hallo, habe denke ich ganz dolle mist gebaut und steh nun dumm da. antivir kann ich gar nicht mehr aktivieren weil es sonst nur piepst. habe mal aufgeschrieben was in der quarantäne ist:

TR/PSW.AGENT.YR
TR/Vundo.Gen
BDS/Agent.alm

hier noch mein log file

Logfile of HijackThis v1.99.1
Scan saved at 01:20:55, on 29.02.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Programme\ltmoh\Ltmoh.exe
C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
C:\Programme\Synaptics\SynTP\SynTPLpr.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Java\jre1.6.0_03\bin\jusched.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\ircomm2k.exe
C:\WINDOWS\System32\svchost.exe
C:\DOKUME~1\Vias\LOKALE~1\Temp\Rar$EX00.515\HijackThis.exe
C:\Programme\AntiVir PersonalEdition Classic\avcenter.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\AntiVir PersonalEdition Classic\avcenter.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Programme\Microsoft Office\OFFICE11\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Gamburg provider - {0CA10898-7F98-4709-A479-B8134AB3D9F3} - klsock.dll (file missing)
O2 - BHO: (no name) - {2C0AD99D-B8D2-47A0-95BE-B56E1253585E} - C:\WINDOWS\system32\tussr.dll (file missing)
O2 - BHO: (no name) - {45C2A50F-8F4A-496E-AF02-D0207525BF5A} - C:\WINDOWS\system32\qomkhii.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Programme\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Programme\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programme\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [EPSON Stylus DX4000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBEE.EXE /FU "C:\WINDOWS\TEMP\E_S18A.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [XTNDConnect PC - ErPhn2] C:\PROGRA~1\GEMEIN~1\XCPCSync\TRANSL~1\ErPhn2\ErTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Programme\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [JavaCore] C:\Programme\JavaCore\JavaCore.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'worsock.dll' missing
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programme\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: qomkhii - qomkhii.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Virtueller Infrarot-Kommunikationsanschluß, Dienstprogramm (IrCOMM2kSvc) - Jan Kiszka - C:\WINDOWS\system32\ircomm2k.exe
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programme\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programme\Spyware Doctor\pctsSvc.exe

kann mir bitte jemand helfen? habe natürlich auch gegoogelt aber nur was zum TR/Vundo.Gen gefunden. da stand mit superantispy bekomm ich es weg, hat aber leider nicht funktioniert. danke im vorraus für eure zeit

gruß

Vundofix

* Lade dir vundofix.exe
* Doppelklick VundoFix.exe
* Klicke "Scan" --> Vundo button.
* Nach dem Scannen, klicke den "Remove" Vundo button.
* Man wird nun gefragt, ob man "remove" will --> klicke YES
* Danach werden alle Desktop-Symbole verschwinden
* Dann wird man gefragt, ob der PC neustarten soll --> klicke OK.
* nach dem neustart, navigierst du zur datei C:\vundofix.txt, poste den inhalt
* C:\VundoFix Backups - löschen + Papierkorb leeren
* erstelle ein neues hjt-logfile und poste es.

hallo alexander,
danke das du dich meiner annimmst. habe deine anweisungen befolgt. vundo hat aber nichts gefunden. die desktopsymbole sind auch alle noch da. dazu muss ich sagen das diese symbole ja auch denke ich alle in ordnung gehen da ich gestern in meiner not diese programme alle installiert habe um die viren von meinem computer zu schmeißen. die haben auch alle ziemlich viel gefunden und wurden repariert. allerdings macht mein antivir immer noch terror. hier die textdatei von vundo:

VundoFix V6.7.10

Checking Java version...

Sun Java not detected
Scan started at 09:04:51 29.02.2008

Listing files found while scanning....

No infected files were found.


Beginning removal...


was nun?

grüße

VirutumodeBeGone

1. Download VirtumundoBegone und speichere es auf Deinem Desktop

2 .Jetzt starte im agesicherten Modus .

3, Wenn Du im abgesicherten Modus eingelooggt bist, führe VirtumundoBeGone durch einen Doppleklick auf VirtumundoBeGone.exe aus und folge den Anweisungen.

4. Wenn das Programm fertig ist, beende es, starte im normalen Modus neuExit when it has finished, and reboot back to normal mode.

5. Es sollte sich automatisch das Notepad öffnen und das Logfile präsentieren, dieses postest Du in Deinem Thread. Wenn nicht liegt es auf dem Desktop als VBG.txt.

so, habe deine anweisungen befolgt und nun funktioniert nichts mehr im normalen modus... nachdem er mir das logfile gezeigt hat, habe ich ihn runtergefahren und neu gestartet seither sehe ich nurnoch einen schwarzen bildschirm nach dem hochfahren (mouse funktioniert). nach ungefähr 10min erscheint dann das fenster explorer.exe muss beendet werden danach kommt nichts mehr, alles schwarz nur meine mouse funktioniert. hier mein teuer bezahltes logfile:


[02/29/2008, 11:34:16] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\Vias\Desktop\VirtumundoBeGone.exe" )
[02/29/2008, 11:34:26] - Detected System Information:
[02/29/2008, 11:34:26] - Windows Version: 5.1.2600, Service Pack 2
[02/29/2008, 11:34:26] - Current Username: Administrator (Admin)
[02/29/2008, 11:34:26] - Windows is in SAFE mode with Networking.
[02/29/2008, 11:34:26] - Searching for Browser Helper Objects:
[02/29/2008, 11:34:26] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/29/2008, 11:34:26] - BHO 2: {0CA10898-7F98-4709-A479-B8134AB3D9F3} (Gamburg provider)
[02/29/2008, 11:34:26] - BHO 3: {2C0AD99D-B8D2-47A0-95BE-B56E1253585E} ()
[02/29/2008, 11:34:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/29/2008, 11:34:26] - Checking for HKLM\...\Winlogon\Notify\tussr
[02/29/2008, 11:34:26] - Key not found: HKLM\...\Winlogon\Notify\tussr, continuing.
[02/29/2008, 11:34:26] - BHO 4: {45C2A50F-8F4A-496E-AF02-D0207525BF5A} ()
[02/29/2008, 11:34:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/29/2008, 11:34:26] - Checking for HKLM\...\Winlogon\Notify\qomkhii
[02/29/2008, 11:34:26] - Found: HKLM\...\Winlogon\Notify\qomkhii - This is probably Virtumundo.
[02/29/2008, 11:34:26] - Assigning {45C2A50F-8F4A-496E-AF02-D0207525BF5A} MSEvents Object
[02/29/2008, 11:34:26] - BHO list has been changed! Starting over...
[02/29/2008, 11:34:26] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/29/2008, 11:34:26] - BHO 2: {0CA10898-7F98-4709-A479-B8134AB3D9F3} (Gamburg provider)
[02/29/2008, 11:34:26] - BHO 3: {2C0AD99D-B8D2-47A0-95BE-B56E1253585E} ()
[02/29/2008, 11:34:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/29/2008, 11:34:26] - Checking for HKLM\...\Winlogon\Notify\tussr
[02/29/2008, 11:34:26] - Key not found: HKLM\...\Winlogon\Notify\tussr, continuing.
[02/29/2008, 11:34:26] - BHO 4: {45C2A50F-8F4A-496E-AF02-D0207525BF5A} (MSEvents Object)
[02/29/2008, 11:34:26] - ALERT: Found MSEvents Object!
[02/29/2008, 11:34:26] - BHO 5: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/29/2008, 11:34:26] - BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/29/2008, 11:34:26] - BHO 7: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[02/29/2008, 11:34:26] - Finished Searching Browser Helper Objects
[02/29/2008, 11:34:26] - *** Detected MSEvents Object
[02/29/2008, 11:34:26] - Trying to remove MSEvents Object...
[02/29/2008, 11:34:27] - Terminating Process: IEXPLORE.EXE
[02/29/2008, 11:34:27] - Terminating Process: RUNDLL32.EXE
[02/29/2008, 11:34:27] - Disabling Automatic Shell Restart
[02/29/2008, 11:34:27] - Terminating Process: EXPLORER.EXE
[02/29/2008, 11:34:27] - Suspending the NT Session Manager System Service
[02/29/2008, 11:34:27] - Terminating Windows NT Logon/Logoff Manager
[02/29/2008, 11:34:28] - Re-enabling Automatic Shell Restart
[02/29/2008, 11:34:28] - File to disable: C:\WINDOWS\system32\qomkhii.dll
[02/29/2008, 11:34:28] - Removing HKLM\...\Browser Helper Objects\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}
[02/29/2008, 11:34:28] - Removing HKCR\CLSID\{45C2A50F-8F4A-496E-AF02-D0207525BF5A}
[02/29/2008, 11:34:28] - Adding Kill Bit for ActiveX for GUID: {45C2A50F-8F4A-496E-AF02-D0207525BF5A}
[02/29/2008, 11:34:28] - Deleting ATLEvents/MSEvents Registry entries
[02/29/2008, 11:34:28] - Removing HKLM\...\Winlogon\Notify\qomkhii
[02/29/2008, 11:34:28] - Searching for Browser Helper Objects:
[02/29/2008, 11:34:28] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/29/2008, 11:34:28] - BHO 2: {0CA10898-7F98-4709-A479-B8134AB3D9F3} (Gamburg provider)
[02/29/2008, 11:34:28] - BHO 3: {2C0AD99D-B8D2-47A0-95BE-B56E1253585E} ()
[02/29/2008, 11:34:28] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/29/2008, 11:34:28] - Checking for HKLM\...\Winlogon\Notify\tussr
[02/29/2008, 11:34:28] - Key not found: HKLM\...\Winlogon\Notify\tussr, continuing.
[02/29/2008, 11:34:28] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/29/2008, 11:34:28] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/29/2008, 11:34:28] - BHO 6: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[02/29/2008, 11:34:28] - Finished Searching Browser Helper Objects
[02/29/2008, 11:34:28] - Finishing up...
[02/29/2008, 11:34:28] - A restart is needed.
[02/29/2008, 11:34:28] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[02/29/2008, 11:34:34] - Attempting to Restart via STOP error (Blue Screen!)

[02/29/2008, 11:36:57] - VirtumundoBeGone v1.5 ( "C:\Dokumente und Einstellungen\Vias\Desktop\VirtumundoBeGone.exe" )
[02/29/2008, 11:37:02] - Detected System Information:
[02/29/2008, 11:37:02] - Windows Version: 5.1.2600, Service Pack 2
[02/29/2008, 11:37:02] - Current Username: Vias (Admin)
[02/29/2008, 11:37:02] - Windows is in SAFE mode with Networking.
[02/29/2008, 11:37:02] - Searching for Browser Helper Objects:
[02/29/2008, 11:37:02] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/29/2008, 11:37:02] - BHO 2: {0CA10898-7F98-4709-A479-B8134AB3D9F3} (Gamburg provider)
[02/29/2008, 11:37:02] - BHO 3: {2C0AD99D-B8D2-47A0-95BE-B56E1253585E} ()
[02/29/2008, 11:37:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/29/2008, 11:37:02] - Checking for HKLM\...\Winlogon\Notify\tussr
[02/29/2008, 11:37:02] - Key not found: HKLM\...\Winlogon\Notify\tussr, continuing.
[02/29/2008, 11:37:02] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[02/29/2008, 11:37:02] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/29/2008, 11:37:02] - BHO 6: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[02/29/2008, 11:37:02] - Finished Searching Browser Helper Objects
[02/29/2008, 11:37:02] - Finishing up...
[02/29/2008, 11:37:02] - Nothing found! Exiting...

hoffentlich hast du noch was in petto, trotzdem danke für deine hilfe
gruß

Als erste Maßnahme bitte, wenn möglich, im abgesicherten Modus (ohne Netzwerkunterstüzung) VirtumundoBegone noch einmal laufen lassen.