AVast hat Win32:Trojan-gen{other} gefunden. Bitte um Hilfe

Diethelm35 · 26.06.2008, 13:05

Hallo,
gestern schlug AVast! und Spybot S&D Alarm. AVast fand Win32:Trojan-gen{other} und Spybot S&D stürzte nach kurzer Zeit wegen ständiger Änderungsanfragen in einem Run Schlüssel der Registry ab. Ich habe dann einen kompletten Virussearch mit AVast! gemacht und auch Spybot S&D mit update nochmal befragt. Alles was gefunden wurde (bei AVAst in der Sytemwiederherstellung, bei Spybot ein Registryeintrag), wurde entfernt. Heute wieder die Meldung von AVAst! und kurz darauf versuchte ein Programm die Run Schlüssel der registry ändern.

Hijackthis hat mir darauf folgendes gesagt:
Logfile of Trend Micro HijackThis v2.0.2

[edit]
Bitte editiere zukünftig deine Links, wie es dir u.a. hier angezeigt wird:
http://www.trojaner-board.de/22771-a...tml#post171958

Danke.
Sunny
[/edit]

Außerdem habe ich 4 verdächtige DLLs aus dem System32 Verzeichnis an Virustotal geschickt. Die Antwort war immer ähnlich folgender:

Complete scanning result of "ddcdASmn.dll", processed in VirusTotal at 06/26/2008 12:48:29 (CET).

[ file data ]
* name..: ddcdASmn.dll
* size..: 322560
* md5...: 188f0c47ae4c986590c0e4315095f758
* sha1..: b3ea55edceed98f181a28a2969cd59dfb6afd267
* peid..: -

[ scan result ]
AhnLab-V3 2008.6.26.0/20080626 found nothing
AntiVir 7.8.0.59/20080626 found nothing
Authentium 5.1.0.4/20080625 found nothing
Avast 4.8.1195.0/20080626 found nothing
AVG 7.5.0.516/20080625 found nothing
BitDefender 7.2/20080626 found nothing
CAT-QuickHeal 9.50/20080625 found nothing
ClamAV 0.93.1/20080626 found nothing
DrWeb 4.44.0.09170/20080626 found [Trojan.Virtumod.based.16]
eSafe 7.0.17.0/20080625 found nothing
eTrust-Vet 31.6.5907/20080626 found nothing
Ewido 4.0/20080626 found nothing
F-Prot 4.4.4.56/20080625 found nothing
F-Secure 7.60.13501.0/20080624 found nothing
Fortinet 3.14.0.0/20080626 found nothing
GData 2.0.7306.1023/20080626 found nothing
Ikarus T3.1.1.26.0/20080626 found nothing
Kaspersky 7.0.0.125/20080626 found nothing
McAfee 5325/20080625 found nothing
Microsoft 1.3704/20080626 found [Trojan:Win32/Vundo.gen!N]
NOD32v2 3220/20080626 found nothing
Norman 5.80.02/20080625 found [Vundo.gen188]
Panda 9.0.0.4/20080626 found nothing
Prevx1 V2/20080626 found nothing
Rising 20.50.32.00/20080626 found [Trojan.Win32.Monder.a]
Sophos 4.30.0/20080626 found [Troj/Virtum-Gen]
Sunbelt 3.0.1153.1/20080615 found nothing
Symantec 10/20080626 found nothing
TheHacker 6.2.92.362/20080626 found nothing
TrendMicro 8.700.0.1004/20080626 found nothing
VBA32 3.12.6.8/20080626 found nothing
VirusBuster 4.5.11.0/20080623 found nothing
Webwasher-Gateway 6.6.2/20080626 found nothing

Kann mir jemand weiterhelfen?

Diethelm35 · 26.06.2008, 13:30

Hier nochmal der HijackThis file mit den editierten Links:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:24:11, on 26.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avast4\aswUpdSv.exe
C:\Programme\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ACLSymbols.exe
C:\Programme\Apache Group\Apache\Apache.exe
C:\Programme\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Apache Group\Apache\Apache.exe
C:\Programme\Apache Group\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\PROGRA~1\Babylon\babylon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\USB Sharing\usbshare.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avast4\ashMaiSv.exe
C:\Programme\Avast4\ashWebSv.exe
C:\WINDOWS\regedit.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.hyrican.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://www.hyrican.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {32FA05F6-A7F0-4D3B-B8AD-73619B5C20FF} - C:\WINDOWS\system32\ddcdASmn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {695150A5-8DBF-4B06-AFCB-D9289F8F1842} - (no file)
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\wvUlLfCt.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\PROGRA~1\Babylon\babylon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: USB Sharing.lnk = ?
O4 - Global Startup: windata 7 Zahlungserinnerung.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=h**p://www.hyrican.de
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194272146421
O17 - HKLM\System\CS1\Services\Tcpip\..\{351B8CCF-1AB7-4E2D-8D99-9395C4BA37B0}: NameServer = 194.25.2.129
O20 - Winlogon Notify: wvUlLfCt - wvUlLfCt.dll (file missing)
O23 - Service: ArchiCrypt Live Service (ACLSymbols) - Unknown owner - C:\WINDOWS\system32\ACLSymbols.exe
O23 - Service: Apache - Unknown owner - C:\Programme\Apache Group\Apache\Apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySql - Unknown owner - C:/Programme/Apache Group/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7765 bytes

Diethelm35 · 27.06.2008, 15:20

Hallo,
da ich noch keine Antwort bekommen habe versuche ich es nochmal.

Mittlerweile hab ich den Rechner vom Netz genommen und kann nicht mehr arbeiten.

AVast! findet mittlerweile nichts mehr aber heut morgen wurden so oft wieder Registry Schlüssel geändert, bis Spybot S&D abstürzte. Es wurden dlls aus dem system32 Verzeichnis in die Run Schlüssel der Registry geschrieben außerdem tauchen immer wieder BHO auf. Löscht man diese Schlüssel, sind sie nach 2 sec wieder da. Es tauchen immer wieder neue dlls im system32 Verzeichnis auf.

Die Systemwiederherstellung habe ich ausgeschaltet, weil avast! da immer wieder Trojaner fand.

Der Rechner fährt im abgesicherten Modus nicht mehr hoch.

Ich habe wieder eine der neuen dlls aus system32 an VirusTotal geschickt und folgende Antwort erhalten:

Complete scanning result of "gtmekjuu.dll", processed in VirusTotal at 06/27/2008 11:58:16 (CET).

[ file data ]
* name..: gtmekjuu.dll
* size..: 91136
* md5...: 574f2c328ece86e4d285ae06d8a1dc79
* sha1..: 79a8829895a1cf9dad23216ed3c44710c211577d
* peid..: -

[ scan result ]
AhnLab-V3 2008.6.27.1/20080627 found nothing
AntiVir 7.8.0.59/20080627 found nothing
Authentium 5.1.0.4/20080627 found nothing
Avast 4.8.1195.0/20080626 found nothing
AVG 7.5.0.516/20080626 found nothing
BitDefender 7.2/20080627 found nothing
CAT-QuickHeal 9.50/20080626 found nothing
ClamAV 0.93.1/20080627 found nothing
DrWeb 4.44.0.09170/20080627 found [Trojan.Virtumod.based.16]
eSafe 7.0.17.0/20080626 found [Suspicious File]
eTrust-Vet 31.6.5911/20080627 found nothing
Ewido 4.0/20080626 found nothing
F-Prot 4.4.4.56/20080627 found nothing
F-Secure 7.60.13501.0/20080626 found nothing
Fortinet 3.14.0.0/20080627 found nothing
GData 2.0.7306.1023/20080627 found nothing
Ikarus T3.1.1.26.0/20080627 found nothing
Kaspersky 7.0.0.125/20080627 found nothing
McAfee 5326/20080626 found nothing
Microsoft 1.3704/20080627 found [Trojan:Win32/Vundo.gen!N]
NOD32v2 3223/20080627 found nothing
Norman 5.80.02/20080626 found [Vundo.gen192]
Panda 9.0.0.4/20080626 found nothing
Prevx1 V2/20080627 found [Malicious Software]
Rising 20.50.42.00/20080627 found nothing
Sophos 4.30.0/20080627 found [Troj/Virtum-Gen]
Sunbelt 3.0.1176.1/20080626 found nothing
Symantec 10/20080627 found nothing
TheHacker 6.2.96.362/20080627 found nothing
TrendMicro 8.700.0.1004/20080627 found nothing
VBA32 3.12.6.8/20080627 found nothing
VirusBuster 4.5.11.0/20080623 found nothing
Webwasher-Gateway 6.6.2/20080627 found nothing

[ notes ]
Prevx info: h**p://info.prevx.com/aboutprogramtext.asp?PX5=D54390F300329F1B64ED013B3C2E07007F28A4D1

Klickt man auf den Prevx Info Link findet man:
This dynamic link library has a file size of 91,136 bytes, it is most frequently called UUWPWQKY.DLL and is most frequently located in the %windir%\system32\ folder.
This file is considered unsafe. It was first seen on Friday, Jun 27 2008. It has been seen by 4 users in this section of the community. The file was first seen in NETHERLANDS but has been seen in other locations, including SPAIN.
UUWPWQKY.DLL has yet to be seen running in this section of the community.

Kann mir bitte jemand helfen, und sagen, was ich noch machen kann?

Diethelm35 · 27.06.2008, 15:27

Hier der aktuelle HijackThis Log File:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:07:18, on 27.06.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Avast4\aswUpdSv.exe
C:\Programme\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ACLSymbols.exe
C:\Programme\Apache Group\Apache\Apache.exe
C:\Programme\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Apache Group\Apache\Apache.exe
C:\Programme\Apache Group\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Programme\FreePDF_XP\fpassist.exe
C:\WINDOWS\StartupMonitor.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Babylon\babylon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\USB Sharing\usbshare.exe
C:\Programme\Avast4\ashMaiSv.exe
C:\Programme\Avast4\ashWebSv.exe
C:\Programme\Malwarebytes' Anti-Malware\mbam.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://www.hyrican.de
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://www.hyrican.de/
O2 - BHO: {9971805c-af1e-70fb-8674-fc7350dbcf00} - {00fcbd05-37cf-4768-bf07-e1fac5081799} - C:\WINDOWS\system32\wfljtocj.dll
O2 - BHO: (no name) - {15DCE43B-E195-4BEE-9D38-719C2C0E329E} - (no file)
O2 - BHO: (no name) - {20E596C2-1EE3-485E-B8DB-A32DDBE70D69} - C:\WINDOWS\system32\ddcdASmn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar3.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Programme\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMaad4efe2] Rundll32.exe "C:\WINDOWS\system32\gtmekjuu.dll",s
O4 - HKCU\..\Run: [Babylon Translator] C:\PROGRA~1\Babylon\babylon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: USB Sharing.lnk = ?
O4 - Global Startup: windata 7 Zahlungserinnerung.lnk = ?
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Senden an &Bluetooth - C:\Programme\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Programme\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programme\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=h**p://www.hyrican.de
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194272146421
O17 - HKLM\System\CS1\Services\Tcpip\..\{351B8CCF-1AB7-4E2D-8D99-9395C4BA37B0}: NameServer = 194.25.2.129
O20 - Winlogon Notify: wvUlLfCt - wvUlLfCt.dll (file missing)
O23 - Service: ArchiCrypt Live Service (ACLSymbols) - Unknown owner - C:\WINDOWS\system32\ACLSymbols.exe
O23 - Service: Apache - Unknown owner - C:\Programme\Apache Group\Apache\Apache.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySql - Unknown owner - C:/Programme/Apache Group/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programme\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 7357 bytes

undoreal · 27.06.2008, 15:59

Hallöle.

Da ist noch einiges im System..

Hast du die Trusted Zones erstellt?

Zitat:

O14 - IERESET.INF: START_PAGE_URL=h**p://www.hyrican.de
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)

1) Deaktiviere die Systemwiederherstellung auf allen Laufwerken. Nachdem die Bereinigung KOMPLETT beendet ist kann sie wieder aktiviert werden.

2) Deinstalliere Java über die Systemsteuerung.

3) Blacklight bitte laufen lassen und das log posten.. evtl. Funde bitte umbennen lassen!

4) Run Combofix. Poste den erscheinenden Text.

5) Überprüfe dein System mit SASW.

6) Mache einen letzten Maleware-Check mit Malewarebytes.

7) Checke dein System mit dem ESET Online Scanner. (Klicke nach dem Scan auf "Print this Page" oben rechts in der Ecke und kopiere das nachfolgende Fenster in deinen Post.)

8) Räume mit cCleaner auf. (Punkt 1 und 2)

9) Lasse Silentrunners laufen und poste das logFile

10) Führe einen escan durch und poste das mit Hilfe der find.bat ausgewertete log.

11) Poste ein frisches HijackThis log sowie einen iClean Bericht (Prog in eigenem Ordner öffnen->"Yes"->File->Report).
Hinweis zum iClean Bericht: Kürze im log bitte die 032 und 033 redirected Einträge. (Diese wurden von Spybot erstellt.)

Diethelm35 · 30.06.2008, 10:30

Hallo,
erstmal vielen Dank für die Antwort.

Die Trusted Zones sind nicht von mir. Ich benutze IExplorer nur für windows update. K.A. wie die dareingekommen sind. Ich hab sie jedenfalls gelöscht.

Ich bin jetzt bei Punkt 4 der Liste.
-Systemwiederherstellung war deaktiviert
-Java ist deinstalliert
-Blacklight hat nichts gefunden (Meldung: No hidden items were found)
-Der Combofix log file:

ComboFix 08-06-20.4 - ***** 2008-06-30 10:50:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1031.18.274 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\*****\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\*****\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
* Neuer Wiederherstellungspunkt wurde erstellt
.

(((((((((((((((((((((((((((((((((((( Weitere L”schungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMaad4efe2.xml
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((( Dateien erstellt von 2008-05-28 bis 2008-06-30 ))))))))))))))))))))))))))))))
.

2008-06-27 15:46 . 2008-06-27 15:46 <DIR> d-------- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Malwarebytes
2008-06-27 15:45 . 2008-06-27 15:46 <DIR> d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-06-27 15:45 . 2008-06-27 15:45 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-06-27 15:45 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-27 15:45 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-27 12:00 . 2008-06-27 12:00 106,496 --a------ C:\WINDOWS\system32\wfljtocj.dll
2008-06-27 11:57 . 2008-06-27 16:30 91,136 --------- C:\WINDOWS\system32\gtmekjuu.dll
2008-06-26 12:18 . 2008-06-26 12:18 <DIR> d-------- C:\Programme\Trend Micro
2008-06-19 14:19 . 2008-06-19 14:19 <DIR> d-------- C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Nokia Multimedia Player
2008-06-19 14:13 . 2008-06-19 14:13 <DIR> d-------- C:\Programme\Gemeinsame Dateien\PCSuite
2008-06-19 14:13 . 2008-06-19 14:13 <DIR> d-------- C:\Programme\Gemeinsame Dateien\Nokia
2008-06-19 14:12 . 2008-06-19 14:12 <DIR> d-------- C:\Programme\PC Connectivity Solution
2008-06-19 14:12 . 2008-06-19 14:13 <DIR> d-------- C:\Programme\Nokia
2008-06-19 14:12 . 2007-11-29 10:32 48,128 --a------ C:\WINDOWS\system32\nmwcdcls.dll
2008-06-19 14:12 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-06-19 14:11 . 2008-06-19 14:11 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Installations
2008-06-02 15:59 . 2008-06-19 14:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-02 15:59 . 2008-06-02 15:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-19 12:19 . 2008-06-30 09:16 <DIR> d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 07:16 --------- d--h--w C:\Programme\InstallShield Installation Information
2008-06-25 15:03 --------- d-----w C:\Programme\Tobit InfoCenter
2008-06-25 06:34 --------- d-----w C:\Programme\Avast4
2008-06-19 12:18 --------- d-----w C:\Dokumente und Einstellungen\*****\Anwendungsdaten\PC Suite
2008-06-19 12:16 --------- d-----w C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Nokia
2008-06-19 12:15 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\PC Suite
2008-06-19 12:13 --------- d-----w C:\Programme\DIFX
2008-06-18 14:43 --------- d-----w C:\Programme\win-data 7
2008-06-17 10:25 --------- d-----w C:\Programme\eMule
2008-06-09 12:31 --------- d-----w C:\Programme\World of Warcraft
2008-06-05 10:35 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-05-29 11:47 --------- d-----w C:\Programme\wowmodelview
2008-05-29 07:24 --------- d-----w C:\Dokumente und Einstellungen\*****\Anwendungsdaten\teamspeak2
2008-05-19 10:22 --------- d-----w C:\Programme\Google
2008-03-10 16:38 691,545 ----a-w C:\WINDOWS\unins000.exe
2006-06-01 11:35 59,944 ----a-w C:\Dokumente und Einstellungen\*****\Anwendungsdaten\GDIPFONTCACHEV1.DAT
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Babylon Translator"="C:\PROGRA~1\Babylon\babylon.exe" [2000-01-27 14:12 913408]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-07-28 15:19 49152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2002-05-29 01:59 520192]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 15:19 4841472]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"FreePDF Assistant"="C:\Programme\FreePDF_XP\fpassist.exe" [2005-05-27 11:24 147456]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 18:23 86016 C:\WINDOWS\StartupMonitor.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:57 15360]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-07-28 15:19 49152]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]
"{9C28EAFB-FF50-4F42-8D39-A006129CC907}"= C:\WINDOWS\system32\wvUlLfCt.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUlLfCt]
wvUlLfCt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\eMule\\emule.exe"=
"C:\\Programme\\Real\\RealPlayer\\realplay.exe"=
"C:\\Programme\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"C:\\Programme\\MUSK Codec Pack v4\\MPC\\MPCFR.exe"=
"C:\\Programme\\BearShare\\BearShare.exe"=
"C:\\Programme\\BOINC\\boincmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 ACLive2;ACLive2;C:\WINDOWS\system32\Drivers\ACLive2.sys [2002-02-22 20:43]
R2 ACLSymbols;ArchiCrypt Live Service;C:\WINDOWS\system32\ACLSymbols.exe [2002-02-22 20:39]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 CVPNDRV;Merck Group 3.6.1 IPsec Driver;C:\WINDOWS\system32\Drivers\CVPNDRV.sys [2002-09-03 14:48]
S3 Volcrypt;Ultra-secure 512 bit PMC Volume Encryption Driver Service;C:\WINDOWS\system32\Drivers\Volcrypt.sys [2003-08-11 19:58]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2001-01-08 10:53]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, h**p://w*w.gmer.net
Rootkit scan 2008-06-30 10:59:45
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySql]
"ImagePath"="C:/Programme/Apache Group/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySql]
"ImagePath"="C:/Programme/Apache Group/mysql/bin/mysqld-nt.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\Programme\Avast4\aswUpdSv.exe
C:\Programme\Avast4\ashServ.exe
C:\Programme\Apache Group\Apache\Apache.exe
C:\Programme\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Apache Group\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Programme\Apache Group\Apache\Apache.exe
C:\Programme\Avast4\ashMaiSv.exe
C:\Programme\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\USB Sharing\usbshare.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-06-30 11:15:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 09:14:48

12 Verzeichnis(se), 17,545,240,576 Bytes frei
16 Verzeichnis(se), 17,462,263,808 Bytes frei

WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

141

Weiteres folgt..
Viele Grüße
Diet

Diethelm35 · 30.06.2008, 16:24

Hallo, weiter geht's:
Zu Punkt 5: Hier der SUPERAntiSpyware log file:

h**p://www.superantispyware.com

Generated 06/30/2008 at 02:08 PM

Application Version : 4.15.1000

Core Rules Database Version : 3493
Trace Rules Database Version: 1484

Scan type : Complete Scan
Total Scan Time : 01:32:09

Memory items scanned : 346
Memory threats detected : 0
Registry items scanned : 6037
Registry threats detected : 2
File items scanned : 114358
File threats detected : 10

Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com#*

Adware.Tracking Cookie
C:\Dokumente und Einstellungen\*****\Cookies\*****@gomyhit[2].txt
C:\Dokumente und Einstellungen\*****\Cookies\*****@flixbanner.bearshare[1].txt
C:\Dokumente und Einstellungen\*****\Cookies\*****@ex=5_[2].txt
C:\Dokumente und Einstellungen\*****\Cookies\*****@adnetserver[1].txt
C:\Dokumente und Einstellungen\*****\Cookies\*****@288_[2].txt
C:\Dokumente und Einstellungen\*****\Cookies\*****@288_[3].txt

BearShare File Sharing Client
C:\PROGRAMME\BEARSHARE\BEARSHARE.EXE
C:\DOKUMENTE UND EINSTELLUNGEN\ALL USERS\STARTMENü\PROGRAMME\BEARSHARE.LNK
C:\DOKUMENTE UND EINSTELLUNGEN\*****\ANWENDUNGSDATEN\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\BEARSHARE.LNK
C:\WINDOWS\Prefetch\BEARSHARE.EXE-051086D4.pf

Zu Punkt 6: Malwarebytes hat nichts gefunden

Zu Punkt 7: Der Eset Online scanner hat außer dem EICAR Standard Test Virus nichts gefunden. Irgendwie hat's mit dem Drucken des Log Files nicht geklappt (Browser unterstützt irgendwas nichts)

Zu Punkt 8: Mit CCleaner aufgeräumt

Morgen geht's weiter.
Gruß
Diet

Diethelm35 · 01.07.2008, 08:43

Guten morgen,
hier der Silent Runners Log file:

"Silent Runners.vbs", revision 58, h**p://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Babylon Translator" = "C:\PROGRA~1\Babylon\babylon.exe" ["Babylon Ltd."]
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"SUPERAntiSpyware" = "C:\Programme\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"zBrowser Launcher" = "C:\Program Files\Logitech\iTouch\iTouch.exe" ["Logitech Inc. "]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"FreePDF Assistant" = "C:\Programme\FreePDF_XP\fpassist.exe" [null data]
"Run StartupMonitor" = "StartupMonitor.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
-> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop-Explorer"
-> {HKLM...CLSID} = "Desktop-Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Programme\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "CorelDRAW Shell-Erweiterungskomponente"
-> {HKLM...CLSID} = "CorelDRAW Shell-Erweiterungskomponente"
\InProcServer32\(Default) = "C:\Programme\Corel\Graphics10\Draw\CdrViewer\CrlShell100.dll" [null data]
"{D0FAC080-AE1A-11ce-8016-CE90976DC901}" = "Picture Publisher Schnellansicht"
-> {HKLM...CLSID} = "Picture Publisher File Viewer"
\InProcServer32\(Default) = "ppiv30.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Avast4\ashShell.dll" ["ALWIL Software"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "Bluetooth-Umgebung"
\InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["Broadcom Corporation."]
"{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\phonebrowser.dll" ["Nokia"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = (no title provided)
-> {HKLM...CLSID} = "Internetverknüpfung"
\InProcServer32\(Default) = "shdocvw.dll" [MS]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Programme\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "C:\Programme\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> wvUlLfCt\DLLName = "wvUlLfCt.dll" [file not found]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Avast4\ashShell.dll" ["ALWIL Software"]
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "C:\Programme\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1}"
-> {HKLM...CLSID} = "QuickFinder Shell Extension"
\InProcServer32\(Default) = "C:\Programme\WordPerfect Office 11\Programs\PFSE110.DLL" ["Novell, Inc., c/o Corel Corporation Limited"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Programme\Avast4\ashShell.dll" ["ALWIL Software"]
Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"
-> {HKLM...CLSID} = "Eraser Shell Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"
-> {HKLM...CLSID} = "PowerArchiver Shell Extensions"
\InProcServer32\(Default) = "C:\Programme\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
-> {HKLM...CLSID} = "MBAMShlExt Class"
\InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]

Default executables:
--------------------

HKLM\SOFTWARE\Classes\.cmd\(Default) = "cmdfile"
HKLM\SOFTWARE\Classes\cmdfile\shell\open\command\(Default) = (value not set)

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<<!>> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Mozilla\Firefox\Desktop Background.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

HPUnloadAutoplay\
"Provider" = "HP Image Zone"
"InvokeProgID" = "HpqUnApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = "{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = "C:\Programme\HP\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

MSVideoCameraArrival\
"Provider" = "@C:\Programme\Movie Maker\1031\wmm2res.dll,-100"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Programme\Movie Maker\moviemk.exe" /RECORD"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlayAudioCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "AudioCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\AudioCD\command\(Default) = ""C:\Programme\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

NeroAutoPlayEmptyCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "EmptyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\EmptyCD\command\(Default) = ""C:\Programme\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

NeroAutoPlayMusicCD\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay"
"InvokeVerb" = "MusicCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay\shell\MusicCD\command\(Default) = ""C:\Programme\Ahead\nero startsmart\nerostartsmart.exe" /Drive:%L" ["Ahead Software AG"]

NMMPlayCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MusicManager.exe /playCD "%L"" ["Nokia"]

NMMRipCDAudioOnArrival\
"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "C:\Programme\Nokia\Nokia PC Suite 6\MusicManager.exe /ripCD "%L"" ["Nokia"]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Programme\CyberLink\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]

Startup items in "*****" & "All Users" startup folders:
------------------------------------------------------

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
"USB Sharing" -> shortcut to: "C:\Programme\USB Sharing\usbshare.exe" [null data]
"windata 7 Zahlungserinnerung" -> shortcut to: "C:\Programme\win-data 7\win-data pro Zahlungserinnerung.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Programme\AIM\aim.exe" ["America Online, Inc."]

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Programme\Bluetooth Software\btsendto_ie.htm" [null data]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
-> {HKLM...CLSID} = "Spybot-S&D IE Protection"
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=h**p://www.hyrican.de

Missing lines (compared with English-language version):
[Strings]: 1 line

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apache, Apache, ""C:\Programme\Apache Group\Apache\Apache.exe" --ntservice" [null data]
ArchiCrypt Live Service, ACLSymbols, "C:\WINDOWS\system32\ACLSymbols.exe" [null data]
avast! Antivirus, avast! Antivirus, ""C:\Programme\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Programme\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Programme\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Programme\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Bluetooth Service, btwdins, "C:\Programme\Bluetooth Software\bin\btwdins.exe" ["Broadcom Corporation."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
Google Updater Service, gusvc, ""C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
MySql, MySql, "C:/Programme/Apache Group/mysql/bin/mysqld-nt.exe" [null data]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
SmartLinkService, SLService, "slserv.exe" [" "]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
FaxWare Monitor\Driver = "faxwarmo.dll" ["Tobit Software"]
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
Redirected Port\Driver = "redmonnt.dll" [null data]
Tobit Color Monitor\Driver = "IMGMSGMO.dll" ["Tobit Software"]

---------- (launch time: 2008-07-01 09:33:24)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 86 seconds, including 18 seconds for message boxes)

AVast hat Win32:Trojan-gen{other} gefunden. Bitte um Hilfe

Log-Analyse und Auswertung: AVast hat Win32:Trojan-gen{other} gefunden. Bitte um Hilfe