Bagle das Schw... gibt es wirklivh kein Mittel ihn auszutreiben Das Monster hat mich anheingefallen

meller · 13.10.2011, 14:00

Hallo,

ich bin total geschockt, da ich von Bagle befallen bin. Ich hab alles neu gemacht und mein System gerade neu aufgespielt, kann es nicht glauben, dass ich nun alles neu machen sollte ( wohl am besten...) da der Bagel sich immer weiter auf meinem System verbreitet.

Immer wenn ich hochfahre meldet sich winupgro.exe und wird beim reaustelefonieren geblockt.Systemherstellung ist nicht mehr möglich. (Kann man die vielleicht irgendwo manuell wieder eischalten) Habe Avira Recuse CD laufen , wie auch Kapersky Recuse CD ( damit hab ich bisjetzt jeden bekommen!) , hat viel gefunden aber nichts, immer noch winupgro.exe. Umbennen und löschen von winupgrw.exe ändert nichts, auch nicht seek and destroy. Fies ist der Bagel, das nehm ich ihm persönlich, wenn ich Findykilll im browser eingebe, bootet schließt der Browser, Wenn ich Findykill ausführe bootet der Desktop neu , unglaublich, vielleicht findykill umbenennen. Kann man da nichts machen, das Ding ist doch von 2005, Das glaub ich nicht

Viele Grüße

cosinus · 16.10.2011, 13:53

Zitat:

Ich hab alles neu gemacht und mein System gerade neu aufgespielt

Alles formatiert oder nicht?
Ausführbare Dateien (Programme, Spiele) ausgeführt, die auch vom verseuchten System verarbeitet wurden?

meller · 17.10.2011, 19:01

ICH HAB ETWAS GEFUNDEN, zumindest weis "Er" um "Wen" es sich handelt

Ein klienes DOS Proggy: ComboFix.exe

hxxp://www.computing.net/answers/security/winupgroexe-removal/24091.html

__________<

I don't think Combofix install but run this uninstaller just in case.

Go to start> run> type in combofix /u (note the space after combofix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Rename the setup file, ComboFix, before you download it. To do that once the "enter name of file to save to" box appears as the download begins, in the filename box rename ComboFix to tool.exe> click save.

Please download tool.exe to the desktop from one of the following links:

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any Anti-Malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your antivirus, and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.

Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Dank an jabuck December 23, 2008 at 17:53:50 Pacific

Screens von Proggy , ht so ca. 15 Min Gedauert

hxxp://www.freeimagehosting.net/c540f
hxxp://www.freeimagehosting.net/5a65f
hxxp://www.freeimagehosting.net/71665

Ausserdem spuckt Combofix noch diese log aus:

Combofix Logfile:

Code:

ATTFilter

ComboFix 11-10-17.02 - lianli 17.10.2011  xxxxxxxxxx - x64
Microsoft Windows 7 Professional  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ausgeführt von:: c:\users\lianli\Downloads\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
FW: ZoneAlarm Firewall *Enabled* {D17DF357-CFF5-F001-D1C1-FCD21DFE3D5E}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Neuer Wiederherstellungspunkt wurde erstellt
.
.
((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\INSTALL.LOG
c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe
c:\users\lianli\AppData\Local\Microsoft\Windows\Temporary Internet Files\Chronograph-Clocket4.gadget
c:\users\lianli\AppData\Local\Microsoft\Windows\Temporary Internet Files\Windows12111_ConfigRepository.bin
c:\users\lianli\AppData\Roaming\drivers\downld
c:\users\lianli\AppData\Roaming\drivers\winupgro.exe
c:\windows\IsUn0407.exe
c:\windows\iun6002.exe
.
.
(((((((((((((((((((((((   Dateien erstellt von 2011-09-17 bis 2011-10-17  ))))))))))))))))))))))))))))))
.
.
2011-10-17 17:31 . 2011-10-17 17:31	--------	d-----w-	c:\users\Default\AppData\Local\temp
2011-10-12 22:17 . 2011-10-12 22:31	--------	d---a-w-	C:\Kaspersky Rescue Disk 10.0
2011-10-12 20:39 . 2011-10-12 20:39	--------	d-----w-	c:\programdata\Kaspersky Lab
2011-10-12 19:17 . 2011-10-12 19:17	--------	d-----w-	c:\program files\CDBurnerXP
2011-10-12 19:14 . 2011-10-12 19:15	--------	d-----w-	C:\rsit
2011-10-12 19:14 . 2011-10-12 19:14	--------	d-----w-	c:\program files (x86)\trend micro
2011-10-11 18:43 . 2011-10-11 18:55	--------	d-----w-	c:\users\lianli\AppData\Roaming\HLSW
2011-10-11 18:43 . 2011-10-11 18:43	--------	d-s---w-	c:\program files (x86)\HLSW
2011-10-11 08:51 . 2011-10-11 08:51	--------	d-----w-	C:\MediaMonkey
2011-10-10 22:14 . 2011-10-10 22:14	--------	d-----w-	c:\users\lianli\AppData\Local\ACDSee
2011-10-10 22:14 . 2011-10-10 22:14	--------	d-----w-	c:\users\lianli\AppData\Roaming\ACD Systems
2011-10-10 22:13 . 2011-10-10 22:13	--------	d-----w-	c:\programdata\ACD Systems
2011-10-10 22:13 . 2011-10-10 22:13	--------	d-----w-	c:\program files (x86)\Common Files\ACD Systems
2011-10-10 22:13 . 2011-10-10 22:13	--------	d-----w-	c:\program files (x86)\ACD Systems
2011-10-10 21:57 . 2011-10-10 21:57	--------	d-----w-	c:\program files\notepad2
2011-10-10 18:19 . 2011-10-10 18:21	--------	d-----w-	c:\users\lianli\AppData\Roaming\SmartDraw
2011-10-10 18:18 . 2011-10-10 18:19	--------	d-----w-	c:\program files (x86)\SmartDraw 2009
2011-10-10 12:51 . 2011-10-11 20:03	--------	d-----w-	c:\users\lianli\AppData\Local\MediaMonkey
2011-10-10 12:51 . 2011-10-10 12:59	--------	d-----w-	c:\program files (x86)\MediaMonkey
2011-10-10 12:49 . 2011-10-10 17:50	--------	d-----w-	c:\program files\ProcessExplorer
2011-10-10 12:44 . 2011-10-10 12:44	--------	d-----w-	c:\program files (x86)\Access Lock
2011-10-10 01:00 . 2011-10-10 22:12	--------	d-----w-	c:\windows\Downloaded Installations
2011-10-09 23:43 . 2011-10-09 23:43	--------	d-----w-	c:\program files (x86)\ReflexiveArcade
2011-10-09 23:28 . 2011-10-17 17:31	--------	d--h--w-	c:\users\lianli\AppData\Roaming\drivers
2011-10-09 22:11 . 2011-10-09 22:11	--------	d-----w-	c:\users\lianli\AppData\Local\QlikTech
2011-10-09 22:10 . 2011-10-09 22:10	--------	d-----w-	c:\program files (x86)\QlikView
2011-10-09 22:10 . 2011-10-09 22:10	--------	d-----w-	c:\users\lianli\AppData\Roaming\QlikTech
2011-10-09 22:09 . 2011-10-09 22:09	--------	d-----w-	c:\users\lianli\AppData\Local\Downloaded Installations
2011-10-09 21:15 . 2011-10-09 21:16	--------	d-----w-	c:\program files (x86)\ICQ Status Checker
2011-10-09 21:15 . 2008-11-13 08:26	616024	----a-w-	c:\windows\SysWow64\comctl32.ocx
2011-10-09 21:14 . 2011-10-09 21:17	--------	d-----w-	c:\program files (x86)\ICQ Status Extension
2011-10-09 21:13 . 2009-03-11 23:59	124688	----a-w-	c:\windows\SysWow64\MSWINSCK.OCX
2011-10-09 21:13 . 2011-10-09 21:16	--------	d-----w-	c:\program files (x86)\ICQ Away Reader
2011-10-09 21:04 . 2011-10-09 21:04	--------	d-----w-	c:\program files (x86)\ICQ-Banner-Remover
2011-10-09 21:03 . 2011-10-09 23:48	--------	d-----w-	c:\users\lianli\AppData\Roaming\DesktopIconForAmazon
2011-10-09 20:42 . 2011-10-09 21:17	--------	d-----w-	c:\program files (x86)\SweetIM
2011-10-09 19:37 . 2011-10-09 19:37	--------	d-----w-	c:\users\lianli\AppData\Roaming\TechSmith
2011-10-09 19:35 . 2011-10-09 19:35	--------	d-----w-	c:\programdata\TechSmith
2011-10-09 19:28 . 2011-10-09 19:38	--------	d-----w-	c:\users\lianli\AppData\Local\TechSmith
2011-10-09 19:27 . 2011-10-09 19:43	--------	d-----w-	c:\program files (x86)\TechSmith
2011-10-09 19:22 . 2011-10-09 19:31	--------	d-----w-	c:\program files (x86)\Common Files\Wise Installation Wizard
2011-10-09 18:14 . 2011-10-11 18:18	--------	d-----w-	c:\users\lianli\AppData\Roaming\ICQ
2011-10-09 18:14 . 2011-10-09 18:14	--------	d-----w-	c:\windows\aod
2011-10-09 18:14 . 2011-10-09 21:02	--------	d-----w-	c:\program files (x86)\ICQ
2011-10-09 17:31 . 2011-10-09 17:31	--------	d-----w-	c:\program files (x86)\DAEMON Tools Lite
2011-10-09 17:30 . 2011-10-09 23:49	--------	d-----w-	c:\program files (x86)\DAEMON Tools Toolbar
2011-10-09 17:28 . 2011-10-09 17:31	526392	----a-w-	c:\windows\system32\drivers\sptd.sys
2011-10-09 17:06 . 2011-10-09 17:06	--------	d-----w-	c:\program files\Phantombility
2011-10-09 15:46 . 2011-10-09 15:46	--------	d-----w-	c:\users\lianli\AppData\Local\eMule
2011-10-09 15:46 . 2011-10-09 15:46	--------	d-----w-	c:\programdata\eMule
2011-10-09 15:36 . 2011-10-09 15:36	--------	d-----w-	c:\users\lianli\AppData\Roaming\DAEMON Tools Pro
2011-10-09 15:36 . 2011-10-09 15:36	--------	d-----w-	c:\programdata\DAEMON Tools Pro
2011-10-09 15:06 . 2011-10-09 15:06	--------	d-----w-	c:\users\lianli\AppData\Roaming\Duden
2011-10-08 11:24 . 2011-09-13 00:26	9049936	----a-w-	c:\programdata\Microsoft\Windows Defender\Definition Updates\{2C3365AB-9E33-4B29-B653-7B4286C88DB8}\mpengine.dll
2011-10-08 08:52 . 2011-10-08 11:24	--------	d-----w-	c:\programdata\Spybot - Search & Destroy
2011-10-08 08:52 . 2011-10-08 08:53	--------	d-----w-	c:\program files (x86)\Spybot - Search & Destroy
2011-10-04 00:26 . 2011-10-04 00:26	--------	d-----w-	c:\windows\Sun
2011-10-03 23:13 . 2011-10-03 23:14	--------	d-----w-	c:\users\lianli\AppData\Local\Google
2011-10-03 23:13 . 2011-10-03 23:13	--------	d-----w-	c:\program files (x86)\Google
2011-10-03 22:34 . 2011-10-03 22:34	--------	d-----w-	c:\program files (x86)\Common Files\Java
2011-10-03 22:34 . 2011-10-03 22:34	472808	----a-w-	c:\windows\SysWow64\deployJava1.dll
2011-10-03 22:34 . 2011-10-03 22:34	--------	d-----w-	c:\program files (x86)\Java
2011-10-02 13:27 . 2011-10-11 18:39	--------	d-----w-	c:\program files (x86)\GameSpy Arcade
2011-09-22 16:34 . 2011-09-22 16:40	--------	d-----w-	c:\program files (x86)\filesearchex
2011-09-22 16:00 . 2010-09-30 15:10	34624	----a-w-	c:\windows\system32\TURegOpt.exe
2011-09-22 16:00 . 2010-09-30 15:06	25920	----a-w-	c:\windows\system32\authuitu.dll
2011-09-22 16:00 . 2010-09-30 15:06	21312	----a-w-	c:\windows\SysWow64\authuitu.dll
2011-09-22 16:00 . 2010-09-30 15:06	36160	----a-w-	c:\windows\system32\uxtuneup.dll
2011-09-22 16:00 . 2010-09-30 15:06	29504	----a-w-	c:\windows\SysWow64\uxtuneup.dll
2011-09-22 16:00 . 2011-09-22 16:00	--------	d-----w-	c:\program files (x86)\TuneUp Utilities 2011
2011-09-22 14:37 . 2011-09-22 14:37	--------	d-sh--w-	c:\programdata\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2011-09-22 14:07 . 2011-09-22 14:07	--------	d-----w-	c:\windows\SysWow64\Adobe
2011-09-22 14:07 . 2001-11-14 18:19	16384	----a-w-	c:\windows\SysWow64\FileOps.exe
2011-09-22 14:04 . 2011-09-22 14:06	--------	d-----w-	c:\program files (x86)\Photoshop Elements 2
2011-09-19 17:17 . 2011-10-12 22:18	--------	d--h--w-	c:\windows\msdownld.tmp
2011-09-18 22:28 . 2011-09-18 22:28	--------	d-----w-	c:\program files (x86)\Skillbrains
2011-09-18 20:45 . 2011-09-18 20:45	--------	d-----w-	c:\users\lianli\AppData\Local\CrashRpt
2011-09-18 20:45 . 2011-09-18 20:45	--------	d-----w-	c:\users\lianli\AppData\Local\Arktos
2011-09-18 15:29 . 2011-10-09 23:48	--------	d-----w-	c:\program files (x86)\Microsoft Games for Windows - LIVE
2011-09-18 15:29 . 2011-09-18 15:29	--------	d-----w-	c:\windows\SysWow64\xlive
.
.
.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-16 17:46 . 2011-07-31 11:04	234536	----a-w-	c:\windows\SysWow64\PnkBstrB.xtr
2011-10-16 17:46 . 2011-07-30 16:56	234536	----a-w-	c:\windows\SysWow64\PnkBstrB.exe
2011-10-12 20:20 . 2011-07-26 19:33	25640	----a-w-	c:\windows\gdrv.sys
2011-10-12 20:18 . 2011-07-26 19:33	30528	----a-w-	c:\windows\GVTDrv64.sys
2011-10-08 11:39 . 2011-08-10 14:55	6656	----a-w-	c:\windows\system32\lpcio.dll
2011-10-03 23:13 . 2011-07-01 21:05	404640	----a-w-	c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-09-18 10:14 . 2011-07-26 19:34	25640	----a-w-	c:\windows\etdrv.sys
2011-09-09 13:58 . 2011-03-28 16:36	18328	----a-w-	c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-08-29 16:39 . 2011-07-30 16:56	794408	----a-w-	c:\windows\SysWow64\Pbsvc.exe
2011-08-29 16:39 . 2011-07-30 16:56	75064	----a-w-	c:\windows\SysWow64\PnkBstrA.exe
2011-08-28 16:05 . 2011-08-28 16:05	22	--sha-w-	c:\users\lianli\AppData\Roaming\Sys2662.Config.Repository.bin
2011-07-22 05:42 . 2011-08-10 18:15	2303488	----a-w-	c:\windows\system32\jscript9.dll
2011-07-22 05:36 . 2011-08-10 18:15	1389056	----a-w-	c:\windows\system32\wininet.dll
2011-07-22 05:32 . 2011-08-10 18:15	2382848	----a-w-	c:\windows\system32\mshtml.tlb
2011-07-22 02:54 . 2011-08-10 18:15	1797632	----a-w-	c:\windows\SysWow64\jscript9.dll
2011-07-22 02:48 . 2011-08-10 18:15	1126912	----a-w-	c:\windows\SysWow64\wininet.dll
2011-07-22 02:44 . 2011-08-10 18:15	2382848	----a-w-	c:\windows\SysWow64\mshtml.tlb
.
.
((((((((((((((((((((((((((((   Autostartpunkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt. 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WFGStartup"="c:\program files\World Flash Gold\WFGStartup.exe" [2001-04-04 19968]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-08-02 4910912]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-04-21 281768]
"ZoneAlarm Client"="c:\program files (x86)\Zone Labs\ZoneAlarm\zlclient.exe" [2011-02-18 1043968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
KillerTray.lnk - c:\program files\Bigfoot Networks\Killer Driver\KillerTray.exe [2011-9-10 916992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages	REG_MULTI_SZ   	kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
"Mirabilis ICQ"=c:\progra~2\ICQ\ICQNet.exe
.
R1 sensorsview;sensorsview;c:\program files\SensorsViewPro41\drv\sensorsview32_64.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update-Dienst (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-03 136176]
R2 Killer Port Manager;Killer Port Manager;c:\program files\Bigfoot Networks\Killer Driver\PortManager.exe [2010-01-15 238080]
R3 ALSysIO;ALSysIO;c:\users\lianli\AppData\Local\Temp\ALSysIO64.sys [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [x]
R3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;c:\windows\system32\drivers\BVRPMPR5a64.SYS [x]
R3 cmudaxp;ASUS Xonar D2 Audio Interface;c:\windows\system32\drivers\cmudaxp.sys [x]
R3 EagleX64;EagleX64;c:\windows\system32\drivers\EagleX64.sys [x]
R3 etdrv;etdrv;c:\windows\etdrv.sys [2011-09-18 25640]
R3 gupdatem;Google Update-Dienst (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-03 136176]
R3 GVTDrv64;GVTDrv64;c:\windows\GVTDrv64.sys [2011-10-12 30528]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 X6va005;X6va005;c:\users\lianli\AppData\Local\Temp\005806C.tmp [x]
S0 phmcd;phmcd;c:\windows\system32\DRIVERS\phmcd.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira AntiVir Planer;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-04-21 136360]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesService64.exe [2010-09-30 1967936]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [x]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [x]
S3 MEIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Nv834x64;Killer NIC Gaming Adapter Service;c:\windows\system32\DRIVERS\NetB7x64.sys [x]
S3 NvEdge64;Killer NIC NDIS-Edge Service;c:\windows\system32\DRIVERS\KEd7x64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files (x86)\TuneUp Utilities 2011\TuneUpUtilitiesDriver64.sys [2010-08-19 11856]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
Inhalt des "geplante Tasks" Ordners
.
2011-10-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-03 23:13]
.
2011-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-10-03 23:13]
.
2011-10-17 c:\windows\Tasks\update-S-1-5-21-2690563473-3262397440-2294422468-1000.job
- c:\program files (x86)\Skillbrains\Updater\Updater.exe [2011-09-18 20:09]
.
2011-10-17 c:\windows\Tasks\update-sys.job
- c:\program files (x86)\Skillbrains\Updater\Updater.exe [2011-09-18 20:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio8788"="c:\windows\Syswow64\cmicnfgp.dll" [2009-10-30 8151040]
"Cmaudio8788GX"="c:\windows\syswow64\HsMgr.exe" [2008-07-11 200704]
"Cmaudio8788GX64"="c:\windows\system\HsMgr64.exe" [2008-07-11 282112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
.
------- Zusätzlicher Suchlauf -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: An vorhandene PDF-Datei anfügen - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: In Adobe PDF konvertieren - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Nach Microsoft E&xel exportieren - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Web-Suche - c:\program files (x86)\SweetIM\Toolbars\Internet Explorer\resources\menuext.html
IE: {{7644E42D-B096-457F-8B5B-901238FC81AE} - c:\program files (x86)\ICQ7.6\ICQ.exe
LSP: %SYSTEMROOT%\system32\BfLLR.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\lianli\AppData\Roaming\Mozilla\Firefox\Profiles\wvdvvc2b.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.de/
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
.
Wow6432Node-HKCU-Run-msnmsgr - c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe
WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
AddRemove-Adobe Photoshop Elements 2.0 - c:\windows\ISUN0407.EXE
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
AddRemove-WorldFlashGold Z8 - c:\windows\iun6002.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\X6va005]
"ImagePath"="\??\c:\users\lianli\AppData\Local\Temp\005806C.tmp"
.
--------------------- Gesperrte Registrierungsschluessel ---------------------
.
[HKEY_USERS\S-1-5-21-2690563473-3262397440-2294422468-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3296D94A-332F-4D38-1145-0D45E1A3D6E2}*]
"hamiekphbamolkkj"=hex:6a,61,63,69,6d,62,61,67,63,6d,69,62,70,65,68,66,6b,6d,
   64,70,00,00
"kaecepmmjkohlnhmnlcpbm"=hex:6f,61,66,64,69,63,63,63,65,69,65,6d,65,63,6c,65,
   63,63,68,70,65,62,6d,70,61,6d,66,6d,6e,66,00,ac
"jabegcdjinpkbjobbbdb"=hex:6c,62,62,6b,6b,70,6d,65,64,62,6f,6a,69,67,70,6b,65,
   68,6e,69,66,64,65,6d,61,68,6b,70,6e,68,65,68,62,67,64,69,69,6e,70,67,64,70,\
"iagiclllnhockmhffi"=hex:6a,61,62,69,6a,6c,62,6a,62,67,65,69,6d,62,69,6d,6f,68,
   64,66,00,c0
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10x_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10x.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Zeit der Fertigstellung: 2011-10-17  19:34:05
ComboFix-quarantined-files.txt  2011-10-17 17:34
.
Vor Suchlauf: 11 Verzeichnis(se), 114.800.615.424 Bytes frei
Nach Suchlauf: 16 Verzeichnis(se), 116.894.973.952 Bytes frei
.
- - End Of File - - 72E9DE9032FC2DB2DDD9F8371984E9C0

--- --- ---

Winupgro.exe in Downld:/ aka LCD Screen Protector LCD ist auf jeden Fall nicht mehr da !!!

cosinus · 18.10.2011, 18:18

Zitat:

Ein klienes DOS Proggy: ComboFix.exe

Sry aber das ist Unsinn. Das hat rein garnichts mit DOS zu tun.

Einen ganz klaren Hinweis gibt es auch zu http://www.trojaner-board.de/95175-combofix.html

Zitat:

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden, wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Bagle das Schw... gibt es wirklivh kein Mittel ihn auszutreiben Das Monster hat mich anheingefallen

Plagegeister aller Art und deren Bekämpfung: Bagle das Schw... gibt es wirklivh kein Mittel ihn auszutreiben Das Monster hat mich anheingefallen