TR./Vundo.Gen Befall!

Vickel · 17.05.2008, 12:57

Hallo

Ich hoffe ihr könnt mir hier weiter helfen. Ich habe überhauot keine Ahnung von Viren und ihre Beseitigung. Ich hab mir dummerweise einen Virus eingefangen und bekomme in unregelmäßigen Abständen von AntiVir Viren Meldungen. Aber gestern war es extrem. Ich habe um die 80 Meldungen im Sekundentakt bekommen. Ich musste den Laptop herunterfahren sonst hätte ich hier garnichts mehr geschafft. Als ich ihn dann wieder angemacht hab, kamen nur ein paar. Und als ich ihn heute angemacht hab, kam garnichts... Ich hab die Viren alle mal in Quarantäne geschickt.
Einmal hat mir AntiVir auch einen Trojaner namens TR./Monder.dj angezeigt, aber nur einmal. Also ich poste jetzt einfach mal den logfile und hoffe dass das ich das schonmal richtig mache und auf Hilfe von euch.

Hijackthis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:03, on 17.05.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Users\user\Documents\HiJackThis\HijackThis.exe
C:\Windows\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\user\AppData\Local\Temp\yayyApol.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\user\AppData\Local\Temp\ssqRHYSm.dll,c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Vicky
O17 - HKLM\Software\..\Telephony: DomainName = Vicky
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB5AA3CB-203E-4396-93E7-846C5F7D1B9E}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Vicky
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = Vicky
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 8697 bytes

Aber HijackThis hat am Anfang angezeigt das mein System irgendwelche hosts nich erlaubt oder so...

Pfade:

C:\Users\user\AppData\Local\Temp\cffclosq.dll den einmal
C:\Users\user\AppData\Local\Temp\jkkkJYqP.dll den über 80 mal
C:\Users\user\AppData\Local\Temp\pljhtbpa.dll den zweimal

so ich hoffe diese Informationen reichen fürs erste... Ich bitte um Hilfe.

Danke im vorraus schonmal.

mfg Vicky

**Sunny** · 17.05.2008, 12:59

Hallo Vickel und

ComboFix

Lade dir das Tool hier herunter auf den Desktop -> KLICK

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen.

Vickel · 17.05.2008, 14:42

Vielen Dank erstmal für die schnelle Antwort.:aplaus:

Habe alles gemacht so wie beschrieben.

Hier der log

ComboFix 08-05-15.3 - user 2008-05-17 15:23:53.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.426 [GMT 2:00]
ausgeführt von:: C:\Users\user\Desktop\ComboFix.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

((((((((((((((((((((((( Dateien erstellt von 2008-04-17 bis 2008-05-17 ))))))))))))))))))))))))))))))
.

2008-05-08 15:27 . 2008-05-08 15:27 <DIR> d-------- C:\Program Files\CCleaner
2008-05-06 21:29 . 2008-05-06 21:29 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-05-06 21:26 . 2008-05-06 21:26 <DIR> d-------- C:\Users\user\AppData\Roaming\Nero
2008-05-06 21:19 . 2008-05-06 21:19 <DIR> d-------- C:\Users\All Users\Nero
2008-05-06 21:19 . 2008-05-06 21:19 <DIR> d-------- C:\ProgramData\Nero
2008-05-06 21:19 . 2008-05-06 21:19 <DIR> d-------- C:\Program Files\Nero
2008-05-06 21:19 . 2008-05-06 21:23 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-05-06 11:19 . 2008-05-06 11:19 <DIR> d-------- C:\Users\All Users\Messenger Plus!
2008-05-06 11:19 . 2008-05-06 11:19 <DIR> d-------- C:\ProgramData\Messenger Plus!
2008-05-05 22:45 . 2008-05-05 22:45 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2008-05-05 18:07 . 2008-05-05 18:22 <DIR> d-------- C:\windows gadgets
2008-05-03 23:07 . 2008-05-17 10:19 <DIR> d-------- C:\Users\user\AppData\Roaming\skypePM
2008-05-03 23:07 . 2008-05-03 23:07 56 --ah----- C:\Users\All Users\ezsidmv.dat
2008-05-03 23:07 . 2008-05-03 23:07 56 --ah----- C:\ProgramData\ezsidmv.dat
2008-05-03 23:05 . 2008-05-17 12:42 <DIR> d-------- C:\Users\user\AppData\Roaming\Skype
2008-05-03 23:04 . 2008-05-03 23:04 <DIR> d-------- C:\Users\All Users\Skype
2008-05-03 23:04 . 2008-05-03 23:04 <DIR> d-------- C:\ProgramData\Skype
2008-05-03 23:04 . 2008-05-03 23:04 <DIR> d-------- C:\Program Files\Skype
2008-05-03 23:04 . 2008-05-03 23:04 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-03 21:23 . 2008-05-06 21:05 <DIR> d-a------ C:\Users\All Users\TEMP
2008-05-03 21:23 . 2008-05-06 21:05 <DIR> d-a------ C:\ProgramData\TEMP
2008-05-03 21:23 . 2008-05-03 21:23 <DIR> d-------- C:\Program Files\Magic AAC to MP3 Converter
2008-05-02 23:39 . 2008-05-02 23:47 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-02 23:38 . 2008-05-02 23:38 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-05-02 23:38 . 2008-05-02 23:38 <DIR> d-------- C:\ProgramData\WLInstaller
2008-05-02 23:25 . 2008-05-02 23:25 <DIR> d-------- C:\Windows\PCHEALTH
2008-05-02 23:25 . 2008-05-02 23:39 <DIR> d-------- C:\Program Files\Windows Live
2008-05-02 22:15 . 2008-05-02 22:15 <DIR> d-------- C:\Users\All Users\LightScribe
2008-05-02 22:15 . 2008-05-02 22:15 <DIR> d-------- C:\ProgramData\LightScribe
2008-05-02 22:14 . 2008-05-02 22:14 <DIR> d-------- C:\Users\user\AppData\Roaming\Droppix
2008-05-02 22:14 . 2008-05-02 22:52 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-05-02 22:14 . 2005-11-09 09:00 1,012,736 --a------ C:\Windows\System32\vorbis.dll
2008-05-02 22:14 . 2004-06-05 19:33 139,264 --a------ C:\Windows\System32\RLAPEDec.ax
2008-05-02 22:14 . 2004-04-27 16:05 98,304 --a------ C:\Windows\System32\RLMPCDec.ax
2008-05-02 22:14 . 2005-11-09 09:00 12,800 --a------ C:\Windows\System32\ogg.dll
2008-05-02 22:08 . 2008-05-02 22:51 <DIR> d-------- C:\Users\All Users\Droppix
2008-05-02 22:08 . 2008-05-02 22:51 <DIR> d-------- C:\ProgramData\Droppix
2008-05-02 13:28 . 2008-05-11 19:31 <DIR> d-------- C:\Users\user\AppData\Roaming\ICQ
2008-05-02 13:27 . 2008-05-02 13:31 <DIR> d-------- C:\Program Files\ICQ6
2008-05-01 19:52 . 2008-05-05 21:32 <DIR> d-------- C:\Users\user\AppData\Roaming\Winamp
2008-05-01 19:52 . 2008-05-01 19:53 <DIR> d-------- C:\Program Files\Winamp
2008-05-01 19:52 . 2007-03-08 01:51 129,784 --------- C:\Windows\System32\pxafs.dll
2008-04-28 11:19 . 2008-04-28 11:20 <DIR> d-------- C:\DVDVideoSoft
2008-04-28 11:17 . 2008-04-28 11:17 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-04-28 11:17 . 2008-04-28 11:17 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-04-28 11:05 . 2008-04-28 11:14 <DIR> d-------- C:\Program Files\Free FLV Converter
2008-04-28 00:12 . 2008-04-28 00:12 <DIR> d-------- C:\Temp
2008-04-28 00:04 . 2008-04-28 00:04 <DIR> d-------- C:\Users\user\AppData\Roaming\AVS4YOU
2008-04-28 00:04 . 2008-04-28 00:04 <DIR> d-------- C:\Users\All Users\AVS4YOU
2008-04-28 00:04 . 2008-04-28 00:04 <DIR> d-------- C:\ProgramData\AVS4YOU
2008-04-28 00:02 . 2008-04-28 00:10 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-28 00:02 . 2008-04-28 00:10 <DIR> d-------- C:\Program Files\AVS4YOU
2008-04-26 22:37 . 2008-04-26 22:37 88 -r-hs---- C:\Windows\System32\C776C3020D.sys
2008-04-26 22:36 . 2008-04-26 22:37 <DIR> d-------- C:\Users\user\AppData\Roaming\Corel
2008-04-26 22:36 . 2008-04-26 22:36 <DIR> d-------- C:\Users\All Users\Corel
2008-04-26 22:36 . 2008-04-26 22:36 <DIR> d-------- C:\ProgramData\Corel
2008-04-26 22:31 . 2008-04-26 22:32 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-04-26 22:24 . 2008-04-26 22:42 2,828 --ahs---- C:\Windows\System32\KGyGaAvL.sys
2008-04-26 22:22 . 2008-04-26 22:31 <DIR> d-------- C:\Program Files\Corel
2008-04-26 22:20 . 2008-04-26 22:58 <DIR> d-------- C:\Users\user\AppData\Roaming\Ulead Systems
2008-04-26 21:52 . 2008-04-26 21:52 <DIR> d-------- C:\Users\All Users\InstallShield
2008-04-26 21:52 . 2008-04-26 21:52 <DIR> d-------- C:\ProgramData\InstallShield
2008-04-26 21:52 . 2008-04-26 21:52 <DIR> d-------- C:\Program Files\Windows Media-Komponenten
2008-04-26 21:51 . 2008-04-26 23:10 <DIR> d-------- C:\Users\All Users\Ulead Systems
2008-04-26 21:51 . 2008-04-26 23:10 <DIR> d-------- C:\ProgramData\Ulead Systems
2008-04-24 21:32 . 2008-04-29 21:43 <DIR> d-------- C:\Users\user\AppData\Roaming\Nokia Multimedia Player
2008-04-24 21:32 . 2008-05-05 19:46 152,554 --a------ C:\Users\user\AppData\Roaming\NMM-MetaData.db
2008-04-24 19:32 . 2008-04-24 19:32 <DIR> d-------- C:\Users\user\AppData\Roaming\DivX
2008-04-24 19:30 . 2008-04-24 19:33 <DIR> d-------- C:\Program Files\DivX
2008-04-24 15:58 . 2008-04-24 15:59 <DIR> d-------- C:\Users\All Users\Adobe
2008-04-24 15:57 . 2008-04-24 15:58 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-23 23:05 . 2008-04-27 11:01 <DIR> d-------- C:\Program Files\Google
2008-04-23 23:04 . 2008-04-23 23:05 <DIR> d-------- C:\Program Files\Java
2008-04-23 23:03 . 2008-04-23 23:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-21 19:07 . 2008-04-21 19:07 803,840 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-04-21 19:07 . 2008-04-21 19:07 217,272 --a------ C:\Windows\System32\drivers\netio.sys
2008-04-21 19:07 . 2008-04-21 19:07 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-04-21 19:07 . 2008-04-21 19:07 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-04-21 19:06 . 2008-04-21 19:06 <DIR> d-------- C:\Users\All Users\CheckPoint
2008-04-21 19:06 . 2008-04-21 19:06 <DIR> d-------- C:\ProgramData\CheckPoint
2008-04-21 19:06 . 2008-04-21 19:06 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-21 19:05 . 2008-04-21 19:06 <DIR> d-------- C:\Windows\System32\ZoneLabs
2008-04-21 19:05 . 2008-05-17 12:11 352,615 --ah----- C:\Windows\System32\drivers\vsconfig.xml
2008-04-21 19:05 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
2008-04-21 18:44 . 2008-05-17 15:19 <DIR> d-------- C:\Windows\Internet Logs
2008-04-20 21:22 . 2008-04-20 21:22 <DIR> d-------- C:\Users\All Users\Avira
2008-04-20 21:22 . 2008-04-20 21:22 <DIR> d-------- C:\ProgramData\Avira
2008-04-20 21:22 . 2008-04-20 21:22 <DIR> d-------- C:\Program Files\Avira
2008-04-20 18:35 . 2008-04-26 23:21 <DIR> d-------- C:\Users\All Users\Google
2008-04-20 18:02 . 2008-05-02 18:14 <DIR> d-------- C:\Users\user\Phone Browser
2008-04-20 17:59 . 2008-04-20 18:02 <DIR> d-------- C:\Users\All Users\PC Suite
2008-04-20 17:59 . 2008-04-20 18:02 <DIR> d-------- C:\ProgramData\PC Suite
2008-04-20 17:58 . 2008-04-26 19:26 <DIR> d-------- C:\Users\user\AppData\Roaming\Nokia
2008-04-20 17:58 . 2008-04-20 17:58 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-20 17:58 . 2008-04-20 17:58 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-20 17:56 . 2008-04-20 18:00 <DIR> d-------- C:\Users\user\AppData\Roaming\PC Suite
2008-04-20 17:56 . 2008-04-20 17:56 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-20 17:54 . 2008-04-20 17:58 <DIR> d-------- C:\Program Files\Nokia
2008-04-20 17:54 . 2007-02-22 11:15 90,624 --a------ C:\Windows\System32\nmwcdcls.dll
2008-04-20 17:53 . 2008-04-20 17:53 <DIR> d-------- C:\Users\All Users\Installations
2008-04-20 17:53 . 2008-04-20 17:53 <DIR> d-------- C:\ProgramData\Installations
2008-04-19 16:18 . 2008-04-19 16:20 <DIR> d-------- C:\Users\user\AppData\Roaming\ICQLite
2008-04-19 16:17 . 2008-04-19 16:17 <DIR> d-------- C:\Windows\System32\Macromed
2008-04-19 16:17 . 2008-04-19 16:17 0 --a------ C:\Windows\nsreg.dat
2008-04-19 13:18 . 2008-04-19 13:18 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-04-19 12:41 . 2008-04-19 12:41 <DIR> d-------- C:\Users\user\AppData\Roaming\CyberLink
8 Datei(en), . 3,736,596 C:\ComboFix\Bytes
3 Datei(en), . 207,034 C:\ComboFix\Bytes
1 Datei(en), . 675,424 C:\ComboFix\Bytes
1 Datei(en), . 56 C:\ComboFix\Bytes
1 Datei(en), . 56 C:\ComboFix\Bytes

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 13:19 167,936 ----a-w C:\Windows\Internet Logs\xDB8D50.tmp
2008-05-10 11:33 532,992 ----a-w C:\Windows\Internet Logs\xDB8FD0.tmp
2008-05-03 14:04 --------- d-----w C:\ProgramData\CyberLink
2008-05-02 11:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 21:59 383,488 ----a-w C:\Windows\Internet Logs\xDB980A.tmp
2008-04-26 19:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-20 15:57 --------- d-----w C:\Program Files\DIFX
2008-04-16 19:40 --------- d-----w C:\ProgramData\NVIDIA
2008-04-16 19:26 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-16 19:23 77,824 ----a-w C:\Windows\System32\rascfg.dll
2008-04-16 19:22 0 --sha-r C:\Windows\system32\drivers\103C_HP_cNB_Pavilion dv9500 Notebook PC_Y5335KV_0U_QCNF7372B7T_E436786-242_4A_I30CB_SQuanta_V79.1D_F.22_T070817_WV3-0_L407_M1022_J160_7Intel_86FD_91.50_#071210_N10EC8168;80864222_(GX452EA#AKD)_XMOBILE_CN10_Z.MRK
2008-04-16 19:19 53,760 ----a-w C:\Windows\system32\drivers\hdaudbus.sys
2008-04-16 19:19 50,792 ----a-w C:\Windows\system32\drivers\termdd.sys
2008-04-16 19:19 50,280 ----a-w C:\Windows\system32\drivers\volmgr.sys
2008-04-16 19:19 29,184 ----a-w C:\Windows\system32\drivers\BTHUSB.SYS
2008-04-16 19:19 28,776 ----a-w C:\Windows\system32\drivers\mssmbios.sys
2008-04-16 19:19 220,160 ----a-w C:\Windows\system32\drivers\bthport.sys
2008-04-16 19:19 22,632 ----a-w C:\Windows\System32\streamci.dll
2008-04-16 19:19 19,456 ----a-w C:\Windows\system32\drivers\bthenum.sys
2008-04-16 19:19 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-04-16 19:19 140,392 ----a-w C:\Windows\system32\drivers\pci.sys
2008-04-16 19:19 13,928 ----a-w C:\Windows\system32\drivers\msisadrv.sys
2008-04-16 19:19 12,776 ----a-w C:\Windows\system32\drivers\swenum.sys
2008-04-16 19:12 --------- d-----w C:\Program Files\WIDCOMM
2008-04-16 18:35 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-04-16 18:35 315,392 ----a-w C:\Windows\HideWin.exe
2008-04-16 18:35 --------- d-----w C:\Program Files\Realtek
2008-04-16 18:32 --------- d-----w C:\Program Files\HP
2008-04-16 18:18 --------- d-----w C:\Program Files\Fingerprint Sensor
2008-04-16 18:17 --------- d-----w C:\Program Files\Motorola
2008-04-16 18:07 --------- d-----w C:\Users\user\AppData\Roaming\InstallShield
2008-04-16 18:04 27,240 ----a-w C:\Users\user\AppData\Roaming\nvModes.dat
2008-04-15 20:23 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-04-15 20:23 --------- d-----w C:\Program Files\Synaptics
2008-04-15 20:21 --------- d-----w C:\Program Files\HPQ
2008-04-15 20:15 --------- d-----w C:\Program Files\Intel
2008-04-15 20:12 --------- d-----w C:\Program Files\HP DVB-T TV Tuner
2008-04-15 20:00 --------- d-sh--w C:\ProgramData\Vorlagen
2008-04-15 20:00 --------- d-sh--w C:\ProgramData\Startmenü
2008-04-15 20:00 --------- d-sh--w C:\ProgramData\Favoriten
2008-04-15 20:00 --------- d-sh--w C:\ProgramData\Dokumente
2008-04-15 20:00 --------- d-sh--w C:\ProgramData\Anwendungsdaten
2008-04-15 20:00 --------- d-sh--w C:\Program Files\Gemeinsame Dateien
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-03 13:05 54,672 ----a-w C:\Windows\System32\vsutil_loc0407.dll
2008-03-03 13:05 1,086,952 ----a-w C:\Windows\System32\zpeng24.dll
2008-02-28 15:38 972,072 ----a-w C:\Windows\UNNeroMediaHome.exe
2008-02-26 14:14 972,072 ----a-w C:\Windows\UNRecode.exe
2008-02-18 14:04 95,600 ----a-w C:\Windows\System32\NeroCo.dll
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 14:35 1196032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-30 17:17 22058792]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]
"cmds"="C:\Users\user\AppData\Local\Temp\ssqRHYSm.dll" [2008-05-16 18:08 279040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 14:34 1004136]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 15:15 480560]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 19:29 102400]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-16 22:34 634880]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 14:13 202032]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-12-19 19:27 468264]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-14 19:26 4874240 C:\Windows\RtHDVCpl.exe]
"OnScreenDisplay"="C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 13:54 554320]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-19 04:05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-19 04:05 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-19 04:05 81920]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 15:05 959976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 20:49 36352]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 12:27:40 719664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4259275919-304576964-3343751654-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{310E1880-C51D-4CDA-ADDE-29E0616AEFBD}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{48F2BB45-7BBF-40C1-831F-2FB3167213CD}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{7807DD95-906D-4DA5-A8C3-8A8C67F1CA24}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{73191B50-CACD-487C-8953-2862224D47A7}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{888757E0-F824-48EA-A32D-3FD0A8E952F4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{180D2B53-CBAA-47B0-B866-6F9C5D4DBCC4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{359892E3-BDE4-46C7-9839-28924158E9A3}"= C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-12-19 19:28]
R2 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-12-19 19:28]
R3 btwaudio;Bluetooth-Audiogerät;C:\Windows\system32\drivers\btwaudio.sys [2007-01-02 10:45]
R3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2007-01-02 10:45]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-01-02 10:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

*Newly Created Service* - CATCHME
.
Inhalt des "geplante Tasks" Ordners
"2008-05-16 17:52:14 C:\Windows\Tasks\User_Feed_Synchronization-{6A8B2EF6-9206-4009-AEAD-B1CF8EBB61ED}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 15:29:30
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Users\user\AppData\Local\Temp\ssqRHYSm.dll
.
Zeit der Fertigstellung: 2008-05-17 15:32:38
ComboFix-quarantined-files.txt 2008-05-17 13:32:32

13 Verzeichnis(se), 102,030,200,832 Bytes frei
23 Verzeichnis(se), 102,002,171,904 Bytes frei

283

Habe ich noch viel vor mir? oder wars das?

mfg Vickel

**Sunny** · 17.05.2008, 15:20

1. Deinstalliere den MessengerPLUS! und Messenger Plus! Live

Und zwar über diesen Weg -> http://www.trojaner-board.de/51579-a...tallieren.html

Dateien Online überprüfen lassen:

Suche die Seite Virtustotal auf, klicke auf den Button „Durchsuchen“ und suche folgende Datei/Dateien:

lass auch die versteckten Dateien anzeigen!

Code:

ATTFilter

C:\Windows\Internet Logs\xDB8D50.tmp
C:\Users\user\AppData\Local\Temp\ssqRHYSm.dll

Lade nun nacheinander jede/alle Datei/Dateien hoch, und warte bis der Scan vorbei ist. (kann bis zu 2 Minuten dauern.)

Poste im Anschluss das Ergebnis der Auswertung, alles abkopieren und in einen Beitrag einfügen.

(Wichtig: Auch die Größenangabe sowie den HASH mit kopieren!)

Vickel · 17.05.2008, 16:12

Ok danke nochmal.

Also das mit dem deinstallieren wusste ich ich, also wie es geht.
Ich hab wohl nur messengerplus! live gefunden nicht messengerplus. Trotzdem ok?

Und ich hab die Dateien auf Virustotal checken lassen...
War mir nicht ganz sicher was ich alles posten soll... ich hoffe das hier reicht.

1. Datei C:\Windows\Internet Logs\xDB8D50.tmp

Datei xDB8D50.tmp empfangen 2008.05.17 17:02:40 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 0/32 (0%)

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.5.16.0 2008.05.16 -
AntiVir 7.8.0.19 2008.05.17 -
Authentium 5.1.0.4 2008.05.17 -
Avast 4.8.1195.0 2008.05.17 -
AVG 7.5.0.516 2008.05.16 -
BitDefender 7.2 2008.05.17 -
CAT-QuickHeal 9.50 2008.05.17 -
ClamAV 0.92.1 2008.05.17 -
DrWeb 4.44.0.09170 2008.05.17 -
eSafe 7.0.15.0 2008.05.16 -
eTrust-Vet 31.4.5796 2008.05.16 -
Ewido 4.0 2008.05.14 -
F-Prot 4.4.2.54 2008.05.14 -
F-Secure 6.70.13260.0 2008.05.17 -
Fortinet 3.14.0.0 2008.05.17 -
GData 2.0.7306.1023 2008.05.17 -
Ikarus T3.1.1.26.0 2008.05.17 -
Kaspersky 7.0.0.125 2008.05.17 -
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3106 2008.05.16 -
Norman 5.80.02 2008.05.16 -
Panda 9.0.0.4 2008.05.17 -
Prevx1 V2 2008.05.17 -
Rising 20.44.52.00 2008.05.17 -
Sophos 4.29.0 2008.05.17 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.17 -
TheHacker 6.2.92.311 2008.05.15 -
VBA32 3.12.6.6 2008.05.17 -
VirusBuster 4.3.26:9 2008.05.17 -
Webwasher-Gateway 6.6.2 2008.05.17 -
weitere Informationen
File size: 167936 bytes
MD5...: 5f8b76459ea5dceb523c120c17e78f70
SHA1..: 6ca96e5569732247f376ab8425bac33f4dbe978a
SHA256: dc33cf719f99c00bff2113c9f3b9bcb9c2f436da58c581a063dbf61d724ad078
SHA512: a79cfeaba2b488b7b2331b371cf6e8c001975c6cc1890e84015150f1990aa29f
6198e60ecfd756a99afcb73213e64f04d130e084755634bd7e0a3ecb738c9c32
PEiD..: -
PEInfo: -

2. Datei C:\Users\user\AppData\Local\Temp\ssqRHYSm.dll

Datei ssqRHYSm.dll empfangen 2008.05.17 17:05:47 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 9/32 (28.13%)

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.5.16.0 2008.05.16 -
AntiVir 7.8.0.19 2008.05.17 -
Authentium 5.1.0.4 2008.05.17 -
Avast 4.8.1195.0 2008.05.17 Win32:Zapchast-FO
AVG 7.5.0.516 2008.05.16 -
BitDefender 7.2 2008.05.17 -
CAT-QuickHeal 9.50 2008.05.17 -
ClamAV None 2008.05.17 -
DrWeb 4.44.0.09170 2008.05.17 -
eSafe 7.0.15.0 2008.05.16 -
eTrust-Vet 31.4.5798 2008.05.16 Win32/Vundo!generic
Ewido 4.0 2008.05.14 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.17 Vundo.gen148
Fortinet 3.14.0.0 2008.05.17 -
GData 2.0.7306.1023 2008.05.17 Win32:Zapchast-FO
Ikarus T3.1.1.26.0 2008.05.17 Win32.Rigel.6468
Kaspersky 7.0.0.125 2008.05.17 -
McAfee 5297 2008.05.17 Vundo.gen.c
Microsoft 1.3408 2008.05.13 -
NOD32v2 3106 2008.05.16 -
Norman 5.80.02 2008.05.16 Vundo.gen148
Panda 9.0.0.4 2008.05.17 -
Prevx1 V2 2008.05.17 Cloaked Malware
Rising 20.44.52.00 2008.05.17 AdWare.Win32.Vundo.f
Sophos 4.29.0 2008.05.17 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.17 -
TheHacker 6.2.92.311 2008.05.15 -
VBA32 3.12.6.6 2008.05.17 -
VirusBuster 4.3.26:9 2008.05.17 -
Webwasher-Gateway 6.6.2 2008.05.17 -
weitere Informationen
File size: 279040 bytes
MD5...: ec46a7867012bd06e8def5b12830a835
SHA1..: 45f26ef9ab7d77d9d9b1ad7724cacd2487df44c7
SHA256: bd88a4cffe10ad937192fe91f1e90a3e65eb1a1d459a873580b87da78fc62775
SHA512: 0069798438b9cff234cb6afd7beef42da51b33b3e411e2fc96c0f9ce4ab610b0
9627980038d71b2427a35b4d09769c969718891258a2e98b74c632d1700c1b0d
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10006d23
timedatestamp.....: 0xdc40e592L (invalid)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x65000 0x6200 7.78 52bb120203bfa36ef2d8b7ad235e30ab
.data 0x66000 0x3d000 0x3ce00 8.00 fe9e8a8f5f2a7a7797320dc35c21d67b
.rdata 0xa3000 0x1000 0xa00 7.15 db404d23eb6e0b901959c44a37320059
.idata 0xa4000 0x1000 0x400 1.88 c8e613b0413296b6a8fcfbcbfe5892f2

( 1 imports )
> kernel32.dll: GetCommandLineA, GetFileSize, TlsAlloc, lstrcmpA, lstrlenA, ExitProcess

( 0 exports )
Prevx info: 13566357.DLL - Prevx

Also wenn ich das jetzt mit meinen wenigen, bzw nicht vorhandenen kenntnissen angucke...Ist das richtig dass der "Virus" in der 2. Datei liegt?

mfg Vickel

**Sunny** · 17.05.2008, 16:20

Zitat:

Zitat von Vickel

Also wenn ich das jetzt mit meinen wenigen, bzw nicht vorhandenen kenntnissen angucke...Ist das richtig dass der "Virus" in der 2. Datei liegt?

Richtig.

daher folgendes:

Scripten mit Combofix

Öffne den Editor ( Start -> Zubehör -> Editor ) kopiere nun folgenden Text in das weiße Feld:

Code:

ATTFilter

FILE::
C:\Users\user\AppData\Local\Temp\ssqRHYSm.dll

Folder::
C:\Users\All Users\Messenger Plus!
C:\ProgramData\Messenger Plus!
C:\Program Files\Messenger Plus! Live

Speichere diese Datei nun auf dem Desktop unter -> cfscript.txt

Nun die Datei cfscript.txt mit der rechten Maustaste auf das Sysmbol von Combofix ziehen!

Danach das Combofix nochmal ausführen, das System neu starten und das Log von Combofix posten

Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann

Vickel · 17.05.2008, 17:02

haha ich bin gut

nein scherz xD

hier der logfile:

ComboFix 08-05-15.3 - user 2008-05-17 17:30:33.2 - NTFSx86
ausgeführt von:: C:\Users\user\Desktop\ComboFix.exe
Command switches used :: C:\Users\user\Desktop\cfscript.txt
* Neuer Wiederherstellungspunkt wurde erstellt

FILE ::
C:\Users\user\AppData\Local\Temp\ssqRHYSm.dll
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\user\AppData\Local\Temp\ssqRHYSm.dll

.
((((((((((((((((((((((( Dateien erstellt von 2008-04-17 bis 2008-05-17 ))))))))))))))))))))))))))))))
.

2008-05-08 15:27 . 2008-05-08 15:27 <DIR> d-------- C:\Program Files\CCleaner
2008-05-06 21:29 . 2008-05-06 21:29 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-05-06 21:26 . 2008-05-06 21:26 <DIR> d-------- C:\Users\user\AppData\Roaming\Nero
2008-05-06 21:19 . 2008-05-06 21:19 <DIR> d-------- C:\Users\All Users\Nero
2008-05-06 21:19 . 2008-05-06 21:19 <DIR> d-------- C:\ProgramData\Nero
2008-05-06 21:19 . 2008-05-06 21:19 <DIR> d-------- C:\Program Files\Nero
2008-05-06 21:19 . 2008-05-06 21:23 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-05-05 18:07 . 2008-05-05 18:22 <DIR> d-------- C:\windows gadgets
2008-05-03 23:07 . 2008-05-17 10:19 <DIR> d-------- C:\Users\user\AppData\Roaming\skypePM
2008-05-03 23:07 . 2008-05-03 23:07 56 --ah----- C:\Users\All Users\ezsidmv.dat
2008-05-03 23:07 . 2008-05-03 23:07 56 --ah----- C:\ProgramData\ezsidmv.dat
2008-05-03 23:05 . 2008-05-17 17:39 <DIR> d-------- C:\Users\user\AppData\Roaming\Skype
2008-05-03 23:04 . 2008-05-03 23:04 <DIR> d-------- C:\Users\All Users\Skype
2008-05-03 23:04 . 2008-05-03 23:04 <DIR> d-------- C:\ProgramData\Skype
2008-05-03 23:04 . 2008-05-03 23:04 <DIR> d-------- C:\Program Files\Skype
2008-05-03 23:04 . 2008-05-03 23:04 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-03 21:23 . 2008-05-06 21:05 <DIR> d-a------ C:\Users\All Users\TEMP
2008-05-03 21:23 . 2008-05-06 21:05 <DIR> d-a------ C:\ProgramData\TEMP
2008-05-03 21:23 . 2008-05-03 21:23 <DIR> d-------- C:\Program Files\Magic AAC to MP3 Converter
2008-05-02 23:39 . 2008-05-02 23:47 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-02 23:38 . 2008-05-02 23:38 <DIR> d-------- C:\Users\All Users\WLInstaller
2008-05-02 23:38 . 2008-05-02 23:38 <DIR> d-------- C:\ProgramData\WLInstaller
2008-05-02 23:25 . 2008-05-02 23:25 <DIR> d-------- C:\Windows\PCHEALTH
2008-05-02 23:25 . 2008-05-02 23:39 <DIR> d-------- C:\Program Files\Windows Live
2008-05-02 22:15 . 2008-05-02 22:15 <DIR> d-------- C:\Users\All Users\LightScribe
2008-05-02 22:15 . 2008-05-02 22:15 <DIR> d-------- C:\ProgramData\LightScribe
2008-05-02 22:14 . 2008-05-02 22:14 <DIR> d-------- C:\Users\user\AppData\Roaming\Droppix
2008-05-02 22:14 . 2008-05-02 22:52 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-05-02 22:14 . 2005-11-09 09:00 1,012,736 --a------ C:\Windows\System32\vorbis.dll
2008-05-02 22:14 . 2004-06-05 19:33 139,264 --a------ C:\Windows\System32\RLAPEDec.ax
2008-05-02 22:14 . 2004-04-27 16:05 98,304 --a------ C:\Windows\System32\RLMPCDec.ax
2008-05-02 22:14 . 2005-11-09 09:00 12,800 --a------ C:\Windows\System32\ogg.dll
2008-05-02 22:08 . 2008-05-02 22:51 <DIR> d-------- C:\Users\All Users\Droppix
2008-05-02 22:08 . 2008-05-02 22:51 <DIR> d-------- C:\ProgramData\Droppix
2008-05-02 13:28 . 2008-05-11 19:31 <DIR> d-------- C:\Users\user\AppData\Roaming\ICQ
2008-05-02 13:27 . 2008-05-02 13:31 <DIR> d-------- C:\Program Files\ICQ6
2008-05-01 19:52 . 2008-05-05 21:32 <DIR> d-------- C:\Users\user\AppData\Roaming\Winamp
2008-05-01 19:52 . 2008-05-01 19:53 <DIR> d-------- C:\Program Files\Winamp
2008-05-01 19:52 . 2007-03-08 01:51 129,784 --------- C:\Windows\System32\pxafs.dll
2008-04-28 11:19 . 2008-04-28 11:20 <DIR> d-------- C:\DVDVideoSoft
2008-04-28 11:17 . 2008-04-28 11:17 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-04-28 11:17 . 2008-04-28 11:17 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-04-28 11:05 . 2008-04-28 11:14 <DIR> d-------- C:\Program Files\Free FLV Converter
2008-04-28 00:12 . 2008-04-28 00:12 <DIR> d-------- C:\Temp
2008-04-28 00:04 . 2008-04-28 00:04 <DIR> d-------- C:\Users\user\AppData\Roaming\AVS4YOU
2008-04-28 00:04 . 2008-04-28 00:04 <DIR> d-------- C:\Users\All Users\AVS4YOU
2008-04-28 00:04 . 2008-04-28 00:04 <DIR> d-------- C:\ProgramData\AVS4YOU
2008-04-28 00:02 . 2008-04-28 00:10 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-28 00:02 . 2008-04-28 00:10 <DIR> d-------- C:\Program Files\AVS4YOU
2008-04-26 22:37 . 2008-04-26 22:37 88 -r-hs---- C:\Windows\System32\C776C3020D.sys
2008-04-26 22:36 . 2008-04-26 22:37 <DIR> d-------- C:\Users\user\AppData\Roaming\Corel
2008-04-26 22:36 . 2008-04-26 22:36 <DIR> d-------- C:\Users\All Users\Corel
2008-04-26 22:36 . 2008-04-26 22:36 <DIR> d-------- C:\ProgramData\Corel
2008-04-26 22:31 . 2008-04-26 22:32 <DIR> d-------- C:\Program Files\Common Files\Corel
2008-04-26 22:24 . 2008-04-26 22:42 2,828 --ahs---- C:\Windows\System32\KGyGaAvL.sys
2008-04-26 22:22 . 2008-04-26 22:31 <DIR> d-------- C:\Program Files\Corel
2008-04-26 22:20 . 2008-04-26 22:58 <DIR> d-------- C:\Users\user\AppData\Roaming\Ulead Systems
2008-04-26 21:52 . 2008-04-26 21:52 <DIR> d-------- C:\Users\All Users\InstallShield
2008-04-26 21:52 . 2008-04-26 21:52 <DIR> d-------- C:\ProgramData\InstallShield
2008-04-26 21:52 . 2008-04-26 21:52 <DIR> d-------- C:\Program Files\Windows Media-Komponenten
2008-04-26 21:51 . 2008-04-26 23:10 <DIR> d-------- C:\Users\All Users\Ulead Systems
2008-04-26 21:51 . 2008-04-26 23:10 <DIR> d-------- C:\ProgramData\Ulead Systems
2008-04-24 21:32 . 2008-04-29 21:43 <DIR> d-------- C:\Users\user\AppData\Roaming\Nokia Multimedia Player
2008-04-24 21:32 . 2008-05-05 19:46 152,554 --a------ C:\Users\user\AppData\Roaming\NMM-MetaData.db
2008-04-24 19:32 . 2008-04-24 19:32 <DIR> d-------- C:\Users\user\AppData\Roaming\DivX
2008-04-24 19:30 . 2008-04-24 19:33 <DIR> d-------- C:\Program Files\DivX
2008-04-24 15:58 . 2008-04-24 15:59 <DIR> d-------- C:\Users\All Users\Adobe
2008-04-24 15:57 . 2008-04-24 15:58 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-23 23:05 . 2008-04-27 11:01 <DIR> d-------- C:\Program Files\Google
2008-04-23 23:04 . 2008-04-23 23:05 <DIR> d-------- C:\Program Files\Java
2008-04-23 23:03 . 2008-04-23 23:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-21 19:07 . 2008-04-21 19:07 803,840 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-04-21 19:07 . 2008-04-21 19:07 217,272 --a------ C:\Windows\System32\drivers\netio.sys
2008-04-21 19:07 . 2008-04-21 19:07 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-04-21 19:07 . 2008-04-21 19:07 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-04-21 19:06 . 2008-04-21 19:06 <DIR> d-------- C:\Users\All Users\CheckPoint
2008-04-21 19:06 . 2008-04-21 19:06 <DIR> d-------- C:\ProgramData\CheckPoint
2008-04-21 19:06 . 2008-04-21 19:06 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-21 19:05 . 2008-04-21 19:06 <DIR> d-------- C:\Windows\System32\ZoneLabs
2008-04-21 19:05 . 2008-05-17 17:36 352,615 --ah----- C:\Windows\System32\drivers\vsconfig.xml
2008-04-21 19:05 . 2008-03-03 15:06 279,440 --------- C:\Windows\System32\drivers\vsdatant.sys
2008-04-21 18:44 . 2008-05-17 17:41 <DIR> d-------- C:\Windows\Internet Logs
2008-04-20 21:22 . 2008-04-20 21:22 <DIR> d-------- C:\Users\All Users\Avira
2008-04-20 21:22 . 2008-04-20 21:22 <DIR> d-------- C:\ProgramData\Avira
2008-04-20 21:22 . 2008-04-20 21:22 <DIR> d-------- C:\Program Files\Avira
2008-04-20 18:35 . 2008-04-26 23:21 <DIR> d-------- C:\Users\All Users\Google
2008-04-20 18:02 . 2008-05-02 18:14 <DIR> d-------- C:\Users\user\Phone Browser
2008-04-20 17:59 . 2008-04-20 18:02 <DIR> d-------- C:\Users\All Users\PC Suite
2008-04-20 17:59 . 2008-04-20 18:02 <DIR> d-------- C:\ProgramData\PC Suite
2008-04-20 17:58 . 2008-04-26 19:26 <DIR> d-------- C:\Users\user\AppData\Roaming\Nokia
2008-04-20 17:58 . 2008-04-20 17:58 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-20 17:58 . 2008-04-20 17:58 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-20 17:56 . 2008-04-20 18:00 <DIR> d-------- C:\Users\user\AppData\Roaming\PC Suite
2008-04-20 17:56 . 2008-04-20 17:56 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-20 17:54 . 2008-04-20 17:58 <DIR> d-------- C:\Program Files\Nokia
2008-04-20 17:54 . 2007-02-22 11:15 90,624 --a------ C:\Windows\System32\nmwcdcls.dll
2008-04-20 17:53 . 2008-04-20 17:53 <DIR> d-------- C:\Users\All Users\Installations
2008-04-20 17:53 . 2008-04-20 17:53 <DIR> d-------- C:\ProgramData\Installations
2008-04-19 16:18 . 2008-04-19 16:20 <DIR> d-------- C:\Users\user\AppData\Roaming\ICQLite
2008-04-19 16:17 . 2008-04-19 16:17 <DIR> d-------- C:\Windows\System32\Macromed
2008-04-19 16:17 . 2008-04-19 16:17 0 --a------ C:\Windows\nsreg.dat
2008-04-19 13:18 . 2008-04-19 13:18 <DIR> dr------- C:\Windows\System32\config\systemprofile\Music
2008-04-19 12:41 . 2008-04-19 12:41 <DIR> d-------- C:\Users\user\AppData\Roaming\CyberLink
8 Datei(en), . 3,736,596 C:\ComboFix\Bytes
3 Datei(en), . 207,034 C:\ComboFix\Bytes
1 Datei(en), . 675,424 C:\ComboFix\Bytes
1 Datei(en), . 56 C:\ComboFix\Bytes
1 Datei(en), . 56 C:\ComboFix\Bytes

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-15 13:19 167,936 ----a-w C:\Windows\Internet Logs\xDB8D50.tmp
2008-05-10 11:33 532,992 ----a-w C:\Windows\Internet Logs\xDB8FD0.tmp
2008-05-03 14:04 --------- d-----w C:\ProgramData\CyberLink
2008-05-02 11:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 21:59 383,488 ----a-w C:\Windows\Internet Logs\xDB980A.tmp
2008-04-26 19:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-20 15:57 --------- d-----w C:\Program Files\DIFX
2008-04-16 19:40 --------- d-----w C:\ProgramData\NVIDIA
2008-04-16 19:26 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-16 19:23 77,824 ----a-w C:\Windows\System32\rascfg.dll
2008-04-16 19:22 0 --sha-r C:\Windows\system32\drivers\103C_HP_cNB_Pavilion dv9500 Notebook PC_Y5335KV_0U_QCNF7372B7T_E436786-242_4A_I30CB_SQuanta_V79.1D_F.22_T070817_WV3-0_L407_M1022_J160_7Intel_86FD_91.50_#071210_N10EC8168;80864222_(GX452EA#AKD)_XMOBILE_CN10_Z.MRK
2008-04-16 19:19 53,760 ----a-w C:\Windows\system32\drivers\hdaudbus.sys
2008-04-16 19:19 50,792 ----a-w C:\Windows\system32\drivers\termdd.sys
2008-04-16 19:19 50,280 ----a-w C:\Windows\system32\drivers\volmgr.sys
2008-04-16 19:19 29,184 ----a-w C:\Windows\system32\drivers\BTHUSB.SYS
2008-04-16 19:19 28,776 ----a-w C:\Windows\system32\drivers\mssmbios.sys
2008-04-16 19:19 220,160 ----a-w C:\Windows\system32\drivers\bthport.sys
2008-04-16 19:19 22,632 ----a-w C:\Windows\System32\streamci.dll
2008-04-16 19:19 19,456 ----a-w C:\Windows\system32\drivers\bthenum.sys
2008-04-16 19:19 181,760 ----a-w C:\Windows\System32\fsquirt.exe
2008-04-16 19:19 140,392 ----a-w C:\Windows\system32\drivers\pci.sys
2008-04-16 19:19 13,928 ----a-w C:\Windows\system32\drivers\msisadrv.sys
2008-04-16 19:19 12,776 ----a-w C:\Windows\system32\drivers\swenum.sys
2008-04-16 19:12 --------- d-----w C:\Program Files\WIDCOMM
2008-04-16 18:35 319,456 ----a-w C:\Windows\DIFxAPI.dll
2008-04-16 18:35 315,392 ----a-w C:\Windows\HideWin.exe
2008-04-16 18:35 --------- d-----w C:\Program Files\Realtek
2008-04-16 18:32 --------- d-----w C:\Program Files\HP
2008-04-16 18:18 --------- d-----w C:\Program Files\Fingerprint Sensor
2008-04-16 18:17 --------- d-----w C:\Program Files\Motorola
2008-04-16 18:07 --------- d-----w C:\Users\user\AppData\Roaming\InstallShield
2008-04-16 18:04 27,240 ----a-w C:\Users\user\AppData\Roaming\nvModes.dat
2008-04-15 20:23 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2008-04-15 20:23 --------- d-----w C:\Program Files\Synaptics
2008-04-15 20:21 --------- d-----w C:\Program Files\HPQ
2008-04-15 20:15 --------- d-----w C:\Program Files\Intel
2008-04-15 20:12 --------- d-----w C:\Program Files\HP DVB-T TV Tuner
2008-04-15 20:00 --------- d-sh--w C:\ProgramData\Vorlagen
2008-04-15 20:00 --------- d-sh--w C:\ProgramData\Startmenü
2008-04-15 20:00 --------- d-sh--w C:\ProgramData\Favoriten
2008-04-15 20:00 --------- d-sh--w C:\ProgramData\Dokumente
2008-04-15 20:00 --------- d-sh--w C:\ProgramData\Anwendungsdaten
2008-04-15 20:00 --------- d-sh--w C:\Program Files\Gemeinsame Dateien
2008-03-31 21:25 831,488 ----a-w C:\Windows\System32\divx_xx0a.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx0c.dll
2008-03-31 21:25 823,296 ----a-w C:\Windows\System32\divx_xx07.dll
2008-03-31 21:25 802,816 ----a-w C:\Windows\System32\divx_xx11.dll
2008-03-31 21:25 682,496 ----a-w C:\Windows\System32\DivX.dll
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-21 20:30 524,288 ----a-w C:\Windows\System32\DivXsm.exe
2008-03-21 20:30 3,596,288 ----a-w C:\Windows\System32\qt-dx331.dll
2008-03-21 20:30 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-03-21 20:30 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-03-21 20:28 81,920 ----a-w C:\Windows\System32\dpl100.dll
2008-03-21 20:28 593,920 ----a-w C:\Windows\System32\dpuGUI11.dll
2008-03-21 20:28 57,344 ----a-w C:\Windows\System32\dpv11.dll
2008-03-21 20:28 53,248 ----a-w C:\Windows\System32\dpuGUI10.dll
2008-03-21 20:28 344,064 ----a-w C:\Windows\System32\dpus11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu11.dll
2008-03-21 20:28 294,912 ----a-w C:\Windows\System32\dpu10.dll
2008-03-21 20:28 196,608 ----a-w C:\Windows\System32\dtu100.dll
2008-03-21 20:28 12,288 ----a-w C:\Windows\System32\DivXWMPExtType.dll
2008-03-03 13:05 54,672 ----a-w C:\Windows\System32\vsutil_loc0407.dll
2008-03-03 13:05 1,086,952 ----a-w C:\Windows\System32\zpeng24.dll
2008-02-28 15:38 972,072 ----a-w C:\Windows\UNNeroMediaHome.exe
2008-02-26 14:14 972,072 ----a-w C:\Windows\UNRecode.exe
2008-02-18 14:04 95,600 ----a-w C:\Windows\System32\NeroCo.dll
2006-11-02 12:50 174 --sha-w C:\Program Files\desktop.ini
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-17_15.32.11,75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-17 10:11:45 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-17 15:35:49 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-17 10:48:15 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-17 15:37:02 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-17 15:37:02 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-05-17 10:14:10 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-17 15:37:02 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-17 15:37:02 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-05-17 10:11:57 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-17 15:36:01 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-17 10:11:57 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-17 15:36:01 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-17 10:11:57 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-17 15:36:01 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-17 10:14:44 6,546 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4259275919-304576964-3343751654-1000_UserData.bin
+ 2008-05-17 15:38:52 6,792 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4259275919-304576964-3343751654-1000_UserData.bin
- 2008-05-17 10:14:39 69,870 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-17 15:38:34 70,026 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-16 21:59:12 4,684 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-05-17 15:34:38 4,684 ----a-w C:\Windows\System32\WDI\ERCQueuedResolutions.dat
- 2008-05-17 10:14:26 34,586 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-17 15:38:19 34,984 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2006-11-02 14:35 1196032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 14:35 125440]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-30 17:17 22058792]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]
"ICQ"="C:\Program Files\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 14:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-02 14:34 1004136]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 15:15 480560]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 19:29 102400]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-16 22:34 634880]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 14:13 202032]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-12-19 19:27 468264]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-14 19:26 4874240 C:\Windows\RtHDVCpl.exe]
"OnScreenDisplay"="C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 13:54 554320]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-19 04:05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-19 04:05 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-19 04:05 81920]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-03 15:05 959976]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 20:49 36352]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 12:27:40 719664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4259275919-304576964-3343751654-1000]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{310E1880-C51D-4CDA-ADDE-29E0616AEFBD}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{48F2BB45-7BBF-40C1-831F-2FB3167213CD}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{7807DD95-906D-4DA5-A8C3-8A8C67F1CA24}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{73191B50-CACD-487C-8953-2862224D47A7}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{888757E0-F824-48EA-A32D-3FD0A8E952F4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{180D2B53-CBAA-47B0-B866-6F9C5D4DBCC4}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{359892E3-BDE4-46C7-9839-28924158E9A3}"= C:\Program Files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-12-19 19:28]
R2 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-12-19 19:28]
R3 btwaudio;Bluetooth-Audiogerät;C:\Windows\system32\drivers\btwaudio.sys [2007-01-02 10:45]
R3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2007-01-02 10:45]
R3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-01-02 10:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

.
Inhalt des "geplante Tasks" Ordners
"2008-05-16 17:52:14 C:\Windows\Tasks\User_Feed_Synchronization-{6A8B2EF6-9206-4009-AEAD-B1CF8EBB61ED}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 17:37:12
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\IoctlSvc.exe
C:\Windows\System32\PSIService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\System32\conime.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-05-17 17:45:05 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2008-05-17 15:44:53
ComboFix2.txt 2008-05-17 13:32:39

13 Verzeichnis(se), 101,471,121,408 Bytes frei
23 Verzeichnis(se), 101,341,458,432 Bytes frei

329

Und jetzt?
Wurde die sogenannte 2. Datei jetzt gelöscht?

mfg Vickel

**Sunny** · 17.05.2008, 17:04

Wenn weiterhin kein Probleme mehr auftauchen würde ich dich als geheilt entlassen...

Vickel · 17.05.2008, 17:12

ECHT?

Mega vielen Dank. War eine super Hilfe und total einfach erklärt.

Aber eine Frage noch, was mache ich denn mit den "sachen" bei antivir in quaratäne? löschen?

mfg Vickel

**Sunny** · 17.05.2008, 17:14

Alle Dateien im Ordner manuell löschen ...

Ciao,

Sunny

Vickel · 17.05.2008, 17:15

Ok

Danke nochmal, mir fällt ein echt großer Stein vom Herzen.

Schööö

17.05.2008, 17:04	#8
Sunny Administrator > Competence Manager	TR./Vundo.Gen Befall! Wenn weiterhin kein Probleme mehr auftauchen würde ich dich als geheilt entlassen... __________________ Anfragen per Email, Profil- oder privater Nachricht werden ignoriert! Hilfe gibts NUR im Forum! Stulti est se ipsum sapientem putare.

17.05.2008, 17:14	#10
Sunny Administrator > Competence Manager	TR./Vundo.Gen Befall! Alle Dateien im Ordner manuell löschen ... Ciao, Sunny __________________ Anfragen per Email, Profil- oder privater Nachricht werden ignoriert! Hilfe gibts NUR im Forum! Stulti est se ipsum sapientem putare.

TR./Vundo.Gen Befall!

Plagegeister aller Art und deren Bekämpfung: TR./Vundo.Gen Befall!