Die totale Katastrophe, bitte Hilfe!

franco1206 · 02.02.2008, 23:29

Asche auf mein Haupt! Ich habe das programm Kirby Alarm emult und installiert und da ist der Super-Gau losgegangen. Der PC hat sich neugestartet und ab da gehen alle Virus- und Spyprogramme nicht mehr! Norton, Spybot Search&Destroy, ccCleaner, SecurityTaskManager, nicht einmal HijackThis geht! Alle tot! Überall kommt die Meldung: "Das ist nicht ein Win32-gültiges Programm" (so sinngemäß auf Deutsch, denn ich habe ein ital. System installiert). Nur Ad-Aware funktioniert, und Registry Mechanik, aber die helfen nix. Neuinstallation der genannten Programmen war zwecklos, die gehen trotzdem nicht!!! Was soll ich bloß tun?? Jetzt bin ich völlig ohne Schutz!!! Was habe ich da erwischt???

Franco aus Meran

P.S.: andere "normale" Programme (einschließlich IE, Outlook Express, Word etc.) gehen, nur nicht, wie gesagt, die Virus- und Spyprogramme!

myrtille · 03.02.2008, 00:51

Hi,
versuch mal Folgendes:

- Download ComboFix von hier oder hier und speichere die Datei als combo-fix.exe ab
- Mache einen Doppelklick auf combo-fix.exe
- Lass Combofix durcharbeiten, dies kann mehrere Minuten dauern. Erlaube einen Neustart, sollte Combofix ihn wollen.
- Wenn combofix fertig ist, legt es ein Logfile an. Poste dieses Logfile und ein HJT Logfile als nächste Antwort
Achtung: Während Combofix läuft klicke nichts an, und benutze den Rechner nicht.

Ich vermute aber, dass du dir eine Baglevariante eingefangen hast, da würde ich dir dann doch eher eine komplette Neuinstallation deines Rechners empfehlen. Bagle ist böse.

lg myritlle

franco1206 · 03.02.2008, 01:53

hallo myrtille, danke für die hilfe, habe combi-fix laufen lassen, doch vorläufig hat sich an der situation leider nichts geändert, die virus- und spyprogramme gehen immer noch nicht. hier unten das combifix-log (muss ich in 2 blocks schicken, sonst ist der text zu lang - hoffentlich kannst du was damit anfangen, ich verstehe leider gar nix...!). hjt konnte ich nicht machen, weil das programm eben nicht geht.
grüße
franco

ComboFix 08-02.03.1 - User 2008-02-03 0:57:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.39.1040.18.610 [GMT 1:00]
Eseguito da: E:\INSTALLER\Combo-Fix.exe
* Creato nuovo punto di ripristino

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\_000110_.tmp.dll
C:\WINDOWS\system32\drivers\ctl_w32.sys
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\100281.exe
C:\WINDOWS\system32\drivers\down\100937.exe
C:\WINDOWS\system32\drivers\down\102281.exe
C:\WINDOWS\system32\drivers\down\102875.exe
C:\WINDOWS\system32\drivers\down\104312.exe
C:\WINDOWS\system32\drivers\down\105906.exe
C:\WINDOWS\system32\drivers\down\107437.exe
C:\WINDOWS\system32\drivers\down\110984.exe
C:\WINDOWS\system32\drivers\down\111453.exe
C:\WINDOWS\system32\drivers\down\112171.exe
C:\WINDOWS\system32\drivers\down\114000.exe
C:\WINDOWS\system32\drivers\down\120515.exe
C:\WINDOWS\system32\drivers\down\122703.exe
C:\WINDOWS\system32\drivers\down\130437.exe
C:\WINDOWS\system32\drivers\down\135078.exe
C:\WINDOWS\system32\drivers\down\135156.exe
C:\WINDOWS\system32\drivers\down\138343.exe
C:\WINDOWS\system32\drivers\down\139062.exe
C:\WINDOWS\system32\drivers\down\139562.exe
C:\WINDOWS\system32\drivers\down\145546.exe
C:\WINDOWS\system32\drivers\down\146234.exe
C:\WINDOWS\system32\drivers\down\147359.exe
C:\WINDOWS\system32\drivers\down\147890.exe
C:\WINDOWS\system32\drivers\down\149093.exe
C:\WINDOWS\system32\drivers\down\150062.exe
C:\WINDOWS\system32\drivers\down\150343.exe
C:\WINDOWS\system32\drivers\down\152437.exe
C:\WINDOWS\system32\drivers\down\152984.exe
C:\WINDOWS\system32\drivers\down\153671.exe
C:\WINDOWS\system32\drivers\down\154109.exe
C:\WINDOWS\system32\drivers\down\154453.exe
C:\WINDOWS\system32\drivers\down\156484.exe
C:\WINDOWS\system32\drivers\down\156843.exe
C:\WINDOWS\system32\drivers\down\158828.exe
C:\WINDOWS\system32\drivers\down\159718.exe
C:\WINDOWS\system32\drivers\down\160734.exe
C:\WINDOWS\system32\drivers\down\161390.exe
C:\WINDOWS\system32\drivers\down\162078.exe
C:\WINDOWS\system32\drivers\down\162140.exe
C:\WINDOWS\system32\drivers\down\164156.exe
C:\WINDOWS\system32\drivers\down\164390.exe
C:\WINDOWS\system32\drivers\down\164484.exe
C:\WINDOWS\system32\drivers\down\166781.exe
C:\WINDOWS\system32\drivers\down\166875.exe
C:\WINDOWS\system32\drivers\down\166953.exe
C:\WINDOWS\system32\drivers\down\167156.exe
C:\WINDOWS\system32\drivers\down\167984.exe
C:\WINDOWS\system32\drivers\down\168734.exe
C:\WINDOWS\system32\drivers\down\169328.exe
C:\WINDOWS\system32\drivers\down\169468.exe
C:\WINDOWS\system32\drivers\down\169609.exe
C:\WINDOWS\system32\drivers\down\170000.exe
C:\WINDOWS\system32\drivers\down\170031.exe
C:\WINDOWS\system32\drivers\down\170546.exe
C:\WINDOWS\system32\drivers\down\170921.exe
C:\WINDOWS\system32\drivers\down\172218.exe
C:\WINDOWS\system32\drivers\down\173250.exe
C:\WINDOWS\system32\drivers\down\173593.exe
C:\WINDOWS\system32\drivers\down\173843.exe
C:\WINDOWS\system32\drivers\down\173937.exe
C:\WINDOWS\system32\drivers\down\175968.exe
C:\WINDOWS\system32\drivers\down\176343.exe
C:\WINDOWS\system32\drivers\down\176421.exe
C:\WINDOWS\system32\drivers\down\176515.exe
C:\WINDOWS\system32\drivers\down\176546.exe
C:\WINDOWS\system32\drivers\down\177640.exe
C:\WINDOWS\system32\drivers\down\178406.exe
C:\WINDOWS\system32\drivers\down\179765.exe
C:\WINDOWS\system32\drivers\down\180968.exe
C:\WINDOWS\system32\drivers\down\181281.exe
C:\WINDOWS\system32\drivers\down\181406.exe
C:\WINDOWS\system32\drivers\down\181812.exe
C:\WINDOWS\system32\drivers\down\184875.exe
C:\WINDOWS\system32\drivers\down\184953.exe
C:\WINDOWS\system32\drivers\down\185218.exe
C:\WINDOWS\system32\drivers\down\185671.exe
C:\WINDOWS\system32\drivers\down\186453.exe
C:\WINDOWS\system32\drivers\down\188625.exe
C:\WINDOWS\system32\drivers\down\190046.exe
C:\WINDOWS\system32\drivers\down\190625.exe
C:\WINDOWS\system32\drivers\down\190906.exe
C:\WINDOWS\system32\drivers\down\191468.exe
C:\WINDOWS\system32\drivers\down\191937.exe
C:\WINDOWS\system32\drivers\down\192734.exe
C:\WINDOWS\system32\drivers\down\193781.exe
C:\WINDOWS\system32\drivers\down\194015.exe
C:\WINDOWS\system32\drivers\down\194515.exe
C:\WINDOWS\system32\drivers\down\195437.exe
C:\WINDOWS\system32\drivers\down\200578.exe
C:\WINDOWS\system32\drivers\down\203406.exe
C:\WINDOWS\system32\drivers\down\205046.exe
C:\WINDOWS\system32\drivers\down\207453.exe
C:\WINDOWS\system32\drivers\down\208328.exe
C:\WINDOWS\system32\drivers\down\210562.exe
C:\WINDOWS\system32\drivers\down\211203.exe
C:\WINDOWS\system32\drivers\down\212046.exe
C:\WINDOWS\system32\drivers\down\212828.exe
C:\WINDOWS\system32\drivers\down\214218.exe
C:\WINDOWS\system32\drivers\down\215062.exe
C:\WINDOWS\system32\drivers\down\215093.exe
C:\WINDOWS\system32\drivers\down\215687.exe
C:\WINDOWS\system32\drivers\down\215781.exe
C:\WINDOWS\system32\drivers\down\218156.exe
C:\WINDOWS\system32\drivers\down\220562.exe
C:\WINDOWS\system32\drivers\down\221093.exe
C:\WINDOWS\system32\drivers\down\221234.exe
C:\WINDOWS\system32\drivers\down\222375.exe
C:\WINDOWS\system32\drivers\down\223671.exe
C:\WINDOWS\system32\drivers\down\227734.exe
C:\WINDOWS\system32\drivers\down\231640.exe
C:\WINDOWS\system32\drivers\down\234234.exe
C:\WINDOWS\system32\drivers\down\234906.exe
C:\WINDOWS\system32\drivers\down\235781.exe
C:\WINDOWS\system32\drivers\down\235953.exe
C:\WINDOWS\system32\drivers\down\239031.exe
C:\WINDOWS\system32\drivers\down\239843.exe
C:\WINDOWS\system32\drivers\down\240078.exe
C:\WINDOWS\system32\drivers\down\240515.exe
C:\WINDOWS\system32\drivers\down\240906.exe
C:\WINDOWS\system32\drivers\down\247156.exe
C:\WINDOWS\system32\drivers\down\248218.exe
C:\WINDOWS\system32\drivers\down\248671.exe
C:\WINDOWS\system32\drivers\down\250500.exe
C:\WINDOWS\system32\drivers\down\251828.exe
C:\WINDOWS\system32\drivers\down\252765.exe
C:\WINDOWS\system32\drivers\down\255562.exe
C:\WINDOWS\system32\drivers\down\256312.exe
C:\WINDOWS\system32\drivers\down\258046.exe
C:\WINDOWS\system32\drivers\down\259046.exe
C:\WINDOWS\system32\drivers\down\261343.exe
C:\WINDOWS\system32\drivers\down\262953.exe
C:\WINDOWS\system32\drivers\down\264312.exe
C:\WINDOWS\system32\drivers\down\266812.exe
C:\WINDOWS\system32\drivers\down\269281.exe
C:\WINDOWS\system32\drivers\down\271359.exe
C:\WINDOWS\system32\drivers\down\273203.exe
C:\WINDOWS\system32\drivers\down\276187.exe
C:\WINDOWS\system32\drivers\down\276843.exe
C:\WINDOWS\system32\drivers\down\276984.exe
C:\WINDOWS\system32\drivers\down\277453.exe
C:\WINDOWS\system32\drivers\down\277765.exe
C:\WINDOWS\system32\drivers\down\278328.exe
C:\WINDOWS\system32\drivers\down\278453.exe
C:\WINDOWS\system32\drivers\down\282203.exe
C:\WINDOWS\system32\drivers\down\282609.exe
C:\WINDOWS\system32\drivers\down\286484.exe
C:\WINDOWS\system32\drivers\down\286578.exe
C:\WINDOWS\system32\drivers\down\286734.exe
C:\WINDOWS\system32\drivers\down\289703.exe
C:\WINDOWS\system32\drivers\down\313546.exe
C:\WINDOWS\system32\drivers\down\317250.exe
C:\WINDOWS\system32\drivers\down\317937.exe
C:\WINDOWS\system32\drivers\down\321718.exe
C:\WINDOWS\system32\drivers\down\323093.exe
C:\WINDOWS\system32\drivers\down\325328.exe
C:\WINDOWS\system32\drivers\down\328984.exe
C:\WINDOWS\system32\drivers\down\329343.exe
C:\WINDOWS\system32\drivers\down\330031.exe
C:\WINDOWS\system32\drivers\down\334656.exe
C:\WINDOWS\system32\drivers\down\336296.exe
C:\WINDOWS\system32\drivers\down\342906.exe
C:\WINDOWS\system32\drivers\down\349187.exe
C:\WINDOWS\system32\drivers\down\384812.exe
C:\WINDOWS\system32\drivers\down\394703.exe
C:\WINDOWS\system32\drivers\down\406140.exe
C:\WINDOWS\system32\drivers\down\447359.exe
C:\WINDOWS\system32\drivers\down\475500.exe
C:\WINDOWS\system32\drivers\down\478687.exe
C:\WINDOWS\system32\drivers\down\494687.exe
C:\WINDOWS\system32\drivers\down\499140.exe
C:\WINDOWS\system32\drivers\down\539062.exe
C:\WINDOWS\system32\drivers\down\539718.exe
C:\WINDOWS\system32\drivers\down\547015.exe
C:\WINDOWS\system32\drivers\down\549437.exe
C:\WINDOWS\system32\drivers\down\551843.exe
C:\WINDOWS\system32\drivers\down\562796.exe
C:\WINDOWS\system32\drivers\down\565656.exe
C:\WINDOWS\system32\drivers\down\579359.exe
C:\WINDOWS\system32\drivers\down\584609.exe
C:\WINDOWS\system32\drivers\down\585500.exe
C:\WINDOWS\system32\drivers\down\587171.exe
C:\WINDOWS\system32\drivers\down\588750.exe
C:\WINDOWS\system32\drivers\down\612171.exe
C:\WINDOWS\system32\drivers\down\615375.exe
C:\WINDOWS\system32\drivers\down\642781.exe
C:\WINDOWS\system32\drivers\down\66171.exe
C:\WINDOWS\system32\drivers\down\677109.exe
C:\WINDOWS\system32\drivers\down\682125.exe
C:\WINDOWS\system32\drivers\down\72546.exe
C:\WINDOWS\system32\drivers\down\79281.exe
C:\WINDOWS\system32\drivers\down\86359.exe
C:\WINDOWS\system32\drivers\down\89125.exe
C:\WINDOWS\system32\drivers\down\90406.exe
C:\WINDOWS\system32\drivers\down\90578.exe
C:\WINDOWS\system32\drivers\down\91750.exe
C:\WINDOWS\system32\drivers\down\94265.exe
C:\WINDOWS\system32\drivers\down\95781.exe
C:\WINDOWS\system32\drivers\down\96390.exe
C:\WINDOWS\system32\drivers\down\99890.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\init_sys.config
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CTL_W32
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SMTPDRV
-------\LEGACY_SROSA
-------\ctl_w32
-------\smtpdrv
-------\srosa

((((((((((((((((((((((((( Files Creati Da 2008-01-03 al 2008-02-03 )))))))))))))))))))))))))))))))))))
.

franco1206 · 03.02.2008, 01:54

block 2:

2008-02-03 01:04 . 2008-02-03 01:04 <DIR> d-------- C:\WINDOWS\system32\drivers\down
2008-02-03 00:38 . 2008-02-03 00:44 <DIR> d-------- C:\Programmi\Lavasoft
2008-02-02 23:30 . 2008-02-03 00:05 <DIR> d-------- C:\Programmi\SpywareBlaster
2008-02-02 19:07 . 2008-02-02 19:11 32 --a------ C:\WINDOWS\gca631.INI
2008-02-02 19:06 . 2008-02-02 19:06 82 --a------ C:\GCAL.INI
2008-02-02 18:43 . 2008-02-02 18:50 <DIR> d-------- C:\Programmi\WinTer
2008-02-02 18:43 . 2005-05-31 03:55 401,408 --a------ C:\WINDOWS\SwSetupu.exe
2008-02-02 18:34 . 2008-02-02 18:48 <DIR> d-------- C:\Programmi\AgendaPro
2008-01-30 18:26 . 2008-01-30 18:26 <DIR> d-------- C:\Programmi\Computer Artworks
2008-01-29 23:20 . 2008-01-29 23:20 1,440,054 --a------ C:\WINDOWS\todelmer5.bmp
2008-01-27 23:00 . 2008-02-02 16:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-27 23:00 . 2008-01-27 23:00 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-27 18:25 . 2008-01-04 22:58 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-27 18:25 . 2008-01-04 22:58 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-25 21:27 . 2008-01-25 21:27 <DIR> d-------- C:\Programmi\Windows Media Connect 2
2008-01-25 21:25 . 2008-01-25 21:25 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-25 21:25 . 2008-01-25 21:26 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-19 18:27 . 2008-01-21 17:06 5,184,054 --ah----- C:\WINDOWS\system32\toyhide.bmp
2008-01-19 18:26 . 2008-01-19 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\Elaborate Bytes
2008-01-19 18:13 . 2008-01-19 18:26 24 ---hs---- C:\WINDOWS\S5A94EEFC.tmp
2008-01-19 17:57 . 2008-01-19 17:57 <DIR> d-------- C:\Documents and Settings\User\Dati applicazioni\Elaborate Bytes
2008-01-19 15:30 . 2008-01-27 23:01 <DIR> d-------- C:\Documents and Settings\All Users\Dati applicazioni\WhiteCap (Holiday Edition)
2008-01-19 15:29 . 2008-01-19 15:30 <DIR> d-------- C:\Programmi\Winter Fun Pack 2004 for Windows XP
2008-01-19 14:01 . 2008-01-19 14:01 <DIR> d-------- C:\Programmi\Windows XP Fun Pack
2008-01-13 18:53 . 2008-01-04 22:58 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-01-12 17:24 . 2008-01-13 18:55 <DIR> d-------- C:\Documents and Settings\User\Dati applicazioni\DivX
2008-01-12 16:02 . 2008-02-02 18:16 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-01-12 15:50 . 2005-01-04 14:19 2,670,592 --------- C:\WINDOWS\UNNeroVision.exe
2008-01-12 15:50 . 2005-01-07 12:33 135,532 --------- C:\WINDOWS\UNNeroVision.cfg
2008-01-12 15:49 . 2004-07-09 08:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-01-12 15:49 . 2001-06-26 07:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-01-12 15:33 . 2008-01-12 15:33 <DIR> d-------- C:\Programmi\File comuni\Ahead
2008-01-12 15:33 . 2008-01-12 15:49 <DIR> d-------- C:\Programmi\Ahead
2008-01-12 15:33 . 2004-07-26 16:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-01-12 15:33 . 2004-07-26 16:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-01-12 15:33 . 2004-07-26 16:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-01-12 15:33 . 2004-07-26 16:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-01-12 15:33 . 2001-07-09 10:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-12 15:33 . 2004-03-02 16:37 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-01-12 15:33 . 2000-06-26 10:45 106,496 --------- C:\WINDOWS\system32\TwnLib20.dll
2008-01-12 15:33 . 2004-03-02 16:37 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-01-10 17:55 . 2008-01-10 17:55 <DIR> d-------- C:\Programmi\Sony
2008-01-10 17:55 . 2008-01-10 17:55 <DIR> d-------- C:\Documents and Settings\User\Dati applicazioni\Sony
2008-01-10 17:55 . 2001-10-19 15:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2008-01-10 17:55 . 2001-10-19 15:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2008-01-10 17:55 . 2002-10-09 13:21 566,272 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2008-01-10 17:55 . 2001-10-19 15:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2008-01-10 17:55 . 2001-10-19 03:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2008-01-10 17:55 . 2008-01-10 17:55 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2008-01-10 17:54 . 2008-01-10 17:54 <DIR> d-------- C:\Programmi\Sony Setup
2008-01-10 17:44 . 2008-01-10 17:44 121 --a------ C:\WINDOWS\Winchat.ini
2008-01-10 17:21 . 2008-01-10 17:21 <DIR> d-------- C:\Documents and Settings\User\Dati applicazioni\Sonic Foundry
2008-01-10 17:20 . 2008-01-10 17:20 <DIR> d-------- C:\Programmi\Sonic Foundry Setup
2008-01-10 13:30 . 2008-01-10 13:30 <DIR> d-------- C:\Programmi\MUSICMATCH
2008-01-10 13:14 . 2008-01-10 13:14 1,069 --a------ C:\WINDOWS\_isenv31.ini
2008-01-10 13:14 . 2008-01-10 13:14 633 --a------ C:\WINDOWS\_iserr31.ini
2008-01-10 12:47 . 2008-01-10 13:14 256 --a------ C:\WINDOWS\_delis32.ini
2008-01-08 02:16 . 2008-01-08 02:16 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-01-04 22:59 . 2008-01-04 22:59 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-04 22:59 . 2008-01-04 22:59 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-04 22:58 . 2008-01-04 22:58 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 22:58 . 2008-01-04 22:58 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-04 22:58 . 2008-01-04 22:58 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-04 22:56 . 2008-01-04 22:56 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 22:56 . 2008-01-04 22:56 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 00:04 --------- d-----w C:\Programmi\eMule
2008-02-03 00:04 --------- d-----w C:\Programmi\ClipMemAdvanced
2008-02-02 23:43 --------- d-----w C:\Programmi\File comuni\Wise Installation Wizard
2008-02-02 23:07 --------- d-----w C:\Programmi\File comuni\Symantec Shared
2008-02-02 23:06 --------- d-----w C:\Programmi\Symantec
2008-02-02 23:06 --------- d-----w C:\Programmi\Spybot - Search & Destroy
2008-02-02 23:06 --------- d-----w C:\Programmi\Registry Repair
2008-02-02 22:58 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Symantec
2008-02-02 09:41 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Retrospect
2008-01-30 17:26 --------- d--h--w C:\Programmi\InstallShield Installation Information
2008-01-27 17:25 --------- d-----w C:\Programmi\DivX
2008-01-16 20:01 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\Lavasoft
2008-01-12 14:59 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\Ahead
2008-01-08 16:34 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\AdobeUM
2008-01-07 13:37 --------- d-----w C:\Programmi\Google
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 21:58 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-01-04 21:58 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-02 19:45 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\SecTaskMan
2008-01-02 15:18 --------- d-----w C:\Programmi\Security Task Manager
2008-01-02 09:57 --------- d-----w C:\Programmi\IKEA HomePlanner
2007-12-30 11:04 --------- d-----w C:\Programmi\Trend Micro
2007-12-30 09:04 3,519,488 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2007-12-17 22:10 --------- d-----w C:\Documents and Settings\User\Dati applicazioni\ClipMemAdvanced
2007-12-17 22:10 --------- d-----w C:\Documents and Settings\All Users\Dati applicazioni\ClipMemAdvanced
2007-12-14 18:58 --------- d-----w C:\Programmi\ATI Technologies
2007-12-13 16:12 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-13 15:48 --------- d-----w C:\Programmi\Ubisoft
2007-12-12 21:31 --------- d-----w C:\Programmi\QuickTime
2007-12-05 13:34 --------- d-----w C:\Programmi\Dirprint
2007-12-05 12:54 --------- d-----w C:\Programmi\Exif Farm
2007-11-15 18:54 1,306,624 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2007-11-11 23:08 1,296,896 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2007-11-07 09:27 727,552 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-04 14:40 17,920 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2007-11-04 14:40 1,290,752 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2007-11-04 14:36 324,096 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2007-11-04 14:36 1,290,752 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2007-11-04 12:33 2,792,960 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2007-11-04 12:33 1,288,704 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2007-11-03 18:51 1,285,632 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2007-11-03 18:45 2,823,680 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-11-03 18:45 1,287,680 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2007-11-03 11:10 3,036,160 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-11-03 11:10 1,272,832 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-11-02 23:00 1,270,272 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-11-01 23:26 2,951,680 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2007-11-01 23:26 1,263,616 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2004-10-01 13:00 40,960 ----a-w C:\Programmi\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2006-08-08 02:04 691043]
"MSMSGS"="C:\Programmi\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 13:00 15360]
"eMuleAutoStart"="C:\Programmi\eMule\emule.exe" [2006-09-14 15:15 5001216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"zBrowser Launcher"="C:\Programmi\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"VirtualCloneDrive"="C:\Programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 14:21 94208]
"Tweak UI 1.33 deutsch"="TWEAKUI.CPL" [2000-10-06 23:13 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"TkBellExe"="C:\Programmi\File comuni\Real\Update_OB\realsched.exe" [2007-10-16 10:39 185632]
"RemoteControl"="C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 19:24 32768]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2007-12-12 22:31 282624]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2005-09-16 08:43 274432]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-09-19 09:41 35328]
"CnxTrApp"="C:\Programmi\StarModem\StarModem USB Network\CnxTrApp.dll" [2003-07-07 10:38 247296]
"CloneCDTray"="C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 14:47 57344]
"AnyDVD"="C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe" [2006-05-02 17:31 469504]
"googletalk"="C:\Programmi\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11:06 11776]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Acrobat Assistant.lnk - C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50 217193]
Adobe Gamma Loader.exe.lnk - C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-09 14:27:00 113664]
Logitech Desktop Messenger.lnk - C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-11-04 15:34:37 156160]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
QuicKeys Engine.lnk - C:\Programmi\CE Software\QuicKeys\QkEngine.exe [2007-11-29 11:35:32 217133]
Winter Fun Wallpaper Changer.lnk.disabled [2008-01-21 17:04:48 2389]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhdn32]
winhdn32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ctl_w32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spywarefighterguard]

R1 SSHDRV84;SSHDRV84;C:\WINDOWS\system32\drivers\SSHDRV84.sys [2007-11-26 13:18]
R2 Utilità di pianificazione di LiveUpdate automatico;Utilità di pianificazione di LiveUpdate automatico;"C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe" [2006-08-03 16:45]
S0 Buu54;Buu54;C:\WINDOWS\system32\drivers\Buu54.sys []
S2 init_3068-6c6c;init_3068-6c6c;C:\WINDOWS\system32\init_3068-6c6c.sys []
S3 SpyFighter;SpyFighter Guard Device;C:\Programmi\SPYWAREfighter\spyfighter.sys []
S4 SPYWAREfighterRP;SPYWAREfighterRP;"C:\Programmi\SPYWAREfighter\spfprc.exe" []

.
Contenuto della cartella 'Scheduled Tasks'
"2008-01-22 22:39:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmi\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 01:04:14
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\Dantz\Retrospect\retrorun.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Programmi\ClipMemAdvanced\clipmem.exe
C:\PROGRA~1\CESOFT~1\QuicKeys\QKAPPS~1.EXE
C:\Programmi\iPod\bin\iPodService.exe
.
**************************************************************************
.
Ora fine scansione: 2008-02-03 1:09:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 00:09:16
.
2008-01-30 09:12:21 --- E O F ---

myrtille · 03.02.2008, 02:03

Hi,
das gröbste sollte geschafft sein, es bleibt allerdings noch einiges zu tun.
Mache daher bitte noch einen OnlineScan mit kapersky

Lies dir die Meldung anfangs aufmerksam durch. Besitzt du Kapersky als installiertes Antivirenprogramm? Nutzt du den IE? Hast du den notwendigen Internetzugang?

Das erstellte Log dann bitte hier posten.

Die Dateien, die du bisher nicht ausführen konntest wurden von Bagle modifiziert. Die beschädigten Programmen müssen alle deinstalliert und neuinstalliert werden.
Je nachdem ist es evtl für dich einfacher den Rechner komplett neuzuinstallieren?

Ich schau mir dein Log nochmal genauer an und melde mich nochmal.

lg myrtille

franco1206 · 04.02.2008, 13:44

hallo wieder myrtille! hat ein bisschen gedauert, doch hier bin ich. also: kaspersky hat (wie du siehst im anhang) eine datei/virus mit namen QKkbdhk.dll gefunden, die habe ich händisch entfernt -ich besitze nicht kaspersky, sondern norton- danach ließen sich tatsächlich alle antispy-programme (spybot, hijackthis etc.) reinstallieren und die funktionieren wieder. so werde ich dir in einer zweiten antwort auch das hjt-log senden können.
das einzige, was sich nicht reinstallieren lässt, ist NORTON (kommt immer eine meldung, dass die installation nicht möglich war). verstehe ich nicht warum. ich habe mir inzwischen die free-version von avira antivir gedownloadet.
noch etwas: spybot findet immer wieder Win32.Agent.bgy und Win32.Bagle.hi - wenn man sie eliminiert, sind sie bei jedem neustart wieder drin.
und avira findet plötzlich eine menge ungeziefer, sehr viele trojans, darunter einige mit "bagle" im namen (soll ich dir da auch das log schicken?).

hier zunächst das kaspersky-log und in der drauffolgenden antwort das hjt-log.

Sonntag, 3. Februar 2008 18:25:17
Betriebssystem: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Version von Kaspersky Online Scanner: 5.0.98.1
Letztes Update der Antiviren-Datenbanken: 3/02/2008
Anzahl der Einträge in den Antiviren-Datenbanken: 546264

Scan-Einstellungen
Folgende Antiviren-Datenbanken zur Untersuchung verwenden Erweiterte
Archive untersuchen ja
Mail-Datenbanken untersuchen ja

Untersuchungsobjekt Kritische Objekte
C:\WINDOWS
C:\DOCUME~1\User\IMPOST~1\Temp\

Untersuchungsergebnisse
Untersuchte Objekte insgesamt 14408
Viren gefunden 1
Infizierte Objekte gefunden 1
Verdächtige Objekte gefunden 0
Untersuchungszeit 00:09:26

Name des infizierten Objekts Virusname Letzte Aktion
C:\WINDOWS\CSC\00000001 Das Objekt ist gesperrt übersprungen

C:\WINDOWS\Debug\PASSWD.LOG Das Objekt ist gesperrt übersprungen

C:\WINDOWS\S5A94EEFC.tmp Das Objekt ist gesperrt übersprungen

C:\WINDOWS\SchedLgU.Txt Das Objekt ist gesperrt übersprungen

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\CatRoot2\edb.log Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\CatRoot2\tmp.edb Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\AppEvent.Evt Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\default Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\default.LOG Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\Internet.evt Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\SAM Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\SAM.LOG Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\SecEvent.Evt Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\SECURITY Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\SECURITY.LOG Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\software Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\software.LOG Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\SysEvent.Evt Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\system Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\config\system.LOG Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\h323log.txt Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\QKkbdhk.dll Infizierte Objekte: not-a-virus:Monitor.Win32.Dafunk übersprungen

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Das Objekt ist gesperrt übersprungen

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Das Objekt ist gesperrt übersprungen

C:\WINDOWS\WindowsUpdate.log Das Objekt ist gesperrt übersprungen

C:\DOCUME~1\User\IMPOST~1\Temp\JET46A9.tmp Das Objekt ist gesperrt übersprungen

C:\DOCUME~1\User\IMPOST~1\Temp\Perflib_Perfdata_120.dat Das Objekt ist gesperrt übersprungen

C:\DOCUME~1\User\IMPOST~1\Temp\~ROMFN_00000720 Das Objekt ist gesperrt übersprungen

Die Untersuchung wurde abgeschlossen.

franco1206 · 04.02.2008, 13:48

fortsetzung. hjt-log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:42:28, on 04.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programmi\eMule\emule.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\ClipMemAdvanced\clipmem.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmi\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Programmi\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Tweak UI 1.33 deutsch] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Programmi\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmi\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Programmi\StarModem\StarModem USB Network\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AnyDVD] C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [googletalk] C:\Programmi\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart
O4 - HKUS\S-1-5-21-602162358-329068152-682003330-1003\..\Run: [swg] C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-602162358-329068152-682003330-1003\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-602162358-329068152-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-602162358-329068152-682003330-1003\..\Run: [eMuleAutoStart] C:\Programmi\eMule\emule.exe -AutoStart (User '?')
O4 - S-1-5-21-602162358-329068152-682003330-1003 Startup: Clipmem Advanced.lnk = C:\Programmi\ClipMemAdvanced\clipmem.exe (User '?')
O4 - Startup: Clipmem Advanced.lnk = C:\Programmi\ClipMemAdvanced\clipmem.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Programmi\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuicKeys Engine.lnk = ?
O4 - Global Startup: Winter Fun Wallpaper Changer.lnk.disabled
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programmi\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/german/partner/de/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://www.musicmatch.com/form/support/tech/diagnostics/cabs/DiagCollectionControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{584BF8EF-DC86-404C-B036-96784E899F04}: NameServer = 212.216.112.112,212.216.172.62
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Programmi\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Programmi\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: Utilità di pianificazione di LiveUpdate automatico - Symantec Corporation - C:\Programmi\Symantec\LiveUpdate\ALUSchedulerSvc.exe

--
End of file - 7577 bytes

myrtille · 04.02.2008, 15:43

Ja, schick mir bitte mal die Logs, also beider sowohl Spybot als auch Antivir.
Mit ein bischen Glück sind die Meldungen nicht weiter dramatisch.

Was mit Norton los ist, weiß ich nicht genau. Hast du das Tool einfach deinstalliert oder einen Remover von Norton benutzt? Evtl sind noch Reste von Norton übrig, die eine Neuinstallierung behindern.
Reste die man zb hier im Log noch sieht:

Zitat:

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

Wenn du jedoch mit Antivir glücklich bist, brauchst du Norton nicht unbedingt zu installieren.

Allerdings zeigt dein Log noch Spuren von weiterem Befall.
Ruf bitte die Seite virustotal auf und gib folgendes in das Fenster ein:

Zitat:

C:\windows\system32\winhdn32.dll

Poste das Ergebnis hier.
Mache bitte auch noch einen Scan mit Blacklight und poste das Ergebnis ebenfalls hier.

lg myrtille

Heike · 04.02.2008, 16:41

Zitat:

Zitat von franco1206

Asche auf mein Haupt! Ich habe das programm Kirby Alarm emult und installiert und da ist der Super-Gau losgegangen.

dann bleibe doch von Warez weg.

das Programm ist klasse und gar nicht teuer, warum bezahlst Du nicht sondern bestiehlst den Coder?

Eigentlich hätte Dir auch schlimmeres passieren können.

have fun,
Heike

franco1206 · 04.02.2008, 18:39

hallo myrtille, danke für deine mühe! bevor ich dir die anderen logs sende, eine frage: ich bin einfach nicht imstande, die datei "C:\windows\system32\winhdn32.dll" zu finden, obwohl ich alles unsichtbare -wirklich alles!- sichtbar gemacht habe. allerdings zeigt mir auch spybot, dass sie als winlogon-prozess aktiv ist (lässt sich aber nicht deaktivieren).
grüße
franco

myrtille · 04.02.2008, 19:15

Ich geh mal davon aus, dass die Datei trotzdem existiert.
Was passiert wenn du den Text "C:\windows\system32\winhdn32.dl" in das weiße Fenster schreibst und auf "send file" klickst?

Bitte auch die andern Logs noch liefern.

lg myrtille

franco1206 · 04.02.2008, 19:30

ach heike, wie bist du streng mit mir! du hast recht, außer der asche auf meinem haupt müsste ich mich von dir auch noch auspeitschen lasssen!
have fun, too!
franco

franco1206 · 04.02.2008, 23:42

hallo myrtille! wenn ich den text C:\windows\system32\winhdn32.dll in das feld eintippe passiert nichts, weil das online-scanner "meine" C:\windows\system32\winhdn32.dll analysieren will - und die finde ich eben nicht. ich sende dir mal das antivir-log (aufgeteilt, weil zu lang):

AntiVir PersonalEdition Classic
Report file date: lunedì 4 febbraio 2008 12:14

Scanning for 1091380 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: XP

Version information:
BUILD.DAT : 270 15603 Bytes 19/09/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 23/08/2007 13:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 16/08/2007 12:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 14/08/2007 15:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 21/08/2007 12:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 10:49:19
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 14/12/2007 10:49:19
ANTIVIR2.VDF : 7.0.2.49 1339904 Bytes 25/01/2008 10:49:20
ANTIVIR3.VDF : 7.0.2.86 285696 Bytes 04/02/2008 10:49:20
AVEWIN32.DLL : 7.6.0.62 3240448 Bytes 04/02/2008 10:49:21
AVWINLL.DLL : 1.0.0.7 14376 Bytes 26/02/2007 10:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 18/07/2007 07:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 13:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 04/02/2008 10:49:21
AVREG.DLL : 7.0.1.6 30760 Bytes 18/07/2007 07:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 28/08/2007 12:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 18/07/2007 07:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 08/03/2007 11:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 07/08/2007 12:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 21/08/2007 12:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 23/07/2007 09:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\programmi\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: lunedì 4 febbraio 2008 12:14

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'SpybotSD.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'retrorun.exe' - '1' Module(s) have been scanned
Scan process 'clipmem.exe' - '1' Module(s) have been scanned
Scan process 'QKAPPS~1.EXE' - '1' Module(s) have been scanned
Scan process 'QkEngine.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'emule.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'mim.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'MMDiag.exe' - '1' Module(s) have been scanned
Scan process 'googletalk.exe' - '1' Module(s) have been scanned
Scan process 'AnyDVD.exe' - '1' Module(s) have been scanned
Scan process 'CloneCDTray.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'EM_EXEC.EXE' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'VCDDaemon.exe' - '1' Module(s) have been scanned
Scan process 'iTouch.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'LEXPPS.EXE' - '1' Module(s) have been scanned
Scan process 'LEXBCES.EXE' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
44 processes with 44 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'E:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '38' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\User\Desktop\QKkbdhk.dll
[DETECTION] Is the Trojan horse TR/Keylog.Dafunk.A.2
[INFO] The file was moved to '4811f4a0.qua'!
C:\Programmi\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[DETECTION] Is the Trojan horse TR/Dldr.Bagle.JD
[INFO] The file was deleted!
C:\QooBox\Quarantine\catchme2008-02-03_ 10343.79.zip
[0] Archive type: ZIP
--> srosa.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
--> wintems.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
--> mdelk.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
--> hldrrr.exe
[DETECTION] Is the Trojan horse TR/Dldr.Bagle.JD
[INFO] The file was moved to '481afbb2.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '480bfbd1.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\wintems.exe.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4814fbd9.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '480afbe1.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\srosa.sys.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '4815fbe9.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\102281.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47d8fbba.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\102875.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47d8fbbd.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\120515.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47d6fbd1.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\122703.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47d8fbdd.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\130437.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47d6fbe0.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\135156.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47dbfbe2.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\169609.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47dffbec.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\180968.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47d6fbf0.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\194515.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47dafbf5.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\205046.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47dbfbee.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\447359.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47ddfbf6.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\478687.exe.vir
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was moved to '47defbfd.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\66171.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47d7fbfe.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\72546.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47dbfbfd.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\79281.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was moved to '47d8fc06.qua'!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\86359.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\91750.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\94265.exe.vir
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP150\A0061695.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '47d70025.qua'!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP150\A0061707.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP150\A0061708.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0061740.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0061741.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0061742.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0061754.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0061831.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0061835.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0061837.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062015.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062016.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062017.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062071.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062072.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062075.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062186.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062190.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062195.dll
[DETECTION] Is the Trojan horse TR/Drop.Klon.G.15.A
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062196.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062201.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062202.exe
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.EY.447
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062203.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062207.exe
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.EY.482
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062212.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062216.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062219.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062220.exe
[DETECTION] Contains detection pattern of the worm WORM/Ntech.AA
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062224.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062225.dll
[DETECTION] Is the Trojan horse TR/Drop.Klon.G.15.A
[INFO] The file was deleted!

franco1206 · 04.02.2008, 23:44

antivir - fortsetzung:

C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062229.exe
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.EY.498
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062230.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062232.dll
[DETECTION] Is the Trojan horse TR/Drop.Klon.G.15.A
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062237.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062239.exe
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.EY.407
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062245.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062248.exe
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.EY.407
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062251.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062254.exe
[DETECTION] Contains detection pattern of the rootkit RKIT/Agent.EY.407
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062255.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062259.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062261.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062264.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062265.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062267.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0062270.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0063305.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0063306.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0063350.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0063351.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP151\A0063352.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP153\A0063641.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP153\A0063642.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP153\A0063643.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP154\A0063733.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP154\A0063734.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP154\A0063736.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP154\A0063737.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP154\A0063738.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP154\A0064016.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP154\A0064019.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP154\A0064052.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP154\A0064064.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP154\A0064068.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064183.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064184.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064192.exe
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064193.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064194.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064196.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064231.exe
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064249.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064267.exe
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064271.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064346.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064348.exe
[DETECTION] Contains detection pattern of the worm WORM/Bagle.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064366.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064369.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064370.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064371.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064375.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064376.exe
[DETECTION] Is the Trojan horse TR/Bagle.Gen.B
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064403.sys
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064404.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064405.exe
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP159\A0064406.exe
[DETECTION] Is the Trojan horse TR/Killav.28714
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP160\A0064661.dll
[DETECTION] Is the Trojan horse TR/Keylog.Dafunk.A.2
[INFO] The file was deleted!
C:\System Volume Information\_restore{2F18CD30-25CD-4477-9A22-F8595E9BC225}\RP160\A0064663.exe
[DETECTION] Is the Trojan horse TR/Dldr.Bagle.JD
[INFO] The file was deleted!
Begin scan in 'E:\' <130 GB>
E:\FOUND.007\FILE0003.CHK
[0] Archive type: ZIP
--> Kirby Alarm Pro 4.42.exe
[DETECTION] Is the Trojan horse TR/Dldr.Bagle.JD
[INFO] The file was deleted!
E:\INSTALLER\CLONE\SetupAnyDVD5911.exe
[DETECTION] Is the Trojan horse TR/Agent.1279046
[INFO] The file was deleted!
E:\INSTALLER\CODECS\AVICodecPackPlus2[Codec-Download.de].exe
[DETECTION] Contains detection pattern of the dropper DR/Webdir.B.7
[INFO] The file was deleted!
E:\INSTALLER\QuicKeys.v2.5.2.Winall.(c)racked-iNFECTED\QkEditor.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was deleted!
E:\INSTALLER\QuicKeys.v2.5.3.Winall.(c)racked-iNFECTED\QkEditor.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was deleted!

End of the scan: lunedì 4 febbraio 2008 13:39
Used time: 1:25:15 min

The scan has been done completely.

7699 Scanning directories
225543 Files were scanned
121 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
96 files were deleted
0 files were repaired
22 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
225422 Files not concerned
1570 Archives were scanned
2 Warnings
17 Notes

tschüs bis bald
franco

franco1206 · 04.02.2008, 23:49

p.s.: spybot-log folgt noch (ich hoffe, spybot liefert es).
good night
franco

04.02.2008, 19:15	#11
myrtille /// TB-Ausbilder	Die totale Katastrophe, bitte Hilfe! Ich geh mal davon aus, dass die Datei trotzdem existiert. Was passiert wenn du den Text "C:\windows\system32\winhdn32.dl" in das weiße Fenster schreibst und auf "send file" klickst? Bitte auch die andern Logs noch liefern. lg myrtille

Die totale Katastrophe, bitte Hilfe!

Plagegeister aller Art und deren Bekämpfung: Die totale Katastrophe, bitte Hilfe!