Malware of all kinds and its removal: Infected with various Trojans (VundoGen etc.) (Windows 7)
15.05.2008, 12:01 #1
Infected with various Trojans (VundoGen etc.)

Hello, as far as I can tell my computer is infected with three different Trojans: Vundo.Gen, PrivacySet.A, Trash.Gen. ComboFix and MAM have already been run over it, but that did not help much. What can I do? Below are the HijackThis, ComboFix and MAM logs (the MAM log was taken before running the removal). I would be very grateful for any help!

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:47:46, on 15.05.2008
Platform: Unknown Windows (WinNT 6.00.1905 SP1)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Razer\razerofa.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PDFCreator\PDFCreator.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Tino\Downloads\hijackthis\HijackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9E65C92F-E6D4-4027-964C-7B619301CDC1} - C:\Windows\system32\cbXRKBrO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\vtUlLBuR.dll,#1
O4 - HKLM\..\Run: [2204b1e7] rundll32.exe "C:\Windows\system32\qjpujlwn.dll",b
O4 - HKLM\..\Run: [BM2137827b] Rundll32.exe "C:\Windows\system32\pukvhypy.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PDFCreator.lnk = C:\Program Files\PDFCreator\PDFCreator.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix: 
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE890BC3-393B-4DFC-9393-C4B75CF2F1E6}: NameServer = 24.129.114.64,66.92.233.130
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Dell Energieverwaltung der internen Netzwerkkarte (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

MAM:

Malwarebytes' Anti-Malware 1.12
Datenbank Version: 751

Scan Art: Komplett Scan (C:\|D:\|)
Objekte gescannt: 273904
Scan Dauer: 1 hour(s), 30 minute(s), 27 second(s)

Infizierte Speicher Prozesse: 0
Infizierte Speicher Module: 3
Infizierte Registrierungsschlüssel: 8
Infizierte Registrierungswerte: 4
Infizierte Datei Objekte der Registrierung: 2
Infizierte Verzeichnisse: 0
Infizierte Dateien: 9

Infizierte Speicher Prozesse:
(Keine Malware Objekte gefunden)

Infizierte Speicher Module:
C:\Windows\System32\cbXRKBrO.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\qjpujlwn.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\urqQiJAs.dll (Trojan.Vundo) -> No action taken.

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4ba99a30-78e9-442e-a84b-e16a5433a9b2} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{4ba99a30-78e9-442e-a84b-e16a5433a9b2} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2aa0726c-95b7-4216-aa43-b5bdd524892f} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2204b1e7 (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM2137827b (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2aa0726c-95b7-4216-aa43-b5bdd524892f} (Trojan.Vundo) -> No action taken.

Infizierte Datei Objekte der Registrierung:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxrkbro -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxrkbro -> No action taken.

Infizierte Verzeichnisse:
(Keine Malware Objekte gefunden)

Infizierte Dateien:
C:\Windows\System32\cbXRKBrO.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\OrBKRXbc.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\OrBKRXbc.ini2 (Trojan.Vundo) -> No action taken.
C:\Windows\System32\qjpujlwn.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\nwljupjq.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\ci.dll (Trojan.BHO) -> No action taken.
C:\Windows\System32\urqQiJAs.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\pukvhypy.dll (Trojan.Agent) -> No action taken.

Last edited by Sunny (16.05.2008, 19:51)
15.05.2008, 12:02 #2
Infected with various Trojans (VundoGen etc.)

Here is the ComboFix log as well:
ComboFix 08-05-12.1 - Tino 2008-05-15 10:44:02.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1031.18.1128 [GMT 2:00]
ausgeführt von:: C:\Users\Tino\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\nwljupjq.ini
C:\Windows\System32\OrBKRXbc.ini
C:\Windows\System32\OrBKRXbc.ini2

.
((((((((((((((((((((((( Dateien erstellt von 2008-04-15 bis 2008-05-15 ))))))))))))))))))))))))))))))
.

2008-05-15 10:51 . 2008-05-13 11:32 57,344 --a------ C:\Windows\System32\urqQiJAs.dll
2008-05-15 10:51 . 2008-05-15 10:51 294 ---hs---- C:\Windows\System32\nwljupjq.ini
2008-05-15 09:58 . 2008-05-15 09:58 113,664 --a------ C:\Windows\System32\qjpujlwn.dll
2008-05-15 09:52 . 2008-05-15 09:52 123,392 --a------ C:\Windows\System32\pukvhypy.dll
2008-05-14 14:06 . 2008-05-14 14:06 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-05-14 13:24 . 2008-05-14 13:24 <DIR> d-------- C:\Users\All Users\Office Genuine Advantage
2008-05-14 13:24 . 2008-05-14 13:24 <DIR> d-------- C:\ProgramData\Office Genuine Advantage
2008-05-13 17:35 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-05-13 17:35 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-05-13 17:35 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-05-13 17:35 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-05-13 17:35 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-05-13 17:35 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-05-13 17:28 . 2008-05-13 17:28 <DIR> d-------- C:\Program Files\LucasArts
2008-05-13 11:37 . 2008-05-13 11:37 370,176 --a------ C:\Windows\System32\cbXRKBrO.dll
2008-05-13 11:32 . 2008-05-13 11:32 <DIR> d-------- C:\Program Files\DiskTrix
2008-05-05 16:05 . 2008-05-15 09:47 <DIR> d-------- C:\Users\Tino\AppData\Roaming\skypePM
2008-05-05 16:05 . 2008-05-05 16:05 56 --ah----- C:\Windows\System32\ezsidmv.dat
2008-05-05 16:04 . 2008-05-15 10:34 <DIR> d-------- C:\Users\Tino\AppData\Roaming\Skype
2008-05-05 16:03 . 2008-05-05 16:03 <DIR> d-------- C:\Users\All Users\Skype
2008-05-05 16:03 . 2008-05-05 16:03 <DIR> d-------- C:\ProgramData\Skype
2008-05-05 16:03 . 2008-05-05 16:03 <DIR> d-------- C:\Program Files\Skype
2008-05-05 16:03 . 2008-05-05 16:03 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-04-21 09:55 . 2008-04-21 09:55 <DIR> d-------- C:\Users\All Users\Apple
2008-04-21 09:55 . 2008-04-21 09:55 <DIR> d-------- C:\ProgramData\Apple
2008-04-21 09:55 . 2008-04-21 09:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-18 21:53 . 2008-04-18 22:21 <DIR> d-------- C:\Users\All Users\TrackMania
2008-04-18 21:53 . 2008-04-18 22:21 <DIR> d-------- C:\ProgramData\TrackMania
2008-04-17 21:32 . 2008-04-17 21:33 <DIR> d-------- C:\Program Files\CDex_170b2
2008-04-16 15:42 . 2008-04-16 15:45 <DIR> d-------- C:\Program Files\TmNationsForever
2008-04-15 21:01 . 2008-04-15 21:01 <DIR> d-------- C:\Users\Tino\AppData\Roaming\Ubisoft
2008-04-15 20:46 . 2008-04-15 20:46 <DIR> d-------- C:\Users\All Users\Ubisoft
2008-04-15 20:46 . 2008-04-15 20:46 <DIR> d-------- C:\ProgramData\Ubisoft
2008-04-15 20:33 . 2008-04-15 20:33 <DIR> d-------- C:\Program Files\Ubisoft
2008-04-15 20:32 . 2008-04-15 20:32 <DIR> d-------- C:\Users\Tino\AppData\Roaming\InstallShield
2008-04-15 20:32 . 2008-04-15 20:32 54,156 --ah----- C:\Windows\QTFont.qfn
8 Datei(en), . 247,756 C:\ComboFix\Bytes
8 Datei(en), . 247,756 C:\ComboFix\Bytes

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 08:51 352,614 ---ha-w C:\Windows\system32\drivers\vsconfig.xml
2008-05-14 17:01 62,056 ----a-w C:\Users\Tino\AppData\Roaming\nvModes.dat
2008-05-14 10:36 --------- d-----w C:\ProgramData\Google Updater
2008-05-13 15:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 07:56 --------- d-----w C:\Program Files\ICQ6
2008-04-12 09:33 --------- d-----w C:\Program Files\Double Fine Productions
2008-04-09 18:51 --------- d-----w C:\ProgramData\Media Center Programs
2008-04-08 20:43 --------- d-----w C:\Program Files\Windows Mail
2008-04-08 20:42 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-06 21:40 --------- d-----w C:\Program Files\QuickTime
2008-04-06 21:39 --------- d-----w C:\ProgramData\Apple Computer
2008-04-03 11:28 --------- d--h--w C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-04-03 11:25 --------- d-----w C:\Program Files\Stardock Games
2008-04-03 08:56 --------- d-----w C:\Program Files\Crazy Machines II
2008-03-31 11:07 --------- d-----w C:\Program Files\HP
2008-03-29 11:18 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2008-03-28 13:39 20,520 ----a-w C:\Windows\system32\drivers\ggsemc.sys
2008-03-28 13:39 13,352 ----a-w C:\Windows\system32\drivers\ggflt.sys
2008-03-28 13:39 1,419,232 ----a-w C:\Windows\System32\wdfcoinstaller01005.dll
2008-03-28 13:33 --------- d-----w C:\ProgramData\Sony Ericsson
2008-03-28 13:31 --------- d-----w C:\Program Files\Sony Ericsson
2008-03-28 09:43 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-26 18:25 --------- d-----w C:\Program Files\Google
2008-03-25 17:30 --------- d-----w C:\ProgramData\NVIDIA
2008-03-25 17:28 174 --sha-w C:\Program Files\desktop.ini
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Journal
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Defender
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Calendar
2008-03-25 16:57 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-25 16:57 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-21 15:13 --------- d-----w C:\Program Files\The FilmMachine
2008-03-21 13:38 --------- d-----w C:\Users\Tino\AppData\Roaming\Media Player Classic
2008-03-21 13:35 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-03-21 13:13 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-21 10:28 --------- d-----w C:\Users\Tino\AppData\Roaming\Nero
2008-03-21 10:25 --------- d-----w C:\Program Files\Common Files\Nero
2008-03-21 10:22 --------- d-----w C:\ProgramData\Nero
2008-03-21 10:22 --------- d-----w C:\Program Files\Nero
2008-03-20 17:12 --------- d-----w C:\Program Files\THQ
2008-03-20 16:53 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-03-20 12:31 --------- d-----w C:\Program Files\NeroInstall.bak
2008-03-13 13:40 413,696 ----a-w C:\Windows\System32\wrap_oal.dll
2008-03-13 13:40 110,592 ----a-w C:\Windows\System32\OpenAL32.dll
2008-03-03 13:05 54,672 ----a-w C:\Windows\System32\vsutil_loc0407.dll
2008-03-03 13:05 1,086,952 ----a-w C:\Windows\System32\zpeng24.dll
2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-28 16:38 972,072 ----a-w C:\Windows\UNNeroMediaHome.exe
2008-02-26 15:14 972,072 ----a-w C:\Windows\UNRecode.exe
2008-02-22 05:05 615,992 ----a-w C:\Windows\System32\ci.dll
2008-02-22 05:01 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-02-22 04:57 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-02-20 20:16 1,370,112 ----a-w C:\Windows\Internet Logs\xDBACD1.tmp
2008-02-18 15:04 95,600 ----a-w C:\Windows\System32\NeroCo.dll
2007-11-16 17:04 22,328 ----a-w C:\Users\Tino\AppData\Roaming\PnkBstrK.sys
2007-10-17 07:17 76 --sh--r C:\Windows\CT4CET.bin
2006-05-03 09:06 163,328 --sh--r C:\Windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\Windows\System32\msfDX.dll
.

------- Sigcheck -------
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{21165375-4ACD-4562-9640-78D0B0CFD012}]
2008-05-13 11:37 370176 --a------ C:\Windows\system32\cbXRKBrO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 13:09 460784]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 09:33 125952]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 18:07 1828136]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 15:08 136136]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 09:33 202240]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-23 17:45 22058792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 09:38 1008184]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 08:03 17920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-23 07:34 857648]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-08-29 07:54 36864]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-10-17 09:14 77824]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 17:43 118784]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2007-07-18 15:26 775952]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 12:22 221184]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 17:10 184320]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-17 09:38 1862144]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-17 16:59 262401]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 19:21 147456]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 22:52 49152]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-12-04 03:07 61440]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 15:05 959976]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 17:29 2221352]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 11:23 405504]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 22:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 22:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 22:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 22:24 86016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"MSServer"="C:\Windows\system32\urqQiJAs.dll" [2008-05-13 11:32 57344]
"2204b1e7"="C:\Windows\system32\qjpujlwn.dll" [2008-05-15 09:58 113664]
"BM2137827b"="C:\Windows\system32\pukvhypy.dll" [2008-05-15 09:52 123392]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-22 00:13:16 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 22:40:10 210520]
PDFCreator.lnk - C:\Program Files\PDFCreator\PDFCreator.exe [2008-02-09 14:40:55 2641920]
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-10 22:19:24 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\Windows\system32\urqQiJAs.dll [2008-05-13 11:32 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage Setup]
C:\Program Files\DAEMON Tools\AdVantageSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3039615548-3396779488-269229600-1000]
"EnableNotificationsRef"=dword:00000002
"EnableNotifications"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C7D53B8E-EA77-4D96-B36B-C617CDB8686F}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{E83A3957-59E0-442F-863F-5496D736BFA8}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{E4EF0566-FD20-475C-89F3-07439A3513AB}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{323E34C2-2DA2-4994-853F-052A563194DF}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{02245255-FFB9-464C-B4EA-0A69ED922F95}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{BAEF8C3B-7DD0-4049-90EF-370151673BC1}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{7E5FE2F5-2695-4FCB-A696-CA9237B2C438}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{22897FBD-0FB6-49C3-A20B-4CB33E3F2239}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{48AC8F7F-5DDC-47F5-9323-58B51F83CDF6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{563022F6-DDDF-42A0-A9C0-93A0E7AEBD89}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{04D567FD-2BE1-408C-A3D2-2987E2B89FDD}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{A283DDD0-3323-4AC3-9060-109FB7D29CAA}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{18B0FE4D-53C3-4EA5-BF23-5AB9247C3C2B}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{4673354A-FA89-4D39-B64E-14BB246DD0FE}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{B3DA8712-E4A0-434F-97CE-38CE6CF06D6E}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{817DFA6F-A647-4190-B75B-39353A77FD46}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{F32F758C-F57F-4FB6-8F62-0A4966BDBC17}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{A62C46F1-CB33-4FA1-9C6A-8F8B07C66D4D}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{627C14AD-D105-4F3F-A245-1F5D4295949C}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{577525A4-4917-46F2-BDD8-4ABB27140815}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{926A7E26-ED01-42FF-92AA-6A1C46CBA11C}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"TCP Query User{8D4C48F3-BD8F-421B-858F-CE3421A9DE36}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{ABEC8359-5062-431C-A2A2-554A8FD1D639}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{BA8CD49C-D6BA-473A-AAD7-5D06D084E520}"= UDP:C:\Program Files\Eidos\Kane and Lynch Dead Men\kaneandlynch.exe:Kane & Lynch: Dead Men
"{BF850267-E387-4435-A3EB-9DAFFCEE7413}"= TCP:C:\Program Files\Eidos\Kane and Lynch Dead Men\kaneandlynch.exe:Kane & Lynch: Dead Men
"TCP Query User{6EE16975-AA14-406D-AB3E-E16D86FBADF4}C:\\users\\tino\\downloads\\leecher\\leecher.exe"= UDP:C:\users\tino\downloads\leecher\leecher.exe:leecher.exe
"UDP Query User{4356964A-52DA-440F-8ED7-5C53BAEA7D80}C:\\users\\tino\\downloads\\leecher\\leecher.exe"= TCP:C:\users\tino\downloads\leecher\leecher.exe:leecher.exe
"TCP Query User{B779B951-EB47-4D4C-B952-CD374AA29445}C:\\users\\tino\\downloads\\leecher\\leecher.exe"= UDP:C:\users\tino\downloads\leecher\leecher.exe:leecher.exe
"UDP Query User{0CBF8502-5454-4270-97C7-FE50ED1FE845}C:\\users\\tino\\downloads\\leecher\\leecher.exe"= TCP:C:\users\tino\downloads\leecher\leecher.exe:leecher.exe
"TCP Query User{4815342F-F7AD-40EC-9983-3374A8BED78F}C:\\program files\\icq6\\icq.exe"= UDP:C:\program files\icq6\icq.exe:ICQ Library
"UDP Query User{03CBC366-96BD-42FA-923C-828D2B3D97D2}C:\\program files\\icq6\\icq.exe"= TCP:C:\program files\icq6\icq.exe:ICQ Library
"{6125401C-7023-458D-A695-4FF15F5521D5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D4B771DF-F009-4556-9133-B67E5FF862C7}"= UDP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{D05F05BD-53C0-42CC-8821-BDEE1CAF56DE}"= TCP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{BF637F90-0E50-478D-8E0F-FBDE4A610345}"= UDP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{D7F313FF-2643-4052-A82B-4B9312E8115C}"= TCP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{39C5B51D-D733-4640-B980-B19D92712115}"= UDP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{1B88CDE4-FA56-418E-BE8A-6DF5F1A26C2E}"= TCP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{E24874D4-E5AE-43AA-B3A2-BDF75D63E7ED}"= UDP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R.
- Shadow of Chernobyl (SRV) "{EA0B3BB0-68FA-41DA-BCCC-E1133B74ECFF}"= TCP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV) "{4C762CA8-7B21-4D48-B0BF-438D32ABCD3F}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{F7239922-84F5-4F9D-8EBA-30FF7C565AA9}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote "{CB591C8A-3163-4B46-B679-14B7E9D16A1D}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone) "{B89F9E0C-EE04-4F72-B3E1-B213F9483FC9}"= UDP:C:\Program Files\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe:Sins of a Solar Empire "{46211F86-F9B6-4B32-A62E-1ED0662108AC}"= TCP:C:\Program Files\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe:Sins of a Solar Empire "{800BED4C-DCC3-4C3C-AB91-242E804BCF02}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9 "{969EC694-B82F-4733-BB2B-510A3FB5A9DD}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9 "{3426C106-D49B-400C-91B0-1716B3DCD861}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10 "{0CEF7DC3-5729-4531-8595-C0ED851E698D}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10 "{1974DCC9-D7B6-4502-96C5-11A5ABEE151C}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update "{1EBAD838-BC7E-4481-858F-D8E73DA78391}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update "{AA533B53-5160-4E3D-AE53-02D31BF0B126}"= C:\Program Files\Skype\Phone\Skype.exe:Skype [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile] "EnableFirewall"= 0 (0x0) R1 
DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 21:05] R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2007-08-29 14:25] R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23] R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-07-18 15:30] R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 18:03] R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-29 07:55] R3 physX32;physX32;C:\Windows\system32\DRIVERS\physX32.sys [2007-06-26 21:15] S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\system32\DRIVERS\ggflt.sys [2008-03-28 15:39] S3 MTOnlPktAlyX;MTOnlPktAlyX NDIS Protocol Driver;C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis1\MTOnlPktAlyX.SYS [2006-10-09 15:46] S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 09:36] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24f3f125-95e4-11dc-ae40-c027fb8d1625}] \shell\AutoRun\command - F:\Autorun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{928e1849-c023-11dc-81d5-0015c57f2f27}] \shell\verb1\command - desktop.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{954d8e25-819d-11dc-bd1a-0015c57f2f27}] \shell\AutoRun\command - G:\INSTALL.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{954d8e35-819d-11dc-bd1a-0015c57f2f27}] \shell\AutoRun\command - H:\autorun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8048dca-e1f2-11dc-aaf1-0015c57f2f27}] \shell\AutoRun\command - 
F:\PsychoLauncher.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce3bd757-dff0-11dc-b01c-0015c57f2f27}] \shell\AutoRun\command - G:\autorun.exe |
15.05.2008, 12:03 | #3 |
| infected with several trojans (VundoGen etc.) ComboFix part 2:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-15 10:51:27
Windows 6.0.6001 Service Pack 1 NTFS

Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\urqQiJAs.dll

PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\qjpujlwn.dll
-> C:\Windows\system32\pukvhypy.dll
-> C:\Windows\system32\DLAAPI_W.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\wlanext.exe
C:\Windows\System32\conime.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\System32\stacsv.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Razer\razerofa.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\System32\WerFault.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Dell Support Center\gs_agent\dsc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-05-15 10:57:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 08:56:37

14 Verzeichnis(se), 51,815,915,520 Bytes frei
22 Verzeichnis(se), 55,185,670,144 Bytes frei

350 --- E O F --- 2008-05-09 12:30:31
|
15.05.2008, 12:23 | #4 |
/// AVZ-Toolkit Guru | infected with several trojans (VundoGen etc.)

Hello Picketfence.

ComboFix should only be used when an experienced helper has expressly recommended it!!! It is not an all-purpose miracle weapon that removes infections completely; in the hands of an inexperienced user it often only fixes the symptoms and afterwards makes it very difficult to resolve the problem completely.

Your HJT version is outdated and not suitable for VISTA. Please delete it completely from your computer and create a new log following the instructions below.

Creating a HijackThis log
- The tool is available here -> HijackThis
- Save it in a folder of its own! (e.g. c:\Hijackthis\)
- Find the file HiJackThis.exe and rename it to 'This.com' (right-click -> Rename)
- Now start it by double-clicking This.com
- Click the red button "Do a system scan and save a log file"
- After the scan an editor window opens; copy this logfile and paste it into your post in the forum
- Important: search the log file for personal information, such as your real name, and edit it out before you post it.
- All links in the log file should be edited as follows -> e.g. h**p://meine-seite.de. Simply so that nobody gets the idea of clicking on the links.
An illustrated guide can be found in our FAQ section: HJT-Anleitung

Have files checked online:
* Make hidden files visible as well!
* Go to the Virustotal site. Copy the following file path via copy and paste into the input field next to the "Durchsuchen" (Browse) button. Then click "Senden der Datei" (Send file)!
* Alternatively, you can of course pick the file yourself via the "Durchsuchen" button.
Quote:
* Afterwards post the result of the analysis: copy everything and paste it into a post. (Important: copy the file size and the HASH as well!)
__________________ - All assistance given in this forum is provided without warranty or liability - |
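Added example (not code from the thread, from HijackThis or from VirusTotal): a Python triage script for a HijackThis log like the ones posted here. It scores the patterns the helper is about to chase (rundll32 loading a system32 DLL by ordinal or one-letter export, an unnamed BHO, eight-letter consonant-heavy DLL names, a non-Microsoft start page, AppInit_DLLs) and applies the posting rules above by masking the profile name and defanging URLs. The sample log lines are constructed from this thread; the profile name "example" and the score thresholds are assumptions.

```python
"""HijackThis log triage: an added example, not code from the thread, HijackThis or VirusTotal.

Scores the Vundo-style patterns visible in this thread's logs and applies the helper's
posting rules (mask the profile name, defang URLs). Heuristics only: "review" means
look the entry up, "suspicious" means hand it to the helper with the VirusTotal result.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed sample modelled on the HijackThis log posted in this thread; "example" is a placeholder.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.daemonsearch.com/intl/
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9E65C92F-E6D4-4027-964C-7B619301CDC1} - C:\Windows\system32\cbXRKBrO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\vtUlLBuR.dll,#1
O4 - HKLM\..\Run: [2204b1e7] rundll32.exe "C:\Windows\system32\qjpujlwn.dll",b
O4 - HKLM\..\Run: [BM2137827b] Rundll32.exe "C:\Windows\system32\pukvhypy.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
C:\Users\example\Downloads\hijackthis\This.exe
"""

HJT_LINE = re.compile(r"^(?P<kind>[OR]\d+) - (?P<rest>.*)$")
# rundll32 <dll>,<export>, with or without quotes around the DLL path
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
ODD_EXPORT = re.compile(r"#\d+|[A-Za-z]")  # ordinal (#1) or a single letter (b, s)
USER_DIR = re.compile(r"(?i)(\\users\\)[^\\]+(\\)")
URL_SCHEME = re.compile(r"(?i)\bhttp(s?)://")


def random_system32_dll(path: str) -> bool:
    """system32 DLL whose stem is eight letters with at most one vowel (qjpujlwn yes, nvHotkey no)."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    vowels = sum(c in "aeiou" for c in stem.lower())
    return "\\system32\\" in path.lower() and len(stem) == 8 and stem.isalpha() and vowels <= 1


def is_microsoft_default(url: str) -> bool:
    # Also accept URLs the poster has already defanged to h**p://.
    host = urlsplit(re.sub(r"(?i)^h\*\*p", "http", url)).hostname or ""
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def assess(line: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one HijackThis line; (0, []) when nothing matched."""
    score, reasons, dll = 0, [], ""
    m = HJT_LINE.match(line)
    if not m:
        return score, reasons
    kind, rest = m.group("kind"), m.group("rest")
    if kind == "O4" and (r := RUNDLL.search(rest)):
        dll = r.group("dll")
        if ODD_EXPORT.fullmatch(r.group("export")):
            score += 3
            reasons.append("rundll32 loads a DLL by ordinal or one-letter export")
    elif kind == "O2":
        dll = rest.rsplit(" - ", 1)[-1]
        if rest.startswith("BHO: (no name)"):
            score += 2
            reasons.append("browser helper object without a name")
    elif kind == "O20":
        score += 1
        reasons.append("AppInit_DLLs is loaded into every GUI process; confirm the vendor")
    elif kind == "R0" and "Start Page" in rest:
        if not is_microsoft_default(rest.split("=", 1)[-1].strip()):
            score += 1
            reasons.append("IE start page is not a Microsoft default")
    if dll and random_system32_dll(dll):
        score += 1
        reasons.append("eight-letter, consonant-heavy DLL name in system32")
    return score, reasons


def verdict(score: int) -> str:
    return "suspicious" if score >= 3 else "review" if score >= 1 else "ok"


def sanitize(line: str) -> str:
    """Posting rules from the thread: mask the profile name, defang URLs."""
    line = USER_DIR.sub(r"\1****\2", line)
    return URL_SCHEME.sub(lambda m: f"h**p{m.group(1).lower()}://", line)


def triage(log: str) -> list[tuple[str, str, list[str]]]:
    """(verdict, sanitized line, reasons) for every non-empty line, ready to post."""
    out = []
    for raw in (ln.strip() for ln in log.splitlines()):
        if raw:
            score, reasons = assess(raw)
            out.append((verdict(score), sanitize(raw), reasons))
    return out


if __name__ == "__main__":
    for v, line, reasons in triage(SAMPLE_LOG):
        if v != "ok":
            print(f"[{v}] {line}")
            for why in reasons:
                print(f"    - {why}")
```

The name heuristic alone only reaches "review"; it is the combination with an ordinal or one-letter rundll32 export, or an unnamed BHO, that makes an entry "suspicious".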
15.05.2008, 12:37 | #5 |
| infected with several trojans (VundoGen etc.)

Hello, sorry for using ComboFix prematurely. Here are the new HijackThis log and the files:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:31:44, on 15.05.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Razer\razerofa.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PDFCreator\PDFCreator.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Users\****\Downloads\hijackthis\This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://google.daemonsearch.com/intl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9E65C92F-E6D4-4027-964C-7B619301CDC1} - C:\Windows\system32\cbXRKBrO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\vtUlLBuR.dll,#1
O4 - HKLM\..\Run: [2204b1e7] rundll32.exe "C:\Windows\system32\qjpujlwn.dll",b
O4 - HKLM\..\Run: [BM2137827b] Rundll32.exe "C:\Windows\system32\pukvhypy.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PDFCreator.lnk = C:\Program Files\PDFCreator\PDFCreator.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE890BC3-393B-4DFC-9393-C4B75CF2F1E6}: NameServer = 24.129.114.64,66.92.233.130
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Dell Energieverwaltung der internen Netzwerkkarte (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 12776 bytes

File 1:

Datei pukvhypy.dll empfangen 2008.05.15 13:36:02 (CET)
Ergebnis: 7/32 (21.88%)
Antivirus            Version          letzte aktualisierung   Ergebnis
AhnLab-V3            2008.5.15.0      2008.05.15              -
AntiVir              7.8.0.17         2008.05.15              -
Authentium           5.1.0.4          2008.05.15              -
Avast                4.8.1195.0       2008.05.14              -
AVG                  7.5.0.516        2008.05.15              Generic10.XQM
BitDefender          7.2              2008.05.15              -
CAT-QuickHeal        9.50             2008.05.14              -
ClamAV               0.92.1           2008.05.15              -
DrWeb                4.44.0.09170     2008.05.15              -
eSafe                7.0.15.0         2008.05.14              -
eTrust-Vet           31.4.5788        2008.05.14              -
Ewido                4.0              2008.05.14              -
F-Prot               4.4.2.54         2008.05.15              -
F-Secure             6.70.13260.0     2008.05.15              -
Fortinet             3.14.0.0         2008.05.15              -
GData                2.0.7306.1023    2008.05.15              -
Ikarus               T3.1.1.26.0      2008.05.15              Trojan.Win32.Vundo.H
Kaspersky            7.0.0.125        2008.05.15              -
McAfee               5295             2008.05.14              -
Microsoft            1.3408           2008.05.13              -
NOD32v2              3101             2008.05.15              -
Norman               5.80.02          2008.05.14              W32/Virtumonde.VKD
Panda                9.0.0.4          2008.05.14              Suspicious file
Prevx1               V2               2008.05.15              Cloaked Malware
Rising               20.44.30.00      2008.05.15              -
Sophos               4.29.0           2008.05.15              Troj/Virtum-Gen
Sunbelt              3.0.1114.0       2008.05.12              -
Symantec             10               2008.05.15              -
TheHacker            6.2.92.311       2008.05.15              -
VBA32                3.12.6.6         2008.05.14              -
VirusBuster          4.3.26:9         2008.05.14              -
Webwasher-Gateway    6.6.2            2008.05.15              Win32.Malware.gen (suspicious)

weitere Informationen
File size: 123392 bytes
MD5...: f4e1d363f57cda348d00ebff7f46a0b7
SHA1..: 9b31910e265d4f081d376527a20eb51d1c7967f8
SHA256: 19977dcd62b22f4446f6080f15aa50af19d7aa36e87b813979180acf5ff6d588
SHA512: 0075dc3a67df7925287f0988a871012f9c9a5ca6654d4c07b1aaba8cdec62803 2d25587f6cf6199c9fad4eb0d57fce92e19e7898560966459b553cca2d0c2895
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000114b
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name    viradd  virsiz   rawdsiz  ntrpy  md5
.text   0x1000  0x7fd4   0x8000   7.22   cf9d0ce635c27baeefd4503999b19a8a
.rdata  0x9000  0x4327   0x4400   7.89   95f368eb6041abb94460ba02e4ea116f
.data   0xe000  0x1c6f1  0x11a00  7.98   e116489d2fd7a3e69d3943569d7d83d3
( 2 imports )
> user32.dll: DrawIcon, DestroyMenu, CreateIconFromResourceEx, CreateDialogIndirectParamA, CreateAcceleratorTableA, CharUpperA, CharToOemA, BeginPaint
> kernel32.dll: GetLastError, lstrlenA, lstrcpynA, lstrcpyA, lstrcmpiA, lstrcmpA, WriteFile, UnmapViewOfFile, TlsGetValue, EnumResourceLanguagesA, EnumResourceLanguagesW, FindResourceA, FreeResource, GetDateFormatA, GetLocalTime, GetStartupInfoA, GetVersionExA, ReadFile, SetLastError
( 0 exports )
Prevx info: NYLGAXJV.DLL - Prevx
|
15.05.2008, 12:40 | #6 |
| infected with several trojans (VundoGen etc.)

File 2:

Datei cbXRKBrO.dll empfangen 2008.05.15 13:38:58 (CET)
Ergebnis: 6/32 (18.75%)
Antivirus            Version          letzte aktualisierung   Ergebnis
AhnLab-V3            2008.5.15.0      2008.05.15              -
AntiVir              7.8.0.17         2008.05.15              -
Authentium           5.1.0.4          2008.05.15              -
Avast                4.8.1169.0       2008.05.12              -
AVG                  7.5.0.516        2008.05.15              -
BitDefender          7.2              2008.05.15              -
CAT-QuickHeal        9.50             2008.05.14              -
ClamAV               0.92.1           2008.05.15              -
DrWeb                4.44.0.09170     2008.05.15              -
eSafe                7.0.15.0         2008.05.14              -
eTrust-Vet           31.4.5788        2008.05.14              -
Ewido                4.0              2008.05.14              -
F-Prot               4.4.2.54         2008.05.15              -
F-Secure             6.70.13260.0     2008.05.15              -
Fortinet             3.14.0.0         2008.05.15              Adware/VirtuMonde
GData                2.0.7306.1023    2008.05.15              -
Ikarus               T3.1.1.26.0      2008.05.15              -
Kaspersky            7.0.0.125        2008.05.15              -
McAfee               5295             2008.05.14              -
Microsoft            1.3408           2008.05.13              Trojan:Win32/Vundo.AF
NOD32v2              3101             2008.05.15              -
Norman               5.80.02          2008.05.14              -
Panda                9.0.0.4          2008.05.14              Suspicious file
Prevx1               V2               2008.05.15              Malicious Software
Rising               20.44.30.00      2008.05.15              -
Sophos               4.29.0           2008.05.15              Troj/Virtum-Gen
Sunbelt              3.0.1114.0       2008.05.12              -
Symantec             10               2008.05.15              -
TheHacker            6.2.92.311       2008.05.15              -
VBA32                3.12.6.6         2008.05.14              -
VirusBuster          4.3.26:9         2008.05.14              -
Webwasher-Gateway    6.6.2            2008.05.15              Win32.Malware.gen!80 (suspicious)

weitere Informationen
File size: 370176 bytes
MD5...: 0fec7407f92f08c87e21b27a7f587c6a
SHA1..: 902891e96b6ee6486176824afea0d099ae98c4e6
SHA256: f533f8c499cfb6eac8b0366bd8575ab8e53c5bf3b75f00aee2cf7550b3776cf6
SHA512: 0cd78ab382674c9826ffabfd04697e37951183ca8ab79baf190a69da08561d30 79b77cf7da9a845dee8a17001a586d47864a0a0536bee12326f6f723d366f8ba
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x1000116c
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)
( 3 sections )
name    viradd   virsiz   rawdsiz  ntrpy  md5
.text   0x1000   0x84c9   0x8600   7.18   d65abf67944c0cff858bfd58067c3df0
.rdata  0xa000   0x43a51  0x43c00  8.00   cc4342cb09dfbd8fc73c458caa211649
.data   0x4e000  0x4fc29  0xe000   7.99   84d2a3718b6e5c365478622a7e450d0b
( 2 imports )
> user32.dll: DeleteMenu, CreateMenu, CreateIcon, CreateDialogParamA, CreateDesktopA, CreateAcceleratorTableA, CopyRect, CharUpperBuffA, CharUpperA, CharToOemBuffA, CharNextA, BeginPaint
> kernel32.dll: GetSystemTime, lstrlenA, lstrcpynA, lstrcmpiA, WriteFile, TlsSetValue, TlsFree, Sleep, SetLastError, RtlUnwind, RaiseException, OpenFileMappingA, OpenFile, CompareStringA, EnumResourceLanguagesA, FindResourceA, FreeResource, GetLocalTime, GetModuleHandleA, GetTimeFormatA, GetVersion, GetVersionExA, InitializeCriticalSection, LoadLibraryA
( 0 exports )
Prevx info: 60434571.DLL - Prevx
|
15.05.2008, 12:53 | #7 |
/// AVZ-Toolkit Guru | Infected with various trojans (VundoGen etc.)
There is a lot to do on your machine, so we will go step by step: Follow these instructions. Carry out steps 1 and 2 (1. Scan - 2. Clean-up). Repeat these steps until nothing more is found! After that, run this tool in Safe Mode. Please post the VBG log (it is on your desktop) and a fresh HijackThis logfile.
__________________ - All help given in this forum is provided without warranty or liability - |
15.05.2008, 14:05 | #8 |
| Infected with various trojans (VundoGen etc.) So, actually it did not find anything more. After running the scan in Safe Mode and rebooting, AntiVir still keeps warning, though. For now I am sending you the two logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:02:31, on 15.05.2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Razer\razerhid.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PDFCreator\PDFCreator.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Users\****\Downloads\hijackthis\This.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://google.daemonsearch.com/intl/]Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157]MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =h**p://go.microsoft.com/fwlink/?LinkId=54896]Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896]Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157]MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {602C00BA-0CE9-40DD-B749-05C4362B6EBF} - C:\Windows\system32\cbXRKBrO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: {c83f1949-def3-eae9-99e4-252faa4a3d8f} - {f8d3a4aa-f252-4e99-9eae-3fed9491f38c} - C:\Windows\system32\cnecgudk.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pmnkHXrP.dll,#1
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [razer] C:\Program Files\Razer\razerhid.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [2204b1e7] rundll32.exe "C:\Windows\system32\qjpujlwn.dll",b
O4 - HKLM\..\Run: [BM2137827b] Rundll32.exe "C:\Windows\system32\xsalgnuu.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PDFCreator.lnk = C:\Program Files\PDFCreator\PDFCreator.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE890BC3-393B-4DFC-9393-C4B75CF2F1E6}: NameServer = 24.129.114.64,66.92.233.130
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Dell Energieverwaltung der internen Netzwerkkarte (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 12206 bytes

[05/15/2008, 14:57:57] - VirtumundoBeGone v1.5 ( "C:\Users\++++\Desktop\Trojaner\VirtumundoBeGone.exe" )
[05/15/2008, 14:58:03] - Detected System Information:
[05/15/2008, 14:58:03] - Windows Version: 6.0.6001, Service Pack 1
[05/15/2008, 14:58:03] - Current Username: ++++ (Admin)
[05/15/2008, 14:58:03] - Windows is in SAFE mode with Networking.
[05/15/2008, 14:58:03] - Searching for Browser Helper Objects:
[05/15/2008, 14:58:03] - BHO 1: {108CB801-BAEC-4259-A561-8E82D414D693} ()
[05/15/2008, 14:58:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/15/2008, 14:58:03] - Checking for HKLM\...\Winlogon\Notify\cbXRKBrO
[05/15/2008, 14:58:03] - Key not found: HKLM\...\Winlogon\Notify\cbXRKBrO, continuing.
[05/15/2008, 14:58:03] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/15/2008, 14:58:03] - BHO 3: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Anmelde-Hilfsprogramm)
[05/15/2008, 14:58:03] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/15/2008, 14:58:03] - BHO 5: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/15/2008, 14:58:03] - BHO 6: {f8d3a4aa-f252-4e99-9eae-3fed9491f38c} ()
[05/15/2008, 14:58:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/15/2008, 14:58:03] - Checking for HKLM\...\Winlogon\Notify\cnecgudk
[05/15/2008, 14:58:03] - Key not found: HKLM\...\Winlogon\Notify\cnecgudk, continuing.
[05/15/2008, 14:58:03] - Finished Searching Browser Helper Objects
[05/15/2008, 14:58:03] - Finishing up...
[05/15/2008, 14:58:03] - Nothing found! Exiting...

Last edited by Sunny (15.05.2008 at 18:56) Reason: Links removed! Please pay attention to that next time.. |
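Added example, not code from this thread or from HijackThis, VirtumundoBeGone or any other tool named here: a small Python triage script over HijackThis O2/O4 lines. The sample input is eight lines copied from the log above (constructed, embedded inline). It flags the three patterns that log exhibits, a BHO registered with no readable name, a Run entry that makes rundll32 call an ordinal or single-letter export, and a DLL in system32 whose name is exactly eight letters; that last pattern also matches the freshly created System32 DLLs in the ComboFix listing later in the thread. The rule names, regular expressions, the hex-tag check on Run value names and the 8-letter threshold are my own assumptions for triage, not behaviour of any of those tools, and a hit is a reason to look closer, not a verdict.

```python
"""HijackThis log triage for Vundo-style indicators (added example).

Parses the O2 (BHO) and O4 (Run) lines of a HijackThis log and records,
per entry, which of a few heuristic rules fire.  All thresholds and rule
names are assumptions made for this example, not HijackThis behaviour.
"""
import re

# Constructed sample: eight lines copied from the HijackThis log in this post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {602C00BA-0CE9-40DD-B749-05C4362B6EBF} - C:\Windows\system32\cbXRKBrO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: {c83f1949-def3-eae9-99e4-252faa4a3d8f} - {f8d3a4aa-f252-4e99-9eae-3fed9491f38c} - C:\Windows\system32\cnecgudk.dll
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\pmnkHXrP.dll,#1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [2204b1e7] rundll32.exe "C:\Windows\system32\qjpujlwn.dll",b
O4 - HKLM\..\Run: [BM2137827b] Rundll32.exe "C:\Windows\system32\xsalgnuu.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
GUID_RE = re.compile(rf"^{GUID}$", re.I)
BHO_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.+)$", re.I)
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$", re.I)
# "rundll32[.exe] <dll>,<export>" with or without quotes around the DLL path
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
EXPORT_RE = re.compile(r"#\d+|[a-z]", re.I)        # ordinal (#1) or a single letter (b, s)
TAG_RE = re.compile(r"(?:BM)?[0-9a-f]{8}", re.I)   # value names like 2204b1e7 or BM2137827b


def random_system32_name(path):
    """True when the file sits directly in ...\\system32 and its stem is exactly 8 letters.

    Assumed heuristic: every malicious DLL in this thread's logs fits it, while
    vendor DLLs such as NvCpl.dll or ssv.dll do not.
    """
    folder, _, base = path.rpartition("\\")
    stem = base.rsplit(".", 1)[0]
    return folder.lower().endswith("\\system32") and re.fullmatch(r"[A-Za-z]{8}", stem) is not None


def triage(log_text):
    """Return a list of findings: {"line", "dll", "reasons"} for every entry that trips a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons, dll = [], None

        bho = BHO_RE.match(line)
        if bho:
            dll = bho.group("path")
            name = bho.group("name").strip()
            if name.lower() == "(no name)" or GUID_RE.match(name):
                reasons.append("BHO registered without a readable name")

        run = RUN_RE.match(line)
        if run:
            via_rundll = RUNDLL_RE.match(run.group("cmd"))
            if via_rundll:
                dll = via_rundll.group("dll")
                if EXPORT_RE.fullmatch(via_rundll.group("export")):
                    reasons.append("rundll32 calls an ordinal or single-letter export")
            if TAG_RE.fullmatch(run.group("value")):
                reasons.append("Run value name is a bare hex tag")

        if dll and random_system32_name(dll):
            reasons.append("8-letter DLL name in system32")

        if reasons:
            findings.append({"line": line, "dll": dll, "reasons": reasons})
    return findings


def flagged_dlls(log_text):
    """Set of DLL base names that at least one rule flagged."""
    return {f["dll"].rpartition("\\")[2] for f in triage(log_text) if f["dll"]}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    -", reason)
```

Run against the sample, the five randomly named DLLs are reported with their reasons while ssv.dll, NvCpl.dll and avgnt.exe pass clean; the same script can be fed a full saved log by reading the file into `triage()`.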
15.05.2008, 18:20 | #9 |
| Infected with various trojans (VundoGen etc.) Hello, could you perhaps reply today? I need the computer rather urgently. Many thanks! |
15.05.2008, 18:58 | #10 | |
Administrator > Competence Manager | Infected with various trojans (VundoGen etc.) Quote:
Please work through: ComboFix
__________________ Requests by e-mail, profile or private message will be ignored! Help is given ONLY in the forum! Stulti est se ipsum sapientem putare. |
15.05.2008, 19:37 | #11 |
| Infected with various trojans (VundoGen etc.) Hello, here is the ComboFix log:

ComboFix 08-05-12.1 - *** 2008-05-15 20:13:06.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1031.18.1149 [GMT 2:00]
ausgeführt von:: C:\Users\***\Desktop\Trojaner\ComboFix.exe
.

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\OrBKRXbc.ini
C:\Windows\System32\OrBKRXbc.ini2

.
((((((((((((((((((((((( Dateien erstellt von 2008-04-15 bis 2008-05-15 ))))))))))))))))))))))))))))))
.

2008-05-15 20:17 . 2008-05-13 11:32 57,344 --a------ C:\Windows\System32\qoMdEUOI.dll
2008-05-15 14:42 . 2008-05-15 14:42 134,208 --a------ C:\Windows\System32\cnecgudk.dll
2008-05-15 14:40 . 2008-05-15 14:40 126,528 --a------ C:\Windows\System32\xsalgnuu.dll
2008-05-15 14:39 . 2008-05-15 14:39 <DIR> d-------- C:\VundoFix Backups
2008-05-15 14:04 . 2008-05-15 14:04 <DIR> d-------- C:\Program Files\CCleaner
2008-05-15 12:56 . 2008-05-05 20:46 27,048 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-15 12:56 . 2008-05-05 20:46 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-05-15 11:02 . 2008-05-15 11:02 <DIR> d-------- C:\Users\***\AppData\Roaming\Malwarebytes
2008-05-15 11:02 . 2008-05-15 11:02 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-05-15 11:02 . 2008-05-15 11:02 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-05-15 11:02 . 2008-05-15 12:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-15 10:51 . 2008-05-15 20:17 954 ---hs---- C:\Windows\System32\nwljupjq.ini
2008-05-15 09:58 . 2008-05-15 09:58 113,664 --a------ C:\Windows\System32\qjpujlwn.dll
2008-05-15 09:52 . 2008-05-15 09:52 123,392 --a------ C:\Windows\System32\pukvhypy.dll
2008-05-14 14:06 . 2008-05-14 14:06 <DIR> dr------- C:\Windows\System32\config\systemprofile\Documents
2008-05-14 13:24 . 2008-05-14 13:24 <DIR> d-------- C:\Users\All Users\Office Genuine Advantage
2008-05-14 13:24 . 2008-05-14 13:24 <DIR> d-------- C:\ProgramData\Office Genuine Advantage
2008-05-13 17:35 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-05-13 17:35 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-05-13 17:35 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-05-13 17:35 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-05-13 17:35 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-05-13 17:35 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-05-13 17:28 . 2008-05-13 17:28 <DIR> d-------- C:\Program Files\LucasArts
2008-05-13 11:37 . 2008-05-13 11:37 370,176 --a------ C:\Windows\System32\cbXRKBrO.dll
2008-05-13 11:32 . 2008-05-15 13:42 <DIR> d-------- C:\Program Files\DiskTrix
2008-05-05 16:05 . 2008-05-15 12:45 <DIR> d-------- C:\Users\***\AppData\Roaming\skypePM
2008-05-05 16:05 . 2008-05-05 16:05 56 --ah----- C:\Windows\System32\ezsidmv.dat
2008-05-05 16:04 . 2008-05-15 14:20 <DIR> d-------- C:\Users\***\AppData\Roaming\Skype
2008-05-05 16:03 . 2008-05-05 16:03 <DIR> d-------- C:\Users\All Users\Skype
2008-05-05 16:03 . 2008-05-05 16:03 <DIR> d-------- C:\ProgramData\Skype
2008-05-05 16:03 . 2008-05-05 16:03 <DIR> d-------- C:\Program Files\Skype
2008-05-05 16:03 . 2008-05-05 16:03 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-04-21 09:55 . 2008-04-21 09:55 <DIR> d-------- C:\Users\All Users\Apple
2008-04-21 09:55 . 2008-04-21 09:55 <DIR> d-------- C:\ProgramData\Apple
2008-04-21 09:55 . 2008-04-21 09:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-18 21:53 . 2008-04-18 22:21 <DIR> d-------- C:\Users\All Users\TrackMania
2008-04-18 21:53 . 2008-04-18 22:21 <DIR> d-------- C:\ProgramData\TrackMania
2008-04-17 21:32 . 2008-04-17 21:33 <DIR> d-------- C:\Program Files\CDex_170b2
2008-04-16 15:42 . 2008-04-16 15:45 <DIR> d-------- C:\Program Files\TmNationsForever
2008-04-15 21:01 . 2008-04-15 21:01 <DIR> d-------- C:\Users\***\AppData\Roaming\Ubisoft
2008-04-15 20:46 . 2008-04-15 20:46 <DIR> d-------- C:\Users\All Users\Ubisoft
2008-04-15 20:46 . 2008-04-15 20:46 <DIR> d-------- C:\ProgramData\Ubisoft
2008-04-15 20:33 . 2008-04-15 20:33 <DIR> d-------- C:\Program Files\Ubisoft
2008-04-15 20:32 . 2008-04-15 20:32 <DIR> d-------- C:\Users\***\AppData\Roaming\InstallShield
2008-04-15 20:32 . 2008-04-15 20:32 54,156 --ah----- C:\Windows\QTFont.qfn
8 Datei(en), . 247,757 C:\ComboFix\Bytes
8 Datei(en), . 247,757 C:\ComboFix\Bytes

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 18:17 352,614 ---ha-w C:\Windows\system32\drivers\vsconfig.xml
2008-05-15 16:49 --------- d-----w C:\Program Files\Windows Mail
2008-05-15 16:32 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-15 11:36 --------- d-----w C:\ProgramData\Google Updater
2008-05-14 17:01 62,056 ----a-w C:\Users\***\AppData\Roaming\nvModes.dat
2008-05-13 15:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 07:56 --------- d-----w C:\Program Files\ICQ6
2008-04-12 09:33 --------- d-----w C:\Program Files\Double Fine Productions
2008-04-09 18:51 --------- d-----w C:\ProgramData\Media Center Programs
2008-04-06 21:40 --------- d-----w C:\Program Files\QuickTime
2008-04-06 21:39 --------- d-----w C:\ProgramData\Apple Computer
2008-04-03 11:28 --------- d--h--w C:\ProgramData\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-04-03 11:25 --------- d-----w C:\Program Files\Stardock Games
2008-04-03 08:56 --------- d-----w C:\Program Files\Crazy Machines II
2008-03-31 11:07 --------- d-----w C:\Program Files\HP
2008-03-29 11:18 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2008-03-28 13:39 20,520 ----a-w C:\Windows\system32\drivers\ggsemc.sys
2008-03-28 13:39 13,352 ----a-w C:\Windows\system32\drivers\ggflt.sys
2008-03-28 13:39 1,419,232 ----a-w C:\Windows\System32\wdfcoinstaller01005.dll
2008-03-28 13:33 --------- d-----w C:\ProgramData\Sony Ericsson
2008-03-28 13:31 --------- d-----w C:\Program Files\Sony Ericsson
2008-03-28 09:43 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-26 18:25 --------- d-----w C:\Program Files\Google
2008-03-25 17:30 --------- d-----w C:\ProgramData\NVIDIA
2008-03-25 17:28 174 --sha-w C:\Program Files\desktop.ini
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Journal
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Defender
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-25 17:20 --------- d-----w C:\Program Files\Windows Calendar
2008-03-25 16:57 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-25 16:57 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-21 15:13 --------- d-----w C:\Program Files\The FilmMachine
2008-03-21 13:38 --------- d-----w C:\Users\***\AppData\Roaming\Media Player Classic
2008-03-21 13:35 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-03-21 13:13 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-21 10:28 --------- d-----w C:\Users\***\AppData\Roaming\Nero
2008-03-21 10:25 --------- d-----w C:\Program Files\Common Files\Nero
2008-03-21 10:22 --------- d-----w C:\ProgramData\Nero
2008-03-21 10:22 --------- d-----w C:\Program Files\Nero
2008-03-20 17:12 --------- d-----w C:\Program Files\THQ
2008-03-20 16:53 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-03-20 12:31 --------- d-----w C:\Program Files\NeroInstall.bak
2008-03-13 13:40 413,696 ----a-w C:\Windows\System32\wrap_oal.dll
2008-03-13 13:40 110,592 ----a-w C:\Windows\System32\OpenAL32.dll
2008-03-03 13:05 54,672 ----a-w C:\Windows\System32\vsutil_loc0407.dll
2008-03-03 13:05 1,086,952 ----a-w C:\Windows\System32\zpeng24.dll
2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-28 16:38 972,072 ----a-w C:\Windows\UNNeroMediaHome.exe
2008-02-26 15:14 972,072 ----a-w C:\Windows\UNRecode.exe
2008-02-22 05:05 615,992 ----a-w C:\Windows\System32\ci.dll
2008-02-22 05:01 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-02-22 04:57 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-02-20 20:16 1,370,112 ----a-w C:\Windows\Internet Logs\xDBACD1.tmp
2008-02-18 15:04 95,600 ----a-w C:\Windows\System32\NeroCo.dll
2007-11-16 17:04 22,328 ----a-w C:\Users\***\AppData\Roaming\PnkBstrK.sys
2007-10-17 07:17 76 --sh--r C:\Windows\CT4CET.bin
2006-05-03 09:06 163,328 --sh--r C:\Windows\System32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\Windows\System32\msfDX.dll
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((( snapshot_2008-05-15_14.34.55.66 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-15 12:31:09 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-15 18:17:08 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-15 18:13:02 6,225,920 ----a-w C:\Windows\erdnt\Hiv-backup\schema.dat
+ 2008-05-15 18:15:14 6,225,920 ----a-w C:\Windows\erdnt\subs\schema.dat
- 2008-04-08 20:42:01 1,165,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-05-15 16:32:09 1,165,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
- 2008-04-08 20:42:01 20,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-05-15 16:32:09 20,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-04-08 20:42:01 159,504 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
+ 2008-05-15 16:32:09 159,504 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\inficon.exe
- 2008-04-08 20:42:01 184,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-05-15 16:32:09 184,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\joticon.exe
- 2008-04-08 20:42:01 217,864 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
+ 2008-05-15 16:32:09 217,864 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\misc.exe
- 2008-04-08 20:42:01 18,704 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-05-15 16:32:09 18,704 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-04-08 20:42:01 35,088 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-05-15 16:32:09 35,088 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-04-08 20:42:01 845,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-05-15 16:32:09 845,584 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\outicon.exe
- 2008-04-08 20:42:01 922,384 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-05-15 16:32:09 922,384 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pptico.exe
- 2008-04-08 20:42:01 272,648 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-05-15 16:32:09 272,648 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\pubs.exe
- 2008-04-08 20:42:01 888,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-05-15 16:32:09 888,080 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-04-08 20:42:01 1,172,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-05-15 16:32:09 1,172,240 ----a-r C:\Windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-05-15 12:29:14 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-15 16:44:40 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-15 12:31:22 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-05-15 18:17:28 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat
+ 2008-05-15 18:17:28 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-05-15 12:23:32 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2008-05-15 16:48:58 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2008-05-15 12:31:22 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-05-15 18:17:28 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2008-05-15 18:17:28 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
+ 2008-05-15 16:29:49 2,366 ----a-w C:\Windows\SoftwareDistribution\EventCache\{CA182A7E-E3E2-4480-846F-07D23AB5D591}.bin
- 2008-05-15 12:31:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-15 18:17:54 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-15 12:31:17 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-15 18:17:54 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-15 12:31:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-15 18:17:54 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\Windows\System32\mrt.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\Windows\System32\mrt.exe
- 2008-05-15 12:21:55 123,658 ----a-w C:\Windows\System32\perfc007.dat
+ 2008-05-15 16:49:43 123,658 ----a-w C:\Windows\System32\perfc007.dat
- 2008-05-15 12:21:55 101,916 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-05-15 16:49:43 102,094 ----a-w C:\Windows\System32\perfc009.dat
- 2008-05-15 12:21:55 621,940 ----a-w C:\Windows\System32\perfh007.dat
+ 2008-05-15 16:49:43 621,940 ----a-w C:\Windows\System32\perfh007.dat
- 2008-05-15 12:21:55 589,904 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-05-15 16:49:43 590,082 ----a-w C:\Windows\System32\perfh009.dat
- 2008-05-15 12:12:09 6,225,920 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
+ 2008-05-15 18:15:14 6,225,920 ----a-w C:\Windows\System32\SMI\Store\Machine\schema.dat
- 2008-05-15 12:16:25 8,988 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3039615548-3396779488-269229600-1000_UserData.bin
+ 2008-05-15 16:44:04 9,186 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3039615548-3396779488-269229600-1000_UserData.bin
- 2008-05-15 12:16:24 87,672 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-15 16:44:03 87,898 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-15 12:16:14 61,094 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-15 16:43:57 61,154 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-16 00:49:12 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16674_none_f05a2d326e88eb29\OESpamFilter.dat
+ 2008-04-16 00:44:28 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.20815_none_f125abb58774f9cb\OESpamFilter.dat
+ 2008-04-16 00:44:37 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18054_none_f2560bb06b9f4438\OESpamFilter.dat
+ 2008-04-16 00:43:45 2,413,032 ----a-w C:\Windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22159_none_f2e4a9ed84b862b5\OESpamFilter.dat
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
. |
15.05.2008, 19:38 | #12 |
| ComboFix part 2:

REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E50D29B8-E3A5-446C-972F-B78CEF715BC5}]
2008-05-13 11:37 370176 --a------ C:\Windows\system32\cbXRKBrO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f8d3a4aa-f252-4e99-9eae-3fed9491f38c}]
2008-05-15 14:42 134208 --a------ C:\Windows\system32\cnecgudk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 13:09 460784]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 09:33 125952]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 18:07 1828136]
"DAEMON Tools Pro Agent"="C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 15:08 136136]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 09:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"="C:\Windows\system32\qoMdEUOI.dll" [2008-05-13 11:32 57344]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 09:38 1008184]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 08:03 17920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-23 07:34 857648]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-08-29 07:54 36864]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-10-17 09:14 77824]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 17:43 118784]
"Launch LCDMon"="C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2007-07-18 15:26 775952]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 12:22 221184]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 17:10 184320]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-17 09:38 1862144]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-17 16:59 262401]
"razer"="C:\Program Files\Razer\razerhid.exe" [2005-05-17 19:21 147456]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 22:52 49152]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-12-04 03:07 61440]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 15:05 959976]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 17:29 2221352]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 11:23 405504]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 22:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 22:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 22:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 22:24 86016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"2204b1e7"="C:\Windows\system32\qjpujlwn.dll" [2008-05-15 09:58 113664]
"BM2137827b"="C:\Windows\system32\xsalgnuu.dll" [2008-05-15 14:40 126528]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-22 00:13:16 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 22:40:10 210520]
PDFCreator.lnk - C:\Program Files\PDFCreator\PDFCreator.exe [2008-02-09 14:40:55 2641920]
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe [2007-07-10 22:19:24 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"= C:\Windows\system32\qoMdEUOI.dll [2008-05-13 11:32 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage Setup]
C:\Program Files\DAEMON Tools\AdVantageSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3039615548-3396779488-269229600-1000]
"EnableNotificationsRef"=dword:00000002
"EnableNotifications"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C7D53B8E-EA77-4D96-B36B-C617CDB8686F}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{E83A3957-59E0-442F-863F-5496D736BFA8}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{E4EF0566-FD20-475C-89F3-07439A3513AB}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{323E34C2-2DA2-4994-853F-052A563194DF}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{02245255-FFB9-464C-B4EA-0A69ED922F95}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{BAEF8C3B-7DD0-4049-90EF-370151673BC1}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{7E5FE2F5-2695-4FCB-A696-CA9237B2C438}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{22897FBD-0FB6-49C3-A20B-4CB33E3F2239}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{48AC8F7F-5DDC-47F5-9323-58B51F83CDF6}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{563022F6-DDDF-42A0-A9C0-93A0E7AEBD89}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{04D567FD-2BE1-408C-A3D2-2987E2B89FDD}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{A283DDD0-3323-4AC3-9060-109FB7D29CAA}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{18B0FE4D-53C3-4EA5-BF23-5AB9247C3C2B}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{4673354A-FA89-4D39-B64E-14BB246DD0FE}"= UDP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{B3DA8712-E4A0-434F-97CE-38CE6CF06D6E}"= TCP:C:\Program Files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{817DFA6F-A647-4190-B75B-39353A77FD46}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{F32F758C-F57F-4FB6-8F62-0A4966BDBC17}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{A62C46F1-CB33-4FA1-9C6A-8F8B07C66D4D}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{627C14AD-D105-4F3F-A245-1F5D4295949C}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{577525A4-4917-46F2-BDD8-4ABB27140815}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{926A7E26-ED01-42FF-92AA-6A1C46CBA11C}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"TCP Query User{8D4C48F3-BD8F-421B-858F-CE3421A9DE36}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{ABEC8359-5062-431C-A2A2-554A8FD1D639}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{BA8CD49C-D6BA-473A-AAD7-5D06D084E520}"= UDP:C:\Program Files\Eidos\Kane and Lynch Dead Men\kaneandlynch.exe:Kane & Lynch: Dead Men
"{BF850267-E387-4435-A3EB-9DAFFCEE7413}"= TCP:C:\Program Files\Eidos\Kane and Lynch Dead Men\kaneandlynch.exe:Kane & Lynch: Dead Men
"TCP Query User{6EE16975-AA14-406D-AB3E-E16D86FBADF4}C:\\users\\***\\downloads\\leecher\\leecher.exe"= UDP:C:\users\***\downloads\leecher\leecher.exe:leecher.exe
"UDP Query User{4356964A-52DA-440F-8ED7-5C53BAEA7D80}C:\\users\\***\\downloads\\leecher\\leecher.exe"= TCP:C:\users\***\downloads\leecher\leecher.exe:leecher.exe
"TCP Query User{B779B951-EB47-4D4C-B952-CD374AA29445}C:\\users\\***\\downloads\\leecher\\leecher.exe"= UDP:C:\users\***\downloads\leecher\leecher.exe:leecher.exe
"UDP Query User{0CBF8502-5454-4270-97C7-FE50ED1FE845}C:\\users\\***\\downloads\\leecher\\leecher.exe"= TCP:C:\users\***\downloads\leecher\leecher.exe:leecher.exe
"TCP Query User{4815342F-F7AD-40EC-9983-3374A8BED78F}C:\\program files\\icq6\\icq.exe"= UDP:C:\program files\icq6\icq.exe:ICQ Library
"UDP Query User{03CBC366-96BD-42FA-923C-828D2B3D97D2}C:\\program files\\icq6\\icq.exe"= TCP:C:\program files\icq6\icq.exe:ICQ Library
"{6125401C-7023-458D-A695-4FF15F5521D5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D4B771DF-F009-4556-9133-B67E5FF862C7}"= UDP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{D05F05BD-53C0-42CC-8821-BDEE1CAF56DE}"= TCP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{BF637F90-0E50-478D-8E0F-FBDE4A610345}"= UDP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{D7F313FF-2643-4052-A82B-4B9312E8115C}"= TCP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{39C5B51D-D733-4640-B980-B19D92712115}"= UDP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{1B88CDE4-FA56-418E-BE8A-6DF5F1A26C2E}"= TCP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)
"{E24874D4-E5AE-43AA-B3A2-BDF75D63E7ED}"= UDP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{EA0B3BB0-68FA-41DA-BCCC-E1133B74ECFF}"= TCP:C:\Program Files\THQ\S.T.A.L.K.E.R. - Shadow of Chernobyl\bin\dedicated\XR_3DA.exe:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)
"{4C762CA8-7B21-4D48-B0BF-438D32ABCD3F}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F7239922-84F5-4F9D-8EBA-30FF7C565AA9}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CB591C8A-3163-4B46-B679-14B7E9D16A1D}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{B89F9E0C-EE04-4F72-B3E1-B213F9483FC9}"= UDP:C:\Program Files\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe:Sins of a Solar Empire
"{46211F86-F9B6-4B32-A62E-1ED0662108AC}"= TCP:C:\Program Files\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe:Sins of a Solar Empire
"{800BED4C-DCC3-4C3C-AB91-242E804BCF02}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{969EC694-B82F-4733-BB2B-510A3FB5A9DD}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{3426C106-D49B-400C-91B0-1716B3DCD861}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{0CEF7DC3-5729-4531-8595-C0ED851E698D}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{1974DCC9-D7B6-4502-96C5-11A5ABEE151C}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{1EBAD838-BC7E-4481-858F-D8E73DA78391}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{AA533B53-5160-4E3D-AE53-02D31BF0B126}"= C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R1 DLARTL_M;DLARTL_M;C:\Windows\system32\Drivers\DLARTL_M.SYS [2007-02-08 21:05]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2007-08-29 14:25]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-07-18 15:30]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 18:03]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-29 07:55]
R3 physX32;physX32;C:\Windows\system32\DRIVERS\physX32.sys [2007-06-26 21:15]
S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\system32\DRIVERS\ggflt.sys [2008-03-28 15:39]
S3 MTOnlPktAlyX;MTOnlPktAlyX NDIS Protocol Driver;C:\PROGRA~1\T-Online\T-ONLI~1\BASIS-~1\Basis1\MTOnlPktAlyX.SYS [2006-10-09 15:46]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 09:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24f3f125-95e4-11dc-ae40-c027fb8d1625}]
\shell\AutoRun\command - F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{928e1849-c023-11dc-81d5-0015c57f2f27}]
\shell\verb1\command - desktop.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{954d8e25-819d-11dc-bd1a-0015c57f2f27}]
\shell\AutoRun\command - G:\INSTALL.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{954d8e35-819d-11dc-bd1a-0015c57f2f27}]
\shell\AutoRun\command - H:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8048dca-e1f2-11dc-aaf1-0015c57f2f27}]
\shell\AutoRun\command - F:\PsychoLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce3bd757-dff0-11dc-b01c-0015c57f2f27}]
\shell\AutoRun\command - G:\autorun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, h**p://www.gmer.net
Rootkit scan 2008-05-15 20:17:48
Windows 6.0.6001 Service Pack 1 NTFS

Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...

C:\Users\***\AppData\Local\Google\Google Desktop\07efa07df2af\sidebar_plugins_00000000__ss_un_uploaded_events 2560 bytes
C:\Users\***\AppData\Local\Temp\si2413.tmp 0 bytes
C:\Users\***\AppData\Local\Temp\STS3BB8.tmp 88 bytes

Scan erfolgreich abgeschlossen
versteckte Dateien: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\qoMdEUOI.dll

PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\qjpujlwn.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\System32\wlanext.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\IoctlSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\System32\stacsv.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Windows\System32\conime.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Razer\razerofa.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\guardgui.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Windows\System32\wbem\WMIADAP.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-05-15 20:22:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-15 18:22:43
ComboFix2.txt 2008-05-15 12:36:30
ComboFix3.txt 2008-05-15 12:19:34
Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
23 Verzeichnis(se), 65,633,492,992 Bytes frei
430 --- E O F --- 2008-05-15 16:49:47 |
15.05.2008, 19:52 | #13 |
Administrator > Competence Manager | Scripting with Combofix
Code:
KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43128818-37A4-452D-B84B-F51BA0FD8710}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8d3a4aa-f252-4e99-9eae-3fed9491f38c}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2AA0726C-95B7-4216-AA43-B5BDD524892F}"=-

FILE::
C:\Windows\System32\nwljupjq.ini
C:\Windows\System32\qjpujlwn.dll
C:\Windows\System32\pukvhypy.dll
C:\Windows\system32\cbXRKBrO.dll
C:\Windows\system32\cnecgudk.dll
C:\Windows\system32\qjpujlwn.dll
C:\Windows\system32\qoMdEUOI.dll

Folder::
C:\VundoFix Backups
Note: The script above was created only for this one user in this situation. It cannot be ported to any other computer and must not be used elsewhere, since it can permanently damage the system. Malwarebytes' Anti-Malware
__________________ Requests by e-mail, profile message or private message will be ignored! Help is given ONLY in the forum! Stulti est se ipsum sapientem putare. Last edited by Sunny (16.05.2008 at 15:19) |
15.05.2008, 20:29 | #14 |
| Creating the script and running it with CF unfortunately does not work. The result is a blue screen and a reboot of the machine without CF carrying out the deletion. What can be done here???? |
15.05.2008, 21:42 | #15 |
| Please leave out killall:: and the registry:: part of the script and try again....
__________________ Regards, Ralf |