kernel.exe <- wie werde ich sie los ?

#16 boote in den abgesicherten Modus - mit Internetzugang.
dort lädst du Combofix, wendest es an und postest hier das Log, was erstellt wird
ComboFix
http://virus-protect.org/artikel/tools/combofix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#17 ...bringt auch nix wenn ich dieses programm starte oder das ander macht das wie gewohnt weiter mit herunterfahrn usw. nur beim neu starten wird dann kein signal an mein monitor geleitet und das bei jeden neustart. also bleibt der monitor schwarz und ich kann nicht einsehen was passiert den log kann ich nicht einsehen und speichern. oder wird der automatisch gespeichertn wenn ich dann auf power dücke und den rechner auto runterfahrn lass? zeit neuer kommt das auch wenn ich ganz normal an mache kein signal zum monitor geht erst nach mehrmaligen an und aus kommt dann irgendwann ein signal

#18

Zitat

erst nach mehrmaligen an und aus kommt dann irgendwann ein signal

und dann siehst du wieder das desktop ?

ich fürchte, du musst die XP-CD einlegen ...und formatieren
__________
MfG Sabina

rund um die PC-Sicherheit

#19 ja irgendwann kommt dann mal ein signal nach zich mal an und aus machen

oder ist es da was verlangt wurde ?

ComboFix 08-04-15.4 - BASTARD 2008-04-16 17:58:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.1096 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\BASTARD\Eigene Dateien\Azureus Downloads\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.
ADS - svchost.exe: deleted 28672 bytes in 1 streams.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\BASTARD\Lokale Einstellungen\Temporary Internet Files\CPV.stt
C:\Programme\CPV
C:\Programme\Helper
C:\Programme\Temporary
C:\WINDOWS\b138.exe
C:\WINDOWS\b155.exe
C:\WINDOWS\mrofinu.exe
C:\WINDOWS\system32\_000102_.tmp.dll
C:\WINDOWS\system32\QruuDJlm.ini
C:\WINDOWS\system32\QruuDJlm.ini2
C:\WINDOWS\Temp\1263045852.exe
C:\WINDOWS\Temp\1524523350.exe
C:\WINDOWS\Temp\551102296.exe
C:\WINDOWS\Temp\779846792.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_fci
-------\Service_fci


((((((((((((((((((((((( Dateien erstellt von 2008-03-16 bis 2008-04-16 ))))))))))))))))))))))))))))))
.

2008-04-16 12:19 . 2008-04-16 17:47 <DIR> d-------- C:\fixwareout
2008-04-15 20:19 . 2008-04-15 20:24 103,776 --a------ C:\Dokumente und Einstellungen\BASTARD\System_Restore.exe
2008-04-15 20:18 . 2008-04-15 20:18 251,216 --a------ C:\Dokumente und Einstellungen\BASTARD\IView.exe
2008-04-15 20:17 . 2008-04-15 20:18 357,768 --a------ C:\Dokumente und Einstellungen\BASTARD\SymXPep2.dll
2008-04-15 11:46 . 2008-04-15 11:46 <DIR> d-------- C:\Programme\Lavasoft
2008-04-15 11:46 . 2008-04-15 11:48 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-04-15 11:45 . 2008-04-15 11:59 <DIR> d-------- C:\Programme\Security Task Manager
2008-04-15 11:45 . 2008-04-16 11:58 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\SecTaskMan
2008-04-15 10:22 . 2008-04-15 10:54 <DIR> d-------- C:\Programme\Norton AntiVirus
2008-04-15 10:10 . 2008-04-15 10:29 60,808 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-15 10:09 . 2008-04-15 10:29 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-15 10:03 . 2008-04-15 10:29 <DIR> d-------- C:\Programme\Symantec
2008-04-15 09:51 . 2008-04-16 12:00 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Symantec Shared
2008-04-15 07:39 . 2008-04-15 07:39 0 --a------ C:\WINDOWS\system32\spcxx.clk
2008-04-12 06:04 . 2008-04-12 06:08 <DIR> d-------- C:\Programme\Inet_Get_2
2008-04-09 15:03 . 2008-04-09 15:03 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 11:27 . 2008-04-09 11:27 2 --a------ C:\1553564877
2008-04-09 11:26 . 2008-04-09 11:26 99,328 --a------ C:\kbvxxo.exe
2008-04-09 11:26 . 2008-04-09 11:26 58,880 --a------ C:\mxuxc.exe
2008-04-09 11:26 . 2008-04-15 11:24 0 --a------ C:\WINDOWS\system32\1.htm
2008-04-09 08:30 . 2008-04-09 08:30 <DIR> d-------- C:\Programme\Gemeinsame Dateien\InstallerA
2008-04-09 08:30 . 2008-04-09 08:30 <DIR> d-------- C:\Programme\CryptIt

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 16:00 136 ----a-w C:\WINDOWS\system32\drivers\ALCICH.DAT
2008-04-16 15:21 --------- d-----w C:\Dokumente und Einstellungen\BASTARD\Anwendungsdaten\Azureus
2008-04-15 09:48 --------- d-----w C:\Programme\ICQToolbar
2008-04-15 09:45 --------- d-----w C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-04-15 09:40 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Symantec
2008-04-15 08:29 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-15 08:29 10,652 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-13 19:41 --------- d-----w C:\Programme\DivX
2008-04-09 05:53 --------- d-----w C:\Programme\FlashFXP
2008-04-08 18:45 --------- d-----w C:\Programme\Gemeinsame Dateien\Ahead
2008-04-07 09:12 --------- d-----w C:\Programme\The Witcher
2008-04-07 09:10 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-03-18 13:15 --------- d-----w C:\Dokumente und Einstellungen\BASTARD\Anwendungsdaten\OpenOffice.org2
2008-03-14 11:14 --------- d-----w C:\Programme\Disciples 2
2008-03-11 14:32 --------- d-----w C:\Programme\Azureus
2008-03-07 17:04 --------- d-----w C:\Programme\Java
2008-03-06 19:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 19:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 19:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-05 10:17 --------- d-----w C:\Programme\Ontrack
2008-03-04 19:45 --------- d-----w C:\Programme\File Scavenger 3.2
2008-02-27 20:43 --------- d-----w C:\Programme\ICQ6
2008-02-20 09:51 --------- d-----w C:\Programme\ScummVM
2007-03-30 13:54 702,096 ----a-w C:\Programme\APR2007_d3dx10_33_x64.cab
2007-03-30 13:54 699,466 ----a-w C:\Programme\APR2007_d3dx10_33_x86.cab
2007-03-30 13:54 56,902 ----a-w C:\Programme\APR2007_xinput_x86.cab
2007-03-30 13:54 45,302 ----a-w C:\Programme\dxdllreg_x86.cab
2007-03-30 13:54 199,384 ----a-w C:\Programme\APR2007_XACT_x64.cab
2007-03-30 13:54 155,350 ----a-w C:\Programme\APR2007_XACT_x86.cab
2007-03-30 13:54 100,434 ----a-w C:\Programme\APR2007_xinput_x64.cab
2007-03-30 13:54 1,610,998 ----a-w C:\Programme\APR2007_d3dx9_33_x64.cab
2007-03-30 13:54 1,610,311 ----a-w C:\Programme\APR2007_d3dx9_33_x86.cab
2007-03-30 13:38 85,883 ----a-w C:\Programme\dxupdate.cab
2007-03-30 13:38 77,160 ----a-w C:\Programme\DSETUP.dll
2007-03-30 13:38 503,144 ----a-w C:\Programme\DXSETUP.exe
2007-03-30 13:38 1,673,576 ----a-w C:\Programme\dsetup32.dll
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-04-15 11:41 116088 --a------ C:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"T-Online_Software_6\WLAN-Access Finder"="C:\Programme\T-Online\WLAN-Access Finder\ToWLaAcF.exe" [2007-07-25 17:50 671796]
"Ashampoo Magical Optimizer Taskplaner"="C:\PROGRA~1\Ashampoo\ASHAMP~1\AMO_TA~1.exe" [2007-09-13 16:47 1268064]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:57 15360]
"DAEMON Tools Pro Agent"="C:\Programme\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 14:45 133576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-01-26 08:57 344064]
"ATICCC"="C:\Programme\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43 45056]
"SoundMan"="soundman.exe" [2001-05-29 19:02 124416 C:\WINDOWS\soundman.exe]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"TkBellExe"="C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" [2007-07-05 00:28 185896]
"type32"="C:\Programme\Microsoft IntelliType Pro\type32.exe" [2003-05-15 17:45 114688]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"NeroFilterCheck"="C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"osCheck"="C:\Programme\Norton AntiVirus\osCheck.exe" [2007-08-24 22:53 714608]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 09:58 160768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:57 15360]
"InfoCockpit"="C:\Programme\T-Online\T-Online_Software_6\Info-Cockpit\IC_START.exe" [2007-07-30 14:27 176128]
"T-Online_Software_6\WLAN-Access Finder"="C:\Programme\T-Online\WLAN-Access Finder\ToWLaAcF.exe" [2007-07-25 17:50 671796]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Azureus\\Azureus.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\\Programme\\Messenger\\msmsgs.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=
"C:\\Programme\\FlashFXP\\FlashFXP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programme\\Conference\\Conference.dll"=

R2 MZCCntrl;T-Online WLAN Adapter Steuerungsdienst;C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe [2007-01-09 16:16]
R3 MACNDIS5;MACNDIS5 NDIS Protocol Driver;C:\PROGRA~1\GEMEIN~1\MARMIK~1\MACNDIS5.SYS [2006-10-04 09:14]
S2 LiveUpdate Notice;LiveUpdate Notice;"C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]
S3 gsplittm;gsplittm;C:\DOKUME~1\BASTARD\LOKALE~1\Temp\gsplittm.sys []
S3 MIINPazX;MIINPazX NDIS Protocol Driver;C:\PROGRA~1\GEMEIN~1\MARMIK~1\MInfraIS\MIINPazX.SYS [2006-10-09 15:03]
S3 MTOnlPktAlyX;MTOnlPktAlyX NDIS Protocol Driver;C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis1\MTOnlPktAlyX.SYS [2006-10-09 13:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tapisrv REG_MULTI_SZ Tapisrv

.
Inhalt des "geplante Tasks" Ordners
"2008-04-16 15:00:00 C:\WINDOWS\Tasks\A6A238739185B47F.job"
- c:\dokume~1\bastard\anwend~1\winiso~1\corntonsmanager.exe
"2008-04-15 09:35:36 C:\WINDOWS\Tasks\Norton AntiVirus - Systemprüfung ausführen - BASTARD.job"

#20 Hallo,

««
Versteckte- und Systemdateien sichtbar machen
http://virus-protect.org/invisible.html

««
Virustotal http://www.virustotal.com/flash/index_en.html

C:\Dokumente und Einstellungen\BASTARD\System_Restore.exe
C:\Dokumente und Einstellungen\BASTARD\IView.exe
C:\Dokumente und Einstellungen\BASTARD\SymXPep2.dll

Auf Durchsuchen klicken --> Datei aussuchen (oder gleich die Datei mit korrektem Pfad einkopieren mit Strg V) --> Klick auf die zu prüfende Datei und öffnen--> klick auf "Senden der Datei"... jetzt abwarten - dann mit der rechten Maustaste den Text markieren -> hier kopieren

------------------------------------------------------------------

2.
http://virus-protect.org/artikel/tools/otmoveIt.html
öffne: OTMoveIt.exe

Kopiere rein: im linken Fenster ,wo steht: Paste Standard List of Files/Folders to be Move

Zitat

C:\Dokumente und Einstellungen\BASTARD\Anwendungsdaten\WinTouch
C:\Programme\CPV
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\great coal love default
C:\WINDOWS\Tasks\A6A238739185B47F.job
C:\Programme\Inet_Get_2
C:\kbvxxo.exe
C:\mxuxc.exe
C:\1553564877
C:\WINDOWS\system32\1.htm

Klicke auf den Roten MoveIt!

------------

3.
wende fixwareout an - poste nach Neustart den report (nur, falls du s noch nicht angewendet hast....)
FixWareout
http://virus-protect.org/artikel/tools/fixwareout.html

4.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als listen.bat mit "Speichern unter" auf dem Desktop. Gebe bei Dateityp "Alle Dateien" an. Du solltest jetzt auf dem Desktop diese Datei finden. --> die listen.bat doppelt klicken--> kopiere den Text, der erscheint

Zitat

cd\
dir "C:\WINDOWS\Downloaded Program Files" >>files.txt
dir "C:\Programme\Common Files" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%" >>files.txt
dir "C:\Program Files" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Lokale Einstellungen\Temporary Internet Files\Content.IE5" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Lokale Einstellungen\Temp" >>files.txt
dir "C:\WINDOWS\Temp" >>files.txt
dir "C:\Temp" >>files.txt
dir "C:\Programme" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Lokale Einstellungen\Anwendungsdaten" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Anwendungsdaten" >>files.txt
dir "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten" >>files.txt
dir "C:\Programme\Gemeinsame Dateien" >>files.txt
dir "C:\Windows\tasks" >>files.txt
notepad files.txt

5.
poste ein neues Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#21 zu schritt 1

C:\Dokumente und Einstellungen\BASTARD\System_Restore.exe

AhnLab-V3 2008.4.17.0 2008.04.17 -
AntiVir 7.6.0.85 2008.04.16 -
Authentium 4.93.8 2008.04.16 -
Avast 4.8.1169.0 2008.04.16 -
AVG 7.5.0.516 2008.04.16 -
BitDefender 7.2 2008.04.17 -
CAT-QuickHeal 9.50 2008.04.16 -
ClamAV 0.92.1 2008.04.17 -
DrWeb 4.44.0.09170 2008.04.16 -
eSafe 7.0.15.0 2008.04.16 -
eTrust-Vet 31.3.5705 2008.04.17 -
Ewido 4.0 2008.04.16 -
F-Prot 4.4.2.54 2008.04.16 -
F-Secure 6.70.13260.0 2008.04.17 -
FileAdvisor 1 2008.04.17 -
Fortinet 3.14.0.0 2008.04.17 -
Ikarus T3.1.1.26.0 2008.04.17 -
Kaspersky 7.0.0.125 2008.04.17 -
McAfee 5275 2008.04.16 -
Microsoft 1.3408 2008.04.17 -
NOD32v2 3032 2008.04.16 -
Norman 5.80.02 2008.04.16 -
Panda 9.0.0.4 2008.04.17 -
Prevx1 V2 2008.04.17 -
Rising 20.40.30.00 2008.04.17 -
Sophos 4.28.0 2008.04.17 -
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.17 -
TheHacker 6.2.92.281 2008.04.17 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.16 -
Webwasher-Gateway 6.6.2 2008.04.17 BlockReason.0
weitere Informationen
File size: 103776 bytes
MD5...: 31ecffc21405ff060fb1581e87116145
SHA1..: 4c3631554e13aa6faa5e444c42592d824aabaa64
SHA256: 1e3841de73fd62cd3f384e31dfbbbba59c7e107de54621c74ac0d53f65c99fb7
SHA512: 5c0588b6f38165c116db5dbf5b2ace1a30dae2b02952c8179f1287b835c9978c
2c65e03e68f3a9ed59420aff4c10123b4e3ad8ab5fe88754e81fe012950b92ad
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401df9
timedatestamp.....: 0x47a9bff7 (Wed Feb 06 14:11:03 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xfe2c 0x10000 6.67 02377e68e7b97545dd032448c31e7024
.rdata 0x11000 0x302a 0x4000 4.57 39485b87dd2abe591d46ee73873f98c2
.data 0x15000 0x3188 0x2000 2.29 1ef457ee0340c9c253461608c95c3bea
.rsrc 0x19000 0x240 0x1000 3.63 394e4c6ae416fbfd1a1839464c15d776

( 3 imports )
> ole32.dll: CoInitializeEx, CoInitializeSecurity, CoUninitialize, CoSetProxyBlanket, CoCreateInstance
> OLEAUT32.dll: -, -, -
> KERNEL32.dll: InterlockedIncrement, LocalFree, lstrlenA, ReadFile, SetEndOfFile, GetLocaleInfoA, InterlockedDecrement, WideCharToMultiByte, GetEnvironmentVariableA, GetLastError, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, RtlUnwind, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, CloseHandle, RaiseException, GetProcAddress, GetModuleHandleA, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsA, MultiByteToWideChar, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCommandLineW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, Sleep, CreateFileA, InitializeCriticalSection, VirtualAlloc, HeapReAlloc, SetStdHandle, FlushFileBuffers, HeapSize, LoadLibraryA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW

( 0 exports )
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=31ecffc21405ff060fb1581e87116145

C:\Dokumente und Einstellungen\BASTARD\IView.exe

AhnLab-V3 2008.4.17.0 2008.04.17 -
AntiVir 7.6.0.85 2008.04.16 -
Authentium 4.93.8 2008.04.16 -
Avast 4.8.1169.0 2008.04.16 -
AVG 7.5.0.516 2008.04.16 -
BitDefender 7.2 2008.04.17 -
CAT-QuickHeal 9.50 2008.04.16 -
ClamAV 0.92.1 2008.04.17 -
DrWeb 4.44.0.09170 2008.04.16 -
eSafe 7.0.15.0 2008.04.16 -
eTrust-Vet 31.3.5705 2008.04.17 -
Ewido 4.0 2008.04.16 -
F-Prot 4.4.2.54 2008.04.16 -
F-Secure 6.70.13260.0 2008.04.17 -
FileAdvisor 1 2008.04.17 -
Fortinet 3.14.0.0 2008.04.17 -
Ikarus T3.1.1.26.0 2008.04.17 -
Kaspersky 7.0.0.125 2008.04.17 -
McAfee 5275 2008.04.16 -
Microsoft 1.3408 2008.04.17 -
NOD32v2 3032 2008.04.16 -
Norman 5.80.02 2008.04.16 -
Panda 9.0.0.4 2008.04.17 Suspicious file
Prevx1 V2 2008.04.17 -
Rising 20.40.30.00 2008.04.17 -
Sophos 4.28.0 2008.04.17 -
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.17 -
TheHacker 6.2.92.281 2008.04.17 -
VBA32 3.12.6.4 2008.04.16 -
VirusBuster 4.3.26:9 2008.04.16 -
Webwasher-Gateway 6.6.2 2008.04.17 BlockReason.0
weitere Informationen
File size: 251216 bytes
MD5...: 74d0328546d234191fa9bbcae0f8dd09
SHA1..: 8569dd2f68e04bc279e734130b2a302ca9574029
SHA256: a1ff5703529a4c2167266cd8bfebec3d23fadd0a3b168a9c47f8877c56d937b2
SHA512: ad61ef4d44d98ea98b1ea6f44a90567376eaf2d64de226e967f85cf537b8c373
bf7a99cd620333375f47728ffa3b52857ac231e2a3c3829f79ad168fd11149ed
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4139ef
timedatestamp.....: 0x47501480 (Fri Nov 30 13:47:44 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2cf0c 0x2d000 6.71 62628880a481f4f9097f53f170786bb0
.rdata 0x2e000 0x99f0 0xa000 4.83 e0fbb4f55ac2baaf5779f75273f3a17a
.data 0x38000 0x5ef8 0x3000 3.13 936d7a2261308ed1cc4e7c7c95d5b33b
.rsrc 0x3e000 0x1000 0x1000 3.86 e4b1b4d779bf7f7606da26839e764ccf

( 8 imports )
> KERNEL32.dll: GetVersionExA, lstrcmpW, GlobalFindAtomA, GlobalAddAtomA, WritePrivateProfileStringA, GlobalFlags, GetCPInfo, GetOEMCP, HeapAlloc, HeapFree, HeapReAlloc, RaiseException, VirtualAlloc, RtlUnwind, GetProcessHeap, GetSystemTimeAsFileTime, SetStdHandle, GetFileType, ExitProcess, HeapSize, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, GetFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetACP, LCMapStringA, LCMapStringW, SetHandleCount, GetStartupInfoA, Sleep, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetConsoleCP, GetConsoleMode, GetTimeZoneInformation, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GetLocaleInfoW, SetEnvironmentVariableA, GetFileAttributesA, FileTimeToLocalFileTime, FileTimeToSystemTime, GlobalGetAtomNameA, InterlockedIncrement, InterlockedDecrement, GetModuleFileNameW, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, LocalAlloc, GetCurrentThread, GetCurrentThreadId, ConvertDefaultLocale, EnumResourceLanguagesA, GetLocaleInfoA, lstrcmpA, FreeLibrary, GlobalDeleteAtom, SetErrorMode, GetFullPathNameA, GetVolumeInformationA, GetCurrentProcess, DuplicateHandle, GetThreadLocale, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, DeleteFileA, GetCurrentProcessId, GetModuleFileNameA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, FormatMessageA, LocalFree, SetLastError, CreateFileA, ReadFile, WriteFile, CloseHandle, GetCommandLineA, GetModuleHandleA, GetCurrentDirectoryA, LoadLibraryA, GetProcAddress, GetTempPathA, lstrlenA, CompareStringW, CompareStringA, FindFirstFileA, FindClose, GetEnvironmentVariableA, GetVersion, FindResourceA, LoadResource, LockResource, SizeofResource, GetLastError, WideCharToMultiByte, MultiByteToWideChar, TerminateProcess, InterlockedExchange
> USER32.dll: ShowWindow, UnregisterClassA, SetWindowTextA, SetCursor, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, ModifyMenuA, EnableMenuItem, CheckMenuItem, RegisterWindowMessageA, LoadIconA, WinHelpA, GetCapture, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetFocus, IsWindow, GetForegroundWindow, GetDlgItem, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, GetClientRect, GetMenu, CreateWindowExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, PtInRect, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, SetWindowPos, SystemParametersInfoA, IsIconic, GetWindowPlacement, GetWindowRect, GetWindow, CharUpperA, GetSubMenu, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, DestroyMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, MessageBoxA, EnableWindow, IsWindowEnabled, GetLastActivePopup, GetWindowLongA, GetParent, SendMessageA, GetWindowThreadProcessId, GetSystemMetrics, PostQuitMessage, PostMessageA, UnhookWindowsHookEx, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetWindowTextA, LoadCursorA, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, GetClassInfoExA
> GDI32.dll: DeleteDC, PtVisible, CreateBitmap, GetStockObject, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, GetDeviceCaps, DeleteObject, GetClipBox, SetMapMode, SetTextColor, SetBkColor, RestoreDC, SaveDC, RectVisible
> comdlg32.dll: GetFileTitleA
> WINSPOOL.DRV: ClosePrinter, DocumentPropertiesA, OpenPrinterA
> ADVAPI32.dll: RegQueryValueA, RegEnumKeyA, RegDeleteKeyA, RegSetValueExA, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA, RegCloseKey
> SHLWAPI.dll: PathStripToRootA, PathIsUNCA, PathFindFileNameA, PathFindExtensionA
> OLEAUT32.dll: -, -, -

( 0 exports )
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=74d0328546d234191fa9bbcae0f8dd09

C:\Dokumente und Einstellungen\BASTARD\SymXPep2.dll

AhnLab-V3 2008.4.10.2 2008.04.10 -
AntiVir 7.6.0.81 2008.04.10 -
Authentium 4.93.8 2008.04.10 -
Avast 4.8.1169.0 2008.04.10 -
AVG 7.5.0.516 2008.04.10 -
BitDefender 7.2 2008.04.10 -
CAT-QuickHeal 9.50 2008.04.10 -
ClamAV 0.92.1 2008.04.10 -
DrWeb 4.44.0.09170 2008.04.10 -
eTrust-Vet 31.3.5687 2008.04.10 -
Ewido 4.0 2008.04.10 -
F-Prot 4.4.2.54 2008.04.08 -
F-Secure 6.70.13260.0 2008.04.10 -
FileAdvisor 1 2008.04.10 -
Fortinet 3.14.0.0 2008.04.10 -
Ikarus T3.1.1.26 2008.04.10 -
Kaspersky 7.0.0.125 2008.04.10 -
McAfee 5270 2008.04.09 -
Microsoft 1.3408 2008.04.10 -
NOD32v2 3016 2008.04.10 -
Norman 5.80.02 2008.04.10 -
Panda 9.0.0.4 2008.04.10 -
Prevx1 V2 2008.04.10 -
Rising 20.39.32.00 2008.04.10 -
Sophos 4.28.0 2008.04.10 -
Sunbelt 3.0.1032.0 2008.04.08 -
Symantec 10 2008.04.10 -
TheHacker 6.2.92.271 2008.04.10 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.09 -
Webwasher-Gateway 6.6.2 2008.04.10 -
weitere Informationen
File size: 357768 bytes
MD5...: 632dfd6a7c80d9be52e8f0d9b6d108fa
SHA1..: a7fa8f97d52fa0c593b17928c23ef4d35b175dca
SHA256: 7e78ef6d111f6436b852da3e4383ec016082d57b3c601b6c68a793caa5b57240
SHA512: bd0c8b260db71f87c605782f5b934842269ebe695daf2ca377e5fad75150f1be
1bdbce2e2a00c7ca81f4d02586d19e1db987f3b3b07e6065a240b07e9669f774
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10019ff0
timedatestamp.....: 0x46b8d03f (Tue Aug 07 20:04:15 2007)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x26ef4 0x27000 6.67 b597fc02b03827cb4850a6c834c5bc7e
.rdata 0x28000 0x22435 0x23000 4.16 a4dd9b7b81a7bb3df94896c74fb224a7
.data 0x4b000 0x5520 0x4000 4.76 34e4b308516937a3186137c33cccfdb5
.rsrc 0x51000 0x1d48 0x2000 4.83 296232072cd61b718ea6f13ee041987a
.reloc 0x53000 0x4938 0x5000 5.07 9738ac5d809c4950873197d00ba2e149

( 8 imports )
> WININET.dll: InternetCrackUrlW
> KERNEL32.dll: GetConsoleMode, GetConsoleCP, HeapAlloc, QueryPerformanceCounter, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, LCMapStringA, SetThreadLocale, GetModuleHandleW, MultiByteToWideChar, InterlockedDecrement, InterlockedIncrement, GetModuleFileNameW, lstrcmpiW, DeleteCriticalSection, InitializeCriticalSection, LeaveCriticalSection, EnterCriticalSection, LCMapStringW, GetStringTypeA, GetStringTypeW, SetLastError, GetCurrentThreadId, GetCurrentProcess, FlushInstructionCache, MulDiv, GetThreadLocale, FormatMessageW, RaiseException, GetFileAttributesW, LoadLibraryExW, GetLastError, lstrlenW, FreeLibrary, GetProcessHeap, HeapFree, GetProcAddress, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, GetSystemTimeAsFileTime, VirtualAlloc, CreateFileA, GetStartupInfoA, GetFileType, SetHandleCount, IsValidCodePage, GetOEMCP, GetCPInfo, HeapCreate, GetModuleFileNameA, GetStdHandle, ExitProcess, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetCommandLineA, VirtualQuery, GetModuleHandleA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, HeapDestroy, HeapReAlloc, HeapSize, GetVersionExA, InterlockedExchange, GetACP, GetLocaleInfoA, InterlockedCompareExchange, LoadLibraryA, IsProcessorFeaturePresent, VirtualFree, VirtualProtect, CloseHandle, GetLocalTime, GetCurrentProcessId, OutputDebugStringW, WriteFile, CreateFileW, SetFilePointer, GlobalLock, GlobalSize, GlobalUnlock, GlobalAlloc, GlobalFree, GetSystemInfo, GetVersionExW, Sleep, GetTickCount, TerminateProcess, GetSystemDirectoryW, WideCharToMultiByte, SetUnhandledExceptionFilter, FlushFileBuffers, UnhandledExceptionFilter, IsDebuggerPresent, RtlUnwind
> USER32.dll: IsChild, IntersectRect, EqualRect, OffsetRect, SetWindowRgn, GetClientRect, CharNextW, DefWindowProcW, DestroyWindow, SetWindowLongW, UnregisterClassA, GetWindowLongW, ShowWindow, GetClassInfoExW, LoadCursorW, ReleaseDC, GetDC, SetWindowPos, CreateWindowExW, RegisterClassExW, InvalidateRect, IsWindow, GetParent, GetFocus, BeginPaint, SetFocus, CallWindowProcW, EndPaint
> GDI32.dll: SaveDC, SetMapMode, SetWindowOrgEx, SetViewportOrgEx, DeleteDC, RestoreDC, CreateDCW, CreateRectRgnIndirect, SetTextAlign, TextOutW, GetDeviceCaps, LPtoDP
> ADVAPI32.dll: RegEnumValueW, RegEnumKeyExW, RegQueryInfoKeyW, RegSetValueExW, RegCreateKeyExW, RegDeleteValueW, RegDeleteKeyW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey
> ole32.dll: OleSaveToStream, CreateStreamOnHGlobal, StringFromGUID2, CoTaskMemFree, StringFromCLSID, CoTaskMemAlloc, GetHGlobalFromStream, CoCreateInstance, CreateOleAdviseHolder, OleRegEnumVerbs, OleRegGetUserType, OleRegGetMiscStatus, CoTaskMemRealloc, OleLoadFromStream
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> SHLWAPI.dll: PathAppendW

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

zu fixwareout: hab diese txt gefunden weiß aber nicht ob das der log ist den ihr braucht. konnt beim reboot nix sehen bildschirm schwarz.

Username "BASTARD" - 2008-04-17 9:22:18 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Der DNS-Auflösungscache wurde geleert.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"ATIPTA"="\"C:\\Programme\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"ATICCC"="\"C:\\Programme\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"SoundMan"="soundman.exe"
"Adobe Reader Speed Launcher"="\"C:\\Programme\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"TkBellExe"="\"C:\\Programme\\Gemeinsame Dateien\\Real\\Update_OB\\realsched.exe\" -osboot"
"type32"="\"C:\\Programme\\Microsoft IntelliType Pro\\type32.exe\""
"SunJavaUpdateSched"="\"C:\\Programme\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"NeroFilterCheck"="C:\\Programme\\Gemeinsame Dateien\\Ahead\\Lib\\NeroCheck.exe"
"osCheck"="\"C:\\Programme\\Norton AntiVirus\\osCheck.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"T-Online_Software_6\\WLAN-Access Finder"="C:\\Programme\\T-Online\\WLAN-Access Finder\\ToWLaAcF.exe /StartMinimized"
"Ashampoo Magical Optimizer Taskplaner"="\"C:\\PROGRA~1\\Ashampoo\\ASHAMP~1\\AMO_TA~1.EXE\" -TRAY"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DAEMON Tools Pro Agent"="\"C:\\Programme\\DAEMON Tools Pro\\DTProAgent.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

#22 ««
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als listen.bat mit "Speichern unter" auf dem Desktop. Gebe bei Dateityp "Alle Dateien" an. Du solltest jetzt auf dem Desktop diese Datei finden. --> die listen.bat doppelt klicken--> kopiere den Text, der erscheint

Zitat

cd\
dir "C:\WINDOWS\Downloaded Program Files" >>files.txt
dir "C:\Programme\Common Files" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%" >>files.txt
dir "C:\Program Files" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Lokale Einstellungen\Temporary Internet Files\Content.IE5" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Lokale Einstellungen\Temp" >>files.txt
dir "C:\WINDOWS\Temp" >>files.txt
dir "C:\Temp" >>files.txt
dir "C:\Programme" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Lokale Einstellungen\Anwendungsdaten" >>files.txt
dir "C:\Dokumente und Einstellungen\%UserName%\Anwendungsdaten" >>files.txt
dir "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten" >>files.txt
dir "C:\Programme\Gemeinsame Dateien" >>files.txt
dir "C:\Windows\tasks" >>files.txt
notepad files.txt

««
poste ein neues Log vom HijackThis
__________
MfG Sabina

rund um die PC-Sicherheit

#23 listen.bat =

Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\WINDOWS\Downloaded Program Files

2007-03-26 16:46 5,085 swflash.inf
2007-09-03 09:06 511 tgctlsr.inf
2 Datei(en) 5,596 Bytes
0 Verzeichnis(se), 22,328,414,208 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Programme

Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Dokumente und Einstellungen\BASTARD

2008-04-16 12:19 <DIR> .
2008-04-16 12:19 <DIR> ..
2008-03-13 16:23 248 default.pls
2008-04-17 13:28 <DIR> Desktop
2008-04-17 13:27 <DIR> Eigene Dateien
2008-01-11 11:09 <DIR> Favoriten
2007-07-30 03:34 11,755 hs_err_pid1272.log
2007-06-26 17:21 10,601 hs_err_pid140.log
2007-06-06 22:46 9,606 hs_err_pid144.log
2007-11-27 02:10 10,820 hs_err_pid1916.log
2007-10-10 11:36 10,360 hs_err_pid1920.log
2007-11-06 22:20 10,934 hs_err_pid1928.log
2007-12-05 23:06 11,226 hs_err_pid1932.log
2007-11-28 08:01 10,389 hs_err_pid1944.log
2007-12-05 13:15 10,646 hs_err_pid1948.log
2007-11-08 23:39 10,800 hs_err_pid1976.log
2007-07-02 14:12 9,971 hs_err_pid1984.log
2007-12-10 09:20 10,759 hs_err_pid1988.log
2007-11-21 16:20 10,504 hs_err_pid1992.log
2007-11-17 21:32 11,114 hs_err_pid1996.log
2007-12-12 12:45 10,506 hs_err_pid2000.log
2007-12-11 22:18 10,224 hs_err_pid2004.log
2007-10-04 14:23 10,664 hs_err_pid2008.log
2007-07-04 12:58 11,187 hs_err_pid2012.log
2007-09-21 18:25 9,779 hs_err_pid2016.log
2007-10-11 15:31 11,211 hs_err_pid2020.log
2007-10-09 03:47 11,387 hs_err_pid2024.log
2007-12-13 00:37 11,234 hs_err_pid2028.log
2007-06-07 23:42 9,898 hs_err_pid2032.log
2007-06-24 23:04 11,184 hs_err_pid2040.log
2007-06-03 17:18 10,435 hs_err_pid3328.log
2007-07-30 15:57 11,045 hs_err_pid3484.log
2007-11-21 03:49 11,575 hs_err_pid3524.log
2007-12-06 10:31 11,693 hs_err_pid3768.log
2007-10-12 12:37 10,186 hs_err_pid3856.log
2007-05-06 13:02 11,255 hs_err_pid840.log
2008-04-15 20:18 251,216 IView.exe
2007-04-16 14:28 <DIR> Startmen�
2008-04-15 20:18 357,768 SymXPep2.dll
2008-04-15 20:24 103,776 System_Restore.exe
2007-12-25 19:47 <DIR> WINDOWS
34 Datei(en) 1,035,956 Bytes
7 Verzeichnis(se), 22,328,410,112 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Program Files

2008-01-14 19:26 <DIR> .
2008-01-14 19:26 <DIR> ..
2007-12-17 11:24 <DIR> Gay-Lesbian-Photo
2007-04-16 14:34 <DIR> ICQLite
2008-01-14 19:26 <DIR> InterActual
0 Datei(en) 0 Bytes
5 Verzeichnis(se), 22,328,410,112 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Dokumente und Einstellungen\BASTARD\Lokale Einstellungen\Temporary Internet Files\Content.IE5

Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Dokumente und Einstellungen\BASTARD\Lokale Einstellungen\Temp

2008-04-17 12:51 <DIR> .
2008-04-17 12:51 <DIR> ..
2008-04-17 11:01 9,658 AZU54052.tmp
2008-04-17 11:04 10,341,032 Azureus3.0.5.2.jar
2008-04-14 13:21 127 D653F3EC.TMP
2008-04-17 11:12 <DIR> e4j129.tmp_dir18212
2008-04-17 11:12 <DIR> hsperfdata_BASTARD
2008-04-17 11:59 0 JETF9A7.tmp
2008-04-17 09:34 684 jusched.log
2008-04-17 09:31 16,384 Perflib_Perfdata_1f4.dat
2008-04-17 09:31 16,384 Perflib_Perfdata_f00.dat
2008-04-16 21:21 77,824 swt-gdip-win32-3430.dll
2008-04-16 18:24 323,584 swt-win32-3430.dll
2008-04-17 10:05 <DIR> WAS183A.tmp
2008-04-17 11:55 1,714 wmplog00.sqm
2008-04-17 09:29 <DIR> WPDNSE
2008-04-17 10:05 1,020 ~ROMFN_00000790
11 Datei(en) 10,788,411 Bytes
6 Verzeichnis(se), 22,328,406,016 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\WINDOWS\Temp

2008-04-17 09:31 <DIR> .
2008-04-17 09:31 <DIR> ..
2008-04-14 13:29 127 D653F3EC.TMP
2008-04-17 09:29 255 WGAErrLog.txt
2008-04-17 09:31 409 WGANotify.settings
3 Datei(en) 791 Bytes
2 Verzeichnis(se), 22,328,406,016 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Temp

2007-10-23 08:48 <DIR> .
2007-10-23 08:48 <DIR> ..
0 Datei(en) 0 Bytes
2 Verzeichnis(se), 22,328,406,016 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Programme

2008-04-16 21:34 <DIR> .
2008-04-16 21:34 <DIR> ..
2007-06-22 14:27 <DIR> Adobe
2008-01-16 08:46 <DIR> AGEIA Technologies
2007-04-17 11:24 <DIR> Alcohol Soft
2007-03-30 14:19 1,348,242 Apr2005_d3dx9_25_x64.cab
2007-03-30 14:19 1,079,850 Apr2005_d3dx9_25_x86.cab
2007-03-30 14:19 1,398,718 Apr2006_d3dx9_30_x64.cab
2007-03-30 14:19 1,116,109 Apr2006_d3dx9_30_x86.cab
2007-03-30 14:19 917,318 Apr2006_MDX1_x86.cab
2007-03-30 14:19 4,163,518 Apr2006_MDX1_x86_Archive.cab
2007-03-30 14:19 180,021 Apr2006_XACT_x64.cab
2007-03-30 14:19 133,991 Apr2006_XACT_x86.cab
2007-03-30 14:19 87,989 Apr2006_xinput_x64.cab
2007-03-30 14:19 46,898 Apr2006_xinput_x86.cab
2007-03-30 15:54 702,096 APR2007_d3dx10_33_x64.cab
2007-03-30 15:54 699,466 APR2007_d3dx10_33_x86.cab
2007-03-30 15:54 1,610,998 APR2007_d3dx9_33_x64.cab
2007-03-30 15:54 1,610,311 APR2007_d3dx9_33_x86.cab
2007-03-30 15:54 199,384 APR2007_XACT_x64.cab
2007-03-30 15:54 155,350 APR2007_XACT_x86.cab
2007-03-30 15:54 100,434 APR2007_xinput_x64.cab
2007-03-30 15:54 56,902 APR2007_xinput_x86.cab
2008-02-12 12:17 <DIR> Ascaron Entertainment
2007-10-29 08:12 <DIR> Ashampoo
2007-04-16 15:13 <DIR> ATI Technologies
2007-03-30 14:19 1,351,430 Aug2005_d3dx9_27_x64.cab
2007-03-30 14:19 1,078,532 Aug2005_d3dx9_27_x86.cab
2007-03-30 14:19 183,863 AUG2006_XACT_x64.cab
2007-03-30 14:19 138,195 AUG2006_XACT_x86.cab
2007-03-30 14:19 88,102 AUG2006_xinput_x64.cab
2007-03-30 14:19 47,018 AUG2006_xinput_x86.cab
2007-04-16 20:55 <DIR> Avance Sound Manager
2007-04-16 20:55 <DIR> AvRack
2007-05-24 23:05 <DIR> AVSMedia
2008-04-17 11:12 <DIR> Azureus
2007-03-30 14:19 1,156,363 BDANT.cab
2007-03-30 14:19 976,020 BDAXP.cab
2007-10-10 00:39 <DIR> Bethesda Softworks
2008-01-19 10:33 <DIR> Black Isle
2007-10-02 07:53 <DIR> Combined Community Codec Pack
2007-04-16 13:52 <DIR> ComPlus Applications
2007-12-10 09:40 <DIR> Conference
2008-04-09 08:30 <DIR> CryptIt
2008-01-16 14:02 <DIR> CyberLink
2008-01-24 12:56 <DIR> DAEMON Tools Pro
2007-03-30 14:19 1,358,864 Dec2005_d3dx9_28_x64.cab
2007-03-30 14:19 1,080,344 Dec2005_d3dx9_28_x86.cab
2007-03-30 14:19 213,767 DEC2006_d3dx10_00_x64.cab
2007-03-30 14:19 192,680 DEC2006_d3dx10_00_x86.cab
2007-03-30 14:19 1,572,114 DEC2006_d3dx9_32_x64.cab
2007-03-30 14:19 1,575,336 DEC2006_d3dx9_32_x86.cab
2007-03-30 14:19 193,435 DEC2006_XACT_x64.cab
2007-03-30 14:19 146,559 DEC2006_XACT_x86.cab
2007-09-20 17:38 <DIR> directx
2008-04-13 21:41 <DIR> DivX
2007-03-30 15:38 77,160 DSETUP.dll
2007-03-30 15:38 1,673,576 dsetup32.dll
2007-03-30 15:54 45,302 dxdllreg_x86.cab
2007-03-30 14:19 13,265,040 dxnt.cab
2007-03-30 15:38 503,144 DXSETUP.exe
2007-03-30 15:38 85,883 dxupdate.cab
2007-06-24 18:28 <DIR> Electronic Arts
2007-03-30 14:19 1,248,387 Feb2005_d3dx9_24_x64.cab
2007-03-30 14:19 1,014,113 Feb2005_d3dx9_24_x86.cab
2007-03-30 14:19 1,363,684 Feb2006_d3dx9_29_x64.cab
2007-03-30 14:19 1,085,608 Feb2006_d3dx9_29_x86.cab
2007-03-30 14:19 179,247 Feb2006_XACT_x64.cab
2007-03-30 14:19 133,297 Feb2006_XACT_x86.cab
2007-03-30 14:19 198,275 FEB2007_XACT_x64.cab
2007-03-30 14:19 151,583 FEB2007_XACT_x86.cab
2008-03-04 21:45 <DIR> File Scavenger 3.2
2008-04-09 07:53 <DIR> FlashFXP
2007-07-10 10:19 <DIR> Free WMA to MP3 Converter
2008-01-17 22:41 <DIR> G-Collections
2008-04-15 11:41 <DIR> Gemeinsame Dateien
2008-04-17 12:01 <DIR> ICQ6
2007-06-18 15:17 <DIR> ICQLite
2008-04-15 11:48 <DIR> ICQToolbar
2008-04-12 06:08 <DIR> Inet_Get_2
2008-04-09 15:05 <DIR> Internet Explorer
2008-03-07 19:04 <DIR> Java
2007-03-30 14:19 1,336,890 Jun2005_d3dx9_26_x64.cab
2007-03-30 14:19 1,065,813 Jun2005_d3dx9_26_x86.cab
2007-03-30 14:19 181,745 JUN2006_XACT_x64.cab
2007-03-30 14:19 134,631 JUN2006_XACT_x86.cab
2007-04-25 23:37 <DIR> KalOnlineEng
2008-04-15 11:46 <DIR> Lavasoft
2007-10-13 17:37 <DIR> Messenger
2007-04-16 13:55 <DIR> microsoft frontpage
2008-01-24 16:00 <DIR> Microsoft IntelliType Pro
2007-10-13 17:37 <DIR> Movie Maker
2007-04-16 13:52 <DIR> MSN
2007-04-16 13:51 <DIR> MSN Gaming Zone
2007-05-21 10:08 <DIR> MSXML 4.0
2007-06-24 23:30 <DIR> Nero
2007-10-13 17:37 <DIR> NetMeeting
2008-04-15 10:54 <DIR> Norton AntiVirus
2007-03-30 14:19 86,925 Oct2005_xinput_x64.cab
2007-03-30 14:19 46,247 Oct2005_xinput_x86.cab
2007-03-30 14:19 1,413,862 OCT2006_d3dx9_31_x64.cab
2007-03-30 14:19 1,128,177 OCT2006_d3dx9_31_x86.cab
2007-03-30 14:19 183,321 OCT2006_XACT_x64.cab
2007-03-30 14:19 138,977 OCT2006_XACT_x86.cab
2007-04-16 13:52 <DIR> Online Services
2007-04-16 13:53 <DIR> Online-Dienste
2008-03-05 12:17 <DIR> Ontrack
2007-10-13 17:37 <DIR> OpenOffice.org 2.2
2007-04-16 14:13 <DIR> Opera
2007-06-13 15:02 <DIR> Outlook Express
2007-10-13 17:37 <DIR> ratDVD
2007-07-03 19:04 <DIR> Real
2007-10-13 17:37 <DIR> Real Alternative
2007-09-09 23:25 <DIR> Reality Pump
2008-02-20 11:51 <DIR> ScummVM
2008-04-15 11:59 <DIR> Security Task Manager
2007-04-23 13:23 <DIR> Skype
2007-10-13 17:35 <DIR> Sony Ericsson
2007-08-06 00:57 <DIR> Steam
2008-04-15 10:29 <DIR> Symantec
2007-04-16 14:19 <DIR> T-Online
2008-01-23 21:42 <DIR> THQ
2007-12-01 13:10 <DIR> Virtualdub (Deutsch)
2007-08-06 00:53 <DIR> Winamp
2007-10-13 17:38 <DIR> Windows Media Connect 2
2007-10-13 17:38 <DIR> Windows Media Player
2007-04-18 12:30 <DIR> Windows NT
2007-12-17 10:44 <DIR> Windows Sidebar
2007-10-08 05:23 <DIR> WinIsoPoll
2007-10-13 17:38 <DIR> WinRAR
2007-04-19 00:19 <DIR> WinZip
2007-04-16 13:55 <DIR> xerox
2007-10-13 17:38 <DIR> XMedia Recode
2007-10-22 08:37 <DIR> ZOO Digital Publishing
58 Datei(en) 53,701,104 Bytes
76 Verzeichnis(se), 22,328,389,632 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Dokumente und Einstellungen\BASTARD\Lokale Einstellungen\Anwendungsdaten

2007-07-03 21:16 <DIR> .SIPPS
2007-06-07 02:13 <DIR> Adobe
2007-06-24 23:41 <DIR> Ahead
2008-04-17 09:29 <DIR> ApplicationHistory
2007-10-29 16:31 <DIR> Ashampoo Antivirus
2007-04-16 20:28 <DIR> ATI
2008-04-17 11:13 242,176 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2007-04-16 14:19 140 fusioncache.dat
2007-05-25 10:37 15,856 GDIPFONTCACHEV1.DAT
2007-07-05 00:28 <DIR> Google
2007-04-16 14:56 <DIR> Help
2007-05-12 04:08 <DIR> Identities
2008-01-29 16:45 <DIR> Microsoft
2008-01-16 08:53 <DIR> MyGames
2007-10-10 00:52 <DIR> Oblivion
2007-09-05 13:34 <DIR> ratDVD
2008-03-04 18:07 <DIR> WMTools Downloaded Files
3 Datei(en) 258,172 Bytes
14 Verzeichnis(se), 22,328,397,824 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Dokumente und Einstellungen\BASTARD\Anwendungsdaten

2007-05-16 23:52 <DIR> Adobe
2007-06-28 15:59 <DIR> Ahead
2007-04-16 20:28 <DIR> ATI
2008-04-16 09:05 0 AVSDVDPlayer.m3u
2008-04-17 13:28 <DIR> Azureus
2007-08-04 15:22 <DIR> Command & Conquer 3 Tiberium Wars
2007-06-27 18:00 <DIR> CyberLink
2008-01-24 12:48 <DIR> DAEMON Tools Pro
2007-04-19 00:36 <DIR> DivX
2007-08-23 17:39 <DIR> FlashFXP
2007-12-03 15:34 <DIR> Frater
2007-11-26 04:50 <DIR> GetRight
2007-04-16 14:56 <DIR> Help
2007-06-18 15:17 <DIR> ICQ
2007-04-16 21:22 <DIR> ICQ Toolbar
2007-04-16 14:35 <DIR> ICQLite
2007-04-16 14:10 <DIR> Identities
2007-04-16 14:46 <DIR> Macromedia
2007-09-05 23:31 <DIR> Media Player Classic
2007-06-18 15:16 <DIR> Mozilla
2007-04-26 08:34 <DIR> MusicIP
2008-03-18 15:15 <DIR> OpenOffice.org2
2007-04-16 14:13 <DIR> Opera
2007-07-05 00:28 <DIR> Real
2008-01-21 14:34 <DIR> ScummVM
2007-07-07 20:13 <DIR> Skype
2007-10-22 12:39 <DIR> Sudeki
2007-04-17 15:31 <DIR> Sun
2007-04-16 14:19 <DIR> T-Online
2007-12-03 15:35 <DIR> The Chosen
1 Datei(en) 0 Bytes
29 Verzeichnis(se), 22,328,397,824 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Dokumente und Einstellungen\All Users\Anwendungsdaten

2007-06-22 14:28 <DIR> Adobe
2007-06-27 18:00 <DIR> CyberLink
2008-01-24 12:55 <DIR> DAEMON Tools Pro
2007-10-29 22:16 <DIR> great coal love default
2007-08-20 07:17 <DIR> Internet debug mess great
2008-04-15 11:48 <DIR> Lavasoft
2007-06-16 22:07 <DIR> Real
2008-04-16 11:58 <DIR> SecTaskMan
2007-04-23 13:23 <DIR> Skype
2007-05-21 00:34 <DIR> Sony Ericsson
2008-04-15 11:40 <DIR> Symantec
2007-04-16 14:19 <DIR> T-Online
2007-06-29 17:37 <DIR> TEMP
2007-04-17 23:11 <DIR> Windows Genuine Advantage
2007-04-27 00:45 <DIR> WinZip
0 Datei(en) 0 Bytes
15 Verzeichnis(se), 22,328,393,728 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Programme\Gemeinsame Dateien

2008-04-15 11:41 <DIR> .
2008-04-15 11:41 <DIR> ..
2007-06-22 14:28 <DIR> Adobe
2008-04-08 20:45 <DIR> Ahead
2007-05-24 23:06 <DIR> AVSMedia
2007-04-16 13:52 <DIR> Dienste
2008-04-09 08:30 <DIR> InstallerA
2007-04-25 23:36 <DIR> InstallShield
2007-04-17 15:31 <DIR> Java
2007-08-29 12:03 <DIR> Marmiko Shared
2007-11-24 00:16 <DIR> Microsoft Shared
2007-04-16 13:52 <DIR> MSSoap
2007-07-03 21:16 <DIR> Nero
2007-04-16 14:29 <DIR> ODBC
2007-07-05 00:28 <DIR> Real
2007-04-23 13:23 <DIR> Skype
2007-04-16 14:29 <DIR> SpeechEngines
2007-04-16 14:17 <DIR> SWF Studio
2008-04-16 12:00 <DIR> Symantec Shared
2007-06-13 15:02 <DIR> System
2007-05-21 00:34 <DIR> Teleca Shared
2007-06-02 15:10 <DIR> Totem Shared
2008-04-15 11:45 <DIR> Wise Installation Wizard
2007-07-05 00:28 <DIR> xing shared
0 Datei(en) 0 Bytes
24 Verzeichnis(se), 22,328,393,728 Bytes frei
Datentr„ger in Laufwerk C: ist K--
Volumeseriennummer: 5C99-84CD

Verzeichnis von C:\Windows\tasks

2008-04-15 11:35 596 Norton AntiVirus - Systempr�fung ausf�hren - BASTARD.job
1 Datei(en) 596 Bytes
0 Verzeichnis(se), 22,328,393,728 Bytes frei

hijackthis new log =

Logfile of HijackThis v1.99.1
Scan saved at 13:30, on 2008-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\soundman.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Microsoft IntelliType Pro\type32.exe
C:\Programme\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Ashampoo\ASHAMP~1\AMO_TA~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Opera\Opera.exe
C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\kernel.exe
C:\Programme\T-Online\T-Online_Software_6\Basis-Software\Basis2\sc_watch.exe
C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis2\PROFIL~1.EXE
C:\PROGRA~1\T-Online\T-ONLI~1\Notifier\Notifier.exe
C:\Programme\Winamp\winamp.exe
C:\Programme\Azureus\Azureus.exe
C:\Programme\ICQ6\ICQ.exe
C:\Programme\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Programme\Symantec\LiveUpdate\AUPDATE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Dokumente und Einstellungen\BASTARD\Eigene Dateien\Azureus Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\GEMEIN~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\Programme\FlashFXP\IEFlash.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Programme\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [type32] "C:\Programme\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [osCheck] "C:\Programme\Norton AntiVirus\osCheck.exe"
O4 - HKCU\..\Run: [T-Online_Software_6\WLAN-Access Finder] C:\Programme\T-Online\WLAN-Access Finder\ToWLaAcF.exe /StartMinimized
O4 - HKCU\..\Run: [Ashampoo Magical Optimizer Taskplaner] "C:\PROGRA~1\Ashampoo\ASHAMP~1\AMO_TA~1.EXE" -TRAY
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Programme\DAEMON Tools Pro\DTProAgent.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Outpost Security Suite Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {44990301-3c9d-426d-81df-aab636fa4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9A0E174-9E7D-4447-847C-2179293CAC5F}: NameServer = 217.237.149.205 217.237.151.51
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatisches LiveUpdate - Scheduler (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Programme\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: T-Online WLAN Adapter Steuerungsdienst (MZCCntrl) - Deutsche Telekom AG, Marmiko IT-Solutions GmbH - C:\Programme\Gemeinsame Dateien\Marmiko Shared\MZCCntrl.exe
O23 - Service: NBService - Nero AG - C:\Programme\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPD-LC\symlcsvc.exe

#24 Hallo,

««
http://virus-protect.org/artikel/tools/otmoveIt.html
öffne: OTMoveIt.exe

Kopiere rein: im linken Fenster ,wo steht: Paste Standard List of Files/Folders to be Move

Zitat

C:\Dokumente und Einstellungen\BASTARD\IView.exe
C:\Dokumente und Einstellungen\BASTARD\SymXPep2.dll
C:\Dokumente und Einstellungen\BASTARD\System_Restore.exe
C:\Programme\Inet_Get_2
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\great coal love default
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Internet debug mess great

Klicke auf den Roten MoveIt!


poste hier, was rechts im Fenster erscheint

»»
wende windowsscan an + poste das komplette log
http://virus-protect.org/artikel/tools/windowsscan.html
__________
MfG Sabina

rund um die PC-Sicherheit

#25 wenn ich die OTMoveIt.exe öffne kommt ein fenster wo dann steht cleanUp button dann will der neu starten ist das richtig? komme ja gar nicht dazu das zeug rein zu kopieren.

#26 ««

gvkiller
http://virus-protect.org/artikel/tools/gvkiller.html
Doppelklick GV-Killer und TextEditor wird sich öffnen
kopiere das Unterstehende rein:

Zitat

C:\Dokumente und Einstellungen\BASTARD\IView.exe
C:\Dokumente und Einstellungen\BASTARD\SymXPep2.dll
C:\Dokumente und Einstellungen\BASTARD\System_Restore.exe
C:\Programme\Inet_Get_2
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\great coal love default
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Internet debug mess great

speichere die Daten (Speichern als...)


input.txt - Speichern



Klicke "Kill on reboot" und lass den Rechner neu starten


-------------

wende windowsscan an + poste das komplette log
http://virus-protect.org/artikel/tools/windowsscan.html



«
__________
MfG Sabina

rund um die PC-Sicherheit

#27 das kam dann bei GV Killer

Logfile GV_Killer_01.txt v7.0.7 - Copyright © GV_Soft Guido Vaesen
Rapport datum: 2008-04-17 17:47:52 log van BASTARD , Beheerder van deze computer
Platform: Windows XP Home SP2 DEU Normale modus

BEGIN Geplande taken-----------------------------------------------------------------
C:\WINDOWS\tasks\A6A238739185B47F.job
C:\WINDOWS\tasks\Norton AntiVirus - Systemprüfung ausführen - BASTARD.job
EINDE Geplande taken-----------------------------------------------------------------


Lijst Notify keys--------------------------------------------------------------------
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify
AtiExtEvent Ati2evxx.dll
WgaLogon WgaLogon.dll
Settings
Einde Notify keys--------------------------------------------------------------------

Verklaring Errorcodes----------------------------------------------------------------
code 00 : Bestand is verwijderd.
code 53 : Bestand of map werd niet gevonden op uw PC.
code 70 : Bestand was in gebruik.
code 75 : Services zijn nog geladen of bestand in gebruik.
code M0 : Map is verwijderd.
code ML : Map is volledig leeg gemaakt.
code MN : Map werd niet gevonden op uw PC, is niet leeg gemaakt.
code MV : Map werd niet gevonden op uw PC, is niet verwijderd.
code K0 : Register key is verwijderd.
Einde Errorcodes--------------------------------------------------------------------

BEGIN Inhoud van Input.txt-----------------------------------------------------------
C:\Dokumente und Einstellungen\BASTARD\IView.exe
C:\Dokumente und Einstellungen\BASTARD\SymXPep2.dll
C:\Dokumente und Einstellungen\BASTARD\System_Restore.exe
C:\Programme\Inet_Get_2
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\great coal love default
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Internet debug mess great
EINDE Inhoud van Input.txt-----------------------------------------------------------

00 C:\Dokumente und Einstellungen\BASTARD\IView.exe
00 C:\Dokumente und Einstellungen\BASTARD\SymXPep2.Logfile GV_Killer_01.txt v7.0.7 - Copyright © GV_Soft Guido Vaesen
Rapport datum: 2008-04-17 18:02:02 log van BASTARD , Beheerder van deze computer
Platform: Windows XP Home SP2 DEU Normale modus

BEGIN Geplande taken-----------------------------------------------------------------
C:\WINDOWS\tasks\Norton AntiVirus - Systemprüfung ausführen - BASTARD.job
EINDE Geplande taken-----------------------------------------------------------------


Lijst Notify keys--------------------------------------------------------------------
HKLM\software\microsoft\windows nt\currentversion\winlogon\notify
AtiExtEvent Ati2evxx.dll
WgaLogon WgaLogon.dll
Settings
Einde Notify keys--------------------------------------------------------------------

Verklaring Errorcodes----------------------------------------------------------------
code 00 : Bestand is verwijderd.
code 53 : Bestand of map werd niet gevonden op uw PC.
code 70 : Bestand was in gebruik.
code 75 : Services zijn nog geladen of bestand in gebruik.
code M0 : Map is verwijderd.
code ML : Map is volledig leeg gemaakt.
code MN : Map werd niet gevonden op uw PC, is niet leeg gemaakt.
code MV : Map werd niet gevonden op uw PC, is niet verwijderd.
code K0 : Register key is verwijderd.
Einde Errorcodes--------------------------------------------------------------------

BEGIN Inhoud van Input.txt-----------------------------------------------------------
C:\Dokumente und Einstellungen\BASTARD\IView.exe
C:\Dokumente und Einstellungen\BASTARD\SymXPep2.dll
C:\Dokumente und Einstellungen\BASTARD\System_Restore.exe
C:\Programme\Inet_Get_2
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\great coal love default
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Internet debug mess great
EINDE Inhoud van Input.txt-----------------------------------------------------------

53 C:\Dokumente und Einstellungen\BASTARD\IView.exe
53 C:\Dokumente und Einstellungen\BASTARD\SymXPep2.dll
53 C:\Dokumente und Einstellungen\BASTARD\System_Restore.exe
53 C:\Programme\Inet_Get_2
53 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\great coal love default
53 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Internet debug mess great

;0255372-OEM-0059777-46160=3LJ3057A02

;EINDE GV_Killer ---------------------------------------------------------------------

das bei dem scan

Die 30 neuesten Dateien im Ordner Windows:

***** ***** ***** ***** *****
***** Scanning C:\WINDOWS *****
***** ***** ***** ***** *****

2008-04-17 win.ini 18 03:708
2008-04-17 0.log 18 02:0
2008-04-17 WindowsUpdate.log 18 02:2,035,874
2008-04-17 bootstat.dat 18 01:2,048
2008-04-17 SchedLgU.Txt 17 46:32,290
2008-04-17 wiadebug.log 17 13:216
2008-04-17 NeroDigital.ini 17 01:116
2008-04-17 wiaservc.log 16 18:50
2008-04-17 ntbtlog.txt 09 10:301,178
2008-04-16 system.ini 18 01:227
2008-04-16 PSEXESVC.EXE 17 59:53,248
2008-04-16 wmsetup.log 15 04:140,697
2008-04-15 setupapi.log 10 26:685,918
2008-04-13 setupact.log 21 13:179,065
2008-04-12 cdplayer.ini 23 55:1,375
2008-04-09 iis6.log 15 05:147,531
2008-04-09 ntdtcsetup.log 15 05:194,538
2008-04-09 comsetup.log 15 05:321,809
2008-04-09 imsins.log 15 05:1,355
2008-04-09 ocmsn.log 15 05:49,409
2008-04-09 tsoc.log 15 05:362,721
2008-04-09 KB948881.log 15 05:15,225
2008-04-09 ocgen.log 15 05:449,703
2008-04-09 msgsocm.log 15 05:47,201
2008-04-09 FaxSetup.log 15 05:932,069
2008-04-09 imsins.BAK 15 05:1,355
2008-04-09 KB941693.log 15 05:20,579


Die 50 neuesten Dateien im Ordner Windows\system32:

***** ***** ***** ***** *****
***** Scanning C:\WINDOWS\system32 *****
***** ***** ***** ***** *****

2008-04-17 wpa.dbl 18 03:13,060
2008-04-15 1.htm 11 24:0
2008-04-15 S32EVNT1.DLL 10 29:60,808
2008-04-15 spcxx.clk 07 39:0
2008-04-12 FNTCACHE.DAT 04 36:102,232
2008-04-09 MRT.INI 15 03:127
2008-04-09 svchost.exe 11 27:14,336
2008-04-06 MRT.exe 07 56:19,836,024
2008-03-31 perfh009.dat 06 32:380,350
2008-03-31 perfc009.dat 06 32:52,764
2008-03-31 perfh007.dat 06 32:391,000
2008-03-31 perfc007.dat 06 32:63,580
2008-03-31 PerfStringBackup.INI 06 32:897,954
2008-03-20 win32k.sys 10 03:1,845,376
2008-03-05 MAPISVC.INF 12 18:634
2008-03-01 mshtml.dll 18 24:3,591,680
2008-03-01 wininet.dll 14 54:826,368
2008-03-01 webcheck.dll 14 54:233,472
2008-03-01 urlmon.dll 14 54:1,159,680
2008-03-01 url.dll 14 54:105,984
2008-03-01 pngfilt.dll 14 54:44,544
2008-03-01 occache.dll 14 54:102,912
2008-03-01 mstime.dll 14 54:671,232
2008-03-01 msrating.dll 14 54:193,024
2008-03-01 mshtmled.dll 14 54:478,208
2008-03-01 msfeedsbs.dll 14 53:52,224
2008-03-01 msfeeds.dll 14 53:459,264
2008-03-01 inetcpl.cpl 14 53:1,831,424
2008-03-01 jsproxy.dll 14 53:27,648
2008-03-01 iernonce.dll 14 53:44,544
2008-03-01 iertutil.dll 14 53:267,776
2008-03-01 ieframe.dll 14 53:6,066,176
2008-03-01 iedkcs32.dll 14 53:384,512
2008-03-01 ieaksie.dll 14 53:230,400
2008-03-01 ieakeng.dll 14 53:153,088
2008-03-01 icardie.dll 14 53:63,488
2008-03-01 extmgr.dll 14 53:133,120
2008-03-01 dxtrans.dll 14 53:214,528
2008-03-01 ieapfltr.dll 14 53:383,488
2008-03-01 advpack.dll 14 53:124,928
2008-03-01 dxtmsft.dll 14 53:347,136
2008-02-29 ie4uinit.exe 10 54:70,656
2008-02-22 ieudinit.exe 12 00:13,824
2008-02-21 dtu_de.qm 04 11:3,136
2008-02-21 divxsm.tlb 04 05:4,816
2008-02-21 DivXsm.exe 04 05:524,288
2008-02-21 dsm_de.qm 04 05:10,152


***** ***** ***** ***** *****
***** Scanning C:\WINDOWS\system32\drivers\etc\hosts *****
***** ***** ***** ***** *****

127.0.0.1 localhost



***** ***** ***** ***** *****
***** Scanning Processe *****
***** ***** ***** ***** *****




Microsoft Windows XP [Version 5.1.2600]


http://www.paules-pc-forum.de
***** Malware Team *****


***** Ende des Scans 2008-04-17 um 18:06:25.92 ***

#28 ««
lösche mit GV-Killer oder manuell:

Zitat

C:\1553564877
C:\kbvxxo.exe
C:\mxuxc.exe
C:\WINDOWS\system32\spcxx.clk
C:\WINDOWS\system32\1.htm
C:\WINDOWS\tasks\A6A238739185B47F.job

««
wende sdfix im abgesicherten Modus an + poste den report
http://virus-protect.org/artikel/tools/sdfix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#29 ich denk mal ich soll das ding posten ^^

SDFix: Version 1.171
Run by BASTARD on 2008-04-17 at 20:08

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\155356~1 - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 20:27:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Programme\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:64,db,72,7d,11,c0,7a,f6,11,da,c5,5d,51,fe,12,37,9d,28,2d,a1,17,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,b3,04,e5,9b,77,20,91,f4,af,34,14,d8,05,ca,b1,25,75,..
"hdf12"=hex:aa,62,7a,76,4b,10,b6,80,ff,a0,5d,ef,4c,19,2c,aa,dd,09,20,ae,eb,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:89,ef,a6,28,ab,68,cd,72,e2,da,13,0f,5d,ee,a9,31,01,c9,64,fb,66,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]
"hdf12"=hex:f7,75,58,d7,4b,f6,df,b7,0a,91,76,29,3c,64,47,f3,87,94,52,49,19,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
"p0"="C:\Programme\DAEMON Tools Pro\"
"h0"=dword:00000000
"hdf12"=hex:64,db,72,7d,11,c0,7a,f6,11,da,c5,5d,51,fe,12,37,9d,28,2d,a1,17,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001]
"a0"=hex:20,01,00,00,b3,04,e5,9b,77,20,91,f4,af,34,14,d8,05,ca,b1,25,75,..
"hdf12"=hex:aa,62,7a,76,4b,10,b6,80,ff,a0,5d,ef,4c,19,2c,aa,dd,09,20,ae,eb,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0]
"hdf12"=hex:89,ef,a6,28,ab,68,cd,72,e2,da,13,0f,5d,ee,a9,31,01,c9,64,fb,66,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1]
"hdf12"=hex:f7,75,58,d7,4b,f6,df,b7,0a,91,76,29,3c,64,47,f3,87,94,52,49,19,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\Azureus\\Azureus.exe"="C:\\Programme\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Programme\\ICQ6\\ICQ.exe"="C:\\Programme\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"
"C:\\Programme\\Messenger\\msmsgs.exe"="C:\\Programme\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Programme\\Skype\\Phone\\Skype.exe"="C:\\Programme\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Programme\\FlashFXP\\FlashFXP.exe"="C:\\Programme\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Programme\\Conference\\Conference.dll"="C:\\Programme\\Conference\\Conference.dll:*:Enabled:Audio/Video Conference"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Programme\\FlashFXP\\FlashFXP.exe"="C:\\Programme\\FlashFXP\\FlashFXP.exe:*:Enabled:FlashFXP v3"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 8 Aug 2007 400 A..H. --- "C:\Programme\Gemeinsame Dateien\Symantec Shared\COH\COH32LU.reg"
Wed 8 Aug 2007 403 A..H. --- "C:\Programme\Gemeinsame Dateien\Symantec Shared\COH\COHDLU.reg"
Sun 24 Jun 2007 444 ...HR --- "C:\Dokumente und Einstellungen\BASTARD\Anwendungsdaten\SecuROM\UserData\securom_v7_01.bak"

Finished!

#30 ich verstehe nicht, wieso sdfix das hier geloescht hat:
Trojan Files Found:

C:\155356~1 - Deleted - sollte doch schon lange entfernt sein

««
poste bitte ein neues Log von Combofix
__________
MfG Sabina

rund um die PC-Sicherheit