w C:\Programme\sftloader
2008-09-05 09:49 --------- d-----w C:\Programme\Messenger Plus! Live
2008-09-01 11:10 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-08-31 20:36 --------- d-----w C:\Programme\Zzaph
2008-08-29 11:19 --------- d-----w C:\Programme\Apple Software Update
2008-08-29 08:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 07:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-08-28 21:40 --------- d-----w C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Apple Computer
2008-08-28 21:21 --------- d-----w C:\Programme\Safari
2008-08-23 19:42 --------- d-----w C:\Programme\Panda Security
2008-04-26 20:50 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2008-04-19 12:23 2 --shatr C:\WINDOWS\winstart.bat
2008-07-02 00:37 12,251,936 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"msnmsgr"="C:\Programme\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"HP Software Update"="C:\Programme\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-02-24 2372760]
"QuickTime Task"="C:\Programme\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"Ikarus-GuardX"="C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe" [2008-08-21 1387000]
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Malwarebytes Anti-Malware (reboot)"="C:\Programme\Malwarebytes' Anti-Malware\mbam.exe" [2008-10-16 1257104]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\GuardX]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTGUARD]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\QIP\\qip.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=
"C:\\PROGRA~1\\GEMEIN~1\\MICROW~1\\Agent\\MWAGENT.EXE"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Bonjour\\mDNSResponder.exe"=
"C:\\Programme\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Programme\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=

R2 GuardX;GuardX;C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe [2008-08-21 1108472]
R2 NTGUARD;NTGUARD;C:\Programme\Ikarus\virus utilities\bin\NTGUARD.SYS [2008-08-21 95360]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys [2008-10-16 38496]
R3 TSMPacket;DSL-Manager Service;C:\WINDOWS\system32\DRIVERS\tsmpkt.sys [2007-06-26 13824]
S3 AhnFlt2k;AhnFlt2k;C:\WINDOWS\system32\Drivers\AhnFlt2k.sys [2006-03-28 45056]
S3 AhnRec2k;AhnRec2k;C:\WINDOWS\system32\Drivers\AhnRec2k.sys [2005-12-12 13696]
S3 AhnRghNt;AhnRghNt;C:\WINDOWS\system32\Drivers\AhnRghNt.sys [2006-06-12 28288]
S3 CdmDrvNt;CdmDrvNt;C:\WINDOWS\system32\Drivers\CdmDrvNt.sys [2006-03-04 12605]
S3 dsltestSp5;dsltestSp5 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\dsltestSp5.sys [2007-09-12 26816]
S3 RegGuard;RegGuard;C:\WINDOWS\system32\Drivers\regguard.sys [2008-04-19 25773]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2007-05-02 83592]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2007-05-02 15112]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2007-05-02 109704]
S3 TDslMgrService;DSL-Manager;C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe [2007-11-26 294912]

*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER
*Newly Created Service* - MBAMSWISSARMY
.
Inhalt des "geplante Tasks" Ordners

2008-10-10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

HKLM-Run-TkBellExe - realsched.exe
ShellExecuteHooks-{F552DDE6-2090-4bf4-B924-6141E87789A5} - (no file)
Notify-WgaLogon - (no file)


.
------- Zusätzlicher Suchlauf -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\zava52ne.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.de/
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
FF -: plugin - C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Programme\Mozilla Firefox\plugins\NPAhnASP.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 19:46:23
Windows 5.1.2600 Service Pack 3 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-10-22 19:47:09
ComboFix-quarantined-files.txt 2008-10-22 17:47:07
ComboFix2.txt 2008-07-05 17:17:04

Vor Suchlauf: 22 Verzeichnis(se), 50.255.335.424 Bytes frei
Nach Suchlauf: 22 Verzeichnis(se), 50,424,004,608 Bytes frei

WindowsXP-KB310994-SP2-Pro-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /Execute /fastdetect

190 --- E O F --- 2008-10-04 00:16:55

#7 hallo?? könnt mal jemand was zu sagen?!

#8 Ungeduldig?
Entferne HitmanPro von dein Rechner

Virustotal

Verborgene Dateien sichtbar machen
Arbeitsplatz öffnen >Extras >Ordneroptionen >den Reiter "Ansicht" >Versteckte Dateien und Ordner >"alle Dateien und Ordner anzeigen" aktivieren und >Extras >Ordneroptionen >den Reiter "Ansicht" >Dateien und Ordner >"Geschützte Systemdateien ausblenden (empfohlen)" deaktivieren

Prüfe mal diese Datei(en) bei Virustotal http://www.virustotal.com/flash/index_en.html

Zitat

C:\WINDOWS\system32\drivers\oewon.sys

Note: Wenn bei ViruTotal die Meldung kommt ” Die Datei wurde bereits analysiert “wähle „Analysiere die Datei“
Poste nur die URL am Ende
__________
MfG Argus

#9

Zitat

Ungeduldig?
Entferne HitmanPro von dein Rechner

macht kein Spass zu surfen wenn man weiss das man mit Trojanern und Backdoors unterwegs ist ;-)
Hitman is weg :-)

Zitat

C:\WINDOWS\system32\drivers\oewon.sys

gibts nimma.

#10 Dafür hat man doch ein Up-to-date Virenscanner

Zitat

macht kein Spass zu surfen wenn man weiss das man mit Trojanern und Backdoors unterwegs ist

Klicke: Do a Systemscan only
Setze ein Häckchen in das Kästchen vor den genannten Eintrag bei

Zitat

O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

klicke: Fix checked

Ewido Micro
Scanne mit Ewido Micro(by grisoft.com)
__________
MfG Argus

#11

Zitat

Dafür hat man doch ein Up-to-date Virenscanner

hm ja ich hab zwar nen derzeit besten aber gegen gewisse Malware hilft das auch nix.

Zitat

Klicke: Do a Systemscan only
Setze ein Häckchen in das Kästchen vor den genannten Eintrag bei

Zitat:
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

klicke: Fix checked

erledigt.


log von ewido kommt gleich

#12 hier erstmal noch nen weiterer Hijackthis log-->

Zitat

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:55:57, on 23.10.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sygate\SPF\smc.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Windows Live\Messenger\msnmsgr.exe
C:\Programme\Windows Live\Messenger\usnsvc.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\DsNET Corp\aTube Catcher 1.0\yct.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
C:\Dokumente und Einstellungen\Administrator\Desktop\ewido_micro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.t-online.de/service/redir/tosw6_sc_webtour.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Ikarus-GuardX] C:\Programme\Ikarus\virus utilities\bin\guardxkickoff.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programme\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{225F6D22-1000-44AB-9B47-15C3667066B5}: NameServer = 217.237.151.142 217.237.150.188
O17 - HKLM\System\CS1\Services\Tcpip\..\{225F6D22-1000-44AB-9B47-15C3667066B5}: NameServer = 217.237.151.142 217.237.150.188
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: GuardX - Ikarus Security Software GmbH - C:\Programme\Ikarus\virus utilities\bin\guardxservice.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programme\Sygate\SPF\smc.exe
O23 - Service: DSL-Manager (TDslMgrService) - T-Systems Enterprise Services GmbH - C:\Programme\T-Online\DSL-Manager\DslMgrSvc.exe

--
End of file - 6546 bytes

#13 ewidoscan zieht sich etwas in die Länge.

#14 ewidolog--->

Zitat

__________________________________________________
ewido anti-spyware online scanner
http://www.ewido.net
__________________________________________________


Name: TrackingCookie.Atdmt
Path: C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@atdmt[2].txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@bs.serving-sys[1].txt
Risk: Medium

Name: TrackingCookie.Doubleclick
Path: C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@doubleclick[1].txt
Risk: Medium

Name: TrackingCookie.Ivwbox
Path: C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@ivwbox[1].txt
Risk: Medium

Name: TrackingCookie.2o7
Path: C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt
Risk: Medium

Name: TrackingCookie.Serving-sys
Path: C:\Dokumente und Einstellungen\Administrator\Cookies\administrator@serving-sys[2].txt
Risk: Medium

Name: Dialer.Generic
Path: HKLM\SYSTEM\ControlSet004\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_18491E01&REV_1000#4&23606ECE&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#RearLineInWave3\Device Parameters\Mixer\3\Controls
Risk: High

Name: Dialer.Generic
Path: HKLM\SYSTEM\ControlSet004\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#HDAUDIO#FUNC_01&VEN_10EC&DEV_0888&SUBSYS_18491E01&REV_1000#4&23606ECE&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#RearLineInWave3\Device Parameters\Mixer\3\Controls\0
Risk: High

#15 >>
Lade Dir Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten.
in das Feld: "Enter search strings" (reinschreiben oder reinkopieren)

6994AD04-93EF-11D0-A3CC-00A0C9223196

in edit und klicke "Ok".
Notepad wird sich öffnen -- kopiere den Text ab und poste ihn.


Gruss Swiss