TR/AutoR.NMY.7470.1

12.11.2008, 21:22
Member

Posts: 32
#1 Good evening everyone,
according to my antivirus program Avira, I picked up a trojan today which, unfortunately, I have not been able to get rid of so far!
I noticed that it keeps creating temp files under
C:\Dokumente und Einstellungen\Eltern\Lokale Einstellungen\Temp
Can someone please help me with how I can delete the virus from my drive?


Many thanks in advance



Here is the output of the tool datFind.bat


Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: F6C6-CCCF

Verzeichnis von c:\

12.11.2008 21:10 0 dirdat.txt
12.11.2008 21:10 103 autorun.inf
12.11.2008 19:17 3.220.418.560 hiberfil.sys
12.11.2008 19:17 3.534.307.328 pagefile.sys
26.09.2008 15:16 7.007 hpfr3425.log
26.09.2008 15:14 0 hpfr3420.xml
15.05.2008 17:40 8.192 BOOTSECT.BAK
24 Datei(en), 6.792.927.846 Bytes
0 Verzeichnis(se), 465.913.004.032 Bytes frei
Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: F6C6-CCCF

Verzeichnis von C:\Windows\system32

12.11.2008 19:22 586.980 perfh009.dat
12.11.2008 19:22 101.052 perfc009.dat
12.11.2008 19:22 618.204 perfh007.dat
12.11.2008 19:22 122.636 perfc007.dat
12.11.2008 19:22 1.418.806 PerfStringBackup.INI
12.11.2008 19:18 3.616 7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
12.11.2008 19:18 3.616 7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
08.11.2008 17:56 98.304 CmdLineExt.dll
08.11.2008 17:12 361.216 TuneUpDefragService.exe
08.11.2008 17:01 603.904 TUProgSt.exe
03.11.2008 21:33 43.520 CmdLineExt03.dll
26.10.2008 13:58 4 proc-1037709799.bin
17.10.2008 12:24 418.712 FNTCACHE.DAT
16.10.2008 05:47 466.944 netapi32.dll
10.10.2008 16:44 15.360 umstartup.etl
07.10.2008 20:19 16.721.856 mrt.exe
02.10.2008 04:49 827.392 wininet.dll
02.10.2008 04:49 1.166.336 urlmon.dll
02.10.2008 04:49 671.232 mstime.dll
02.10.2008 04:49 3.578.880 mshtml.dll
02.10.2008 04:49 28.160 jsproxy.dll
02.10.2008 04:49 270.336 iertutil.dll
02.10.2008 04:49 6.068.736 ieframe.dll
02.10.2008 02:32 1.383.424 mshtml.tlb
26.09.2008 16:26 50 bridf07a.dat
19.09.2008 19:24 3.350 KGyGaAvL.sys
18.09.2008 06:09 3.601.464 ntkrnlpa.exe
18.09.2008 06:09 3.549.240 ntoskrnl.exe
18.09.2008 05:56 125.952 wersvc.dll
18.09.2008 05:56 147.456 Faultrep.dll
18.09.2008 03:16 2.032.640 win32k.sys
06.09.2008 21:09 56 ezsidmv.dat
04.09.2008 17:51 107.832 PnkBstrB.exe
04.09.2008 17:50 66.872 PnkBstrA.exe
26.08.2008 19:48 188 MsiExec.exe.log
24.08.2008 17:54 0 0
16.08.2008 13:19 176.167 rmoc3260.dll
16.08.2008 13:19 5.632 pndx5032.dll
16.08.2008 13:19 6.656 pndx5016.dll
16.08.2008 13:19 278.528 pncrt.dll
16.08.2008 12:28 8 78156839D5.sys
16.08.2008 10:43 60.826 license.rtf
12.08.2008 04:39 443.392 win32spl.dll
05.08.2008 10:49 293.376 psisdecd.dll
05.08.2008 10:49 428.544 EncDec.dll
05.08.2008 10:48 177.664 mpg2splt.ax
05.08.2008 10:48 80.896 MSNP.ax
05.08.2008 10:48 217.088 psisrndr.ax
04.08.2008 08:51 750.984 Magentic Screensaver.scr
02.08.2008 04:26 36.864 cdd.dll
01.08.2008 14:46 1.717.848 skype4com.dll
2542 Datei(en), 1.035.210.747 Bytes
0 Verzeichnis(se), 465.912.877.056 Bytes frei
Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: F6C6-CCCF

Verzeichnis von C:\Windows

12.11.2008 21:03 60.698 WindowsUpdate.log
12.11.2008 20:45 69 NeroDigital.ini
12.11.2008 20:29 86 wininit.ini
12.11.2008 19:17 67.584 bootstat.dat
09.11.2008 14:46 32 0
09.11.2008 13:47 0 BsMobileModel.ini
26.10.2008 13:58 289 win.ini
22.10.2008 13:14 425 BRWMARK.INI
26.09.2008 16:26 27 BRPP2KA.INI
19.09.2008 17:53 63 PixieTool.INI
61 Datei(en), 22.677.918 Bytes
0 Verzeichnis(se), 465.912.877.056 Bytes frei
Datenträger in Laufwerk C: ist BOOT
Volumeseriennummer: F6C6-CCCF

Verzeichnis von C:\Users\Eltern\AppData\Local\Temp

12.11.2008 20:00 1.552 wmplog01.sqm
12.11.2008 19:43 31.832 Eltern.bmp
12.11.2008 19:40 1.552 wmplog00.sqm
12.11.2008 19:33 917.504 MFPL7014.DLL
12.11.2008 19:24 39.076 cteng_1_2_271226511009.dat
12.11.2008 19:24 172.396 cteng_1_2_261226476925.dat
12.11.2008 19:24 282.952 cteng_1_2_231226502125.dat
12.11.2008 19:24 311.832 cteng_1_2_221226491324.dat
12.11.2008 19:24 323.972 cteng_1_2_201226484127.dat
12.11.2008 19:24 271.816 cteng_1_2_181226494923.dat
12.11.2008 19:24 231.756 cteng_1_2_161226505724.dat
12.11.2008 19:24 183.384 cteng_1_2_141226487727.dat
12.11.2008 19:24 295.252 cteng_1_2_131226498523.dat
12.11.2008 19:24 68.524 cteng_1_1_41226502182.dat
12.11.2008 19:24 59.032 cteng_1_1_201226511543.dat
12.11.2008 19:23 55.924 cteng_1_1_141226512141.dat
12.11.2008 19:23 53.160 cteng_1_1_121226480524.dat
12.11.2008 19:23 66.128 cteng_1_1_111226473323.dat
12.11.2008 19:23 55.112 cteng_1_1_101226447102.dat
12.11.2008 19:19 798.720 tmpCDE9.tmp
12.11.2008 19:19 7.470 tmpCDE8.tmp
12.11.2008 19:19 3.964.928 ~DFC277.tmp
11.11.2008 20:21 329.392 cteng_1_2_71226427967.dat
11.11.2008 20:21 335.228 cteng_1_2_41226407263.dat
11.11.2008 20:21 140.644 cteng_1_2_251226399582.dat
11.11.2008 20:21 211.676 cteng_1_2_241226399410.dat
11.11.2008 20:21 245.188 cteng_1_2_211226414287.dat
11.11.2008 20:20 258.060 cteng_1_2_171226418305.dat
11.11.2008 20:20 227.900 cteng_1_2_151226392208.dat
11.11.2008 20:20 68.176 cteng_1_1_91226421608.dat
11.11.2008 20:20 67.056 cteng_1_1_81226418604.dat
11.11.2008 20:20 79.484 cteng_1_1_71226427971.dat
11.11.2008 20:20 65.996 cteng_1_1_161226422446.dat
10.11.2008 17:39 8.680 cteng_8_2_21224089394.dat
10.11.2008 17:39 16.804 cteng_8_2_11223394495.dat
08.11.2008 07:46 72.228 cteng_1_1_181225018872.dat
07.11.2008 10:45 63.396 cteng_1_1_211226043874.dat
06.11.2008 17:13 58.232 cteng_1_1_131225982299.dat
38 Datei(en), 10.442.014 Bytes
0 Verzeichnis(se), 465.912.872.960 Bytes frei
12.11.2008, 21:36
Honorary member

Posts: 6028
#2 Malwarebytes Anti-Malware for Windows 2000, XP and Vista
Download MBAM
Double-click mbam-setup and choose German; the program will now be updated

In the tabs, choose:
"Scanner" > "Perform quick scan".
"Update" > click "Check for updates"
"Settings": tick "Terminate Internet Explorer during removal"
Let the scan run

If infections are found at the end, tick them and have them removed
Restart your computer
The log (mbam-log-XX-XX-XXXX.txt) is listed under Scan reports
Post its contents here in the forum
Note:
If MBAM has trouble removing data, it will say so; click OK
Then it will ask to restart the computer; allow it
You can keep Malwarebytes Anti-Malware afterwards!

Later you can also run a "Full scan"

Download: Trend Micro Hijack This™
Download/unpack HijackThis into a separate folder, e.g. C:\Programme\Hijack This
Double-click HJTInstall.exe and install the tool in C:\Programme\Hijack This
At the end there will be a shortcut on your desktop

Start Hijack This and click "Do a system scan and save a logfile"
Save log --> hijackthis.log - Save - the editor opens
Now copy the COMPLETE log with a right mouse click and "paste" it into the forum with a right mouse click
Windows Vista: right-click HijackThis.exe and choose "Run as Administrator".
__________
Regards, Argus
12.11.2008, 22:49
Member

Thread starter

Posts: 32
#3 Malwarebytes' Anti-Malware 1.30
Datenbank Version: 1390
Windows 6.0.6001 Service Pack 1

12.11.2008 22:42:30
mbam-log-2008-11-12 (22-42-30).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 49386
Laufzeit: 1 minute(s), 34 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 2
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 9
Infizierte Verzeichnisse: 4
Infizierte Dateien: 1

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Tribute Service (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ab7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e99eed34-e849-429e-9db7-bdd136f736fb}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.212;85.255.112.238 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e99eed34-e849-429e-9db7-bdd136f736fb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.212;85.255.112.238 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f6e98b82-c9e1-4791-b73e-f56159cfd58d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.212;85.255.112.238 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e99eed34-e849-429e-9db7-bdd136f736fb}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.212;85.255.112.238 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{e99eed34-e849-429e-9db7-bdd136f736fb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.212;85.255.112.238 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{f6e98b82-c9e1-4791-b73e-f56159cfd58d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.212;85.255.112.238 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e99eed34-e849-429e-9db7-bdd136f736fb}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.212;85.255.112.238 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{e99eed34-e849-429e-9db7-bdd136f736fb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.212;85.255.112.238 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{f6e98b82-c9e1-4791-b73e-f56159cfd58d}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.212;85.255.112.238 -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\MSVideoPlugin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Eltern\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:48:30, on 12.11.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HomeCinema\TV Enhance\TVEService.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\S.A.D\CyberGhost VPN\CyberGhost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Hijack This\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teltarif.de/arch/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TVEService] "C:\Program Files\HomeCinema\TV Enhance\TVEService.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [CyberGhost VPN] "C:\Program Files\S.A.D\CyberGhost VPN\CGStarter.exe" /autostart
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Öffnen mit WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/707-37276-17534-25/4 (file missing)
O9 - Extra 'Tools' menuitem: eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/707-37276-17534-25/4 (file missing)
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: eBay - Der weltweite Online-Marktplatz - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/707-37276-17534-15/4 (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: eBay - {0B65DCC9-1740-43dc-B19C-4F309FB6A6CA} - http://rover.ebay.com/rover/1/707-37276-17534-15/4 (file missing) (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://download.gamedesire.com/g_bin/pl/solitaire_2_0_0_28.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CyberGhost VPN Client (CGVPNCliSrvc) - mobile concepts GmbH - C:\Program Files\S.A.D\CyberGhost VPN\CGVPNCliService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: TVEnhance Background Capture Service (TBCS) (TVECapSvc) - Unknown owner - C:\Program Files\HomeCinema\TV Enhance\Kernel\TV\TVECapSvc.exe
O23 - Service: TVEnhance Task Scheduler (TTS)) (TVESched) - Unknown owner - C:\Program Files\HomeCinema\TV Enhance\Kernel\TV\TVESched.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 9745 bytes
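As an added example (not part of this thread, and not Malwarebytes' own code), here is a small Python triage script for an MBAM 1.x log like the one in the post above. It parses the finding lines, counts them per detection family, and pulls out the publicly routable name-server addresses that the Trojan.DNSChanger entries wrote into the Tcpip\Parameters\Interfaces keys, so they can be compared with the resolver the adapter reports after cleanup (the SmitFraudFix output later in the thread shows 192.168.2.1, the home router). The sample lines are a constructed subset of the posted log; the line-format regex is an assumption derived from those lines.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x logs (added example, not MBAM code)."""
import ipaddress
import re
from collections import Counter

# Constructed sample: a subset of the finding lines from the MBAM log posted above.
SAMPLE_LOG = r"""
Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Tribute Service (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sexvid (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{e99eed34-e849-429e-9db7-bdd136f736fb}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.212;85.255.112.238 -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# One finding per line: "<object> (<family>) -> [Data: <value> -> ]<action>."
# (assumed from the lines in the posted log; section headers and counts do not match it)
FINDING_RE = re.compile(
    r"^(?P<object>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?"
    r"(?P<action>.+?)\.?$"
)

# Registry value names under Tcpip\Parameters\Interfaces\{guid} that hold resolvers.
RESOLVER_VALUES = {"NameServer", "DhcpNameServer"}


def parse_findings(text):
    """Return one dict per finding line; headers, counts and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        match = FINDING_RE.match(line.strip())
        if match:
            findings.append(match.groupdict())
    return findings


def summarize(findings):
    """Count findings per detection family, e.g. {'Trojan.DNSChanger': 3, ...}."""
    return Counter(f["family"] for f in findings)


def public_resolvers(value):
    """Split a NameServer-style value ("ip;ip" or "ip,ip") and keep publicly routable addresses.

    A home router or ISP-assigned resolver is normally a private address (or one the
    owner recognises); a DNS changer points the adapter at servers it controls instead.
    """
    servers = []
    for token in re.split(r"[;,\s]+", value.strip()):
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an address at all; ignore it
        if ip.is_global:
            servers.append(str(ip))
    return servers


def rogue_dns_servers(findings):
    """Name servers the log attributes to a DNS changer, de-duplicated and sorted."""
    servers = set()
    for f in findings:
        value_name = f["object"].rsplit("\\", 1)[-1]
        if f["data"] and value_name in RESOLVER_VALUES:
            servers.update(public_resolvers(f["data"]))
    return sorted(servers)


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    for family, n in summarize(found).most_common():
        print(f"{n:3d}  {family}")
    print("rogue resolvers:", ", ".join(rogue_dns_servers(found)) or "none")
```

`public_resolvers` can also be fed the current value of a NameServer registry entry after cleanup; an empty result means only private or unparsable entries are left, which is what the router address in the later SmitFraudFix output looks like.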
12.11.2008, 22:58
Honorary member

Posts: 6028
#4 ComboFix (by sUBs)
Download ComboFix and save it to the desktop!

Close all programs and applications with background guards; the firewall and antivirus programs must be disabled

Start combofix.exe
Follow the instructions in the window

While ComboFix is running, do NOT click in the window, otherwise your computer will freeze

When the tool is finished, a logfile opens (C:\combofix.txt)
Now copy the COMPLETE log with a right mouse click and "paste" it into the forum with a right mouse click
__________
Regards, Argus
12.11.2008, 23:24
Member

Thread starter

Posts: 32
#5 SmitFraudFix v2.375

Scan done at 23:12:08,91, 12.11.2008
Run from C:\Users\Eltern\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
::1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\autorun.inf Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller
DNS Server Search Order: 192.168.2.1



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning not selected.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

ComboFix 08-11-11.01 - Eltern 2008-11-12 23:17:47.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1031.18.2028 [GMT 1:00]
ausgeführt von:: c:\users\Eltern\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((( Dateien erstellt von 2008-10-12 bis 2008-11-12 ))))))))))))))))))))))))))))))
.

Keine neuen Dateien erstellt in diesem Zeitraum

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 22:12 4,040 ----a-w c:\windows\System32\tmp.reg
2008-11-12 22:01 --------- d-----w c:\program files\Hijack This
2008-11-12 21:01 --------- d-----w c:\users\Eltern\AppData\Roaming\Malwarebytes
2008-11-12 21:01 --------- d-----w c:\programdata\Malwarebytes
2008-11-12 21:01 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-11-12 20:58 --------- d-----w c:\programdata\Spybot - Search & Destroy
2008-11-12 18:19 29,192 ----a-w c:\windows\system32\drivers\ndisprot.sys
2008-11-11 19:43 --------- d-----w c:\program files\Vietcong2
2008-11-10 19:30 --------- d-----w c:\program files\StarMoney 5.0
2008-11-09 19:51 --------- d-----w c:\program files\Metin2_Germany
2008-11-09 15:39 --------- d-----w c:\users\Eltern\AppData\Roaming\Lavasoft
2008-11-09 15:39 --------- d-----w c:\programdata\Lavasoft
2008-11-09 15:39 --------- d-----w c:\program files\Lavasoft
2008-11-09 15:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-09 15:16 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-09 13:58 --------- d-----w c:\users\Eltern\AppData\Roaming\Skype
2008-11-09 13:57 --------- d-----w c:\users\Eltern\AppData\Roaming\skypePM
2008-11-09 13:48 --------- d-----w c:\program files\Bluetooth Remote Control
2008-11-08 16:59 --------- d-----w c:\program files\FlightGear
2008-11-08 16:56 98,304 ----a-w c:\windows\System32\CmdLineExt.dll
2008-11-08 16:44 --------- d-----w c:\users\Eltern\AppData\Roaming\flightgear.org
2008-11-08 16:38 --------- d-----w c:\program files\S.A.D
2008-11-08 16:12 361,216 ----a-w c:\windows\System32\TuneUpDefragService.exe
2008-11-08 16:10 --------- d-----w c:\program files\TuneUp Utilities 2008
2008-11-08 16:01 603,904 ----a-w c:\windows\System32\TUProgSt.exe
2008-11-08 16:00 --------- d-sh--w c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2008-11-07 11:09 --------- d-----w c:\program files\IncrediMail
2008-11-03 20:33 43,520 ----a-w c:\windows\System32\CmdLineExt03.dll
2008-11-02 17:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-30 08:16 --------- d-----w c:\users\Eltern\AppData\Roaming\vlc
2008-10-30 08:13 --------- d-----w c:\program files\VideoLAN
2008-10-26 12:58 --------- d-----w c:\users\Eltern\AppData\Roaming\GanymedeNet
2008-10-26 12:49 --------- d-----w c:\users\Eltern\AppData\Roaming\Vso
2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-22 12:14 --------- d-----r c:\users\Eltern\AppData\Roaming\Brother
2008-10-21 06:52 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-19 02:11 --------- d-----w c:\program files\Call of Duty
2008-10-17 11:22 --------- d-----w c:\program files\Windows Mail
2008-10-17 06:37 --------- d-----w c:\programdata\Microsoft Help
2008-10-11 14:18 --------- d-----w c:\users\Eltern\AppData\Roaming\Zylom
2008-10-11 14:18 --------- d-----w c:\programdata\Zylom
2008-10-11 14:18 --------- d-----w c:\program files\Zylom Games
2008-10-10 06:58 82,944 ----a-w c:\windows\System32\o4Patch.exe
2008-10-10 06:58 82,944 ----a-w c:\windows\System32\IEDFix.C.exe
2008-10-07 12:19 --------- d-----w c:\program files\ICQ6
2008-10-04 16:56 --------- d-----w c:\program files\Screamer Radio
2008-10-02 03:49 827,392 ----a-w c:\windows\System32\wininet.dll
2008-10-01 13:51 87,552 ----a-w c:\windows\System32\VACFix.exe
2008-09-30 17:17 --------- d-----w c:\program files\NickOnline
2008-09-26 15:25 --------- d-----w c:\program files\Brother
2008-09-26 15:24 --------- d-----w c:\users\Eltern\AppData\Roaming\InstallShield
2008-09-26 15:24 --------- d-----w c:\program files\Nuance
2008-09-26 15:23 --------- d-----w c:\programdata\ScanSoft
2008-09-26 15:23 --------- d-----w c:\programdata\InstallShield
2008-09-26 15:23 --------- d-----w c:\program files\ScanSoft
2008-09-26 15:23 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-09-26 15:23 --------- d-----w c:\program files\Common Files\InstallShield
2008-09-26 15:22 --------- d-----w c:\programdata\Brother
2008-09-26 14:20 --------- d-----w c:\program files\Xvid
2008-09-26 11:51 --------- d-----w c:\users\Eltern\AppData\Roaming\ICQ
2008-09-24 12:49 --------- d-----w c:\programdata\DVD Shrink
2008-09-21 18:35 --------- d-----w c:\programdata\DAEMON Tools Pro
2008-09-21 18:21 --------- d-----w c:\users\Eltern\AppData\Roaming\DAEMON Tools Pro
2008-09-21 18:18 716,272 ----a-w c:\windows\system32\drivers\sptd.sys
2008-09-19 18:24 3,350 --sha-w c:\windows\System32\KGyGaAvL.sys
2008-09-19 17:47 --------- d-----w c:\program files\Pinnacle
2008-09-19 17:30 --------- d-----w c:\users\Eltern\AppData\Roaming\Winamp
2008-09-19 17:29 --------- d-----w c:\programdata\Winamp Toolbar
2008-09-19 17:29 --------- d-----w c:\program files\Winamp Toolbar
2008-09-19 17:29 --------- d-----w c:\program files\Winamp
2008-09-19 16:52 --------- d-----w c:\programdata\Pinnacle
2008-09-18 05:09 3,601,464 ----a-w c:\windows\System32\ntkrnlpa.exe
2008-09-18 05:09 3,549,240 ----a-w c:\windows\System32\ntoskrnl.exe
2008-09-18 04:56 147,456 ----a-w c:\windows\System32\Faultrep.dll
2008-09-18 04:56 125,952 ----a-w c:\windows\System32\wersvc.dll
2008-09-18 02:16 2,032,640 ----a-w c:\windows\System32\win32k.sys
2008-09-04 16:51 107,832 ----a-w c:\windows\System32\PnkBstrB.exe
2008-09-04 16:50 66,872 ----a-w c:\windows\System32\PnkBstrA.exe
2008-08-18 10:19 82,432 ----a-w c:\windows\System32\404Fix.exe
2008-08-12 03:39 443,392 ----a-w c:\windows\System32\win32spl.dll
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"Magentic"="c:\progra~1\Magentic\bin\Magentic.exe" [2008-08-04 488808]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2008-10-28 243072]
"CyberGhost VPN"="c:\program files\S.A.D\CyberGhost VPN\CGStarter.exe" [2008-02-25 1772544]
"CCleaner"="c:\program files\CCleaner\CCleaner.exe" [2008-09-29 1279216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TVEService"="c:\program files\HomeCinema\TV Enhance\TVEService.exe" [2007-10-19 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13543968]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-06-09 92704]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-01-26 65536]
"RtHDVCpl"="RtHDVCpl.exe" [2008-03-26 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "c:\programdata\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-45819548-2476857198-394434232-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{AB838261-F26A-4C9B-8954-DE6CFFE184C1}"= c:\program files\HomeCinema\MakeDisc\MakeDisc.exe:CyberLink MakeDisc
"{F42E5E88-7168-472F-841E-B2445ABAEC6A}"= c:\program files\HomeCinema\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
"{69592730-DAB1-44F5-B850-6559A1BD668B}"= c:\program files\HomeCinema\TV Enhance\TVEnhance.exe:CyberLink TVEnhance
"{CE74335E-9E88-46D6-92AC-CEE66361DF13}"= c:\program files\HomeCinema\TV Enhance\TVEService.exe:CyberLink TVEnhance Resident Program
"{DFF085F8-8A96-4327-8B52-4EF94DBE5F36}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{CC153BC7-98C8-445C-BE9B-8E2D680B3F85}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{A3855C00-2113-4B9F-88D0-C188DCFB7A49}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{DE82886E-DF1F-4D4E-A9E3-963D5B7F109A}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{933A0760-C4D1-4B0A-8824-01084549C7CE}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{676D5090-A635-4016-872F-D2C4B44FD192}c:\\program files\\call of duty 2\\cod2mp_s.exe"= UDP:c:\program files\call of duty 2\cod2mp_s.exe:CoD2MP_s
"UDP Query User{18569709-DCF8-427A-98A9-F9D073802C13}c:\\program files\\call of duty 2\\cod2mp_s.exe"= TCP:c:\program files\call of duty 2\cod2mp_s.exe:CoD2MP_s
"{5AEBF5F7-9022-4EC7-980D-B66C25B99588}"= UDP:c:\program files\Firefly Studios\Stronghold Legends\StrongholdLegends.exe:Stronghold Legends
"{ADC716E6-77EE-4A4A-94E4-1F00E0463353}"= TCP:c:\program files\Firefly Studios\Stronghold Legends\StrongholdLegends.exe:Stronghold Legends
"TCP Query User{B27DE202-4458-47FE-94F0-1F9DA0796D40}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{A01B4330-76A4-46E3-B4DC-9B77C100AEA8}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{FBFFEAFA-44B6-4BDE-B833-D21F86FEA566}"= Disabled:UDP:c:\program files\Magentic\bin\MgImp.exe:Magentic
"{E0A91B82-79BD-449E-BBE6-22CC59AD7AD0}"= Disabled:TCP:c:\program files\Magentic\bin\MgImp.exe:Magentic
"{D54FF9BD-CF2C-4905-9CE2-5F3B35E5FC03}"= UDP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
"{02496A20-B0FE-47FE-A33A-E22874DA268E}"= TCP:c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe:BlueSoleilCS
"TCP Query User{0BA4C141-B1BD-4F5E-91E1-7DBDD4E86827}c:\\program files\\common files\\nero\\nero web\\setupx.exe"= UDP:c:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"UDP Query User{3F004AE4-C372-4E86-B584-E7C5099749B6}c:\\program files\\common files\\nero\\nero web\\setupx.exe"= TCP:c:\program files\common files\nero\nero web\setupx.exe:Nero Installer
"TCP Query User{185EFB05-7753-4B9D-839A-2A09D0B8F0C6}c:\\users\\eltern\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= UDP:c:\users\eltern\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
"UDP Query User{C232A0C3-B994-4917-A0B9-B8F83F5D4D4B}c:\\users\\eltern\\appdata\\local\\temp\\onlineupdate8\\setupxu.exe"= TCP:c:\users\eltern\appdata\local\temp\onlineupdate8\setupxu.exe:setupxu.exe
"TCP Query User{901DCB84-5E53-4DE7-A7DC-BF543734234D}c:\\windows\\system32\\dplaysvr.exe"= UDP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay-Helfer
"UDP Query User{12AECBB2-F595-49C2-AFC0-4E0D54EF8C40}c:\\windows\\system32\\dplaysvr.exe"= TCP:c:\windows\system32\dplaysvr.exe:Microsoft DirectPlay-Helfer
"TCP Query User{BCE67987-F559-4E17-89F7-4A9865A6CBA5}c:\\program files\\firefly studios\\stronghold crusader\\stronghold_crusader_extreme.exe"= UDP:c:\program files\firefly studios\stronghold crusader\stronghold_crusader_extreme.exe:Stronghold Crusader
"UDP Query User{936A13A8-6347-447A-A6EF-481A910E2C97}c:\\program files\\firefly studios\\stronghold crusader\\stronghold_crusader_extreme.exe"= TCP:c:\program files\firefly studios\stronghold crusader\stronghold_crusader_extreme.exe:Stronghold Crusader
"TCP Query User{99A6A954-9D43-4A0B-A4D2-26A1E21403B9}c:\\vietcong\\vietcong.exe"= UDP:c:\vietcong\vietcong.exe:vietcong
"UDP Query User{1602DFFC-CFA4-4DC1-A86D-8926EBA5996A}c:\\vietcong\\vietcong.exe"= TCP:c:\vietcong\vietcong.exe:vietcong
"{AA0FF87F-DB32-421E-BD97-10F932FBE14E}"= UDP:c:\program files\Firefly Studios\Stronghold 2\Stronghold2.exe:Stronghold 2
"{615782B2-7E66-496A-9A9E-50F8B8ACE36D}"= TCP:c:\program files\Firefly Studios\Stronghold 2\Stronghold2.exe:Stronghold 2
"{92E3DD09-72D2-4735-A634-379E77DA8324}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{1D52194C-83D7-48D5-B11F-A31BC636150C}c:\\program files\\firefly studios\\stronghold crusader\\stronghold crusader.exe"= UDP:c:\program files\firefly studios\stronghold crusader\stronghold crusader.exe:Stronghold Crusader
"UDP Query User{711EA9DB-3176-4C82-ABA3-00063B80C6A1}c:\\program files\\firefly studios\\stronghold crusader\\stronghold crusader.exe"= TCP:c:\program files\firefly studios\stronghold crusader\stronghold crusader.exe:Stronghold Crusader
"TCP Query User{95FC0B56-F779-4ECB-BFAA-40F14E20CF1F}c:\\program files\\vietcong2\\vietcong2.exe"= UDP:c:\program files\vietcong2\vietcong2.exe:vietcong2
"UDP Query User{2015786A-31D1-4F9C-BC81-4D6D577091A1}c:\\program files\\vietcong2\\vietcong2.exe"= TCP:c:\program files\vietcong2\vietcong2.exe:vietcong2
"{BD951D3F-A4BF-4AC1-825F-92EE62F4B62E}"= UDP:c:\program files\NAVIGON\NAVIGON fresh\fresh.exe:NAVIGON fresh
"{E6DFC14B-95C4-42E4-85FE-7A744E759B17}"= TCP:c:\program files\NAVIGON\NAVIGON fresh\fresh.exe:NAVIGON fresh
"TCP Query User{C92DDDB8-9D6D-46C6-B7DF-0BA52068B39F}c:\\program files\\metin2_germany\\metin2.bin"= UDP:c:\program files\metin2_germany\metin2.bin:metin2
"UDP Query User{1426DDA7-E922-4EE2-9B80-26D54FCC3DAE}c:\\program files\\metin2_germany\\metin2.bin"= TCP:c:\program files\metin2_germany\metin2.bin:metin2
"{408D5E6B-85C3-49A3-9E53-774CF57B1614}"= Disabled:UDP:c:\users\Eltern\AppData\Local\Temp\Rar$EX02.837\IncrediMail.Xe.Premium v.5.8.5.3823 Incl.JunkFilterPlus\Cracked Files\IncMail.exe:IncrediMail
"{5D543503-0C80-49DA-8322-6B06B5EFED92}"= Disabled:TCP:c:\users\Eltern\AppData\Local\Temp\Rar$EX02.837\IncrediMail.Xe.Premium v.5.8.5.3823 Incl.JunkFilterPlus\Cracked Files\IncMail.exe:IncrediMail
"{CAD09BEF-1359-443C-9B5A-5B0A08AB7866}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"{C478A5D1-ABC6-4514-A218-D97B743B499E}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImpCnt.exe:IncrediMail
"TCP Query User{F0FD22D4-8233-4B9A-BDE2-3DCDD91C4CF9}c:\\program files\\flightgear\\bin\\win32\\fgfs.exe"= UDP:c:\program files\flightgear\bin\win32\fgfs.exe:fgfs
"UDP Query User{923E1751-9326-40BD-BFA8-F8E5864E72A9}c:\\program files\\flightgear\\bin\\win32\\fgfs.exe"= TCP:c:\program files\flightgear\bin\win32\fgfs.exe:fgfs
"TCP Query User{263445F3-0439-4F9E-8678-F72C91D488E9}c:\\program files\\metin2_germany\\metin2.bin"= UDP:c:\program files\metin2_germany\metin2.bin:metin2
"UDP Query User{8F45558B-328F-4CDC-9309-B6E226C683C7}c:\\program files\\metin2_germany\\metin2.bin"= TCP:c:\program files\metin2_germany\metin2.bin:metin2
"{937204E9-77D4-405E-A86F-C6E57B35C3C5}"= UDP:c:\program files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe:Ad-Aware SE Personal
"{1C8933B3-57E9-4EF5-ACEE-37AF70C1C5D6}"= TCP:c:\program files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe:Ad-Aware SE Personal
"{CBC0CBAE-6579-4747-8FB4-6636876E8442}"= Disabled:UDP:c:\program files\Magentic\bin\Magentic.exe:Magentic
"{FED46B1A-C499-4419-9FC4-C4B3C6568984}"= Disabled:TCP:c:\program files\Magentic\bin\Magentic.exe:Magentic
"{9D45CFE0-E073-441E-9B59-41E1ECCBD38E}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{5EE4490C-D94B-4B87-B94B-264DEFD495DE}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{2887FF92-3860-4324-8CD1-41A85FDF2D34}"= Disabled:UDP:c:\program files\Magentic\bin\MgApp.exe:Magentic
"{FFD0B512-C5AC-4102-83A7-4B5C5D87E542}"= Disabled:TCP:c:\program files\Magentic\bin\MgApp.exe:Magentic
"{B983A27C-4DC9-4B7D-8C63-ECA2F24CC392}"= UDP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{8A39CD82-1BD7-429C-98F9-B9141B1DDB78}"= TCP:c:\program files\Lavasoft\Ad-Aware\Ad-Aware.exe:Ad-Aware
"{88E44B96-443A-4831-864C-51DE7510BC11}"= UDP:c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe:Ad-Watch
"{D639E9BA-81B4-4387-BD07-D3DDCDEF7479}"= TCP:c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe:Ad-Watch
"{CEB1ED6B-9FF1-4973-B608-9A469EC2552D}"= Disabled:UDP:c:\program files\Magentic\bin\Magentic.exe:Magentic
"{50DAD024-68D3-4E0D-BAB3-D51D5B80433A}"= Disabled:TCP:c:\program files\Magentic\bin\Magentic.exe:Magentic
"{F685E65F-2351-41EC-8EE2-A14F4417F83E}"= Disabled:UDP:c:\program files\Magentic\bin\MgApp.exe:Magentic
"{CF0EDFBB-EEDC-4EC2-A8AF-B1F2424B3D29}"= Disabled:TCP:c:\program files\Magentic\bin\MgApp.exe:Magentic
"{87D7754E-1D9A-4362-9914-0767D35A1B9E}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{4B420CD2-EAF5-42D9-A446-19A4A15870FE}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{28C9A530-8A71-4636-AC68-4F51D8EFC663}"= Disabled:UDP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{CDA61B50-26AB-4F6A-8F75-7D1DDB96EC90}"= Disabled:TCP:c:\program files\IncrediMail\bin\ImApp.exe:IncrediMail
"{12F24C95-2103-4CB1-9C6C-CCCC0612CFFF}"= Disabled:UDP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail
"{0C31F139-F5BB-4613-851D-88069814CF68}"= Disabled:TCP:c:\program files\IncrediMail\bin\IncMail.exe:IncrediMail

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 AFS;AFS;c:\windows\system32\drivers\AFS.sys [2008-08-20 77004]
R2 CGVPNCliSrvc;CyberGhost VPN Client;c:\program files\S.A.D\CyberGhost VPN\CGVPNCliService.exe [2008-07-30 1940992]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-14 809296]
R2 TVECapSvc;TVEnhance Background Capture Service (TBCS);c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVECapSvc.exe [2007-10-19 290909]
R2 TVESched;TVEnhance Task Scheduler (TTS));c:\program files\HomeCinema\TV Enhance\Kernel\TV\TVESched.exe [2007-10-19 114779]
R3 PhilCap;Pinnacle PCTV service;c:\windows\system32\DRIVERS\PhilCap.sys [2007-07-30 908832]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\DRIVERS\tap0901.sys [2008-01-30 25216]
R3 X10Hid;X10 Hid Device;c:\windows\system32\Drivers\x10hid.sys [2006-11-17 13976]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\Ndisprot.sys [2008-11-12 29192]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-01-11 36384]
S3 TuneUp.Defrag;TuneUp Drive Defrag-Dienst;c:\windows\System32\TuneUpDefragService.exe [2008-11-08 361216]
S4 ErrDev;Microsoft Hardware Error Device Driver;c:\windows\system32\drivers\errdev.sys [2008-01-21 6656]
S4 MegaSR;MegaSR;c:\windows\system32\drivers\megasr.sys [2008-01-21 386616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL l:\resycled\boot.com l:
\shell\Open\command - l:\resycled\boot.com l:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34d84846-6d00-11dd-89a2-806e6f6e6963}]
\shell\AutoRun\command - I:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78090c50-6b85-11dd-b5c7-002185191f77}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL f:\resycled\boot.com f:
\shell\Open\command - f:\resycled\boot.com f:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9de64ec9-6b76-11dd-bbc5-806e6f6e6963}]
\shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners

2008-11-12 c:\windows\Tasks\User_Feed_Synchronization-{D280CC1C-E5DF-40F1-995F-BE803187E58C}.job
- c:\windows\system32\msfeedssync.exe [2008-01-21 03:24]
.
.
------- Zusätzlicher Suchlauf -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.teltarif.de/arch/
O8 -: Nach Microsoft E&xel exportieren - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 -: Öffnen mit WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 23:18:58
Windows 6.0.6001 Service Pack 1 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-11-12 23:20:01
ComboFix-quarantined-files.txt 2008-11-12 22:19:59

Vor Suchlauf: Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
Nach Suchlauf: 17 Verzeichnis(se), 464,950,681,600 Bytes frei

263 --- E O F --- 2008-11-07 06:52:39
13.11.2008, 00:02
Honorary Member
Argus

Posts: 6028
#6 Remove ComboFix
Start > Run > paste in: ComboFix /U > OK

Use CCleaner and clean the registry
__________
Regards, Argus
13.11.2008, 15:52
Member
Thread starter

Posts: 32
#7 Hi folks,

I don't know how to thank you, but you've saved my ass once again.

Thanks again!