Wieder mal Browser öffnet sich von selbst..:-/

#1 Hallo zusammen,

ich habe mir wohl irgend eine art von Malware eingefangen die folgendes erzeugt:
- öffnen des Default Browsers mit unsinnigen Seiten
- Deaktivieren der "automatischen Windows Updates"
- Bei den Interneteinstellungen immer wieder auf "alle Cookies akzeptieren" zurück gesetzt

Ich habe hier alle Anleitungen (hoffentlich) gelesen und auch ausgeführt.

Zum Schluss habe ich noch combofix drüber laufen lassen. Bin aber immer noch unsicher, ob ich nun "Sauber" bin. Von daher poste ich nun nochmals mein Hijack Log....

hoffe ich habe nichts übersehen...

Lg,
Maria

_______________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:49, on 03.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\flcss.exe
C:\Programme\QuickTime\qttask.exe
D:\v3i\pck2\P2kAutostart.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\Programme\AVG\AVG8\avgrsx.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\opnnmKCr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F-Secure Anti-FunLove] C:\WINDOWS\system32\flcss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [P2kAutostart] D:\v3i\pck2\P2kAutostart.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=-
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Programme\Xilisoft\YouTube Video Converter\upod_link.HTM
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save Flash - res://C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: SWF Capture tool - C:\Programme\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B019AEE-7A08-45C8-B8A5-BA8F72C8778B}: NameServer = 192.168.2.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll bebhum.dll
O20 - Winlogon Notify: opnnmKCr - C:\WINDOWS\SYSTEM32\opnnmKCr.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 7505 bytes

#2 Hallo MariaKim,

Arbeite bitte noch die Punkte 2-4 aus http://board.protecus.de/t23188.htm ab und pooste die Ergebnisse dazu
__________
MfG Ralf
SEO-Spam Hunter

#3 Upss,
ja hab die Logs vergessen :-)

also:
MALWARE SAGT:
============
Malwarebytes' Anti-Malware 1.30
Datenbank Version: 1454
Windows 5.1.2600 Service Pack 3

03.12.2008 13:11:14
mbam-log-2008-12-03 (13-11-14).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 49358
Laufzeit: 2 minute(s), 52 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

===============================
COMBOFIX sagt:

ComboFix 08-12-01.03 - Maria 2008-12-03 13:12:05.3 - [color=red]FAT32[/color]x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.694 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\Maria\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lTAHknmp.ini
c:\windows\system32\lTAHknmp.ini2

.
((((((((((((((((((((((( Dateien erstellt von 2008-11-03 bis 2008-12-03 ))))))))))))))))))))))))))))))
.

2009-11-06 17:27 . 2009-11-06 17:27 <DIR> d-------- c:\windows\system32\AGEIA
2009-11-06 17:27 . 2009-11-06 17:27 <DIR> d-------- c:\programme\AGEIA Technologies
2009-11-06 17:26 . 2009-11-06 17:26 <DIR> d-------- c:\windows\nview
2009-11-06 17:26 . 2009-11-06 17:26 <DIR> d-------- C:\NVIDIA
2009-11-06 17:26 . 2008-10-07 13:33 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-11-06 17:26 . 2008-12-02 15:50 200,819 --a------ c:\windows\system32\nvapps.xm~
2009-11-06 17:26 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2009-11-06 17:26 . 2008-12-03 13:16 104 --a------ c:\windows\system32\nvapps.xml
2008-12-03 12:07 . 2008-12-03 12:07 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2008-12-03 12:07 . 2008-12-03 12:07 <DIR> d-------- c:\dokumente und einstellungen\Maria\Anwendungsdaten\Malwarebytes
2008-12-03 12:07 . 2008-12-03 12:07 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-12-03 12:07 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 12:07 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-03 11:19 . 2008-12-03 11:19 <DIR> d-------- c:\programme\Trend Micro
2008-12-03 11:07 . 2008-12-03 11:07 <DIR> d-------- C:\VundoFix Backups
2008-12-03 10:39 . 2008-12-03 10:39 <DIR> d-------- c:\programme\CCleaner
2008-12-02 17:46 . 2008-12-02 17:46 7 --a------ c:\windows\system32\mwavscan.com
2008-12-02 15:55 . 2008-12-02 15:55 6,627,328 --a------ c:\windows\system32\MNXGAFGOP
2008-12-02 15:53 . 2008-12-02 15:54 <DIR> d-------- C:\rr
2008-12-02 15:48 . 2001-06-29 19:40 29,696 --a------ c:\windows\system32\flcss.exe
2008-12-02 13:04 . 2008-12-02 13:04 282,634 --a------ c:\windows\system32\dwwnw64r.ex~
2008-12-02 13:04 . 2008-12-02 13:04 171 --a------ c:\windows\system32\msnav32.a~
2008-11-12 04:41 . 2008-10-24 12:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 04:40 . 2008-09-04 18:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-03 10:55 . 2008-11-03 10:55 <DIR> d-------- c:\programme\Roland

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 16:27 --------- d-----w c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-10-31 09:35 --------- d-----w c:\programme\SAMSUNG
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 10:00 --------- d-----w c:\dokumente und einstellungen\Maria\Anwendungsdaten\LEAPS
2008-10-24 09:58 --------- d-----w c:\dokumente und einstellungen\Maria\Anwendungsdaten\Pegasys Inc
2008-10-24 09:53 59,488 ----a-w c:\windows\system32\GenSvcInst.exe
2008-10-24 09:53 33,408 ----a-w c:\windows\system32\drivers\CDRBSDRV.SYS
2008-10-24 09:53 145,504 ----a-w c:\windows\system32\bgsvcgen.exe
2008-10-24 09:53 --------- d-----w c:\programme\Pegasys Inc
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 17:35 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 13:25 --------- d-----w c:\dokumente und einstellungen\Maria\Anwendungsdaten\Broken Sword 2.5
2008-10-15 13:01 --------- d-----w c:\programme\Broken Sword 2.5
2008-10-07 09:12 --------- d-----w c:\dokumente und einstellungen\Maria\Anwendungsdaten\Yahoo!
2008-10-07 09:12 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Yahoo! Companion
2008-10-06 10:20 --------- d-----w c:\programme\Yahoo!
2008-10-06 10:20 --------- d-----w c:\dokumente und einstellungen\All Users\Anwendungsdaten\Yahoo!
2008-10-03 17:58 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-10-02 09:07 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-09-30 15:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 16:24 1,846,528 ----a-w c:\windows\system32\win32k.sys
2008-09-15 16:24 1,846,528 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:13 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:13 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 11:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-09-04 08:31 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2007-01-19 14:43 5,120 --sha-w c:\programme\Thumbs.db
2006-07-18 14:04 1,252,018 ----a-w c:\programme\index0.jpg
2004-10-16 11:38 299,008 ----a-w c:\dokumente und einstellungen\Maria\Anwendungsdaten\DESINSTALADOR_AVCINEEDSP.exe
2008-06-03 11:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\MSHist012008060320080604\index.dat
.

(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="d:\v3i\pck2\P2kAutostart.exe" [2005-11-01 24064]
"H/PC Connection Agent"="c:\programme\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"F-Secure Anti-FunLove"="c:\windows\system32\flcss.exe" [2001-06-29 29696]
"QuickTime Task"="c:\programme\QuickTime\qttask.exe" [2008-05-27 413696]
"SoundMan"="SOUNDMAN.EXE" [2005-09-22 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=bebhum.dll,wyxlfo.dll

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Adobe Reader Speed Launch.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Audible Download Manager.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^GetRight - Tray Icon.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\GetRight - Tray Icon.lnk
backup=c:\windows\pss\GetRight - Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^All Users^Startmenü^Programme^Autostart^Microsoft Office.lnk]
path=c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Dokumente und Einstellungen^Maria^Startmenü^Programme^Autostart^DW_Start.lnk]
path=c:\dokumente und einstellungen\Maria\Startmenü\Programme\Autostart\DW_Start.lnk
backup=c:\windows\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\programme\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
--a------ 2005-09-29 16:07 114688 c:\programme\Acer\Acer eMode Management\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-06-27 19:03 152872 c:\programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boss Key]
--a------ 2001-07-18 20:17 283136 c:\programme\Boss Key\BOSSKEY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EfreeSoft Boss Key]
--a------ 2005-08-03 16:03 261632 c:\programme\Mgboss\mgboss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2005-10-31 16:21 393216 c:\acer\Empowering Technology\eRecovery\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:50 1289000 c:\programme\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
--a------ 2006-07-11 11:15 3144800 c:\programme\ICQLite\ICQLite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
--a------ 2005-09-21 13:48 425984 c:\programme\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-09-19 17:34 4347120 c:\programme\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:55 5674352 c:\programme\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 05:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name of App]
--a------ 2008-07-07 13:12 675935 c:\programme\SAMSUNG\FW LiveUpdate\FWManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
--a------ 2005-05-11 18:15 45056 c:\programme\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Personal ID]
--a------ 2008-03-20 12:47 1440256 c:\coolsp~1\PERSON~1\pid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 05:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 05:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 14:23 200704 c:\programme\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\programme\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 20:24 32768 c:\programme\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 13:03 36975 c:\programme\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-10-07 13:33 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Acer Media Server"=2 (0x2)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"ATI Smart"=2 (0x2)
"iPodService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"winvnc"=2 (0x2)
"usnjsvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"LtcyCfgSvc"=2 (0x2)
"bgsvcgen"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programme\\ABC\\ABC.exe"=
"c:\\Programme\\AntiVir PersonalEdition Classic\\avcenter.exe"=
"c:\\Programme\\eMule\\emule.exe"=
"c:\\Programme\\Google\\Google Earth\\googleearth.exe"=
"c:\\Programme\\ICQLite\\ICQLite.exe"=
"c:\\Programme\\Mozilla Firefox\\firefox.exe"=
"c:\\Programme\\Trillian\\trillian.exe"=
"c:\\Programme\\Microsoft ActiveSync\\rapimgr.exe"=
"c:\\Programme\\mIRC\\mirc.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Programme\\Acer\\Acer eConsole\\eConsole.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"c:\\Programme\\Adobe\\Adobe Flash CS3\\Flash.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R1 atitray;atitray;\??\c:\programme\Radeon Omega Drivers\v3.8.291\ATI Tray Tools\atitray.sys [2005-11-14 13952]
R3 LtcyCfgWDM;PCI Latency Tool Driver Service;c:\windows\system32\DRIVERS\LtcyCfgWDM.sys [2005-12-26 6656]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3A0.tmp []
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-06-13 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-06-13 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-06-13 42112]
S3 zlportio;zlportio;\??\c:\dokumente und einstellungen\Maria\Desktop\ustar\zlportio.sys []
S4 LtcyCfgSvc;PCI Latency Tool Service;c:\programme\PCI Latency Tool 3\LtcyCfgSvc.exe [2005-12-26 5120]
S4 ORWVWEQB;ORWVWEQB;c:\dokume~1\Maria\LOKALE~1\Temp\ORWVWEQB.exe []
S4 XJF;XJF;c:\dokume~1\Maria\LOKALE~1\Temp\XJF.exe []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{99509135-d787-11db-b2f5-8000600fe800}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -

BHO-{2D17CE7F-3C39-4F50-B498-044616F90584} - c:\windows\system32\pmnkHATl.dll


.
------- Zusätzlicher Suchlauf -------
.
FireFox -: Profile - c:\dokumente und einstellungen\Maria\Anwendungsdaten\Mozilla\Firefox\Profiles\yxl0h9y6.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://de.search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJava11.dll
FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJava12.dll
FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJava13.dll
FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJava14.dll
FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJava32.dll
FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF -: plugin - c:\programme\Java\jre1.5.0_06\bin\NPOJI610.dll
FF -: plugin - c:\programme\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 13:16:00
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3A0.tmp"
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\programme\ANTIVIR PERSONALEDITION CLASSIC\AVGUARD.EXE
c:\programme\ANTIVIR PERSONALEDITION CLASSIC\SCHED.EXE
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-12-03 13:18:32 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2008-12-03 12:18:32
ComboFix3.txt 2008-01-16 12:38:08
ComboFix2.txt 2008-12-03 10:06:04

Vor Suchlauf: 34 Verzeichnis(se), 61.684.678.656 Bytes frei
Nach Suchlauf: 34 Verzeichnis(se), 61,678,682,112 Bytes frei

266 --- E O F --- 2008-11-13 02:02:53
=========================================================
HIJACKTHIS SAGT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:21, on 03.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\flcss.exe
C:\Programme\QuickTime\qttask.exe
D:\v3i\pck2\P2kAutostart.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [F-Secure Anti-FunLove] C:\WINDOWS\system32\flcss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [P2kAutostart] D:\v3i\pck2\P2kAutostart.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=-
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Programme\Xilisoft\YouTube Video Converter\upod_link.HTM
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save Flash - res://C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: SWF Capture tool - C:\Programme\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B019AEE-7A08-45C8-B8A5-BA8F72C8778B}: NameServer = 192.168.2.1
O20 - AppInit_DLLs: bebhum.dll,wyxlfo.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 6904 bytes

#4 Hake bitte folgendes bei Hijackthis an und druecke fix checked:

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [F-Secure Anti-FunLove] C:\WINDOWS\system32\flcss.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

Starte neu und schaue, ob obige Eintraege nun verschwunden sind.

Mache bitte einen Scan mit Gmer:
http://forum.hijackthis.de/showthread.php?t=16868
__________
MfG Ralf
SEO-Spam Hunter

#5 Hallo,

anbei das neue Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:23:10, on 05.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\v3i\pck2\P2kAutostart.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\explorer.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [P2kAutostart] D:\v3i\pck2\P2kAutostart.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=-
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Programme\Xilisoft\YouTube Video Converter\upod_link.HTM
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save Flash - res://C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: SWF Capture tool - C:\Programme\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B019AEE-7A08-45C8-B8A5-BA8F72C8778B}: NameServer = 192.168.2.1
O20 - AppInit_DLLs: bebhum.dll,wyxlfo.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 5980 bytes

#6 Entschuldige, du muss diesen Eintrag auch "fixen" ud kontrollieren, ob er nach neustart noch vorhanden ist
O20 - AppInit_DLLs: bebhum.dll,wyxlfo.dll

Was ist mit dem Gmer report?
__________
MfG Ralf
SEO-Spam Hunter

#7 Hier mal das neue Log nach Reboot:

HijackThis:
========
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:45:14, on 05.12.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\v3i\pck2\P2kAutostart.exe
C:\Programme\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [P2kAutostart] D:\v3i\pck2\P2kAutostart.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programme\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=-
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with Xilisoft YouTube Video Converter - C:\Programme\Xilisoft\YouTube Video Converter\upod_link.HTM
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O8 - Extra context menu item: Save Flash - res://C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: SWF Capture tool - C:\Programme\Eltima Software\Flash Decompiler\iebt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Programme\Bonjour\ExplorerPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Programme\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Programme\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B019AEE-7A08-45C8-B8A5-BA8F72C8778B}: NameServer = 192.168.2.1
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 5859 bytes


und das hat Gmer ausgespuckt:

Gmer
======

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-05 13:49:16
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT F7D1564C ZwCreateThread
SSDT F7D15638 ZwOpenProcess
SSDT F7D1563D ZwOpenThread
SSDT F7D15647 ZwTerminateProcess
SSDT F7D15642 ZwWriteVirtualMemory

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C70361A2-BAA3-1CEC-7230-4D433813EF4C}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C70361A2-BAA3-1CEC-7230-4D433813EF4C}@paanddjanmnhafelhfgkkkmllbghfihg 0x61 0x62 0x62 0x6C ...

---- EOF - GMER 1.0.14 ----

#8 Hm, dann fix noch das:
O8 - Extra context menu item: &Search - http://speedbar.myway.com/menusearch.html?p=-

Dann bitte Mbam aktualisieren, neu scannen, falls es etwas findet, bitte melden, sowie bitte ein neues Combofix Log.

Mache auch einen Kontrollscan mit F-secure:
http://support.f-secure.de/ger/home/ols.shtml
__________
MfG Ralf
SEO-Spam Hunter