Die Hijackthislogs sind aus dem normalen und nicht aus dem abgesicherten Modus. Bist du sicher, dass da alles glatt läuft?

Fahre wie von BataAlexander angegeben fort.

lg myrtille

Zitat:

Zitat von myrtille

Die Hijackthislogs sind aus dem normalen und nicht aus dem abgesicherten Modus. Bist du sicher, dass da alles glatt läuft?

Ja! Ein Posting weiter unten sind die aus dem abgesicherten Modus. Der Vollständigkeit halber hab ich noch zusätzlich die aus dem Normalen hinzugefügt.

Zitat:

Fahre wie von BataAlexander angegeben fort.
lg myrtille

Werde ich jetzt machen

ComboFix hat inkl. zwischenzeitlichem Reboot starke 20 Minuten benötigt.

Teil 1/2:

ComboFixLog:

Code: Alles auswählenAufklappen

ATTFilter

ComboFix 08-06-16.5 - *** 2008-06-18 20:54:00.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.641 [GMT 2:00]
Running from: C:\Documents and Settings\***\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\***\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\Wingl05.sys
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\WinCtrl32.dl_
C:\WINDOWS\system32\WinCtrl32.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINGL05
-------\Service_Wingl05


(((((((((((((((((((((((((   Files Created from 2008-05-18 to 2008-06-18  )))))))))))))))))))))))))))))))
.

2008-06-18 00:33 . 2008-06-18 00:33	<DIR>	d--------	C:\asdf
2008-06-17 01:58 . 2008-06-17 01:58	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-06-17 01:40 . 2008-06-18 20:41	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-06-16 23:44 . 2008-06-16 23:44	<DIR>	d--------	C:\Program Files\Trend Micro
2008-06-16 20:51 . 2008-06-16 20:51	<DIR>	d--------	C:\Documents and Settings\***\Application Data\Wireshark
2008-06-12 00:20 . 2008-06-12 00:20	0	--a------	C:\WINDOWS\system32\SBRC.dat
2008-06-12 00:20 . 2008-06-12 00:20	0	--a------	C:\WINDOWS\system32\SBFC.dat
2008-06-12 00:17 . 2008-06-12 00:17	<DIR>	d--------	C:\Documents and Settings\***\Application Data\Sunbelt Software
2008-06-11 08:50 . 2008-06-11 08:50	118	--a------	C:\WINDOWS\system32\MRT.INI
2008-06-11 08:41 . 2008-04-14 13:01	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 00:15 . 2008-06-11 08:18	<DIR>	d--------	C:\k6logs
2008-06-09 00:34 . 2008-06-09 00:42	8,424,758	--a------	C:\WINDOWS\system32\NETJLK
2008-06-09 00:30 . 2008-06-09 00:30	<DIR>	d--------	C:\Program Files\Avira
2008-06-09 00:30 . 2008-06-09 00:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avira
2008-06-09 00:28 . 2008-06-09 01:00	<DIR>	d--------	C:\WINDOWS\SxsCaPendDel
2008-06-08 22:14 . 2008-06-15 13:37	<DIR>	d-a------	C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 22:06 . 2008-06-08 23:08	<DIR>	d--------	C:\Program Files\Norton Security Scan
2008-06-08 22:05 . 2008-06-17 23:18	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-07 23:05 . 2008-06-09 00:30	<DIR>	d--------	C:\Program Files\Windows Live Safety Center
2008-06-07 21:05 . 2008-06-09 00:27	<DIR>	d----c---	C:\WINDOWS\system32\DRVSTORE
2008-06-07 21:04 . 2007-03-29 14:56	409,600	-----c---	C:\WINDOWS\system32\dllcache\qmgr.dll
2008-06-07 21:04 . 2007-03-29 14:56	18,944	-----c---	C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-06-07 21:04 . 2007-03-29 14:56	8,192	-----c---	C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-06-07 21:04 . 2007-03-29 14:56	7,168	-----c---	C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-06-07 21:04 . 2007-03-29 14:56	7,168	-----c---	C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-06-07 21:04 . 2007-03-29 14:56	7,168	---------	C:\WINDOWS\system32\bitsprx4.dll
2008-06-07 19:04 . 2008-06-07 19:48	<DIR>	d--------	C:\WINDOWS\BDOSCAN8
2008-06-07 18:28 . 2008-06-07 18:28	<DIR>	d--------	C:\Documents and Settings\***\Application Data\F-Secure
2008-06-07 18:16 . 2008-06-15 13:36	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\F-Secure
2008-06-07 17:47 . 2008-06-12 01:41	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\fssg
2008-06-07 15:48 . 2008-06-07 16:00	160,256	--a------	C:\WINDOWS\system32\blackster.scr
2008-06-07 15:48 . 2008-06-07 15:48	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-06-07 15:48 . 2008-06-07 15:48	1,409	--a------	C:\WINDOWS\QTFont.for
2008-05-28 22:21 . 2008-06-07 18:51	<DIR>	d--------	C:\Documents and Settings\***\DoctorWeb
2008-05-28 21:53 . 2008-05-28 21:53	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\Ipswitch
2008-05-27 23:07 . 2008-06-07 21:12	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 21:48	---------	d-----w	C:\Documents and Settings\***\Application Data\Canon
2008-06-16 18:07	---------	d-----w	C:\Program Files\WinPcap
2008-06-15 22:55	---------	d-----w	C:\Program Files\My Ebook Library
2008-06-08 23:00	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-06-08 20:05	---------	d-----w	C:\Program Files\Google
2008-06-08 12:33	---------	d-----w	C:\Program Files\InterVideo
2008-06-08 12:32	---------	d-----w	C:\Program Files\Common Files\InterVideo
2008-06-07 19:13	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 14:06	---------	d-----w	C:\Documents and Settings\All Users\Application Data\RetroExp
2008-06-07 13:15	---------	d-----w	C:\Program Files\avmwlanstick
2008-05-27 23:11	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2008-05-27 17:38	---------	d-----w	C:\Program Files\Free Thumbnail Factory
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-21 18:16	---------	d-----w	C:\Program Files\7-Zip
2007-03-11 21:04	157	----a-w	C:\Program Files\adressen.txt
2003-03-22 01:06	135,392	----a-w	C:\Documents and Settings\***\Application Data\GDIPFONTCACHEV1.DAT
2000-01-07 09:53	696,320	----a-w	C:\Program Files\Common Files\XCMHook.dll
2000-01-06 13:57	24,576	----a-w	C:\Program Files\Common Files\XCPCMenu.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Quick Launch"="C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" [2003-03-12 13:57 140464]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:50 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 06:39 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 06:39 455168]
"Opware12"="C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe" [2002-08-01 04:49 49152]
"AtiPTA"="atiptaxx.exe" [2002-07-25 11:04 290816 C:\WINDOWS\system32\atiptaxx.exe]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 04:50 155648]
"HI-SPEED USB DEVICE Coinstaller"="PL15Co2K.exe" [2003-04-16 11:24 86016 C:\WINDOWS\system32\PL15Co2K.exe]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2003-10-10 12:23 94208]
"AVMWlanClient"="C:\Program Files\avmwlanstick\wlangui.exe" [2008-01-28 01:06 1753088]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 12:52 221184]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 01:20 278528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 06:37:56 217194]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-12 00:23:03 110592]
FRITZ!DSL Startcenter.lnk - C:\Program Files\FRITZ!DSL\StCenter.exe [2005-08-10 21:02:52 651264]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-12-29 00:22:47 106560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Free WebSite Tools.lnk - C:\Program Files\Free Thumbnail Factory\ThirtyDayTimer.exe [2004-01-14 16:32:23 372224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winaf15.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winaf73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winch38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winch73.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl83.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjo40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmq51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winns16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winot50.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpu72.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winty51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvb51.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwc38.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\FreshDevices\\FreshDownload\\fdgo.exe"=
"C:\\Program Files\\FTP Explorer\\ftpx.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\FRITZ!DSL\\IGDCTRL.EXE"=
"C:\\Program Files\\FRITZ!DSL\\FBOXUPD.EXE"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-02 11:16]
R2 vcanv;Virtual CAN Bus Driver;C:\WINDOWS\system32\Drivers\vcanv.sys [2003-05-30 09:07]
R3 AT2500;Allied Telesyn AT-2500 Series PCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\A25v3m5.SYS [2001-09-28 10:21]
R3 viafilter;VIA USB Filter;C:\WINDOWS\system32\Drivers\viausb1.sys [2001-09-19 13:28]
S0 Winaf15;Winaf15;C:\WINDOWS\system32\Drivers\Winaf15.sys []
S0 Winaf73;Winaf73;C:\WINDOWS\system32\Drivers\Winaf73.sys []
S0 Winch38;Winch38;C:\WINDOWS\system32\Drivers\Winch38.sys []
S0 Winch73;Winch73;C:\WINDOWS\system32\Drivers\Winch73.sys []
S0 Winhl83;Winhl83;C:\WINDOWS\system32\Drivers\Winhl83.sys []
S0 Winjo40;Winjo40;C:\WINDOWS\system32\Drivers\Winjo40.sys []
S0 Winmq51;Winmq51;C:\WINDOWS\system32\Drivers\Winmq51.sys []
S0 Winns16;Winns16;C:\WINDOWS\system32\Drivers\Winns16.sys []
S0 Winot50;Winot50;C:\WINDOWS\system32\Drivers\Winot50.sys []
S0 Winpu72;Winpu72;C:\WINDOWS\system32\Drivers\Winpu72.sys []
S0 Winty51;Winty51;C:\WINDOWS\system32\Drivers\Winty51.sys []
S0 Winvb51;Winvb51;C:\WINDOWS\system32\Drivers\Winvb51.sys []
S0 Winwc38;Winwc38;C:\WINDOWS\system32\Drivers\Winwc38.sys []
S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys [2006-11-07 02:00]
S3 FWLANUSB;AVM FRITZ!WLAN;C:\WINDOWS\system32\DRIVERS\fwlanusb.sys [2008-01-28 01:06]
S3 mgau;mgau;C:\WINDOWS\system32\DRIVERS\mgaum.sys [2001-08-17 13:50]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 22:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-08 20:06:38 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 21:04:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\avmwlanstick\WLanNetService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-18 21:14:52 - machine was rebooted [***]
ComboFix-quarantined-files.txt  2008-06-18 19:14:48

Pre-Run: 955,006,976 bytes free
Post-Run: 1,055,760,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

260	--- E O F ---	2008-06-12 01:24:21
         

Teil 2/2:

ComboFix-quarantined-files.txt:

Code: Alles auswählenAufklappen

ATTFilter

1998-05-29 01:00      119400    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\MDM.EXE.vir
2001-08-23 14:00      30080    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\Wingl05.sys.vir
2008-06-18 20:24      15360    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\WinCtrl32.dll.vir
2008-06-18 20:27      15360    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\WinCtrl32.dl_.vir
2008-06-18 20:57      1088    --a------    C:\Qoobox\Quarantine\Registry_backups\Legacy_WINGL05.reg.dat
2008-06-18 20:57      2068    --a------    C:\Qoobox\Quarantine\Registry_backups\Service_Wingl05.reg.dat
2008-06-18 20:58      54    --a------    C:\Qoobox\Quarantine\catchme.log
         

hijackthis.log:

Code: Alles auswählenAufklappen

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:21:05, on 18.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\avmwlanstick\WlanNetService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\PL15Co2K.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\avmwlanstick\wlangui.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\FRITZ!DSL\StCenter.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {95188727-288F-4581-A48D-EAB3BD027314} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [AVMWlanClient] C:\Program Files\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Program Files\FRITZ!DSL\StCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,5/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.johannrain-softwareentwicklung.de/DE/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201045489050
O16 - DPF: {7E3E5294-350D-4DE2-93BC-635BF12FE39D} (WEEditor Class) - http://www.webedition.de/Control.CAB
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache - Unknown owner - c:\eZpublish\apache\apache.exe (file missing)
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Program Files\avmwlanstick\WlanNetService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 14115 bytes
         

Mit Wireshark konnte ich bis jetzt auch noch keine Emailkommunikation erkennen. Gefällt mir gut! Was meint ihr?

Hi,

da laufen noch ne Menge böse Sachen im Hintergrund.
Wie wiederstrebend würdest du denn ein Neuaufsetzen in Kauf nehmen?

lg myrtille

Myrtille hat recht, der richtige weg ist hier das Neuaufsetzen.

Der andere weg führt über das untenstehende.

Combofix - Scripten

1. Starte das Notepad (Start / Ausführen / notepad[Enter])

2. Jetzt füge mit copy/paste den ganzen Inhalt der untenstehenden Codebox in das Notepad Fenster ein.

Code: Alles auswählenAufklappen

ATTFilter

http://www.trojaner-board.de/54110-hilfe-bei-hijackthis-log-auswertung.html

Suspect::
C:\WINDOWS\system32\NETJLK

Collect::
C:\WINDOWS\system32\blackster.scr

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winaf15.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winaf73.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winch38.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winch73.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winhl83.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winjo40.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winmq51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winns16.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winot50.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winpu72.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winty51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winvb51.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winwc38.sys]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
"WinCtrl32.dll"=-

Driver::

Winaf15
Winaf73
Winch38
Winch73
Winhl83
Winjo40
Winmq51
Winns16
Winot50
Winpu72
Winty51
Winvb51
Winwc38
         

3. Speichere im Notepad als CFScript.txt auf dem Desktop.

4. Deaktivere den Guard Deines Antivirenprogramms und eine eventuell vorhandene Software Firewall.
(Auch Guards von Ad-, Spyware Programmen und den Tea Timer!)

5. Dann ziehe die CFScript.txt auf die ComboFix.exe, so wie es im unteren Bild zu sehen ist. Damit wird Combofix neu gestartet.



6. Nach dem Neustart (es wird gefragt ob Du neustarten willst), poste bitte die folgenden Log Dateien:
Combofix.txt

7. Nachdem das Log im Notepad aufgegenagen ist, erscheint ein Popup

Dies mit Ok wegklicken und es öffnet sich Dein Browser. In diesem Browser Fenster "Durchsuchen" auswählen und dann auf Deinem Desktop die neue .Zip Datei ([4]-Submit_Jahr-Monat-Tag_Uhrzeit.71.zip) auswählen. Dann mit Klick auf "Send" senden. So kann der Author die Erkennungsroutine des Programms verbessern.

Hinweis: Das obige Script ist nur für diesen einen User in dieser Situtation erstellt worden. Es ist auf keinen anderen Rechner portierbar und darf nicht anderweitig verwandt werden, da es das System nachhaltig schädigen kann

Zitat:

Zitat von myrtille

Hi,
da laufen noch ne Menge böse Sachen im Hintergrund.
Wie wiederstrebend würdest du denn ein Neuaufsetzen in Kauf nehmen?
lg myrtille

Hm, da hab ich mich zu früh gefreut...

Eine Neuinstallation ist natürlich nicht so toll. Deshalb hab ich ausgeführt was von BataAlexaner beschrieben wurde. Hier das Ergebnis:

ComboFix.txt:

Code: Alles auswählenAufklappen

ATTFilter

ComboFix 08-06-16.5 - *** 2008-06-18 23:49:20.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.655 [GMT 2:00]
Running from: C:\Documents and Settings\***\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\***\Desktop\CFScript.txt
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blackster.scr

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINCH38
-------\Legacy_WINHL83
-------\Legacy_WINPU72
-------\Legacy_WINTY51
-------\Legacy_WINWC38
-------\Service_Winaf15
-------\Service_Winaf73
-------\Service_Winch38
-------\Service_Winch73
-------\Service_Winhl83
-------\Service_Winjo40
-------\Service_Winmq51
-------\Service_Winns16
-------\Service_Winot50
-------\Service_Winpu72
-------\Service_Winty51
-------\Service_Winvb51
-------\Service_Winwc38


(((((((((((((((((((((((((   Files Created from 2008-05-18 to 2008-06-18  )))))))))))))))))))))))))))))))
.

2008-06-18 00:33 . 2008-06-18 00:33	<DIR>	d--------	C:\asdf
2008-06-17 01:58 . 2008-06-17 01:58	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-06-17 01:40 . 2008-06-18 20:41	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-06-16 23:44 . 2008-06-16 23:44	<DIR>	d--------	C:\Program Files\Trend Micro
2008-06-16 20:51 . 2008-06-16 20:51	<DIR>	d--------	C:\Documents and Settings\***\Application Data\Wireshark
2008-06-12 00:20 . 2008-06-12 00:20	0	--a------	C:\WINDOWS\system32\SBRC.dat
2008-06-12 00:20 . 2008-06-12 00:20	0	--a------	C:\WINDOWS\system32\SBFC.dat
2008-06-12 00:17 . 2008-06-12 00:17	<DIR>	d--------	C:\Documents and Settings\***\Application Data\Sunbelt Software
2008-06-11 08:50 . 2008-06-11 08:50	118	--a------	C:\WINDOWS\system32\MRT.INI
2008-06-11 08:41 . 2008-04-14 13:01	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 00:15 . 2008-06-11 08:18	<DIR>	d--------	C:\k6logs
2008-06-09 00:34 . 2008-06-09 00:42	8,424,758	--a------	C:\WINDOWS\system32\NETJLK
2008-06-09 00:30 . 2008-06-09 00:30	<DIR>	d--------	C:\Program Files\Avira
2008-06-09 00:30 . 2008-06-09 00:30	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Avira
2008-06-09 00:28 . 2008-06-09 01:00	<DIR>	d--------	C:\WINDOWS\SxsCaPendDel
2008-06-08 22:14 . 2008-06-15 13:37	<DIR>	d-a------	C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-08 22:06 . 2008-06-08 23:08	<DIR>	d--------	C:\Program Files\Norton Security Scan
2008-06-08 22:05 . 2008-06-17 23:18	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-07 23:05 . 2008-06-09 00:30	<DIR>	d--------	C:\Program Files\Windows Live Safety Center
2008-06-07 21:05 . 2008-06-09 00:27	<DIR>	d----c---	C:\WINDOWS\system32\DRVSTORE
2008-06-07 21:04 . 2007-03-29 14:56	409,600	-----c---	C:\WINDOWS\system32\dllcache\qmgr.dll
2008-06-07 21:04 . 2007-03-29 14:56	18,944	-----c---	C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-06-07 21:04 . 2007-03-29 14:56	8,192	-----c---	C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-06-07 21:04 . 2007-03-29 14:56	7,168	-----c---	C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-06-07 21:04 . 2007-03-29 14:56	7,168	-----c---	C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-06-07 21:04 . 2007-03-29 14:56	7,168	---------	C:\WINDOWS\system32\bitsprx4.dll
2008-06-07 19:04 . 2008-06-07 19:48	<DIR>	d--------	C:\WINDOWS\BDOSCAN8
2008-06-07 18:28 . 2008-06-07 18:28	<DIR>	d--------	C:\Documents and Settings\***\Application Data\F-Secure
2008-06-07 18:16 . 2008-06-15 13:36	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\F-Secure
2008-06-07 17:47 . 2008-06-12 01:41	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\fssg
2008-06-07 15:48 . 2008-06-07 15:48	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-06-07 15:48 . 2008-06-07 15:48	1,409	--a------	C:\WINDOWS\QTFont.for
2008-05-28 22:21 . 2008-06-07 18:51	<DIR>	d--------	C:\Documents and Settings\***\DoctorWeb
2008-05-28 21:53 . 2008-05-28 21:53	<DIR>	d--------	C:\Documents and Settings\LocalService\Application Data\Ipswitch
2008-05-27 23:07 . 2008-06-07 21:12	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Lavasoft

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 21:48	---------	d-----w	C:\Documents and Settings\***\Application Data\Canon
2008-06-16 18:07	---------	d-----w	C:\Program Files\WinPcap
2008-06-15 22:55	---------	d-----w	C:\Program Files\My Ebook Library
2008-06-08 23:00	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-06-08 20:05	---------	d-----w	C:\Program Files\Google
2008-06-08 12:33	---------	d-----w	C:\Program Files\InterVideo
2008-06-08 12:32	---------	d-----w	C:\Program Files\Common Files\InterVideo
2008-06-07 19:13	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 14:06	---------	d-----w	C:\Documents and Settings\All Users\Application Data\RetroExp
2008-06-07 13:15	---------	d-----w	C:\Program Files\avmwlanstick
2008-05-27 23:11	---------	d-----w	C:\Program Files\Microsoft ActiveSync
2008-05-27 17:38	---------	d-----w	C:\Program Files\Free Thumbnail Factory
2008-05-08 12:28	202,752	----a-w	C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-21 18:16	---------	d-----w	C:\Program Files\7-Zip
2007-03-11 21:04	157	----a-w	C:\Program Files\adressen.txt
2003-03-22 01:06	135,392	----a-w	C:\Documents and Settings\***\Application Data\GDIPFONTCACHEV1.DAT
2000-01-07 09:53	696,320	----a-w	C:\Program Files\Common Files\XCMHook.dll
2000-01-06 13:57	24,576	----a-w	C:\Program Files\Common Files\XCPCMenu.exe
.

(((((((((((((((((((((((((((((   snapshot@2008-06-18_21.14.33.88   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-18 19:02:35	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-06-18 21:55:48	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2006-04-05 17:17	442368	--a------	C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mozilla Quick Launch"="C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" [2003-03-12 13:57 140464]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:50 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:31 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 06:39 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-29 06:39 455168]
"Opware12"="C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe" [2002-08-01 04:49 49152]
"AtiPTA"="atiptaxx.exe" [2002-07-25 11:04 290816 C:\WINDOWS\system32\atiptaxx.exe]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 04:50 155648]
"HI-SPEED USB DEVICE Coinstaller"="PL15Co2K.exe" [2003-04-16 11:24 86016 C:\WINDOWS\system32\PL15Co2K.exe]
"MXOBG"="C:\WINDOWS\MXOALDR.EXE" [2003-10-10 12:23 94208]
"AVMWlanClient"="C:\Program Files\avmwlanstick\wlangui.exe" [2008-01-28 01:06 1753088]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2004-10-08 12:52 221184]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 01:20 278528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 06:37:56 217194]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-02-12 00:23:03 110592]
FRITZ!DSL Startcenter.lnk - C:\Program Files\FRITZ!DSL\StCenter.exe [2005-08-10 21:02:52 651264]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2002-12-29 00:22:47 106560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Free WebSite Tools.lnk - C:\Program Files\Free Thumbnail Factory\ThirtyDayTimer.exe [2004-01-14 16:32:23 372224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Program Files\\Shareaza\\Shareaza.exe"=
"C:\\Program Files\\FreshDevices\\FreshDownload\\fdgo.exe"=
"C:\\Program Files\\FTP Explorer\\ftpx.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\FRITZ!DSL\\IGDCTRL.EXE"=
"C:\\Program Files\\FRITZ!DSL\\FBOXUPD.EXE"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 ppsio2;PPDevice;C:\WINDOWS\system32\drivers\ppsio2.sys [1999-04-02 11:16]
R2 vcanv;Virtual CAN Bus Driver;C:\WINDOWS\system32\Drivers\vcanv.sys [2003-05-30 09:07]
R3 AT2500;Allied Telesyn AT-2500 Series PCI Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\A25v3m5.SYS [2001-09-28 10:21]
R3 viafilter;VIA USB Filter;C:\WINDOWS\system32\Drivers\viausb1.sys [2001-09-19 13:28]
S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys [2006-11-07 02:00]
S3 FWLANUSB;AVM FRITZ!WLAN;C:\WINDOWS\system32\DRIVERS\fwlanusb.sys [2008-01-28 01:06]
S3 mgau;mgau;C:\WINDOWS\system32\DRIVERS\mgaum.sys [2001-08-17 13:50]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 22:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-08 20:06:38 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 23:57:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\BRSS01A.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\avmwlanstick\WLanNetService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-19  0:08:27 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-18 22:08:21
ComboFix2.txt  2008-06-18 19:14:53

Pre-Run: 1,026,490,368 bytes free
Post-Run: 1,012,654,080 bytes free

232	--- E O F ---	2008-06-12 01:24:21
         

Malware Submission an Bleeping Computer - Computer Help and Discussion habe ich durchgeführt.

Was sagt das Log diesmal?

und gleich nochmal ein hijackthis.log:

Code: Alles auswählenAufklappen

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:26:04, on 19.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\avmwlanstick\WlanNetService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\PL15Co2K.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\avmwlanstick\wlangui.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\FRITZ!DSL\StCenter.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {95188727-288F-4581-A48D-EAB3BD027314} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [AVMWlanClient] C:\Program Files\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Program Files\FRITZ!DSL\StCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,5/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.johannrain-softwareentwicklung.de/DE/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201045489050
O16 - DPF: {7E3E5294-350D-4DE2-93BC-635BF12FE39D} (WEEditor Class) - http://www.webedition.de/Control.CAB
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache - Unknown owner - c:\eZpublish\apache\apache.exe (file missing)
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Program Files\avmwlanstick\WlanNetService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 14128 bytes
         

ComboFix.txt befindet sich einen Betrag weiter unten

Hi,
ich lass Bata mal den Rest überprüfen, war ja sein Idee das ganze.

Der Eintrag hier ist auf jedenfall schädlichen Ursprungs, wenn auch inaktiv:

Zitat:

O4 - Global Startup: AutorunsDisabled
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

Die Einträge kannste auch fixen, die sind nicht mehr wirksam:

Zitat:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {95188727-288F-4581-A48D-EAB3BD027314} - (no file)

lg myrtille

Hallo myrtille,

dennoch vielen Dank! Ich hab die letzten drei Einträge mit den fehlenden Dateien gelöscht.

Zitat:

Der Eintrag hier ist auf jedenfall schädlichen Ursprungs, wenn auch inaktiv:
Zitat:
O4 - Global Startup: AutorunsDisabled
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\

Bedeutet das, dass ich diese Einträge auch fixen kann? Oder sollte ich lieber auf Bata warten?

Du bist der Meinung, dass mein Rechner immer noch nicht sauber ist?

Zitat:

Zitat von Masus

Oder sollte ich lieber auf Bata warten?

Musst Du nicht, Mytrille sagt ja das richtige. Fixe die Einträge wie beschrieben.

Um Combofix zu loeschen(den qoobox ordner) gebe unter Start /Ausführen "combofix /u" ein. Ohne die " natürlich.




Cureit Dr.Web

• Downloade Dr.Web CureIt!
• Speichere es auf deinem Desktop.
• Entpacke es in einen eigenen Ordner.
• Lies nun zuerst die deutsche Anleitung und drucke sie dir aus.

• Lass alle Malware in den Quarantaene Ordner verschieben.
• Ignoriere eventuelle Warnungen seitens deines AV Programms, du kannst auch offline gehen und -> dann dein AV Programm während des Scannens mit Dr. Web CureIt! abstellen.
• Vergiss bitte nicht, dein AV Programm nach dem Scan wieder anzustellen.

• Speichere das Logfile - siehe Anleitung - und poste es.

Hallo,

jetzt habe ich meinen Rechner mit Cureit Dr. Web gescannt. Sogar zweimal, denn beim ersten Durchlauf hat sich der Scanner aufgehängt (ärgerlich da schon über 8 Stunden gescannt). Bis zu diesem Punkt wurde bis auf Kopien von SDFix und ComboFix nichts gefunden. Beim zweiten fehlerfreien Durchgang wurde nichts gefunden.

-> Deshalb hab ich gleich nochmals ein HijackThis Logfile hinzugefügt.

Code: Alles auswählenAufklappen

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:17, on 20.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
C:\Program Files\avmwlanstick\WlanNetService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\PL15Co2K.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\avmwlanstick\wlangui.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\FRITZ!DSL\StCenter.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HI-SPEED USB DEVICE Coinstaller] PL15Co2K.exe
O4 - HKLM\..\Run: [MXOBG] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [AVMWlanClient] C:\Program Files\avmwlanstick\wlangui.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: FRITZ!DSL Startcenter.lnk = C:\Program Files\FRITZ!DSL\StCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download &All by FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx2.htm
O8 - Extra context menu item: Download with &FD - file://C:\Program Files\FreshDevices\FreshDownload\fdiectx.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/de/4,0,0,5/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.johannrain-softwareentwicklung.de/DE/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201045489050
O16 - DPF: {7E3E5294-350D-4DE2-93BC-635BF12FE39D} (WEEditor Class) - http://www.webedition.de/Control.CAB
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache - Unknown owner - c:\eZpublish\apache\apache.exe (file missing)
O23 - Service: AVM IGD CTRL Service - AVM Berlin - C:\Program Files\FRITZ!DSL\IGDCTRL.EXE
O23 - Service: AVM WLAN Connection Service - AVM Berlin - C:\Program Files\avmwlanstick\WlanNetService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 13596 bytes
         

Ich hoffe das ist soweit alles OK (sowohl mein Rechner als auch das Vorgehen meinerseits)

Du hast alles richtig gemacht und ich finde in dem HijackThis Log keine Besonderheiten mehr.
Viel Spaß im Netz.

Hallo Bata und myrtille,

vielen Dank für eure Hilfe. Die Rund-Um-Die-Uhr-Betreuung war spitze.

Nochmals vielen vielen Dank !!! :aplaus: