bitte dringend :weil ich ein richtig heftiges ding drauf habe!!!

#1 Hilft mir bitte !!! ich hab so ein ding names VirusRemover2008 drauf was ganzezeit will das ich es kaufe und das verlangsamt mein pc sehr!!! ich hab schon versucht mit malewarebytes und dan combofix leider kamm das ding nach 1-3tagen wieder !!!! bitte hilfe =(

#2 Ist es möglich die Daten von MBAM,Combofix und Hijack This zu posten?
__________
MfG Argus

#3 ne sry leider net ich find die datein net

#4 Dan scanne nochmal mit MBAM(zuerst updaten)und poste das log
__________
MfG Argus

#5 Malwarebytes' Anti-Malware 1.32
Datenbank Version: 1645
Windows 5.1.2600 Service Pack 1

14.01.2009 14:42:24
mbam-log-2009-01-14 (14-42-24).txt

Scan-Methode: Vollständiger Scan (A:\|C:\|D:\|)
Durchsuchte Objekte: 167199
Laufzeit: 1 hour(s), 9 minute(s), 49 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 4
Infizierte Registrierungsschlüssel: 33
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 7
Infizierte Verzeichnisse: 4
Infizierte Dateien: 33

Infizierte Speicherprozesse:
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\Twain\Twain.exe (Trojan.Agent) -> Unloaded process successfully.

Infizierte Speichermodule:
C:\WINDOWS\system32\jkkKdbYP.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\walgbogd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tqhasn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vtUonoPj.dll (Trojan.Vundo) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68d775b6-b694-409f-9d41-31b3e800bd06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{68d775b6-b694-409f-9d41-31b3e800bd06} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8f619dd8-0654-4ce2-b224-bec69a49eef1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8f619dd8-0654-4ce2-b224-bec69a49eef1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\bho_cpv.workhorse (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_cpv.workhorse.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vtuonopj (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BHO_MyJavaCore.DLL (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fce52b27 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\twain (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jkkkdbyp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jkkkdbyp -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\VirusRemover2008 (Rogue.VirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\VirusRemover2008\Logs (Rogue.VirusRemover) -> Quarantined and deleted successfully.
C:\Programme\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\WINDOWS\system32\tqhasn.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jkkKdbYP.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\PYbdKkkj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PYbdKkkj.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\walgbogd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dgobglaw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUonoPj.dll (Trojan.Vundo) -> Delete on reboot.
C:\Programme\Mjcore\Mjcore.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Programme\WebShow\WebShow.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Programme\Mozilla Firefox\components\srff.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\fytdfbia.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Lokale Einstellungen\Temp\msroenxawc.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Lokale Einstellungen\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Lokale Einstellungen\Temp\__26.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Lokale Einstellungen\Temp\__27.tmp (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\speedrunner\SRUninstall.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\VirusRemover2008\Logs\scns.log (Rogue.VirusRemover) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Desktop\VirusRemover2008.lnk (Rogue.VirusRemove) -> Quarantined and deleted successfully.
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk (Rogue.VirusRemove) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekafjyjtadt.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekahwebosbm.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\Twain\Twain.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\Temp\mousehook.dll (Trojan.FakeAlert) -> Delete on reboot.

#6 Update MBAM und scanne nochmal

ComboFix(by sUBs)
Download ComboFix und speichert es auf den Desktop!
Schliesse alle Programme und Anwendungen mit Hintergrundwächtern inklusive der Firewall + Antivirusprogramme müssen deaktiviert sein

Starte combofix.exe

Folge den Instruktionen in das Fenster

Während Combofix lauft NICHT ins Fenster klicken sonst erfriert dein Rechner

Wenn das Tool fertig ist,oeffnet sich ein logfile (C:\ combofix.txt)
nun das KOMPLETTE Log mit rechtem Mausklick ab kopieren und ins Forum mit rechtem Mausklick "einfügen"
__________
MfG Argus

#7 ComboFix 09-01-13.04 - Torbo 2009-01-14 17:14:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1031.18.2943.2489 [GMT 1:00]
ausgeführt von:: c:\windows\UserConfigs\Torbo\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wvUligHB.dll
c:\windows\UserConfigs\All Users\Startmenü\Programme\VirusRemover2008
c:\windows\UserConfigs\All Users\Startmenü\Programme\VirusRemover2008\VirusRemover2008.lnk
c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Temporary Internet Files\bestwiner.stt
c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Temporary Internet Files\CPV.stt
c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Temporary Internet Files\fbk.sts

c:\windows\system32\userinit.exe . . . ist infiziert!!
.
((((((((((((((((((((((((((((((((((((((( Treiber/Dienste )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((( Dateien erstellt von 2008-12-14 bis 2009-01-14 ))))))))))))))))))))))))))))))
.

2009-01-14 16:03 . 2009-01-14 16:03 84,418 --a------ c:\windows\UserConfigs\All Users\Anwendungsdaten\firstlsp.reg.dat
2009-01-14 16:02 . 2009-01-14 16:23 <DIR> d-------- c:\windows\UserConfigs\All Users\Anwendungsdaten\AntiVir PersonalEdition Premium
2009-01-14 16:02 . 2009-01-14 16:05 <DIR> d-------- c:\programme\AntiVir PersonalEdition Premium
2009-01-14 13:45 . 2009-01-14 13:45 24,064 --a------ c:\windows\system32\pcload.exe
2009-01-13 20:40 . 2009-01-13 20:40 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\PC Tools
2009-01-13 20:40 . 2009-01-14 15:14 <DIR> d-------- c:\programme\Spyware Doctor
2009-01-13 20:40 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-13 20:40 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-13 20:40 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-13 20:40 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-13 17:13 . 2009-01-14 14:42 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\Twain
2009-01-13 17:08 . 2009-01-14 14:42 <DIR> d-------- c:\programme\WebShow
2009-01-13 15:51 . 2003-07-17 01:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-01-13 15:51 . 2004-12-31 16:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2009-01-12 21:53 . 2009-01-12 21:53 <DIR> d-------- C:\RunUp_SG
2009-01-12 19:03 . 2009-01-12 19:06 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\SecondLife
2009-01-12 15:26 . 2009-01-12 15:26 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\Malwarebytes
2009-01-12 15:26 . 2009-01-12 15:26 <DIR> d-------- c:\windows\UserConfigs\All Users\Anwendungsdaten\Malwarebytes
2009-01-12 15:26 . 2009-01-12 15:26 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2009-01-12 15:26 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-12 15:26 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-11 18:05 . 2009-01-11 18:37 241 --a------ c:\windows\wininit.ini
2009-01-11 17:32 . 2009-01-12 16:34 <DIR> d-------- c:\windows\UserConfigs\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-01-11 17:32 . 2009-01-12 13:23 <DIR> d-------- c:\programme\Spybot - Search & Destroy
2009-01-11 17:30 . 2009-01-11 17:30 <DIR> d-------- c:\programme\Includes
2009-01-11 17:25 . 2009-01-11 17:25 <DIR> d-------- c:\programme\CCleaner
2009-01-11 17:12 . 2009-01-11 17:12 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\cogad
2009-01-11 17:12 . 2009-01-11 17:12 <DIR> d-------- c:\windows\system32\LNR
2009-01-11 17:12 . 2009-01-11 17:12 <DIR> d-------- c:\temp\tmp90
2009-01-11 17:12 . 2009-01-11 18:05 <DIR> d-------- C:\Temp
2009-01-11 17:10 . 2009-01-11 18:05 <DIR> d-------- c:\programme\Enigma Software Group
2009-01-11 14:59 . 2009-01-14 17:08 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\codeblocks
2009-01-11 14:59 . 2009-01-11 14:59 <DIR> d-------- c:\programme\CodeBlocks
2009-01-11 11:37 . 2009-01-11 11:37 <DIR> d-------- c:\windows\UserConfigs\All Users\Anwendungsdaten\Electronic Arts
2009-01-11 11:37 . 2009-01-11 11:37 <DIR> d-------- C:\ProgramData
2009-01-09 13:58 . 2009-01-09 13:58 <DIR> d-------- C:\CrashReport
2009-01-09 13:47 . 2009-01-11 20:06 <DIR> d-------- c:\programme\Runes of Magic
2009-01-08 13:50 . 2009-01-08 13:50 96 --ah----- c:\windows\system32\HsInfo.dat
2009-01-06 18:19 . 2009-01-10 16:43 6,412 --a------ C:\Silver.clt
2009-01-05 16:47 . 2009-01-05 16:47 <DIR> d-------- c:\windows\UserConfigs\Torbo\temp
2009-01-05 16:47 . 2009-01-05 16:47 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\TeamViewer
2009-01-05 15:46 . 2009-01-11 13:02 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\SPORE
2009-01-05 15:45 . 2009-01-05 15:45 <DIR> dr-h----- c:\windows\UserConfigs\Torbo\Anwendungsdaten\SecuROM
2009-01-05 15:45 . 2009-01-05 15:45 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-05 15:38 . 2009-01-11 11:37 <DIR> d-------- c:\programme\Electronic Arts
2009-01-05 14:02 . 2009-01-05 14:02 170 --a------ c:\windows\system32\spupdsvc.inf
2009-01-05 13:35 . 2005-10-20 23:33 1,003,008 --a------ c:\windows\system32\esent.dll
2009-01-04 21:20 . 2009-01-04 21:20 <DIR> d-------- c:\programme\Zattoo
2009-01-04 20:56 . 2009-01-04 20:57 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\concept design
2009-01-04 20:56 . 2009-01-04 20:56 <DIR> d-------- c:\programme\concept design
2009-01-04 20:56 . 2006-05-21 15:15 966,144 --a------ c:\windows\system32\NCTAudioInformation2.dll
2009-01-04 20:56 . 2006-05-21 15:15 634,880 --a------ c:\windows\system32\NCTAudioEditor2.dll
2009-01-04 20:56 . 2006-05-21 15:15 522,752 --a------ c:\windows\system32\NCTAudioTransform2.dll
2009-01-04 20:56 . 2006-05-21 15:15 307,200 --a------ c:\windows\system32\msvcr70.dll
2009-01-04 20:56 . 2006-05-21 15:15 237,568 --a------ c:\windows\system32\lame_enc.dll
2009-01-04 20:35 . 2009-01-06 17:48 6,412 --a------ C:\Pokemon blue.clt
2009-01-04 19:32 . 2009-01-04 23:47 <DIR> d-------- c:\programme\Rollercoaster Rush
2009-01-04 19:02 . 2009-01-14 17:07 <DIR> d-a------ c:\windows\UserConfigs\All Users\Anwendungsdaten\TEMP
2009-01-04 19:02 . 2009-01-04 19:02 <DIR> d-------- c:\windows\UserConfigs\All Users\Anwendungsdaten\NevoSoft Games
2009-01-04 19:01 . 2009-01-04 19:01 <DIR> d-------- c:\windows\Farm Craft
2009-01-04 19:01 . 2009-01-04 19:01 <DIR> d-------- c:\programme\Farm Craft
2009-01-04 16:36 . 2009-01-04 16:36 <DIR> d-------- c:\windows\UserConfigs\All Users\Anwendungsdaten\Fugazo
2009-01-04 16:36 . 2009-01-04 16:36 <DIR> d-------- c:\programme\LeeGTs Games
2009-01-04 16:35 . 2009-01-04 17:19 19 --a------ c:\windows\popcinfo.dat
2009-01-04 16:26 . 2009-01-04 16:26 <DIR> d-------- c:\programme\Java
2009-01-04 16:26 . 2009-01-04 16:26 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-04 16:24 . 2009-01-04 16:26 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-04 14:47 . 2009-01-04 14:47 <DIR> d-------- C:\games
2009-01-04 14:45 . 2009-01-04 14:45 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\Grisoft
2009-01-04 14:45 . 2009-01-04 14:45 <DIR> d-------- c:\windows\UserConfigs\All Users\Anwendungsdaten\Grisoft
2009-01-04 14:45 . 2007-05-30 13:10 10,872 --a------ c:\windows\system32\drivers\AvgAsCln.sys
2009-01-04 13:39 . 2009-01-04 14:26 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\ICQ
2009-01-04 13:39 . 2009-01-04 13:39 <DIR> d-------- c:\windows\UserConfigs\All Users\Anwendungsdaten\ICQ
2009-01-04 13:39 . 2009-01-04 13:39 <DIR> d-------- c:\programme\ICQ6Toolbar
2009-01-04 13:39 . 2009-01-04 14:26 <DIR> d-------- c:\programme\ICQ6.5
2009-01-04 13:15 . 2002-08-29 03:43 286,720 --a------ c:\windows\system32\msh263.drv
2009-01-04 13:15 . 2006-02-14 10:24 217,728 -ra------ c:\windows\system32\drivers\bdacap.sys
2009-01-04 13:15 . 2006-01-11 09:29 114,688 -r------- c:\windows\system32\GLAPILIB.dll
2009-01-04 13:15 . 2002-08-29 03:43 50,176 --a------ c:\windows\system32\drivers\vfwwdm32.dll
2009-01-04 13:15 . 2001-08-18 04:53 45,568 --a------ c:\windows\system32\iyuv_32.dll
2009-01-04 13:15 . 2001-08-18 04:53 45,568 --a--c--- c:\windows\system32\dllcache\iyuv_32.dll
2009-01-04 13:15 . 2006-01-06 07:55 11,264 -ra------ c:\windows\system32\drivers\GLKbFilter.sys
2009-01-04 13:15 . 2001-08-18 04:54 8,192 --a------ c:\windows\system32\tsbyuv.dll
2009-01-04 13:15 . 2001-08-18 04:54 8,192 --a--c--- c:\windows\system32\dllcache\tsbyuv.dll
2009-01-04 13:15 . 2006-01-17 03:01 3,766 -ra------ c:\windows\system32\drivers\IRKEYMAP_1.SET
2009-01-04 13:13 . 2009-01-04 13:13 <DIR> d-------- c:\programme\NewSoft
2009-01-04 13:13 . 2009-01-04 13:13 <DIR> d-------- c:\programme\Gemeinsame Dateien\NewSoft
2009-01-04 13:10 . 2002-08-29 01:32 28,160 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-01-04 13:10 . 2002-08-29 01:32 28,160 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-01-04 13:10 . 2001-08-18 04:19 14,080 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-01-04 13:10 . 2001-08-18 04:19 14,080 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-01-04 13:07 . 2004-07-01 23:08 360,448 --a--c--- c:\windows\system32\dllcache\qmgr.dll
2009-01-04 13:07 . 2004-07-01 23:08 331,776 --a------ c:\windows\system32\winhttp.dll
2009-01-04 13:07 . 2004-07-01 23:08 331,776 --a--c--- c:\windows\system32\dllcache\winhttp.dll
2009-01-04 13:07 . 2004-07-01 23:08 17,408 --a------ c:\windows\system32\qmgrprxy.dll
2009-01-04 13:07 . 2004-07-01 23:08 17,408 --a--c--- c:\windows\system32\dllcache\qmgrprxy.dll
2009-01-04 13:07 . 2004-07-01 23:08 7,680 -----c--- c:\windows\system32\dllcache\bitsprx2.dll
2009-01-04 13:07 . 2004-07-01 23:08 7,680 --------- c:\windows\system32\bitsprx2.dll
2009-01-04 13:07 . 2004-07-01 23:08 7,168 -----c--- c:\windows\system32\dllcache\bitsprx3.dll
2009-01-04 13:07 . 2004-07-01 23:08 7,168 --------- c:\windows\system32\bitsprx3.dll
2009-01-04 13:04 . 2009-01-04 13:04 <DIR> d-------- c:\windows\UserConfigs\All Users\Anwendungsdaten\nView_Profiles
2009-01-04 13:03 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll
2009-01-04 13:03 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll
2009-01-04 13:03 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2009-01-04 13:03 . 2008-10-16 14:13 202,776 --a------ c:\windows\system32\wuweb.dll
2009-01-04 13:03 . 2004-08-03 14:05 186,648 --a------ c:\windows\system32\wuaueng1.dll
2009-01-04 13:03 . 2004-08-03 14:02 169,752 --a------ c:\windows\system32\wuauclt1.exe
2009-01-04 13:03 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2009-01-04 13:01 . 2009-01-04 13:01 <DIR> d-------- c:\windows\UserConfigs\All Users\Anwendungsdaten\NVIDIA
2009-01-04 12:51 . 2009-01-04 12:51 940,794 --a------ c:\windows\system32\LoopyMusic.wav
2009-01-04 12:51 . 2009-01-04 12:51 146,650 --a------ c:\windows\system32\BuzzingBee.wav
2009-01-04 12:49 . 2009-01-04 12:49 <DIR> d-------- C:\WUTemp
2009-01-04 12:49 . 2009-01-04 12:50 <DIR> d-------- c:\windows\LastGood.Tmp
2009-01-04 12:49 . 2005-04-16 15:20 487,424 -r------- c:\windows\RtlExUpd.dll
2009-01-04 12:49 . 2003-08-25 18:06 182,880 --a------ c:\windows\system32\iuenginenew.dll
2009-01-04 12:49 . 2005-06-28 09:21 22,752 --a------ c:\windows\system32\spupdsvc.exe
2009-01-04 12:38 . 2009-01-04 11:53 774 --a------ c:\windows\system32\$winnt$.inf
2009-01-04 12:25 . 2009-01-04 12:25 1,024 --a------ C:\.rnd
2009-01-04 12:25 . 2009-01-04 12:25 26 --a------ c:\windows\FileName
2009-01-04 12:19 . 2009-01-04 12:40 <DIR> d-------- c:\windows\NV128160.TMP
2009-01-04 12:19 . 2006-07-06 10:39 208,896 --a------ c:\windows\system32\nvudisp.exe
2009-01-04 12:19 . 2006-07-12 06:19 16,960 --a------ c:\windows\system32\nvdisp.nvu
2009-01-04 12:18 . 2006-07-06 10:39 208,896 --a------ c:\windows\system32\NVUNINST.EXE
2009-01-04 12:18 . 2000-03-29 15:17 5,824 --a------ c:\windows\system32\drivers\ASUSHWIO.SYS
2009-01-04 12:18 . 2009-01-04 12:56 4,251 --a------ c:\windows\Ascd_tmp.ini

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 16:22 --------- d-----w c:\programme\Mjcore
2009-01-10 18:07 --------- d-----w c:\programme\Teamspeak2_RC2
2009-01-09 07:33 --------- d--h--w c:\programme\InstallShield Installation Information
2009-01-04 11:15 --------- d-----w c:\programme\Steam
2009-01-03 00:25 --------- d-----w c:\programme\Mobile Master
2008-12-22 10:00 --------- d-----w c:\programme\Gemeinsame Dateien\Adobe
2008-12-13 20:50 --------- d-----w c:\programme\PremiumSoft
2008-12-05 19:35 --------- d-----w c:\programme\NEXON
2008-11-15 08:02 --------- d-----w c:\programme\MobMapUpdater
.

------- Sigcheck -------

2004-08-04 08:58 25088 d1e53dc57143f2584b1dd53b036c0633 c:\windows\SoftwareDistribution\Download\84e71ea11258afcace4e790f6b073745\userinit.exe
2004-08-03 23:58 25088 d1e53dc57143f2584b1dd53b036c0633 c:\windows\system32\userinit.exe
2009-01-14 13:45 111616 be9f5da369dddc22224c053bbb27c64e c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2009-01-12_16.59.19.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-05 16:17:11 57,384 ----a-w c:\windows\system32\avsda.dll
- 2009-01-12 15:40:55 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-14 16:21:43 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-12 15:40:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-14 16:21:43 32,768 ----a-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-12 15:40:55 32,768 ----a-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2009-01-14 16:21:43 32,768 ----a-w c:\windows\system32\config\systemprofile\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2006-11-22 12:30:12 34,304 ----a-w c:\windows\system32\drivers\avgntdd.sys
+ 2006-11-22 12:30:12 14,848 ----a-w c:\windows\system32\drivers\avgntmgr.sys
+ 2002-08-29 03:43:42 22,528 ----a-w c:\windows\system32\init32.exe
- 2009-01-05 12:49:32 4,232 ----a-w c:\windows\UserConfigs\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat
+ 2009-01-14 16:23:00 5,496 ----a-w c:\windows\UserConfigs\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat
- 2009-01-05 12:49:32 4,617 ----a-w c:\windows\UserConfigs\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat
+ 2009-01-14 16:23:00 5,496 ----a-w c:\windows\UserConfigs\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat
- 2009-01-12 15:41:03 16,384 ----a-w c:\windows\UserConfigs\LocalService\Cookies\index.dat
+ 2009-01-14 16:21:51 16,384 ----a-w c:\windows\UserConfigs\LocalService\Cookies\index.dat
- 2009-01-12 15:41:03 32,768 ----a-w c:\windows\UserConfigs\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-14 16:21:51 32,768 ----a-w c:\windows\UserConfigs\LocalService\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-12 15:41:03 16,384 ----a-w c:\windows\UserConfigs\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2009-01-14 16:21:51 16,384 ----a-w c:\windows\UserConfigs\LocalService\Lokale Einstellungen\Verlauf\History.IE5\index.dat
- 2009-01-12 15:39:50 229,376 ---ha-w c:\windows\UserConfigs\LocalService\NTUSER.DAT
+ 2009-01-14 16:19:07 229,376 ---ha-w c:\windows\UserConfigs\LocalService\NTUSER.DAT
- 2009-01-12 15:39:50 229,376 ---ha-w c:\windows\UserConfigs\NetworkService\NTUSER.DAT
+ 2009-01-14 16:19:07 229,376 ---ha-w c:\windows\UserConfigs\NetworkService\NTUSER.DAT
- 2009-01-11 16:26:51 145,463 ----a-w c:\windows\UserConfigs\Torbo\Anwendungsdaten\Mozilla\Firefox\Profiles\k0b8kzgf.default\compreg.dat
+ 2009-01-13 16:29:54 145,745 ----a-w c:\windows\UserConfigs\Torbo\Anwendungsdaten\Mozilla\Firefox\Profiles\k0b8kzgf.default\compreg.dat
+ 2009-01-12 19:31:54 11,373 ----a-w c:\windows\UserConfigs\Torbo\Anwendungsdaten\SecondLife\browser_profile\history.dat
- 2009-01-12 15:57:18 32,768 ----a-w c:\windows\UserConfigs\Torbo\Cookies\index.dat
+ 2009-01-14 16:22:42 32,768 ----a-w c:\windows\UserConfigs\Torbo\Cookies\index.dat
+ 2009-01-14 14:55:06 22,102,584 ----a-w c:\windows\UserConfigs\Torbo\Desktop\antivir_workstation_winu_de_h.exe
+ 2007-01-03 06:04:04 14,901,760 ----a-w c:\windows\UserConfigs\Torbo\Desktop\Avira_AntiVir_PREMIUM_v7___KEY_bis_03.01.2012\Avira AntiVir PREMIUM v7 & KEY bis 03.01.2012\antivir_workstation_win7u_de_hp.exe
+ 2009-01-12 18:03:23 22,216,792 ----a-w c:\windows\UserConfigs\Torbo\Desktop\Second_Life_1-21-6-99587_Setup.exe
- 2009-01-12 13:57:27 15,883 ----a-w c:\windows\UserConfigs\Torbo\Eigene Dateien\project.exe
+ 2009-01-14 15:01:53 15,883 ----a-w c:\windows\UserConfigs\Torbo\Eigene Dateien\project.exe
- 2009-01-12 15:39:47 262,144 ---ha-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
+ 2009-01-14 16:18:46 262,144 ---ha-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Anwendungsdaten\Microsoft\Windows\UsrClass.dat
- 2009-01-12 15:57:19 53,248 ----a-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Temp\catchme.dll
+ 2009-01-14 16:22:09 53,248 ----a-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Temp\catchme.dll
- 2009-01-12 15:57:35 49,152 ----a-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-14 16:22:42 229,376 ----a-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-12 15:57:18 32,768 ----a-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2009-01-14 16:22:42 49,152 ----a-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Verlauf\History.IE5\index.dat
+ 2009-01-12 16:00:33 32,768 ----a-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Verlauf\History.IE5\MSHist012009011220090113\index.dat
+ 2009-01-13 20:43:30 32,768 ----a-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Verlauf\History.IE5\MSHist012009011320090114\index.dat
+ 2009-01-14 13:54:55 32,768 ----a-w c:\windows\UserConfigs\Torbo\Lokale Einstellungen\Verlauf\History.IE5\MSHist012009011420090115\index.dat
- 2009-01-12 15:39:47 1,835,008 ---ha-w c:\windows\UserConfigs\Torbo\NTUSER.DAT
+ 2009-01-14 16:18:46 2,097,152 ---ha-w c:\windows\UserConfigs\Torbo\NTUSER.DAT
.
-- Snapshot auf jetziges Datum zurückgesetzt --
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}]
2009-01-14 17:22 136192 --a------ c:\programme\Mjcore\Mjcore.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"ICQ"="c:\programme\ICQ6.5\ICQ.exe" [2008-12-17 172792]
"EA Core"="c:\programme\Electronic Arts\EADM\Core.exe" [2009-01-07 3321856]
"cogad"="c:\windows\UserConfigs\Torbo\Anwendungsdaten\cogad\cogad.exe" [2009-01-11 56832]
"SpybotSD TeaTimer"="c:\programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-07-12 7626752]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-07-12 86016]
"ChangeFilterMerit"="c:\programme\NewSoft\Presto! PVR\ChangeFilterMerit.exe" [2005-05-17 40960]
"Presto! PVR Monitor"="c:\programme\NewSoft\Presto! PVR\Monitor.exe" [2006-02-23 57344]
"!AVG Anti-Spyware"="c:\programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
"avgnt"="c:\programme\AntiVir PersonalEdition Premium\avgnt.exe" [2006-10-31 262184]
"nwiz"="nwiz.exe" [2006-07-12 c:\windows\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

c:\windows\UserConfigs\All Users\Startmen�\Programme\Autostart\
Adobe Reader Speed Launch.lnk - c:\programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=nphwsc.dll tqhasn.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 avgntmgr;avgntmgr;c:\windows\system32\drivers\avgntmgr.sys [2009-01-14 14848]
R1 avgntdd;avgntdd;c:\windows\system32\drivers\avgntdd.sys [2009-01-14 34304]
R4 AntiVirMailService;AntiVir PersonalEdition Premium MailGuard;c:\programme\AntiVir PersonalEdition Premium\avmailc.exe [2009-01-14 118824]
R4 AVEService;AntiVir PersonalEdition Premium MailGuard Hilfsdienst;c:\programme\AntiVir PersonalEdition Premium\avesvc.exe [2009-01-14 32808]
R4 ICQ Service;ICQ Service;c:\programme\ICQ6Toolbar\ICQ Service.exe [2009-01-04 222456]
S3 bdacap;PC-DTV Receiver;c:\windows\system32\drivers\bdacap.sys [2009-01-04 217728]
S3 GLHIDKBFILTER;GLHIDKBFILTER;c:\windows\system32\drivers\GLKbFilter.sys [2009-01-04 11264]
S3 sdAuxService;PC Tools Auxiliary Service;c:\programme\Spyware Doctor\pctsAuxs.exe [2009-01-13 356920]
.
Inhalt des "geplante Tasks" Ordners

2009-01-14 c:\windows\Tasks\bttignyv.job
- c:\windows\system32\rundll32.exe [2001-08-18 14:00]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
LSP: avsda.dll
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.gomyhit.com
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.gomyhit.com
FF - ProfilePath - c:\windows\UserConfigs\Torbo\Anwendungsdaten\Mozilla\Firefox\Profiles\k0b8kzgf.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\programme\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\NPHoldemFireLauncher.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\NPMFireLauncher.dll
FF - plugin: c:\programme\Mozilla Firefox\plugins\npygw.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 17:22:09
Windows 5.1.2600 Service Pack 1 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostarteinträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1275210071-1284227242-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:51,77,15,d7,20,51,18,79,1b,04,3c,e1,7d,c0,2d,a9,d7,9d,f4,58,0d,
ba,8d,55,1b,d6,64,d0,50,24,cb,41,8a,44,47,fb,9f,f0,e2,fb,b2,a2,af,43,29,86,\
"rkeysecu"=hex:e0,a5,10,d0,fa,ed,b3,b7,16,65,25,0c,52,41,1e,bc
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(700)
c:\windows\system32\avsda.dll
c:\windows\System32\dssenh.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\WgaTray.exe
c:\programme\AntiVir PersonalEdition Premium\sched.exe
c:\programme\AntiVir PersonalEdition Premium\avguard.exe
c:\progra~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\Apache.exe
c:\programme\Java\jre6\bin\jqs.exe
c:\progra~1\NVIDIA~1\NETWOR~1\bin\nSvcLog.exe
c:\progra~1\NVIDIA~1\NETWOR~1\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\NVIDIA~1\NETWOR~1\bin\nSvcIp.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-01-14 17:26:00 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-01-14 16:25:58
ComboFix2.txt 2009-01-12 15:59:40

Vor Suchlauf: 18 Verzeichnis(se), 63.126.843.392 Bytes frei
Nach Suchlauf: 18 Verzeichnis(se), 63,133,437,952 Bytes frei

328 --- E O F --- 2009-01-05 13:06:00

#8 Start > Ausführen> Kopiere rein ComboFix /U OK

SDFix für Windows 2000 und Windows XP
Download link 1 SDFix zum Desktop
Download link 2 SDFix
Download link 3 SDFix
Download link 4 SDFix zip
Download link 5 SDFix zip
Download link 6 SDFix zip

Starte dein Recher in
abgesicherten Modus

SDFix.zip entpacken
unter C:\ findet man nun den SDFix-Ordner

Doppelklick RunThis.bat
Schreibe: Y folge allen Anweisungen
Dann wird der Rechner neustarten
SDFix entfernt jetzt die gefundene Objekte

Kopiere den Inhalt des Berichts SophosReport.txt in diesen Thread
__________
MfG Argus

#9 Mach noch folgendes:

>>
Lasse folgende Dateien bei www.VIRUSTOTAL.com/de prüfen und poste das Ergebnis:

c:\windows\system32\pcload.exe
c:\windows\UserConfigs\Torbo\Anwendungsdaten\cogad\cogad.exe

Auf Durchsuchen klicken --> Datei aussuchen (oder gleich die Datei mit korrektem Pfad einkopieren mit Strg V) --> Klick auf die zu prüfende Datei und öffnen--> klick auf "Senden der Datei"... jetzt abwarten - dann mit der rechten Maustaste den Text markieren -> hier kopieren

Gruss Swiss




Ist für mich:

Zitat

2009-01-14 13:45 . 2009-01-14 13:45 24,064 --a------ c:\windows\system32\pcload.exe

2009-01-11 17:12 . 2009-01-11 17:12 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\cogad
2009-01-11 17:12 . 2009-01-11 17:12 <DIR> d-------- c:\windows\system32\LNR
2009-01-11 17:12 . 2009-01-11 17:12 <DIR> d-------- c:\temp\tmp90
2009-01-11 17:12 . 2009-01-11 18:05 <DIR> d-------- C:\Temp
2009-01-11 17:10 . 2009-01-11 18:05 <DIR> d-------- c:\programme\Enigma Software Group

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cogad"="c:\windows\UserConfigs\Torbo\Anwendungsdaten\cogad\cogad.exe" [2009-01-11 56832]

#10 SDFix: Version 1.240
Run by Torbo on 14.01.2009 at 20:19

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\SpeedRunner\config.cfg - Deleted
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\SpeedRunner\SpeedRunner.exe - Deleted
C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\SpeedRunner\SRUninstall.exe - Deleted
C:\Programme\Mjcore\Mjcore.dll - Deleted



Folder C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\SpeedRunner - Removed
Folder C:\Programme\Mjcore - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 20:31:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 3 Aug 2006 223 ..SH. --- "C:\Boot.bak"
Wed 22 Oct 2008 949,072 A..H. --- "C:\Programme\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Programme\Spybot - Search & Destroy\SDHelper.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Programme\Spybot - Search & Destroy\Tools.dll"
Wed 22 Jun 2005 45,568 A.SHR --- "C:\Program Files\Replay Converter\cygz.dll"
Mon 13 Nov 2006 319,456 A..H. --- "C:\Programme\Gemeinsame Dateien\Motorola Shared\MotPCSDrivers\difxapi.dll"
Mon 5 Jan 2009 444 ...HR --- "C:\WINDOWS\UserConfigs\Torbo\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!

#11 Entferne C:\SDFix\backups

Mache bitte was Tonstudio geschrieben hat
__________
MfG Argus

#12 Antivirus Version letzte aktualisierung Ergebnis
a-squared 4.0.0.73 2009.01.15 -
AhnLab-V3 2009.1.15.0 2009.01.14 -
AntiVir 7.9.0.54 2009.01.14 -
Authentium 5.1.0.4 2009.01.14 -
Avast 4.8.1281.0 2009.01.14 -
AVG 8.0.0.229 2009.01.14 -
BitDefender 7.2 2009.01.15 -
CAT-QuickHeal 10.00 2009.01.15 -
ClamAV 0.94.1 2009.01.15 -
Comodo 931 2009.01.14 -
DrWeb 4.44.0.09170 2009.01.15 -
eSafe 7.0.17.0 2009.01.14 -
eTrust-Vet 31.6.6308 2009.01.15 -
F-Prot 4.4.4.56 2009.01.14 -
F-Secure 8.0.14470.0 2009.01.15 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.15 -
Ikarus T3.1.1.45.0 2009.01.15 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.15 -
McAfee 5495 2009.01.14 -
McAfee+Artemis 5495 2009.01.14 -
Microsoft 1.4205 2009.01.15 -
NOD32 3767 2009.01.15 -
Norman 5.93.01 2009.01.13 -
nProtect 2009.1.8.0 2009.01.15 -
Panda 9.5.1.2 2009.01.14 -
PCTools 4.4.2.0 2009.01.14 -
Prevx1 V2 2009.01.15 Cloaked Malware
Rising 21.12.30.00 2009.01.15 -
SecureWeb-Gateway 6.7.6 2009.01.15 -
Sophos 4.37.0 2009.01.15 -
Sunbelt 3.2.1831.2 2009.01.09 -
TheHacker 6.3.1.4.220 2009.01.14 -
TrendMicro 8.700.0.1004 2009.01.15 -
ViRobot 2009.1.14.1559 2009.01.15 -
VirusBuster 4.5.11.0 2009.01.14 -
weitere Informationen
File size: 24064 bytes
MD5...: 7ea9a741086d4ef64a44aa6a28d0f47d
SHA1..: 1cfb9b9cdc460f610324a5bca77742062d836a4a
SHA256: d5c33e1fdc54a7892a92041599b4c425658d79f64dd8b46aaccf705b0d45e34c
SHA512: 295c714f27d67aae20c5bbea8821d13a695a490a5e5a2a5913690af7d1245b5e
cab27b7c12c78bbaa522bdddee61cc7124855d48f75a8f2d6eb1afeb76c13e5c
ssdeep: 384:IgA6j/7hXS/UVXTD+btms0WFlkoW7yQMPp74duB6mZHfRIOiGW0VbWl:/AYV
S/UVjDp2k3ap7pLIz6y
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404b20
timedatestamp.....: 0x47d00e4f (Thu Mar 06 15:31:27 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x482d 0x4a00 7.36 5aa93cb7cc7a60b494f60974c9993d01
.data 0x6000 0x4c23 0xc00 4.12 ae95ffdd1992df346b837f30a8d963a0
.rsrc 0xb000 0x3b8 0x400 3.25 ab179ddd32b5be67c917aad5218f10b9

( 4 imports )
> GDI32.dll: CreateCompatibleDC, DeleteObject, CreateDIBSection, SaveDC, DeleteDC, GetDeviceCaps, CreateSolidBrush, CreatePen, SelectObject, Ellipse, MoveToEx, Polyline, RectInRegion, CreateRectRgnIndirect
> MSVCRT.dll: wcsncmp, _adjust_fdiv, strcspn, strlen, _splitpath, _strnicmp, memcmp, _pctype, _ltow, wcscpy, wcscmp, _snwprintf, atoi, _wfullpath
> KERNEL32.dll: TlsFree, SetEnvironmentVariableA, EnterCriticalSection, lstrlenW, GetFileType, GetEnvironmentStrings, GlobalAlloc, GetCurrentProcess, LocalFree, ReadProcessMemory, InterlockedExchange, GetStartupInfoA, IsBadStringPtrA, FreeEnvironmentStringsA, MulDiv, DeleteFileA, GetProcessAffinityMask, lstrcatA, GetVersionExA, GetThreadContext
> ole32.dll: CoResumeClassObjects, OleCreateStaticFromData, CoAddRefServerProcess, CoUnmarshalInterface, OleCreateLinkToFile, CoTaskMemFree, CoFreeUnusedLibraries, CoGetClassObject, CoInstall, OleLockRunning, CoFreeAllLibraries, OleRegGetMiscStatus

( 0 exports )
Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=6C1FCD1300C975F75E5E00445D71CF000166BDE4' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=6C1FCD1300C975F75E5E00445D71CF000166BDE4</a>

ACHTUNG ACHTUNG: VirusTotal ist ein kostenloser Dienst bereitgestellt von Hispasec Sistemas. Es gibt keine Garantie zur Verfügbarkeit sowie Fortbestehen der Dienstleistung. Obwohl die Erkennungsrate mehrerer Antivirus-Engines besser ist als nur durch ein Produkt, garantieren die Ergebnisse des Scans nicht die Harmlosigkeit einer Datei. Gegenwärtig gibt es keine Lösung, welche eine Erkennungsrate aller Viren und Malware zu 100% bietet.

#13 Welche Datei war das??

Was ist mit der anderen?

Gruss Swiss

#14

Zitat

Tonstudio postete
Mach noch folgendes:

>>
Lasse folgende Dateien bei www.VIRUSTOTAL.com/de prüfen und poste das Ergebnis:

c:\windows\system32\pcload.exe
c:\windows\UserConfigs\Torbo\Anwendungsdaten\cogad\cogad.exe

Auf Durchsuchen klicken --> Datei aussuchen (oder gleich die Datei mit korrektem Pfad einkopieren mit Strg V) --> Klick auf die zu prüfende Datei und öffnen--> klick auf "Senden der Datei"... jetzt abwarten - dann mit der rechten Maustaste den Text markieren -> hier kopieren

Gruss Swiss




Ist für mich:

Zitat

2009-01-14 13:45 . 2009-01-14 13:45 24,064 --a------ c:\windows\system32\pcload.exe

2009-01-11 17:12 . 2009-01-11 17:12 <DIR> d-------- c:\windows\UserConfigs\Torbo\Anwendungsdaten\cogad
2009-01-11 17:12 . 2009-01-11 17:12 <DIR> d-------- c:\windows\system32\LNR
2009-01-11 17:12 . 2009-01-11 17:12 <DIR> d-------- c:\temp\tmp90
2009-01-11 17:12 . 2009-01-11 18:05 <DIR> d-------- C:\Temp
2009-01-11 17:10 . 2009-01-11 18:05 <DIR> d-------- c:\programme\Enigma Software Group

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cogad"="c:\windows\UserConfigs\Torbo\Anwendungsdaten\cogad\cogad.exe" [2009-01-11 56832]

#15

Zitat

>>
Lasse folgende Dateien bei www.VIRUSTOTAL.com/de prüfen und poste das Ergebnis:

c:\windows\system32\pcload.exe

c:\windows\UserConfigs\Torbo\Anwendungsdaten\cogad\cogad.exe

Also ich sehe hier zwei Dateien....