Hallo! Ich sitze gerade vor meinem PC und werde nur so von Fund-Meldungen erschlagen. AntiVir Guard meldet nnnOIYPF.dll TR/Crypt.XPack.Gen, geBRIXRI.dll TR/Dldr.ConHook.PR.1, außerdem kam schon TR/Vundo.ELT und TR/PrivacySet.A !!! Ich bin schon am verzweifeln. Abgesicherter Modus und Antivir laufen lassen brachte auch keinen Erfolg. Kann mir bitte jemand helfen! Danke!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:03:49, on 17.05.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\system32\spoolsv.exe
D:\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Avira\AntiVir PersonalEdition Classic\sched.exe
E:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\Explorer.EXE
D:\Avira\AntiVir PersonalEdition Classic\avgnt.exe
d:\avira\antivir personaledition classic\avcenter.exe
D:\Hijack This\hijackthis.exe
E:\Zone Labs\ZoneAlarm\zlclient.exe
D:\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
D:\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE
D:\Avira\AntiVir PersonalEdition Classic\GUARDGUI.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://alice.aol.de
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: {733f741d-fae3-dbbb-9814-9b7751e44131} - {13144e15-77b9-4189-bbbd-3eafd147f337} - E:\WINDOWS\system32\xcupicau.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7B4F2D80-821F-4A7D-A2E7-DFD681E87594} - E:\WINDOWS\system32\nnnOIYPF.dll
O2 - BHO: (no name) - {E243A8E7-6244-49E0-A361-22DBF30FD46C} - E:\WINDOWS\system32\geBRIXRl.dll
O4 - HKLM\..\Run: [avgnt] "D:\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "E:\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programme\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - h**p://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Programme\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206725145859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - h**p://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208041256796
O17 - HKLM\System\CCS\Services\Tcpip\..\{E0421668-795F-473B-877A-3BF5AB3B30CB}: NameServer = 192.168.0.1
O20 - Winlogon Notify: geBRIXRl - E:\WINDOWS\SYSTEM32\geBRIXRl.dll
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - D:\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ServiceLayer - Nokia. - E:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5200 bytes

Habe mal auf virustotal.com eine Datei untersuchen lassen. Andere Ergebnisse folgen..Datei geBRIXRl.dll empfangen 2008.05.17 19:44:08 (CET)
Status: Beendet
Ergebnis: 16/32 (50%)
Filter
Drucken der Ergebnisse
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.5.16.0 2008.05.16 -
AntiVir 7.8.0.19 2008.05.17 TR/Dldr.ConHook.PR.1
Authentium 5.1.0.4 2008.05.17 -
Avast 4.8.1195.0 2008.05.17 Win32:ConHook-DH
AVG 7.5.0.516 2008.05.16 Downloader.Generic7.MMV
BitDefender 7.2 2008.05.17 Trojan.Generic.241095
CAT-QuickHeal 9.50 2008.05.17 TrojanDownloader.ConHook.pr
ClamAV 0.92.1 2008.05.17 -
DrWeb 4.44.0.09170 2008.05.17 -
eSafe 7.0.15.0 2008.05.16 -
eTrust-Vet 31.4.5796 2008.05.16 -
Ewido 4.0 2008.05.14 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.17 Vundo.gen179
Fortinet 3.14.0.0 2008.05.17 W32/ConHook.PR!tr.dldr
GData 2.0.7306.1023 2008.05.17 Trojan-Downloader.Win32.ConHook.pr
Ikarus T3.1.1.26.0 2008.05.17 Trojan-Downloader.Win32.ConHook.pr
Kaspersky 7.0.0.125 2008.05.17 Trojan-Downloader.Win32.ConHook.pr
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3106 2008.05.16 -
Norman 5.80.02 2008.05.16 W32/ConHook.JM
Panda 9.0.0.4 2008.05.17 -
Prevx1 V2 2008.05.17 Cloaked Malware
Rising 20.44.52.00 2008.05.17 Trojan.DL.Win32.Small.ttr
Sophos 4.29.0 2008.05.17 Mal/Generic-A
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.17 -
TheHacker 6.2.92.311 2008.05.15 -
VBA32 3.12.6.6 2008.05.17 Trojan-Downloader.Win32.ConHook.pr
VirusBuster 4.3.26:9 2008.05.17 -
Webwasher-Gateway 6.6.2 2008.05.17 Trojan.Dldr.ConHook.PR.1
weitere Informationen
File size: 57856 bytes
MD5...: 48177522cf7d50a935f52da1fce1d997
SHA1..: 6c017e4574d9a13945706f6b1cf718b6ee5cf5ed
SHA256: 4cd14dc14d80e9dc0bca6fb0bf4dded42bedc788e74d97d4ec03e588f968799e
SHA512: 420466a775fa3fa21fe3a1c4127568c9a78c9628cc6c490879a89f8c606f7bdb
f4922252b4d2ad036e555084ad4eabc35fb9085ecd2969fe98eb389bda7933bb
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10001038
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x84be 0x8600 7.22 fb70c6597422343335f5da44f968244c
.rdata 0xa000 0x176a 0x1800 7.64 1d2a30a7500ffc249dd82d4808d57344
.data 0xc000 0x4345 0x4000 7.83 ad772698882efab5c06fd4ca2a41d8aa

( 2 imports )
> user32.dll: EnableMenuItem, EmptyClipboard, DrawTextA, DrawStateA, DialogBoxParamA, DestroyMenu, DestroyCursor, CreateMDIWindowA, CreateIconFromResourceEx, CreateAcceleratorTableA, CopyRect, CopyImage, CharUpperBuffA, CharUpperA, CharToOemBuffA, ChangeMenuA, BeginPaint
> kernel32.dll: FlushFileBuffers, lstrcpynA, lstrcpyA, lstrcmpA, lstrcatA, VirtualAlloc, TlsSetValue, TlsGetValue, TlsFree, SetCurrentDirectoryA, RtlUnwind, MapViewOfFile, GetVersionExA, GetSystemTimeAsFileTime, GetDateFormatA, GetCommandLineA, FreeResource

( 0 exports )
Prevx info: 22776007.SVD - Prevx

Datei nnnOIYPF.dll empfangen 2008.05.17 19:51:34 (CET)
Status: Beendet
Ergebnis: 6/32 (18.75%)
Filter
Drucken der Ergebnisse
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.5.16.0 2008.05.16 -
AntiVir 7.8.0.19 2008.05.17 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.05.17 -
Avast 4.8.1195.0 2008.05.17 -
AVG 7.5.0.516 2008.05.16 Generic10.YWC
BitDefender 7.2 2008.05.17 -
CAT-QuickHeal 9.50 2008.05.17 -
ClamAV 0.92.1 2008.05.17 -
DrWeb 4.44.0.09170 2008.05.17 -
eSafe 7.0.15.0 2008.05.16 -
eTrust-Vet 31.4.5798 2008.05.16 -
Ewido 4.0 2008.05.14 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.17 Vundo.gen179
Fortinet 3.14.0.0 2008.05.17 -
GData 2.0.7306.1023 2008.05.17 -
Ikarus T3.1.1.26.0 2008.05.17 -
Kaspersky 7.0.0.125 2008.05.17 -
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 -
NOD32v2 3106 2008.05.16 -
Norman 5.80.02 2008.05.16 Vundo.gen179
Panda 9.0.0.4 2008.05.17 -
Prevx1 V2 2008.05.17 Cloaked Malware
Rising 20.44.52.00 2008.05.17 -
Sophos 4.29.0 2008.05.17 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.17 -
TheHacker 6.2.92.311 2008.05.15 -
VBA32 3.12.6.6 2008.05.17 -
VirusBuster 4.3.26:9 2008.05.17 -
Webwasher-Gateway 6.6.2 2008.05.17 Trojan.Crypt.XPACK.Gen
weitere Informationen
File size: 373248 bytes
MD5...: 58de21c7eb262ca9a2afc39e9b6fd169
SHA1..: a882362ca0702d8729ff246fc5517384c8e1ac88
SHA256: c7db93f887f958ac764b3369ac7ffed0d49f2d4290b62c4e3e2ea315f0972f34
SHA512: dc571a7333eaca075bddafba8de99a62a6d29dd1a97c88008c3f4287f56737b1
d8f7fb43cd48f3b221711e7d077d500d4a9697340dc97b74e2054f2fdfe5abd6
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000119c
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8876 0x8a00 7.19 dea6eec1cc3a0b93eed65b4d77127fc2
.rdata 0xa000 0x23c5c 0x23e00 7.99 b073e086fd966112e5f3a8da4cd08810
.data 0x2e000 0x6f4ce 0x2e600 8.00 046c1ec0280ed4af2c7e122309458abe

( 2 imports )
> user32.dll: DrawMenuBar, DrawIcon, DestroyIcon, CreatePopupMenu, CreateMenu, CreateIconFromResource, CreateDesktopA, CharUpperBuffA, CharLowerA, ChangeMenuA
> kernel32.dll: FreeResource, lstrlenA, lstrcpyA, lstrcmpA, lstrcatA, WriteFile, VirtualAlloc, TlsSetValue, TlsAlloc, SetEndOfFile, RtlUnwind, CompareStringA, EnterCriticalSection, EnumResourceNamesA, GetSystemTimeAsFileTime, GetVersionExA, LocalAlloc

( 0 exports )
Prevx info: 02835426.DLL - Prevx

Datei xcupicau.dll empfangen 2008.05.17 19:54:47 (CET)
Status: Beendet
Ergebnis: 8/32 (25%)
Filter
Drucken der Ergebnisse
Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.5.16.0 2008.05.16 -
AntiVir 7.8.0.19 2008.05.17 -
Authentium 5.1.0.4 2008.05.17 -
Avast 4.8.1195.0 2008.05.17 -
AVG 7.5.0.516 2008.05.16 -
BitDefender 7.2 2008.05.17 -
CAT-QuickHeal 9.50 2008.05.17 -
ClamAV 0.92.1 2008.05.17 -
DrWeb 4.44.0.09170 2008.05.17 -
eSafe 7.0.15.0 2008.05.16 -
eTrust-Vet 31.4.5796 2008.05.16 -
Ewido 4.0 2008.05.14 -
F-Prot 4.4.2.54 2008.05.16 -
F-Secure 6.70.13260.0 2008.05.17 Vundo.gen179
Fortinet 3.14.0.0 2008.05.17 -
GData 2.0.7306.1023 2008.05.17 Trojan.Win32.Monder.gen
Ikarus T3.1.1.26.0 2008.05.17 -
Kaspersky 7.0.0.125 2008.05.17 Trojan.Win32.Monder.gen
McAfee 5297 2008.05.17 -
Microsoft 1.3408 2008.05.13 Trojan:Win32/Vundo.AF
NOD32v2 3106 2008.05.16 -
Norman 5.80.02 2008.05.16 Vundo.gen179
Panda 9.0.0.4 2008.05.17 Suspicious file
Prevx1 V2 2008.05.17 Cloaked Malware
Rising 20.44.52.00 2008.05.17 -
Sophos 4.29.0 2008.05.17 -
Sunbelt 3.0.1123.1 2008.05.17 -
Symantec 10 2008.05.17 -
TheHacker 6.2.92.311 2008.05.15 -
VBA32 3.12.6.6 2008.05.17 -
VirusBuster 4.3.26:9 2008.05.17 -
Webwasher-Gateway 6.6.2 2008.05.17 Win32.Malware.gen!80 (suspicious)
weitere Informationen
File size: 134144 bytes
MD5...: 4dbbb4a2907ec2cf4a5dce5c083f6543
SHA1..: 83cc7b3eae0a201fd7d9115e025f62a6cef2e43a
SHA256: 22d369847b49a8f587fede4754586c9566f09450aad5353e9076e94d2345e35d
SHA512: 19421a4c5c0c53b06c4cb3a69c1b161d7f0989c5832f955d47209f341b3c3f95
ab6c836166ea072e16a24ae442003574e48baf664ac5fc5737454053b938bc29
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100011d0
timedatestamp.....: 0x478a2fee (Sun Jan 13 15:36:14 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8816 0x8a00 7.15 84b7896c91f77090316bf03ab2ccf96c
.rdata 0xa000 0x13688 0x13800 7.99 37f641861d6395bcc1ae677af49586c0
.data 0x1e000 0x13e5b 0x4600 7.83 6afdf26e78ce8f6bcf6b05f84258a2a2

( 2 imports )
> user32.dll: DrawStateA, DrawMenuBar, DrawIcon, DrawCaption, DestroyCursor, CreateDialogParamA, CharNextA
> kernel32.dll: FreeResource, lstrlenA, lstrcpyA, lstrcatA, TlsGetValue, TlsAlloc, SetLastError, SetCurrentDirectoryA, CompareStringA, EnumResourceLanguagesA, EnumResourceTypesA, ExitProcess, ExitThread, FlushFileBuffers, GetDateFormatA, GetVersion, InitializeCriticalSection, LoadResource, LocalAlloc, RtlUnwind

( 0 exports )
Prevx info: SBEKJHKK.DLL - Prevx

Hi!

Also, ich glaube ich habe es nun auch durch lesen im Trojaner-Board selbst hinbekommen. Ist wirklich ein super Forum!!!