Virus IRC-Worm / HJT vorhanden

#1 1.Hi^^ bin neu weis aber denk ich wie das hier leuft...
2.Es geht sich um, hier ein bild :

Also IRC-Worm
3.HJT Logfile :
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 05:34:33, on 12.06.2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18444)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
E:\Kaspersky\avp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
E:\Kaspersky\klwtblfs.exe
D:\totalcmd\TOTALCMD.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Ralph\AppData\Local\Temp\mexe.com
D:\HiJackThis204.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - E:\Kaspersky\ievkbd.dll
O2 - BHO: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - E:\Kaspersky\klwtbbho.dll
O3 - Toolbar: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
O4 - HKLM\..\Run: [AVP] "E:\Kaspersky\avp.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Users\Ralph\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O8 - Extra context menu item: Hinzufügen zu Anti-Banner - E:\Kaspersky\ie_banner_deny.htm
O9 - Extra button: &Virtuelle Tastatur - {4248FE82-7FCB-46AC-B270-339F08212110} - E:\Kaspersky\klwtbbho.dll
O9 - Extra button: Li&nks untersuchen - {CCF151D8-D089-449F-A5A4-D9909053F20F} - E:\Kaspersky\klwtbbho.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: E:\KASPER~1\mzvkbd3.dll,E:\KASPER~1\kloehk.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - E:\Kaspersky\avp.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - D:\Daniel\hamachi\hamachi-2.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: S3D Service (Win32) - iZ3D Inc. - C:\Program Files\iZ3D Driver\Win32\S3DCService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 4944 bytes

4.Mache grade noch Escan check

Mfg inet pwnZ

Ps. Währe gut wen wer helfen könnte^^

#2 Die Datei wurde in deinem Email Programm gefunden und ist dort so lange harmlos, bis du den dort angegebenen Anhang oeffnest. Loesche die entsprechende Mail und komprimiere dann die Mail Datenbank. Dann sollte die Meldung verschwinden.
Pruefe die Datei C:\Users\Ralph\AppData\Local\Temp\mexe.com bitte bei Virustotal und poste den Link um Ergebnis...
__________
MfG Ralf
SEO-Spam Hunter

#3 Erst ma danke...

Kannst du mir sagen wo ich die Mail finden kann ?

Die auswertung von Virustotal :
Antivirus Version letzte aktualisierung Ergebnis
a-squared 5.0.0.26 2010.06.12 -
AhnLab-V3 2010.06.13.00 2010.06.12 -
AntiVir 8.2.2.6 2010.06.11 -
Antiy-AVL 2.0.3.7 2010.06.11 -
Authentium 5.2.0.5 2010.06.12 -
Avast 4.8.1351.0 2010.06.12 -
Avast5 5.0.332.0 2010.06.12 -
AVG 9.0.0.787 2010.06.11 -
BitDefender 7.2 2010.06.12 -
CAT-QuickHeal 10.00 2010.06.12 -
ClamAV 0.96.0.3-git 2010.06.12 -
Comodo 5073 2010.06.12 -
DrWeb 5.0.2.03300 2010.06.12 -
eSafe 7.0.17.0 2010.06.10 Win32.Looked.P
eTrust-Vet 36.1.7629 2010.06.11 -
F-Prot 4.6.0.103 2010.06.12 -
F-Secure 9.0.15370.0 2010.06.12 -
Fortinet 4.1.133.0 2010.06.12 -
GData 21 2010.06.12 -
Ikarus T3.1.1.84.0 2010.06.12 -
Jiangmin 13.0.900 2010.06.12 -
Kaspersky 7.0.0.125 2010.06.12 -
McAfee 5.400.0.1158 2010.06.12 -
McAfee-GW-Edition 2010.1 2010.06.11 -
Microsoft 1.5802 2010.06.12 -
NOD32 5191 2010.06.11 -
Norman 6.04.12 2010.06.12 -
nProtect 2010-06-12.01 2010.06.12 -
Panda 10.0.2.7 2010.06.12 -
PCTools 7.0.3.5 2010.06.12 -
Prevx 3.0 2010.06.12 -
Rising 22.51.05.02 2010.06.12 -
Sophos 4.54.0 2010.06.12 -
Sunbelt 6439 2010.06.12 -
Symantec 20101.1.0.89 2010.06.12 -
TheHacker 6.5.2.0.298 2010.06.12 -
TrendMicro 9.120.0.1004 2010.06.12 Cryp_Xed-16
TrendMicro-HouseCall 9.120.0.1004 2010.06.12 Cryp_Xed-16
VBA32 3.12.12.5 2010.06.11 -
ViRobot 2010.6.12.3882 2010.06.12 -
VirusBuster 5.0.27.0 2010.06.11 -
weitere Informationen
File size: 2329160 bytes
MD5...: 9ed8ff7dbe93582c357d32eeb0a26c95
SHA1..: 586ef075258b4125e06a93740ee0bea40bb7fa9a
SHA256: 87ba963a46ec4dc90969d43073cfd5cfa7fa3601f1e3ab27fee0ca96ee1ed5a3
ssdeep: 49152:AqpwL4LGSSa6RjTutvPm89vFV1vpZVnyBA5dPKJzPKJVPKJbPKJbPKJrcA
Zmw:AqXeBTutvOsvwcAAw
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xfea3f
timedatestamp.....: 0x4af3f801 (Fri Nov 06 10:18:41 2009)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10ba3e 0x10c000 6.19 c43b5c97b374ee5d2dd45143b85f640c
.rdata 0x10d000 0x6e6c 0x7000 5.08 c54ca57920fb86b5df8421f78c32b375
.data 0x114000 0xd41b8 0xb8000 5.37 7d3033e0e0db47d91e246655fd7da0a3
.rsrc 0x1e9000 0x6aae8 0x6b000 7.12 0c6153c1718945625c2ea12ce62e5236

( 9 imports )
> VERSION.dll: GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
> COMCTL32.dll: PropertySheetA, InitCommonControlsEx, -
> KERNEL32.dll: CreateMutexA, CreateSemaphoreA, CreateEventA, lstrcmpA, GetEnvironmentVariableA, FindNextChangeNotification, FindCloseChangeNotification, WaitForSingleObject, FindFirstChangeNotificationA, GetDriveTypeA, _llseek, ReleaseMutex, GetCurrentThreadId, lstrcmpW, SetEvent, CompareFileTime, WideCharToMultiByte, WinExec, SetCurrentDirectoryA, GetPrivateProfileSectionA, FlushFileBuffers, GetLogicalDrives, GetSystemDefaultLangID, SizeofResource, LoadResource, GlobalMemoryStatus, EnumResourceNamesA, EnumResourceTypesA, TerminateProcess, GetCurrentProcessId, ReadProcessMemory, VirtualQueryEx, ExpandEnvironmentStringsA, OpenSemaphoreA, OpenEventA, OpenMutexA, CopyFileA, SetPriorityClass, QueryDosDeviceA, GlobalUnlock, GlobalFree, GlobalAlloc, GlobalLock, DuplicateHandle, InterlockedExchange, GetVolumeInformationA, VirtualFreeEx, VirtualProtectEx, VirtualAllocEx, SetProcessWorkingSetSize, _lclose, OpenFile, LoadLibraryExA, TerminateThread, LocalAlloc, MoveFileA, GetVersion, GetSystemInfo, FormatMessageA, LocalFileTimeToFileTime, GetCurrentDirectoryA, WriteFile, GetFileInformationByHandle, ReadFile, SetFilePointer, SystemTimeToFileTime, FileTimeToSystemTime, FindFirstFileA, FindClose, AreFileApisANSI, lstrcpynA, GetFileTime, GetFileAttributesA, GetVersionExA, GetProcessHeap, HeapFree, HeapAlloc, OpenProcess, GetCurrentThread, GetCurrentProcess, lstrcmpiA, GetLocalTime, lstrlenA, MultiByteToWideChar, InterlockedIncrement, InterlockedDecrement, SetLastError, GetFileSize, CreateFileMappingA, GetDiskFreeSpaceA, GetTickCount, Sleep, MapViewOfFile, UnmapViewOfFile, OpenFileMappingA, GetTempPathA, GetTempFileNameA, GetLastError, SetFileAttributesA, RemoveDirectoryA, lstrcatA, lstrcpyA, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, CreateFileA, GetStringTypeW, GetFullPathNameA, GetSystemDirectoryA, DeleteFileA, LocalFree, CloseHandle, DeviceIoControl, PeekNamedPipe, SetEnvironmentVariableW, FileTimeToLocalFileTime, FileTimeToDosDateTime, CreateProcessA, GetExitCodeProcess, GetDateFormatA, GetTimeFormatA, GetTimeZoneInformation, FindNextFileA, GetWindowsDirectoryA, WriteProfileStringA, GetProfileStringA, GetPrivateProfileStringA, WritePrivateProfileSectionA, WritePrivateProfileStringA, MoveFileExA, SetEndOfFile, GetModuleFileNameA, GetShortPathNameA, CreateThread, WaitForSingleObjectEx, SetFileTime, CreateDirectoryA, FindResourceA, IsBadReadPtr, GetStringTypeA, SetUnhandledExceptionFilter, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, SetStdHandle, GetFileType, GetStdHandle, SetHandleCount, UnhandledExceptionFilter, TlsGetValue, TlsAlloc, LCMapStringW, LCMapStringA, GetOEMCP, GetACP, GetCPInfo, DeleteCriticalSection, InitializeCriticalSection, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, LeaveCriticalSection, EnterCriticalSection, RaiseException, GetCommandLineA, GetStartupInfoA, ExitProcess, HeapSize, HeapReAlloc, ExitThread, TlsSetValue, ResumeThread, RtlUnwind, GetSystemTime, IsBadCodePtr, SetEnvironmentVariableA, CompareStringA, CompareStringW
> USER32.dll: GetSystemMetrics, ExitWindowsEx, GetWindowTextA, GetClientRect, FindWindowExA, SetWindowRgn, EnableWindow, MoveWindow, GetWindowThreadProcessId, GetClassNameA, CopyImage, SystemParametersInfoA, SendMessageA, GetForegroundWindow, GetParent, PostMessageA, CharLowerA, CharUpperA, wsprintfA, GetDesktopWindow, EnumWindows, IsIconic, SetForegroundWindow, SetActiveWindow, BringWindowToTop, AttachThreadInput, ShowWindow, IsWindowVisible, GetCursorPos, SetCursor, LoadCursorA, RemovePropA, DefWindowProcA, ReleaseDC, GetDC, ScreenToClient, CreateCursor, DestroyCursor, SetSystemCursor, RedrawWindow, SetCursorPos, GetSysColor, GetWindowRect, GetUserObjectSecurity, GetDlgItem, SetPropA, GetPropA, FindWindowA, CallWindowProcA, RegisterWindowMessageA, MessageBoxA, CloseDesktop, OpenInputDesktop, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationA, LoadImageA, GetCapture, EndPaint, BeginPaint, EnumDesktopWindows, OpenDesktopA, SetDlgItemTextA, GetWindowLongA, PostThreadMessageA, SetFocus, UpdateWindow, LoadIconA, SetWindowLongA, GetDlgItemTextA, IsDlgButtonChecked, CheckDlgButton, GetDlgCtrlID, EnumChildWindows, KillTimer, DialogBoxParamA, SetWindowTextA, SetTimer, DeleteMenu, GetSystemMenu, EndDialog, SendDlgItemMessageA, IsWindow, DispatchMessageA, TranslateMessage, DestroyWindow, CreateDialogParamA, GetMessageA, IsDialogMessageA, SendMessageTimeoutA, DestroyIcon, CloseWindowStation, ClientToScreen
> GDI32.dll: CreateRectRgn, SelectObject, CreateFontIndirectA, GetTextFaceA, GetTextMetricsA, SetBkColor, SetTextColor, DeleteObject, GetStockObject, GetTextExtentPoint32A, CreateHalftonePalette, DeleteDC, CreatePalette, GetDIBColorTable, CreateCompatibleDC, GetObjectA, GetDeviceCaps, StretchBlt, BitBlt, RealizePalette, SelectPalette, CreateFontA, CreateSolidBrush
> ADVAPI32.dll: EnumDependentServicesA, GetUserNameA, RegCloseKey, RegSetValueExA, StartServiceA, DeregisterEventSource, EnumServicesStatusA, LogonUserA, RegCreateKeyA, RegEnumValueA, RegDeleteKeyA, RegEnumKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, OpenThreadToken, RegOpenKeyExA, RegCreateKeyExA, RegQueryValueExA, RegDeleteValueA, CloseServiceHandle, OpenServiceA, OpenSCManagerA, UnlockServiceDatabase, QueryServiceLockStatusA, LockServiceDatabase, ChangeServiceConfigA, QueryServiceConfigA, QueryServiceStatus, CreateProcessAsUserA, RegOpenKeyA, RegEnumKeyExA, DeleteService, ControlService, RegQueryInfoKeyA, GetSidIdentifierAuthority, ReportEventA, RegisterEventSourceA, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, GetSecurityDescriptorSacl, SetSecurityDescriptorSacl, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, FreeSid, EqualSid, AllocateAndInitializeSid, RevertToSelf, LookupAccountSidA, IsValidSid, GetSecurityDescriptorOwner, CreateServiceA, DuplicateToken, DuplicateTokenEx, ImpersonateLoggedOnUser, CryptGetHashParam, CryptDestroyHash, CryptHashData, CryptReleaseContext, CryptCreateHash, CryptAcquireContextA
> SHELL32.dll: SHBrowseForFolderA, Shell_NotifyIconA, SHGetSpecialFolderLocation, SHChangeNotify, SHGetDesktopFolder, SHGetPathFromIDListA, ShellExecuteA, SHGetMalloc
> ole32.dll: CoUninitialize, CoInitializeEx, CoInitialize, CoCreateInstance, OleRun, CoCreateGuid, CoTaskMemFree, CLSIDFromString, CLSIDFromProgID
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
trid..: Win32 Executable MS Visual C++ (generic) (51.4%)
Winzip Win32 self-extracting archive (generic) (31.4%)
Win32 Executable Generic (11.6%)
Generic Win/DOS Executable (2.7%)
DOS Executable Generic (2.7%)
sigcheck:
publisher....: MicroWorld Technologies Inc.
copyright....: Copyright (c) MicroWorld Technologies Inc.
product......: MicroWorld AntiVirus Toolkit Utility (MWAV)
description..: MicroWorld Anti Virus _ Spyware Toolkit Utility
original name: mwavscan.exe
internal name: mwavscan
file version.: 11, 0, 86, 0
comments.....:
signers......: MicroWorld Technologies Inc.
VeriSign Class 3 Code Signing 2004 CA
Class 3 Public Primary Certification Authority
signing date.: 3:20 PM 11/6/2009
verified.....: -


Mfg inet pwnZ