XP Antivir 2008 eingefangen

dntknwmyname · 05.08.2008, 11:36

Hallo,
habe mir dummerweise die Malware XP Antivir 2008 eingefangen, die mit Popups und gefakten Systemscans nervt. Hab das Problem mit Malwarebytes Anti-Malware und Avast Antivir in Griff bekommen, so dass keine Popups mehr kommen und ich wieder Zugriff auf Taskmanager und Wallpaper/Screensaver habe. Trotzdem traue ich dem Frieden nicht, da mein Boot deutlich länger dauert. Es würde mich sehr freuen wenn sich jemand die logs anschauen könnte, damit ich den Schaden einschätzen kann.

Code:

ATTFilter

Malwarebytes' Anti-Malware 1.24
Datenbank Version: 1015
Windows 5.1.2600 Service Pack 2

13:14:26 02.08.2008
mbam-log-8-2-2008 (13-14-26).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 41281
Laufzeit: 5 minute(s), 0 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 22
Infizierte Registrierungswerte: 7
Infizierte Dateiobjekte der Registrierung: 4
Infizierte Verzeichnisse: 16
Infizierte Dateien: 83

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhccttj0eefl (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhccttj0eefl (Rogue.Multiple) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\dpcproxy (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\HOL5_VXIEWER.FULL.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\hol5_vxiewer.full.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Classes\applications\accessdiver.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\fwbd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\HolLol (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Inet Delivery (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mslagent (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Invictus (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Golden Palace Casino PT (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Golden Palace Casino NEW (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhccttj0eefl (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SystemCheck2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphc9ttj0eefl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\Inet Delivery (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\rhccttj0eefl (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\rhccttj0eefl\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\Programme\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\Inet Delivery\inetdl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\Inet Delivery\intdel.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Programme\rhccttj0eefl\database.dat (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhccttj0eefl\license.txt (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhccttj0eefl\MFC71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhccttj0eefl\MFC71ENU.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhccttj0eefl\msvcp71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhccttj0eefl\msvcr71.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhccttj0eefl\rhccttj0eefl.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhccttj0eefl\rhccttj0eefl.exe.local (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Programme\rhccttj0eefl\Uninstall.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\All Users\Desktop\Antivirus XP 2008.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\a.bat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emesx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup012.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\medup020.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vbsys2.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphc9ttj0eefl.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphc9ttj0eefl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phc9ttj0eefl.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pphc9ttj0eefl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Lokale Einstellungen\Temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Lokale Einstellungen\Temp\.tt3.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\*****\Lokale Einstellungen\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Code:

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:40:20, on 04.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sicherheit\AdAware2007\aawservice.exe
C:\Programme\Sicherheit\Avast 4Home\aswUpdSv.exe
C:\Programme\Sicherheit\Avast 4Home\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Programme\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Programme\Sicherheit\Avast 4Home\ashMaiSv.exe
C:\Programme\Sicherheit\Avast 4Home\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta\nifuhchq.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lexmark 1300 Series\lxdcamon.exe
C:\WINDOWS\vsnpstd3.exe
C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ICQ6\ICQ.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Opera\opera.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\DOKUME~1\****~1\LOKALE~1\Temp\Temporäres Verzeichnis 2 für HiJackThis.zip\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://www.avast.com/go.php?verb=register-home&lang=ger
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Programme\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKLM\..\Policies\Explorer\Run: [A0WwqFdR7S] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta\nifuhchq.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - h**p://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - h**p://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1210240211
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O21 - SSODL: setapp - {36998628-E8C1-7FD3-F0A8-0342CDFB8DCC} - C:\Programme\rlysmce\setapp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Sicherheit\AdAware2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programme\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8543 bytes

Chris4You · 05.08.2008, 11:55

Hi,

das HJ-Log genügt nicht den Boardregeln (Links nicht direkt aufrufbar, pers. Pfade unkenntlich);

Hmmm, die Kiste war/ist über beide Ohren verseucht, neu aufsetzen wäre vernünftiger!

Bitte folgende Files prüfen:

Zitat:

C:\Programme\rlysmce\setapp.dll
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta\nifuhchq.exe

http://www.virustotal.com/flash/index_en.html
Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen (oder gleich die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf "Send"... jetzt abwarten - dann mit der rechten Maustaste den Text markieren -> kopieren - einfügen
Poste die Ergebnisse mit Filename..

Combofix
Lade ComboFix von http://download.bleepingcomputer.com/sUBs/ComboFix.exe und speichert es auf den Desktop.
Alle Fenster schliessen und combofix.exe starten und bestätige die folgende Abfrage mit 1 und drücke Enter.

Der Scan mit Combofix kann einige Zeit in Anspruch nehmen, also habe etwas Geduld. Während des Scans bitte nichts am Rechner unternehmen
Es kann möglich sein, dass der Rechner zwischendurch neu gestartet wird.
Nach Scanende wird ein Report angezeigt, den bitte kopieren und in deinem Thread einfuegen.
Weitere Anleitung unter:http://www.bleepingcomputer.com/combofix/de/wie-combofix-benutzt-wird

Poste das Log von Combofix;

Gff. müssen wir die Dateien per Combfix script entfernen...

chris

dntknwmyname · 05.08.2008, 12:24

Danke für die schnelle Antwort und sorry wegen des Regelverstoßes.. ich hoffe die Logs sind jetzt ok.
Hier die Scans der beiden Dateien und das Combofix Logfile:

setap.dll

Code:

ATTFilter

AhnLab-V3	2008.8.5.0	2008.08.05	-
AntiVir	7.8.1.15	2008.08.05	-
Authentium	5.1.0.4	2008.08.04	-
Avast	4.8.1195.0	2008.08.05	-
AVG	8.0.0.156	2008.08.05	Win32/Heur
BitDefender	7.2	2008.08.05	-
CAT-QuickHeal	9.50	2008.08.04	-
ClamAV	0.93.1	2008.08.05	-
DrWeb	4.44.0.09170	2008.08.05	-
eSafe	7.0.17.0	2008.08.05	-
eTrust-Vet	31.6.6009	2008.08.05	-
Ewido	4.0	2008.08.05	-
F-Prot	4.4.4.56	2008.08.04	-
F-Secure	7.60.13501.0	2008.08.05	-
Fortinet	3.14.0.0	2008.08.04	-
GData	2.0.7306.1023	2008.08.05	-
Ikarus	T3.1.1.34.0	2008.08.05	-
K7AntiVirus	7.10.403	2008.08.04	-
Kaspersky	7.0.0.125	2008.08.05	-
McAfee	5353	2008.08.04	-
Microsoft	1.3807	2008.08.05	-
NOD32v2	3327	2008.08.05	-
Norman	5.80.02	2008.08.05	-
Panda	9.0.0.4	2008.08.04	-
PCTools	4.4.2.0	2008.08.04	-
Prevx1	V2	2008.08.05	-
Rising	20.56.12.00	2008.08.05	-
Sophos	4.31.0	2008.08.05	Mal/EncPk-DG
Sunbelt	3.1.1537.1	2008.08.01	-
Symantec	10	2008.08.05	-
TheHacker	6.2.96.393	2008.08.04	-
TrendMicro	8.700.0.1004	2008.08.05	-
VBA32	3.12.8.2	2008.08.04	-
ViRobot	2008.8.5.1324	2008.08.05	-
VirusBuster	4.5.11.0	2008.08.04	-
Webwasher-Gateway	6.6.2	2008.08.05	-
weitere Informationen
File size: 106496 bytes
MD5...: 31457517b2a0ceb8402a331d4c2674e6
SHA1..: 1d6d91607a0008bc2ee7e1725a9a3d8e3a9404cd
SHA256: 7ecb29fc6823bc5f72507e5a3d1a17d231943ed371ebc1a44b19483b40e5c96d
SHA512: 8dedac23384ab24bba92f9e7658d70aafc7a37b659d428b991950ab15aa4a48a
97277303ccbe64bb4b0ccb1e9632698e68774b627c963d206a50a939c3a57b3f
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000128c
timedatestamp.....: 0x48939624 (Fri Aug 01 23:03:00 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.uwgb 0x1000 0x14888 0x15000 6.80 03f45d1b51f9d66b6c636833245002f3
.bdolg 0x16000 0x8c1 0x1000 3.45 34b087254038ce75859f73fb5f4f0f81
.apyoa 0x17000 0x1f54 0x1000 0.53 3ddddf7dd192eba00eac5064563ef2bb
.reloc 0x19000 0x1962 0x2000 6.02 7c4cc956d76c92732f3f2e26e4e45365

( 4 imports ) 
> KERNEL32.dll: FindClose, MulDiv, FindNextChangeNotification, GetModuleHandleW, GetVersion, GetLastError, WaitForSingleObject, LoadResource, GetFileAttributesW, CreateProcessW, CreateFileW, TerminateThread, VirtualAlloc, GlobalFree, CloseHandle, CancelWaitableTimer, WideCharToMultiByte, FindFirstFileW, ReadProcessMemory, FindResourceExW, SetEvent, SetLastError, WriteFile, GetTickCount, FileTimeToSystemTime, GetModuleFileNameW, LoadLibraryA, CreateWaitableTimerW, SetFilePointer, GetProcAddress, GetLogicalDrives, GlobalDeleteAtom
> USER32.dll: LoadImageW, SetCursorPos, RegisterWindowMessageW, TrackPopupMenu, GetWindowTextW, GetKeyState, AppendMenuW, DrawTextW, FillRect, DestroyMenu, LoadBitmapW, ReleaseDC, wsprintfW, RegisterHotKey, GetWindowThreadProcessId, TranslateMessage, RedrawWindow, DestroyIcon, EnableWindow, GetParent, IsDlgButtonChecked, OffsetRect, LoadCursorW, SystemParametersInfoW
> GDI32.dll: SetDIBits, DeleteDC, Rectangle, GetObjectW, LineTo, CreateBitmap, SelectObject, CreateDCW, CreateCompatibleBitmap, GetMapMode, SetBkMode, CreateICW, DPtoLP
> ADVAPI32.dll: RegDeleteValueW, LookupPrivilegeValueW, RegSetValueExW, LookupAccountSidW, RegCloseKey, RegCreateKeyExW, InitializeSecurityDescriptor

( 4 exports ) 
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer

nifuhchq.exe

Code:

ATTFilter

AhnLab-V3	2008.8.5.0	2008.08.05	-
AntiVir	7.8.1.15	2008.08.05	-
Authentium	5.1.0.4	2008.08.04	-
Avast	4.8.1195.0	2008.08.05	-
AVG	8.0.0.156	2008.08.05	Downloader.Swizzor
BitDefender	7.2	2008.08.05	-
CAT-QuickHeal	9.50	2008.08.04	-
ClamAV	0.93.1	2008.08.05	-
DrWeb	4.44.0.09170	2008.08.05	-
eSafe	7.0.17.0	2008.08.05	-
eTrust-Vet	31.6.6009	2008.08.05	-
Ewido	4.0	2008.08.05	-
F-Prot	4.4.4.56	2008.08.04	-
F-Secure	7.60.13501.0	2008.08.05	-
Fortinet	3.14.0.0	2008.08.04	W32/PolySmall.BP!tr
GData	2.0.7306.1023	2008.08.05	-
Ikarus	T3.1.1.34.0	2008.08.05	-
K7AntiVirus	7.10.403	2008.08.04	-
Kaspersky	7.0.0.125	2008.08.05	-
McAfee	5353	2008.08.04	-
Microsoft	1.3807	2008.08.05	Trojan:Win32/Busky.EI
NOD32v2	3327	2008.08.05	probably a variant of Win32/TrojanDownloader.FakeAlert.BP
Norman	5.80.02	2008.08.05	-
Panda	9.0.0.4	2008.08.04	-
PCTools	4.4.2.0	2008.08.04	-
Prevx1	V2	2008.08.05	-
Rising	20.56.12.00	2008.08.05	-
Sophos	4.31.0	2008.08.05	-
Sunbelt	3.1.1537.1	2008.08.01	-
Symantec	10	2008.08.05	-
TheHacker	6.2.96.393	2008.08.04	-
TrendMicro	8.700.0.1004	2008.08.05	-
VBA32	3.12.8.2	2008.08.04	-
ViRobot	2008.8.5.1324	2008.08.05	-
VirusBuster	4.5.11.0	2008.08.04	-
Webwasher-Gateway	6.6.2	2008.08.05	-
weitere Informationen
File size: 57344 bytes
MD5...: b19a65a69bd34a7d6efba8f9a9f77cf5
SHA1..: 1f35e918478968f8de9227d8f55f7c938a7b2960
SHA256: 61a5162d97f5a53fcaa5cbbd3277080a95e737f0996f57d8e42e87dd87fca2d0
SHA512: 38075ab0549c05355376777167dadd0976e5de8575f878eb8470e65b5e05719b
5e38aa0921984142e1a200375fccddc03d7900c41f925a3db0c3ba4a5205d440
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401131
timedatestamp.....: 0x48939851 (Fri Aug 01 23:12:17 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa222 0xb000 6.49 6beb6fafb6fc532b51d7e8d414c05ae8
.rdata 0xc000 0x6aa 0x1000 2.65 f80399c96b89f15bc67ee5132eb4a1c4
.data 0xd000 0x438 0x1000 0.34 e9ea99f6b409e1f347fef569666c63e2

( 4 imports ) 
> KERNEL32.dll: GetDriveTypeW, GetFileSize, VirtualAlloc, WriteFile, SetEvent, SetLastError, ResetEvent, GlobalAddAtomW, SetFilePointer, WaitForSingleObject, SetThreadPriority, FreeResource, LoadLibraryA, MoveFileW, LockResource, SizeofResource, CreateThread, DuplicateHandle, TerminateThread, GetProcAddress, GetCurrentProcess, GlobalFree, GetFileAttributesW, FindNextFileW, InterlockedIncrement, FindResourceExW, CreateProcessW, GetCurrentThread, LoadLibraryW, GetLogicalDrives
> USER32.dll: GetSystemMetrics, GetWindowThreadProcessId, DestroyIcon, SetLayeredWindowAttributes, DispatchMessageW, OffsetRect, RegisterWindowMessageW, SendDlgItemMessageW, RegisterHotKey, InvalidateRect, AppendMenuW, SetDlgItemTextW, LoadBitmapW, GetMessageW, FillRect, SystemParametersInfoW, ReleaseCapture, EndDialog, SetForegroundWindow
> GDI32.dll: CreateSolidBrush, SelectObject, SetBkMode, GetStockObject, SetDIBits, GetDeviceCaps
> ADVAPI32.dll: InitializeSecurityDescriptor, RegCreateKeyExW, LookupAccountSidW, StartServiceW

( 0 exports )

Combofix Log

Code:

ATTFilter

ComboFix 08-08-04.01 - **** 2008-08-05 13:31:32.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1031.18.1556 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\****\Desktop\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\WINDOWS\system32\lphc9ttj0eefl.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\phc9ttj0eefl.bmp

.
(((((((((((((((((((((((   Dateien erstellt von 2008-07-05 bis 2008-08-05  ))))))))))))))))))))))))))))))
.

2008-08-03 03:41 . 2008-08-03 03:41	94,208	--a------	C:\WINDOWS\system32\cvunylqj.exe
2008-08-02 12:49 . 2008-08-02 12:49	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy
2008-08-02 03:10 . 2008-08-02 03:10	<DIR>	d--------	C:\Programme\Malwarebytes' Anti-Malware
2008-08-02 03:10 . 2008-08-02 03:10	<DIR>	d--------	C:\Dokumente und Einstellungen\****\Anwendungsdaten\Malwarebytes
2008-08-02 03:10 . 2008-08-02 03:10	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-02 03:10 . 2008-07-30 20:14	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 03:10 . 2008-07-30 20:14	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 02:52 . 2008-08-02 02:52	<DIR>	d--------	C:\Programme\rlysmce
2008-08-02 02:52 . 2008-08-02 02:52	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta
2008-08-02 02:52 . 2008-08-02 02:52	86,016	--a------	C:\WINDOWS\system32\pehshexg.exe
2008-07-28 15:00 . 2008-07-28 15:01	<DIR>	d--------	C:\Programme\Metronom
2008-07-25 18:48 . 2008-07-25 18:50	<DIR>	d--------	C:\OgreCommandLineTools
2008-07-25 18:06 . 2008-07-25 18:14	<DIR>	d--------	C:\test2
2008-07-25 17:57 . 2008-07-25 18:44	<DIR>	d--------	C:\OgreSDK
2008-07-23 23:05 . 2008-07-23 23:13	<DIR>	d--------	C:\Programme\VirtualDub
2008-07-23 23:00 . 2008-07-23 23:01	<DIR>	d--------	C:\Programme\VLCPortable
2008-07-21 22:18 . 2008-07-21 22:19	<DIR>	d--------	C:\mingw
2008-07-21 22:15 . 2008-07-21 22:15	<DIR>	d--------	C:\Programme\CodeBlocks
2008-07-21 21:13 . 2008-07-21 21:13	<DIR>	d--------	C:\Programme\Free Fire Screensaver
2008-07-21 21:13 . 2008-07-21 21:13	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Laconic Software
2008-07-18 22:16 . 2008-07-18 22:16	0	--a------	C:\WINDOWS\musiceditor.INI
2008-07-14 22:06 . 2008-07-14 22:06	103,424	--a------	C:\WINDOWS\system32\nUI_nat.dll
2008-07-11 14:36 . 2008-08-05 13:35	348,192	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-11 14:36 . 2008-08-04 14:07	4,808	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-11 14:19 . 2008-07-11 14:19	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MailFrontier
2008-07-06 14:16 . 2005-10-21 03:47	30,592	---------	C:\WINDOWS\system32\drivers\rndismpx.sys
2008-07-06 14:16 . 2005-10-21 03:47	12,800	---------	C:\WINDOWS\system32\drivers\usb8023x.sys
2008-07-06 14:15 . 2008-07-06 14:16	<DIR>	d--------	C:\Programme\Microsoft ActiveSync

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 11:26	---------	d-----w	C:\Programme\TuneUp Utilities 2006
2008-08-05 09:58	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\Skype
2008-08-02 14:01	---------	d-----w	C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-08-02 13:58	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-07-25 17:01	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\codeblocks
2008-07-22 09:39	---------	d--h--w	C:\Programme\InstallShield Installation Information
2008-07-22 09:37	---------	d-----w	C:\Programme\Fahrenheit
2008-07-19 12:11	---------	d-----w	C:\Programme\blender-2.45-windows
2008-07-16 20:32	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\uTorrent
2008-07-02 15:51	---------	d-----w	C:\Programme\ICQ6
2008-07-02 15:51	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\ICQ
2008-06-26 19:44	48,928	----a-w	C:\WINDOWS\system32\drivers\Tetris.sys
2008-06-26 19:42	162,432	----a-w	C:\WINDOWS\system32\drivers\ithsgt.sys
2008-06-26 19:42	12,032	----a-w	C:\WINDOWS\system32\drivers\lilsgt.sys
2008-06-20 17:39	247,296	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:57	273,024	----a-w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 17:44	---------	d-----w	C:\Programme\Opera
2008-06-06 09:09	2,189,824	----a-w	C:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-20 16:35	4,930,680	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-16 09:58	12,632	----a-w	C:\WINDOWS\system32\lsdelete.exe
2008-05-12 10:12	16,869,320	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_11_19_40_47_full.dmp.zip
2008-05-12 10:12	111,335	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_11_19_40_11_small.dmp.zip
2008-05-07 04:55	1,293,824	----a-w	C:\WINDOWS\system32\quartz.dll
2006-05-03 10:06	163,328	--sh--r	C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47	31,232	--sh--r	C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43	27,648	--sh--w	C:\WINDOWS\system32\Smab0.dll
2008-02-04 19:26	151,040	--sh--w	C:\WINDOWS\system32\VistaUltm.dll
.

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-01-12 13:57 25367592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-21 01:00 1211176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 20:03 7557120]
"IntelZeroConfig"="C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"avast!"="C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe" [2008-07-19 16:38 78008]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 12:56 761947]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"lxdcamon"="C:\Programme\Lexmark 1300 Series\lxdcamon.exe" [2007-02-06 01:32 20480]
"LXDCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-23 00:05 102400]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07 827392]
"ZoneAlarm Client"="C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe" [2007-12-13 19:27 919016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"NVHotkey"="nvHotkey.dll" [2006-03-21 20:03 73728 C:\WINDOWS\system32\nvhotkey.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"A0WwqFdR7S"="C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta\nifuhchq.exe" [2008-08-02 02:52 57344]

C:\Dokumente und Einstellungen\All Users\Startmen�\Programme\Autostart\
Bluetooth Manager.lnk - C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 17:46:00 1724416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"setapp"= {36998628-E8C1-7FD3-F0A8-0342CDFB8DCC} - C:\Programme\rlysmce\setapp.dll [2008-08-02 02:52 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Dokumente und Einstellungen\\All Users\\Anwendungsdaten\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"PhonostarTimer"=C:\Programme\phonostar\ps_timer.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"ehTray"=C:\WINDOWS\ehome\ehtray.exe
"SunJavaUpdateSched"=C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
"Norton Ghost 12.0"="C:\Programme\Norton Ghost\Agent\VProTray.exe"
"snpstd3"=C:\WINDOWS\vsnpstd3.exe
"Profiler"=C:\Programme\Saitek\Software\Profiler.exe
"SaiMfd"=C:\Programme\Saitek\Software\SaiMfd.exe
"nwiz"=nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Programme\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Programme\\Lexmark 1300 Series\\App4R.exe"=
"C:\\Programme\\uTorrent\\uTorrent.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\Programme\Microsoft ActiveSync\rapimgr.exe"= C:\Programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Programme\Microsoft ActiveSync\wcescomm.exe"= C:\Programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Programme\Microsoft ActiveSync\WCESMgr.exe"= C:\Programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2008-06-26 21:42]
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2008-06-26 21:42]
R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-02-13 01:56]
R3 Tetris;Tetris driver;C:\WINDOWS\system32\Drivers\Tetris.sys [2008-06-26 21:44]
S3 SaiHFF0D;SaiHFF0D;C:\WINDOWS\system32\DRIVERS\SaiHFF0D.sys [2005-07-22 11:38]
S3 SaiUFF0D;SaiUFF0D;C:\WINDOWS\system32\DRIVERS\SaiUFF0D.sys [2005-07-22 11:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38083d7e-41cd-11dc-8c59-001422f8c02c}]
\Shell\AutoRun\command - F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43765cff-3ea2-11dd-abff-001422f8c02c}]
\Shell\AutoRun\command - h6o0re.cmd
\Shell\explore\Command - h6o0re.cmd
\Shell\open\Command - h6o0re.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b566ffa9-d358-11dc-8dd3-001422f8c02c}]
\Shell\AutoRun\command - G:\Autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners

2008-08-01 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-21 22:35]
.
.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\****\Anwendungsdaten\Mozilla\Firefox\Profiles\1jh0733m.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 13:35:46
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXDCCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

Prozess: C:\WINDOWS\system32\winlogon.exe
-> C:\Programme\TuneUp Utilities 2006\WinStylerThemeHelper.dll

Prozess: C:\WINDOWS\system32\lsass.exe
-> C:\Programme\TuneUp Utilities 2006\WinStylerThemeHelper.dll

Prozess: C:\WINDOWS\system32\csrss.exe
-> C:\Programme\TuneUp Utilities 2006\WinStylerThemeHelper.dll
.
Zeit der Fertigstellung: 2008-08-05 13:36:52
ComboFix-quarantined-files.txt  2008-08-05 11:36:44

Pre-Run: 2,593,021,952 Bytes frei
Post-Run: 2,698,625,024 Bytes frei

202	--- E O F ---	2008-07-09 17:46:23

Chris4You · 05.08.2008, 13:27

Hi,

jetzt geht es ans eingemachte;
Die setapi.dll wird nicht zuverlässig erkannt, daher lasse ich sie mal außen vor,
das gleiche gilt erstmal für die VistaUltm.dll.

Bitte folgende Files prüfen:

Zitat:

C:\WINDOWS\system32\cvunylqj.exe
C:\WINDOWS\system32\pehshexg.exe
C:\WINDOWS\system32\VistaUltm.dll
h6o0re.cmd <- das bitte suchen, kein Pfad angegeben.... Ist aber sicher von einem Trojaner

http://www.virustotal.com/flash/index_en.html
Oben auf der Seite --> auf Durchsuchen klicken --> Datei aussuchen (oder gleich die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf "Send"... jetzt abwarten - dann mit der rechten Maustaste den Text markieren -> kopieren - einfügen

Poste wie immer mit Filename!
Combofix - Scripten

1. Starte das Notepad (Start / Ausführen / notepad[Enter])

2. Jetzt füge mit copy/paste den ganzen Inhalt der untenstehenden Codebox in das Notepad Fenster ein.

Code:

ATTFilter

File:: 
C:\WINDOWS\system32\cvunylqj.exe
C:\WINDOWS\system32\pehshexg.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta\nifuhchq.exe

Registry:: 
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43765cff-3ea2-11dd-abff-001422f8c02c}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"A0WwqFdR7S"=-

3. Speichere im Notepad als CFScript.txt auf dem Desktop.

4. Deaktivere den Guard Deines Antivirenprogramms und eine eventuell vorhandene Software Firewall.
(Auch Guards von Ad-, Spyware Programmen und den Tea Timer!)

5. Dann ziehe die CFScript.txt auf die ComboFix.exe, (drag an ddrop). Damit wird Combofix neu gestartet.

6. Nach dem Neustart (es wird gefragt ob Du neustarten willst), poste bitte die folgenden Log Dateien:

Combofix.txt

chris

dntknwmyname · 05.08.2008, 13:47

cvunylqj.exe

Code:

ATTFilter

Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2008.8.5.0	2008.08.05	-
AntiVir	7.8.1.15	2008.08.05	-
Authentium	5.1.0.4	2008.08.04	-
Avast	4.8.1195.0	2008.08.05	-
AVG	8.0.0.156	2008.08.05	Downloader.Swizzor
BitDefender	7.2	2008.08.05	-
CAT-QuickHeal	9.50	2008.08.04	-
ClamAV	0.93.1	2008.08.05	-
DrWeb	4.44.0.09170	2008.08.05	-
eSafe	7.0.17.0	2008.08.05	-
eTrust-Vet	31.6.6009	2008.08.05	-
Ewido	4.0	2008.08.05	-
F-Prot	4.4.4.56	2008.08.04	-
F-Secure	7.60.13501.0	2008.08.05	-
Fortinet	3.14.0.0	2008.08.05	-
GData	2.0.7306.1023	2008.08.05	-
Ikarus	T3.1.1.34.0	2008.08.05	-
K7AntiVirus	7.10.403	2008.08.04	-
Kaspersky	7.0.0.125	2008.08.05	-
McAfee	5353	2008.08.04	-
Microsoft	1.3807	2008.08.05	Trojan:Win32/Busky.EC
NOD32v2	3328	2008.08.05	a variant of Win32/TrojanDownloader.FakeAlert.BP
Norman	5.80.02	2008.08.05	-
Panda	9.0.0.4	2008.08.04	-
PCTools	4.4.2.0	2008.08.04	-
Prevx1	V2	2008.08.05	-
Rising	20.56.12.00	2008.08.05	-
Sophos	4.31.0	2008.08.05	Mal/EncPk-DG
Sunbelt	3.1.1537.1	2008.08.01	-
Symantec	10	2008.08.05	-
TheHacker	6.2.96.393	2008.08.04	-
TrendMicro	8.700.0.1004	2008.08.05	-
VBA32	3.12.8.2	2008.08.04	-
ViRobot	2008.8.5.1324	2008.08.05	-
VirusBuster	4.5.11.0	2008.08.04	-
Webwasher-Gateway	6.6.2	2008.08.05	-
weitere Informationen
File size: 94208 bytes
MD5...: 0b557d202ab2137289411428f14787f2
SHA1..: e48acecf15f8f7dc8d7ff61153ef26941eabf29f
SHA256: 855dc81f991480a28dfe67e6de1059c474bd165c97492728ed3c7946d6f4d9f3
SHA512: 4ce0358c32445775713de8213f7a46b02618550c37e0d788a66c7b7569064e83
1a0ed2af8b482459c4b4b3689180aa013982e5966c7eb7a8c9db182943057a72
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40203a
timedatestamp.....: 0x4894e789 (Sat Aug 02 23:02:33 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.gtzyti 0x1000 0x13384 0x14000 6.80 0a89f83b0840ba4de2754455879f26b2
.zzty 0x15000 0x680 0x1000 2.74 0dcfb4de1f0db9ded35c6e4eb4196907
.lygd 0x16000 0x59d0 0x1000 0.58 da7faad3312c547a623ce4faa7e55cb1

( 4 imports ) 
> KERNEL32.dll: FileTimeToSystemTime, GetLocalTime, CloseHandle, WideCharToMultiByte, VirtualFree, GetUserDefaultLangID, lstrlenW, LoadLibraryA, GetProcAddress, GetPrivateProfileStringW, GetModuleHandleW, FreeLibrary, GlobalAlloc, WriteFile, GetFileAttributesExW, WaitForSingleObject, CreateWaitableTimerW, ReadFile, CreateProcessW, FindNextFileW, InterlockedDecrement, GetSystemTime, FindNextChangeNotification, InterlockedIncrement, CreateThread, MoveFileW, DeleteFileW, SetLastError, GetLastError
> USER32.dll: DialogBoxParamW, TrackPopupMenu, GetWindowRect, AppendMenuW, VkKeyScanW, RedrawWindow, ReleaseDC, LoadBitmapW, UpdateWindow, DestroyMenu, RegisterClassExW, GetSysColor, SystemParametersInfoW, wsprintfW, SendDlgItemMessageW, PostThreadMessageW, IsWindow, GetParent, EnableWindow, EndDialog, InvalidateRect
> GDI32.dll: GetObjectW, MoveToEx, CreateRoundRectRgn, GetClipBox, Rectangle, StretchBlt
> ADVAPI32.dll: RegSetValueExW, GetUserNameW, LookupAccountSidW

( 0 exports )

pehshexg.exe

Code:

ATTFilter

Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2008.8.5.0	2008.08.05	-
AntiVir	7.8.1.15	2008.08.05	-
Authentium	5.1.0.4	2008.08.04	-
Avast	4.8.1195.0	2008.08.05	-
AVG	8.0.0.156	2008.08.05	Downloader.Swizzor
BitDefender	7.2	2008.08.05	-
CAT-QuickHeal	9.50	2008.08.04	-
ClamAV	0.93.1	2008.08.05	-
DrWeb	4.44.0.09170	2008.08.05	-
eSafe	7.0.17.0	2008.08.05	-
eTrust-Vet	31.6.6009	2008.08.05	-
Ewido	4.0	2008.08.05	-
F-Prot	4.4.4.56	2008.08.04	-
F-Secure	7.60.13501.0	2008.08.05	-
Fortinet	3.14.0.0	2008.08.05	W32/PolySmall.BP!tr
GData	2.0.7306.1023	2008.08.05	-
Ikarus	T3.1.1.34.0	2008.08.05	-
K7AntiVirus	7.10.403	2008.08.04	-
Kaspersky	7.0.0.125	2008.08.05	-
McAfee	5353	2008.08.04	-
Microsoft	1.3807	2008.08.05	Trojan:Win32/Busky.EC
NOD32v2	3328	2008.08.05	a variant of Win32/TrojanDownloader.FakeAlert.BP
Norman	5.80.02	2008.08.05	-
Panda	9.0.0.4	2008.08.04	-
PCTools	4.4.2.0	2008.08.04	-
Prevx1	V2	2008.08.05	Malware Downloader
Rising	20.56.12.00	2008.08.05	-
Sophos	4.31.0	2008.08.05	Mal/EncPk-DG
Sunbelt	3.1.1537.1	2008.08.01	-
Symantec	10	2008.08.05	-
TheHacker	6.2.96.393	2008.08.04	-
TrendMicro	8.700.0.1004	2008.08.05	-
VBA32	3.12.8.2	2008.08.04	-
ViRobot	2008.8.5.1324	2008.08.05	-
VirusBuster	4.5.11.0	2008.08.04	-
Webwasher-Gateway	6.6.2	2008.08.05	-
weitere Informationen
File size: 86016 bytes
MD5...: ec7337b6a06169cd3ab54e15e35ad390
SHA1..: d1a7d79490108b9e2418c5bd2a8a399d08cf25ee
SHA256: ed55f2f75c9018e521e816542fc34cc4c8d15010798762b087751e37a341b6e0
SHA512: 9b2f3d89d3434ecefbcaa7a06ad9291034ab56ea73cdf4a2a5e4d295995e4bec
df52f65654ef22388f17f140351fb4fc5968dbc4282ec1f1ebc658fe45d370e7
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401efe
timedatestamp.....: 0x4893961f (Fri Aug 01 23:02:55 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.pbjih 0x1000 0x1118e 0x12000 6.71 7a49229de937e3793ddaf3fe38d8e948
.jnhc 0x13000 0x5dc 0x1000 2.52 91e4cf23ba766ec9e9baa821f7794aa2
.hzvq 0x14000 0x59d8 0x1000 0.46 1cf98e882c273deb621e961737d76cb8

( 4 imports ) 
> KERNEL32.dll: MultiByteToWideChar, WritePrivateProfileStringW, SuspendThread, LoadLibraryA, FindNextFileW, MulDiv, GetCurrentProcessId, GetLocalTime, WideCharToMultiByte, SetCurrentDirectoryW, SetWaitableTimer, LockResource, GetProcAddress, GetCurrentProcess, InterlockedIncrement, GetCurrentThreadId, GetVersion, GetTickCount, CreateEventW, FindFirstChangeNotificationW, SetEndOfFile
> USER32.dll: GetMessageW, CreateWindowExW, SetCursor, GetKeyState, SendDlgItemMessageW, AppendMenuW, RegisterClassExW, DispatchMessageW, SetForegroundWindow, MessageBoxW, LoadCursorW, GetParent, GetDlgItem, SystemParametersInfoW, TranslateMessage, GetWindowDC, RegisterWindowMessageW, WindowFromPoint, EndDialog, InvalidateRect
> GDI32.dll: DeleteObject, SetBkColor, Rectangle, MoveToEx, SetBkMode, StretchBlt, CreateFontIndirectW
> ADVAPI32.dll: StartServiceW, RegOpenKeyExW, RegNotifyChangeKeyValue

( 0 exports )

VistaUltm.dll

Code:

ATTFilter

Antivirus	Version	letzte aktualisierung	Ergebnis
AhnLab-V3	2008.8.5.0	2008.08.05	-
AntiVir	7.8.1.15	2008.08.05	-
Authentium	5.1.0.4	2008.08.04	-
Avast	4.8.1195.0	2008.08.05	-
AVG	8.0.0.156	2008.08.05	-
BitDefender	7.2	2008.08.05	-
CAT-QuickHeal	9.50	2008.08.04	-
ClamAV	0.93.1	2008.08.05	Trojan.Spy.Banker-6225
DrWeb	4.44.0.09170	2008.08.05	-
eSafe	7.0.17.0	2008.08.05	Suspicious File
eTrust-Vet	31.6.6009	2008.08.05	-
Ewido	4.0	2008.08.05	-
F-Prot	4.4.4.56	2008.08.04	-
F-Secure	7.60.13501.0	2008.08.05	-
Fortinet	3.14.0.0	2008.08.05	-
GData	2.0.7306.1023	2008.08.05	-
Ikarus	T3.1.1.34.0	2008.08.05	Trojan-Downloader.Win32.Banload.F
K7AntiVirus	7.10.403	2008.08.04	-
Kaspersky	7.0.0.125	2008.08.05	-
McAfee	5353	2008.08.04	-
Microsoft	1.3807	2008.08.05	-
NOD32v2	3328	2008.08.05	-
Norman	5.80.02	2008.08.05	-
Panda	9.0.0.4	2008.08.04	Suspicious file
PCTools	4.4.2.0	2008.08.04	-
Prevx1	V2	2008.08.05	-
Rising	20.56.12.00	2008.08.05	-
Sophos	4.31.0	2008.08.05	-
Sunbelt	3.1.1537.1	2008.08.01	-
Symantec	10	2008.08.05	-
TheHacker	6.2.96.393	2008.08.04	-
TrendMicro	8.700.0.1004	2008.08.05	-
VBA32	3.12.8.2	2008.08.05	-
ViRobot	2008.8.5.1324	2008.08.05	-
VirusBuster	4.5.11.0	2008.08.04	-
Webwasher-Gateway	6.6.2	2008.08.05	Virus.Win32.FileInfector.gen!90 (suspicious)
weitere Informationen
File size: 151040 bytes
MD5...: c93ef86755e9953c07b74401d09df1b6
SHA1..: 2ee8ead17e8969d8409a144d7c211b1932be5c39
SHA256: 87f87804767a255f95873b59f5a841e47dc749d84679b018328eb86109b85715
SHA512: 600c2181c9ff0c622005de23b193bc6c24a94484fe183802354685c428a1dc94
2d78ac291fef7878bdeaa71fb994079491303f443440bb170b5e11df64acf7b5
PEiD..: PECompact 2.xx --> BitSum Technologies
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x45fcb9
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x5e000 0x22a00 8.00 c3011949407920de88eeecb6ae692a4f
.rsrc 0x5f000 0x2000 0x1e00 6.45 2a9078da7560752c733d99ff5e4491e1
.reloc 0x61000 0x200 0x200 0.21 85244630fa1d849ea0d37b24ca5559f7

( 7 imports ) 
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
> user32.dll: GetKeyboardType
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> version.dll: VerQueryValueA
> gdi32.dll: UnrealizeObject
> comctl32.dll: ImageList_SetIconSize

( 1 exports ) 
DllCanUnloadNow
packers (Kaspersky): PE_Patch.PECompact, PecBundle, PECompact
packers (F-Prot): PecBundle, PECompact

h6o0re.cmd habe ich gesucht und nicht gefunden.

Combofix Log

Code:

ATTFilter

ComboFix 08-08-04.01 - **** 2008-08-05 14:48:19.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1031.18.1496 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\****\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\****\Desktop\CFScript.txt
 * Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((   Dateien erstellt von 2008-07-05 bis 2008-08-05  ))))))))))))))))))))))))))))))
.

2008-08-03 03:41 . 2008-08-03 03:41	94,208	--a------	C:\WINDOWS\system32\cvunylqj.exe
2008-08-02 12:49 . 2008-08-02 12:49	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy
2008-08-02 03:10 . 2008-08-02 03:10	<DIR>	d--------	C:\Programme\Malwarebytes' Anti-Malware
2008-08-02 03:10 . 2008-08-02 03:10	<DIR>	d--------	C:\Dokumente und Einstellungen\S i m o n\Anwendungsdaten\Malwarebytes
2008-08-02 03:10 . 2008-08-02 03:10	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-02 03:10 . 2008-07-30 20:14	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 03:10 . 2008-07-30 20:14	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 02:52 . 2008-08-02 02:52	<DIR>	d--------	C:\Programme\rlysmce
2008-08-02 02:52 . 2008-08-02 02:52	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta
2008-08-02 02:52 . 2008-08-02 02:52	86,016	--a------	C:\WINDOWS\system32\pehshexg.exe
2008-07-28 15:00 . 2008-07-28 15:01	<DIR>	d--------	C:\Programme\Metronom
2008-07-25 18:48 . 2008-07-25 18:50	<DIR>	d--------	C:\OgreCommandLineTools
2008-07-25 18:06 . 2008-07-25 18:14	<DIR>	d--------	C:\test2
2008-07-25 17:57 . 2008-07-25 18:44	<DIR>	d--------	C:\OgreSDK
2008-07-23 23:05 . 2008-07-23 23:13	<DIR>	d--------	C:\Programme\VirtualDub
2008-07-23 23:00 . 2008-07-23 23:01	<DIR>	d--------	C:\Programme\VLCPortable
2008-07-21 22:18 . 2008-07-21 22:19	<DIR>	d--------	C:\mingw
2008-07-21 22:15 . 2008-07-21 22:15	<DIR>	d--------	C:\Programme\CodeBlocks
2008-07-21 21:13 . 2008-07-21 21:13	<DIR>	d--------	C:\Programme\Free Fire Screensaver
2008-07-21 21:13 . 2008-07-21 21:13	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Laconic Software
2008-07-18 22:16 . 2008-07-18 22:16	0	--a------	C:\WINDOWS\musiceditor.INI
2008-07-14 22:06 . 2008-07-14 22:06	103,424	--a------	C:\WINDOWS\system32\nUI_nat.dll
2008-07-11 14:36 . 2008-08-05 14:49	423,968	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-11 14:36 . 2008-08-04 14:07	4,808	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-11 14:19 . 2008-07-11 14:19	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MailFrontier
2008-07-06 14:16 . 2005-10-21 03:47	30,592	---------	C:\WINDOWS\system32\drivers\rndismpx.sys
2008-07-06 14:16 . 2005-10-21 03:47	12,800	---------	C:\WINDOWS\system32\drivers\usb8023x.sys
2008-07-06 14:15 . 2008-07-06 14:16	<DIR>	d--------	C:\Programme\Microsoft ActiveSync

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 11:26	---------	d-----w	C:\Programme\TuneUp Utilities 2006
2008-08-05 09:58	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\Skype
2008-08-02 14:01	---------	d-----w	C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-08-02 13:58	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-07-25 17:01	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\codeblocks
2008-07-22 09:39	---------	d--h--w	C:\Programme\InstallShield Installation Information
2008-07-22 09:37	---------	d-----w	C:\Programme\Fahrenheit
2008-07-19 12:11	---------	d-----w	C:\Programme\blender-2.45-windows
2008-07-16 20:32	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\uTorrent
2008-07-02 15:51	---------	d-----w	C:\Programme\ICQ6
2008-07-02 15:51	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\ICQ
2008-06-26 19:44	48,928	----a-w	C:\WINDOWS\system32\drivers\Tetris.sys
2008-06-26 19:42	162,432	----a-w	C:\WINDOWS\system32\drivers\ithsgt.sys
2008-06-26 19:42	12,032	----a-w	C:\WINDOWS\system32\drivers\lilsgt.sys
2008-06-20 17:39	247,296	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:57	273,024	----a-w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 17:44	---------	d-----w	C:\Programme\Opera
2008-06-06 09:09	2,189,824	----a-w	C:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-20 16:35	4,930,680	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-16 09:58	12,632	----a-w	C:\WINDOWS\system32\lsdelete.exe
2008-05-12 10:12	16,869,320	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_11_19_40_47_full.dmp.zip
2008-05-12 10:12	111,335	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_11_19_40_11_small.dmp.zip
2008-05-07 04:55	1,293,824	----a-w	C:\WINDOWS\system32\quartz.dll
2006-05-03 10:06	163,328	--sh--r	C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47	31,232	--sh--r	C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43	27,648	--sh--w	C:\WINDOWS\system32\Smab0.dll
2008-02-04 19:26	151,040	--sh--w	C:\WINDOWS\system32\VistaUltm.dll
.

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-01-12 13:57 25367592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-21 01:00 1211176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 20:03 7557120]
"IntelZeroConfig"="C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"avast!"="C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe" [2008-07-19 16:38 78008]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 12:56 761947]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"lxdcamon"="C:\Programme\Lexmark 1300 Series\lxdcamon.exe" [2007-02-06 01:32 20480]
"LXDCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-23 00:05 102400]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07 827392]
"ZoneAlarm Client"="C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe" [2007-12-13 19:27 919016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"NVHotkey"="nvHotkey.dll" [2006-03-21 20:03 73728 C:\WINDOWS\system32\nvhotkey.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 14:00 15360]

C:\Dokumente und Einstellungen\All Users\Startmen�\Programme\Autostart\
Bluetooth Manager.lnk - C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 17:46:00 1724416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"setapp"= {36998628-E8C1-7FD3-F0A8-0342CDFB8DCC} - C:\Programme\rlysmce\setapp.dll [2008-08-02 02:52 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Dokumente und Einstellungen\\All Users\\Anwendungsdaten\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"PhonostarTimer"=C:\Programme\phonostar\ps_timer.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"ehTray"=C:\WINDOWS\ehome\ehtray.exe
"SunJavaUpdateSched"=C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
"Norton Ghost 12.0"="C:\Programme\Norton Ghost\Agent\VProTray.exe"
"snpstd3"=C:\WINDOWS\vsnpstd3.exe
"Profiler"=C:\Programme\Saitek\Software\Profiler.exe
"SaiMfd"=C:\Programme\Saitek\Software\SaiMfd.exe
"nwiz"=nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Programme\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Programme\\Lexmark 1300 Series\\App4R.exe"=
"C:\\Programme\\uTorrent\\uTorrent.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\Programme\Microsoft ActiveSync\rapimgr.exe"= C:\Programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Programme\Microsoft ActiveSync\wcescomm.exe"= C:\Programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Programme\Microsoft ActiveSync\WCESMgr.exe"= C:\Programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2008-06-26 21:42]
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2008-06-26 21:42]
R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-02-13 01:56]
R3 Tetris;Tetris driver;C:\WINDOWS\system32\Drivers\Tetris.sys [2008-06-26 21:44]
S3 SaiHFF0D;SaiHFF0D;C:\WINDOWS\system32\DRIVERS\SaiHFF0D.sys [2005-07-22 11:38]
S3 SaiUFF0D;SaiUFF0D;C:\WINDOWS\system32\DRIVERS\SaiUFF0D.sys [2005-07-22 11:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38083d7e-41cd-11dc-8c59-001422f8c02c}]
\Shell\AutoRun\command - F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b566ffa9-d358-11dc-8dd3-001422f8c02c}]
\Shell\AutoRun\command - G:\Autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners

2008-08-01 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-21 22:35]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 14:49:33
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXDCCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

Prozess: C:\WINDOWS\system32\winlogon.exe
-> C:\Programme\TuneUp Utilities 2006\WinStylerThemeHelper.dll

Prozess: C:\WINDOWS\system32\lsass.exe
-> C:\Programme\TuneUp Utilities 2006\WinStylerThemeHelper.dll

Prozess: C:\WINDOWS\system32\csrss.exe
-> C:\Programme\TuneUp Utilities 2006\WinStylerThemeHelper.dll
.
Zeit der Fertigstellung: 2008-08-05 14:50:28
ComboFix-quarantined-files.txt  2008-08-05 12:50:13

Pre-Run: 2,673,729,536 Bytes frei
Post-Run: 2,661,163,008 Bytes frei

185	--- E O F ---	2008-07-09 17:46:23

Chris4You · 05.08.2008, 13:58

Hi,

wir sollten die "VistaUltm.dll" ebenfalls über den Jordan schicken...
Das CMD-File ist eventuell versteckt, Systemeinstellungen prüfen (anzeige aller Dateien, versteckter und Sysemdateien!). Ist aber nicht ganz so wichtig, ComboFix entfernt den Mountpoint wo es gestartet wird/wurde.

Achtung, die Files sind immer noch da, bitte noch mal probieren (oder hast
Du die alte Log-Datei erwischt)?
Probiere das mal im abgesicherten Modus...

Code:

ATTFilter

File::
C:\WINDOWS\system32\VistaUltm.dll
C:\WINDOWS\system32\cvunylqj.exe
C:\WINDOWS\system32\pehshexg.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta\nifuhchq.exe

Gleiches Prozedere mit Combofix wie vorher.

Sonst müssen wir Avenger oder die Killbox aufsetzten...

Danach neues HJ-Log und noch einen DSS-Scan:
DSS
Download dss zum Desktop (http://www.techsupportforum.com/sectools/Deckard/dss.exe)
Schliesse alle Anwendungen und Doppelklicke dss.exe
Während DSS läuft, keine anderen Aktionen ausführen!
Kopiere den Inhalt des Berichts C:\main.txt und extra.txt in Deinen Thread

Achtung:
Bin nur noch kurz da und dann zwei Tage unterwegs, bitte ein anderer Übernehmen!

chris

Ps.: Falls es wieder nicht klappt:
KILLBOX - Pocket KillBox
http://virus-protect.org/killbox.html
oder
http://www.wintotal.de/Software/index.php?id=4101

Options: Delete on Reboot --> anhaken
reinkopieren:

Code:

ATTFilter

C:\WINDOWS\system32\VistaUltm.dll
C:\WINDOWS\system32\cvunylqj.exe
C:\WINDOWS\system32\pehshexg.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta\nifuhchq.exe

und klicke auf das rote Kreuz, wenn gefragt wird, ob "Do you want to reboot? "---- klicke auf "no",und kopiere das nächste rein, erst beim letzten auf "yes"

PC neustarten

dntknwmyname · 05.08.2008, 14:14

@Chris.. solltest du dich nicht mehr weiter um mich kümmern können vielen, vielen Dank für deine schnelle Hilfe bis hierher

Combofix Log

Code:

ATTFilter

ComboFix 08-08-04.01 - S i m o n 2008-08-05 15:07:33.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1031.18.1507 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\****\Desktop\ComboFix.exe
Command switches used :: C:\Dokumente und Einstellungen\****\Desktop\CFScript.txt
 * Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

(((((((((((((((((((((((   Dateien erstellt von 2008-07-05 bis 2008-08-05  ))))))))))))))))))))))))))))))
.

2008-08-03 03:41 . 2008-08-03 03:41	94,208	--a------	C:\WINDOWS\system32\cvunylqj.exe
2008-08-02 12:49 . 2008-08-02 12:49	<DIR>	d--h-----	C:\WINDOWS\system32\GroupPolicy
2008-08-02 03:10 . 2008-08-02 03:10	<DIR>	d--------	C:\Programme\Malwarebytes' Anti-Malware
2008-08-02 03:10 . 2008-08-02 03:10	<DIR>	d--------	C:\Dokumente und Einstellungen\****\Anwendungsdaten\Malwarebytes
2008-08-02 03:10 . 2008-08-02 03:10	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-02 03:10 . 2008-07-30 20:14	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 03:10 . 2008-07-30 20:14	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 02:52 . 2008-08-02 02:52	<DIR>	d--------	C:\Programme\rlysmce
2008-08-02 02:52 . 2008-08-02 02:52	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta
2008-08-02 02:52 . 2008-08-02 02:52	86,016	--a------	C:\WINDOWS\system32\pehshexg.exe
2008-07-28 15:00 . 2008-07-28 15:01	<DIR>	d--------	C:\Programme\Metronom
2008-07-25 18:48 . 2008-07-25 18:50	<DIR>	d--------	C:\OgreCommandLineTools
2008-07-25 18:06 . 2008-07-25 18:14	<DIR>	d--------	C:\test2
2008-07-25 17:57 . 2008-07-25 18:44	<DIR>	d--------	C:\OgreSDK
2008-07-23 23:05 . 2008-07-23 23:13	<DIR>	d--------	C:\Programme\VirtualDub
2008-07-23 23:00 . 2008-07-23 23:01	<DIR>	d--------	C:\Programme\VLCPortable
2008-07-21 22:18 . 2008-07-21 22:19	<DIR>	d--------	C:\mingw
2008-07-21 22:15 . 2008-07-21 22:15	<DIR>	d--------	C:\Programme\CodeBlocks
2008-07-21 21:13 . 2008-07-21 21:13	<DIR>	d--------	C:\Programme\Free Fire Screensaver
2008-07-21 21:13 . 2008-07-21 21:13	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Laconic Software
2008-07-18 22:16 . 2008-07-18 22:16	0	--a------	C:\WINDOWS\musiceditor.INI
2008-07-14 22:06 . 2008-07-14 22:06	103,424	--a------	C:\WINDOWS\system32\nUI_nat.dll
2008-07-11 14:36 . 2008-08-05 15:08	448,544	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-11 14:36 . 2008-08-04 14:07	4,808	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-11 14:19 . 2008-07-11 14:19	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MailFrontier
2008-07-06 14:16 . 2005-10-21 03:47	30,592	---------	C:\WINDOWS\system32\drivers\rndismpx.sys
2008-07-06 14:16 . 2005-10-21 03:47	12,800	---------	C:\WINDOWS\system32\drivers\usb8023x.sys
2008-07-06 14:15 . 2008-07-06 14:16	<DIR>	d--------	C:\Programme\Microsoft ActiveSync

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 11:26	---------	d-----w	C:\Programme\TuneUp Utilities 2006
2008-08-05 09:58	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\Skype
2008-08-02 14:01	---------	d-----w	C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-08-02 13:58	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-07-25 17:01	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\codeblocks
2008-07-22 09:39	---------	d--h--w	C:\Programme\InstallShield Installation Information
2008-07-22 09:37	---------	d-----w	C:\Programme\Fahrenheit
2008-07-19 12:11	---------	d-----w	C:\Programme\blender-2.45-windows
2008-07-16 20:32	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\uTorrent
2008-07-02 15:51	---------	d-----w	C:\Programme\ICQ6
2008-07-02 15:51	---------	d-----w	C:\Dokumente und Einstellungen\****\Anwendungsdaten\ICQ
2008-06-26 19:44	48,928	----a-w	C:\WINDOWS\system32\drivers\Tetris.sys
2008-06-26 19:42	162,432	----a-w	C:\WINDOWS\system32\drivers\ithsgt.sys
2008-06-26 19:42	12,032	----a-w	C:\WINDOWS\system32\drivers\lilsgt.sys
2008-06-20 17:39	247,296	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:57	273,024	----a-w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 17:44	---------	d-----w	C:\Programme\Opera
2008-06-06 09:09	2,189,824	----a-w	C:\WINDOWS\Internet Logs\xDB2.tmp
2008-05-20 16:35	4,930,680	----a-w	C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-16 09:58	12,632	----a-w	C:\WINDOWS\system32\lsdelete.exe
2008-05-12 10:12	16,869,320	----a-w	C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_05_11_19_40_47_full.dmp.zip
2008-05-12 10:12	111,335	----a-w	C:\WINDOWS\Internet Logs\vsmon_2nd_2008_05_11_19_40_11_small.dmp.zip
2008-05-07 04:55	1,293,824	----a-w	C:\WINDOWS\system32\quartz.dll
2006-05-03 10:06	163,328	--sh--r	C:\WINDOWS\system32\flvDX.dll
2007-02-21 11:47	31,232	--sh--r	C:\WINDOWS\system32\msfDX.dll
2007-12-17 13:43	27,648	--sh--w	C:\WINDOWS\system32\Smab0.dll
2008-02-04 19:26	151,040	--sh--w	C:\WINDOWS\system32\VistaUltm.dll
.

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-01-12 13:57 25367592]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00 15360]
"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" [2008-04-01 12:40 172280]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-21 01:00 1211176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-21 20:03 7557120]
"IntelZeroConfig"="C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
"avast!"="C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe" [2008-07-19 16:38 78008]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 12:56 761947]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"lxdcamon"="C:\Programme\Lexmark 1300 Series\lxdcamon.exe" [2007-02-06 01:32 20480]
"LXDCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-23 00:05 102400]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07 827392]
"ZoneAlarm Client"="C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe" [2007-12-13 19:27 919016]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-10 14:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"NVHotkey"="nvHotkey.dll" [2006-03-21 20:03 73728 C:\WINDOWS\system32\nvhotkey.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 14:00 15360]

C:\Dokumente und Einstellungen\All Users\Startmen�\Programme\Autostart\
Bluetooth Manager.lnk - C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 17:46:00 1724416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"setapp"= {36998628-E8C1-7FD3-F0A8-0342CDFB8DCC} - C:\Programme\rlysmce\setapp.dll [2008-08-02 02:52 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Dokumente und Einstellungen\\All Users\\Anwendungsdaten\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"PhonostarTimer"=C:\Programme\phonostar\ps_timer.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"ehTray"=C:\WINDOWS\ehome\ehtray.exe
"SunJavaUpdateSched"=C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
"Norton Ghost 12.0"="C:\Programme\Norton Ghost\Agent\VProTray.exe"
"snpstd3"=C:\WINDOWS\vsnpstd3.exe
"Profiler"=C:\Programme\Saitek\Software\Profiler.exe
"SaiMfd"=C:\Programme\Saitek\Software\SaiMfd.exe
"nwiz"=nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\lxdccoms.exe"=
"C:\\Programme\\Lexmark 1300 Series\\lxdcamon.exe"=
"C:\\Programme\\Lexmark 1300 Series\\App4R.exe"=
"C:\\Programme\\uTorrent\\uTorrent.exe"=
"C:\\Programme\\ICQ6\\ICQ.exe"=
"C:\Programme\Microsoft ActiveSync\rapimgr.exe"= C:\Programme\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Programme\Microsoft ActiveSync\wcescomm.exe"= C:\Programme\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Programme\Microsoft ActiveSync\WCESMgr.exe"= C:\Programme\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Programme\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2008-06-26 21:42]
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2008-06-26 21:42]
R2 lxdc_device;lxdc_device;C:\WINDOWS\system32\lxdccoms.exe [2007-02-13 01:56]
R3 Tetris;Tetris driver;C:\WINDOWS\system32\Drivers\Tetris.sys [2008-06-26 21:44]
S3 SaiHFF0D;SaiHFF0D;C:\WINDOWS\system32\DRIVERS\SaiHFF0D.sys [2005-07-22 11:38]
S3 SaiUFF0D;SaiUFF0D;C:\WINDOWS\system32\DRIVERS\SaiUFF0D.sys [2005-07-22 11:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38083d7e-41cd-11dc-8c59-001422f8c02c}]
\Shell\AutoRun\command - F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b566ffa9-d358-11dc-8dd3-001422f8c02c}]
\Shell\AutoRun\command - G:\Autorun.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners

2008-08-01 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Programme\TuneUp Utilities 2006\SystemOptimizer.exe [2005-09-21 22:35]
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 15:08:48
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXDCCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? 

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------

Prozess: C:\WINDOWS\system32\winlogon.exe
-> C:\Programme\TuneUp Utilities 2006\WinStylerThemeHelper.dll

Prozess: C:\WINDOWS\system32\lsass.exe
-> C:\Programme\TuneUp Utilities 2006\WinStylerThemeHelper.dll

Prozess: C:\WINDOWS\system32\csrss.exe
-> C:\Programme\TuneUp Utilities 2006\WinStylerThemeHelper.dll
.
Zeit der Fertigstellung: 2008-08-05 15:09:45
ComboFix-quarantined-files.txt  2008-08-05 13:09:27
ComboFix2.txt  2008-08-05 12:50:29

Pre-Run: 2,645,921,792 Bytes frei
Post-Run: 2,633,269,248 Bytes frei

186	--- E O F ---	2008-07-09 17:46:23

Hijackthis Log

Code:

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:16:53, on 05.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\Programme\Sicherheit\AdAware2007\aawservice.exe
C:\Programme\Sicherheit\Avast 4Home\aswUpdSv.exe
C:\Programme\Sicherheit\Avast 4Home\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Programme\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\hexqnsta\nifuhchq.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\Programme\Lexmark 1300 Series\lxdcamon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programme\Opera\opera.exe
C:\DOKUME~1\****~1\LOKALE~1\Temp\Temporäres Verzeichnis 1 für HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://www.avast.com/go.php?verb=register-home&lang=ger
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Programme\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - h**p://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - h**p://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1210240211
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O21 - SSODL: setapp - {36998628-E8C1-7FD3-F0A8-0342CDFB8DCC} - C:\Programme\rlysmce\setapp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Sicherheit\AdAware2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programme\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7546 bytes

Chris4You · 05.08.2008, 14:23

Hi,

ich werde hier noch zum Elch, die Teile sind immer noch da.
Bitte unbeding die Killbox wie im vorangegangen Post beschrieben einsetzten...

chris

dntknwmyname · 05.08.2008, 14:37

so ich glaub die Killbox hats getan...
hier der HijackThis log:

Code:

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35:07, on 05.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sicherheit\AdAware2007\aawservice.exe
C:\Programme\Sicherheit\Avast 4Home\aswUpdSv.exe
C:\Programme\Sicherheit\Avast 4Home\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Programme\Norton Ghost\Agent\VProSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Programme\Sicherheit\Avast 4Home\ashMaiSv.exe
C:\Programme\Sicherheit\Avast 4Home\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lexmark 1300 Series\lxdcamon.exe
C:\WINDOWS\vsnpstd3.exe
C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOKUME~1\****~1\LOKALE~1\Temp\Temporäres Verzeichnis 1 für HiJackThis.zip\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://www.avast.com/go.php?verb=register-home&lang=ger
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Programme\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - h**p://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - h**p://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1210240211
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O21 - SSODL: setapp - {36998628-E8C1-7FD3-F0A8-0342CDFB8DCC} - C:\Programme\rlysmce\setapp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Sicherheit\AdAware2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programme\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8070 bytes

DSS log folgt...

DSS main.txt

Code:

ATTFilter

Deckard's System Scanner v20071014.68
Run by **** on 2008-08-05 15:38:13
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 2.41 GiB (less than 15%) free.


-- HijackThis (run as ****.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:39:13, on 05.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Intel\Wireless\Bin\EvtEng.exe
C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
C:\Programme\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Sicherheit\AdAware2007\aawservice.exe
C:\Programme\Sicherheit\Avast 4Home\aswUpdSv.exe
C:\Programme\Sicherheit\Avast 4Home\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Programme\Norton Ghost\Agent\VProSvc.exe
C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Programme\Sicherheit\Avast 4Home\ashMaiSv.exe
C:\Programme\Sicherheit\Avast 4Home\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe
C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe
C:\Programme\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programme\Lexmark 1300 Series\lxdcamon.exe
C:\WINDOWS\vsnpstd3.exe
C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Dokumente und Einstellungen\****\Desktop\dss.exe
C:\Programme\Opera\opera.exe
C:\DOKUME~1\****~1\Desktop\****.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = h**p://www.avast.com/go.php?verb=register-home&lang=ger
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programme\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [lxdcamon] "C:\Programme\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ICQ] "C:\PROGRA~1\ICQ6\ICQ.exe" silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - h**p://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - h**p://static.pe.studivz.net/photouploader/ImageUploader5.cab?nocache=1210240211
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O21 - SSODL: setapp - {36998628-E8C1-7FD3-F0A8-0342CDFB8DCC} - C:\Programme\rlysmce\setapp.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Sicherheit\AdAware2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Sicherheit\Avast 4Home\ashWebSv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxdc_device -   - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programme\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Programme\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Programme\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Programme\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8074 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 15:26:54         0 d-------- C:\!KillBox
2008-08-05 13:31:03     68096 --a------ C:\WINDOWS\zip.exe
2008-08-05 13:31:03     49152 --a------ C:\WINDOWS\VFind.exe
2008-08-05 13:31:03    212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-05 13:31:03    136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-05 13:31:03    161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-05 13:31:03     98816 --a------ C:\WINDOWS\sed.exe
2008-08-05 13:31:03     80412 --a------ C:\WINDOWS\grep.exe
2008-08-05 13:31:03     89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-02 12:49:10         0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-02 03:10:39         0 d-------- C:\Programme\Malwarebytes' Anti-Malware
2008-08-02 02:52:16         0 d-------- C:\Programme\rlysmce
2008-07-28 15:00:51         0 d-------- C:\Programme\Metronom
2008-07-25 18:48:40         0 d-------- C:\OgreCommandLineTools
2008-07-25 18:06:33         0 d-------- C:\test2
2008-07-25 17:57:16         0 d-------- C:\OgreSDK
2008-07-23 23:05:04         0 d-------- C:\Programme\VirtualDub
2008-07-23 23:00:59         0 d-------- C:\Programme\VLCPortable
2008-07-21 22:18:36         0 d-------- C:\mingw
2008-07-21 22:15:18         0 d-------- C:\Programme\CodeBlocks
2008-07-21 21:13:52         0 d-------- C:\Programme\Free Fire Screensaver
2008-07-14 22:06:34    103424 --a------ C:\WINDOWS\system32\nUI_nat.dll <Not Verified; *; nUI>
2008-07-11 14:36:05    507936 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-06 14:15:59         0 d-------- C:\Programme\Microsoft ActiveSync


-- Find3M Report ---------------------------------------------------------------

2008-08-05 15:32:38         0 d-------- C:\Dokumente und Einstellungen\****\Anwendungsdaten\Skype
2008-08-05 15:29:37         0 d-------- C:\Programme\TuneUp Utilities 2006
2008-08-05 15:08:12         0 d-------- C:\Programme\Gemeinsame Dateien
2008-08-04 12:12:16     35870 --a------ C:\WINDOWS\system32\nvModes.dat
2008-08-04 11:16:14      4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-08-02 16:01:41         0 d-------- C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-08-02 03:10:43         0 d-------- C:\Dokumente und Einstellungen\****\Anwendungsdaten\Malwarebytes
2008-07-25 19:01:00         0 d-------- C:\Dokumente und Einstellungen\****\Anwendungsdaten\codeblocks
2008-07-22 11:39:03         0 d--h----- C:\Programme\InstallShield Installation Information
2008-07-22 11:37:35         0 d-------- C:\Programme\Fahrenheit
2008-07-19 14:11:15         0 d-------- C:\Programme\blender-2.45-windows
2008-07-16 22:32:06         0 d-------- C:\Dokumente und Einstellungen\****\Anwendungsdaten\uTorrent
2008-07-06 14:24:00    422136 --a------ C:\WINDOWS\system32\perfh007.dat
2008-07-06 14:24:00     77256 --a------ C:\WINDOWS\system32\perfc007.dat
2008-07-06 14:17:55      2508 --a------ C:\Dokumente und Einstellungen\****\Anwendungsdaten\$_hpcst$.hpc
2008-07-02 17:51:24         0 d-------- C:\Programme\ICQ6
2008-07-02 17:51:12         0 d-------- C:\Dokumente und Einstellungen\****\Anwendungsdaten\ICQ
2008-06-13 19:44:11         0 d-------- C:\Programme\Opera
2008-05-28 20:54:21       554 --a------ C:\Dokumente und Einstellungen\****\Anwendungsdaten\TheLastRipper.xml


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [10.08.2004 14:00 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [21.03.2006 20:03]
"IntelZeroConfig"="C:\Programme\Intel\Wireless\bin\ZCfgSvc.exe" [28.12.2005 11:55]
"IntelWireless"="C:\Programme\Intel\Wireless\Bin\ifrmewrk.exe" [28.12.2005 11:56]
"avast!"="C:\PROGRA~1\SICHER~1\AVAST4~1\ashDisp.exe" [19.07.2008 16:38]
"SynTPEnh"="C:\Programme\Synaptics\SynTP\SynTPEnh.exe" [29.11.2005 12:56]
"NVHotkey"="nvHotkey.dll" [21.03.2006 20:03 C:\WINDOWS\system32\nvhotkey.dll]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09.07.2001 11:50]
"lxdcamon"="C:\Programme\Lexmark 1300 Series\lxdcamon.exe" [06.02.2007 01:32]
"LXDCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [23.01.2007 00:05]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [19.09.2006 09:07]
"ZoneAlarm Client"="C:\Programme\Sicherheit\ZoneAlarm\zlclient.exe" [13.12.2007 19:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [12.01.2007 13:57]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10.08.2004 14:00]
"ICQ"="C:\PROGRA~1\ICQ6\ICQ.exe" [01.04.2008 12:40]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [21.06.2006 01:00]

C:\Dokumente und Einstellungen\All Users\Startmen�\Programme\Autostart\
Bluetooth Manager.lnk - C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [18.11.2005 17:46:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"setapp"= {36998628-E8C1-7FD3-F0A8-0342CDFB8DCC} - C:\Programme\rlysmce\setapp.dll [02.08.2008 02:52 106496]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"PhonostarTimer"=C:\Programme\phonostar\ps_timer.exe
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Programme\Gemeinsame Dateien\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"ehTray"=C:\WINDOWS\ehome\ehtray.exe
"SunJavaUpdateSched"=C:\Programme\Java\j2re1.4.2_03\bin\jusched.exe
"Norton Ghost 12.0"="C:\Programme\Norton Ghost\Agent\VProTray.exe"
"snpstd3"=C:\WINDOWS\vsnpstd3.exe
"Profiler"=C:\Programme\Saitek\Software\Profiler.exe
"SaiMfd"=C:\Programme\Saitek\Software\SaiMfd.exe
"nwiz"=nwiz.exe /installquiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs	BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38083d7e-41cd-11dc-8c59-001422f8c02c}]
AutoRun\command- F:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b566ffa9-d358-11dc-8dd3-001422f8c02c}]
AutoRun\command- G:\Autorun.exe




-- End of Deckard's System Scanner: finished at 2008-08-05 15:39:48 ------------

die extra.txt ist leider zu groß (auch als Anhang). Falls sie sehr wichtig ist bitte nochmal Bescheid geben.

Chris4You · 05.08.2008, 18:54

Hi,

sieht gut aus, bitte nur noch Java updaten, ist total veraltet!
http://www.trojaner-board.de/105213-...tellungen.html
Dort dann diese Version:
http://www.trojaner-board.de/105213-...tellungen.html
Nach der Installation die alter Version deinstallieren (Systemsteuerung, Software)...

Was mir immer noch nicht gefällt und ich ein schlechtes Gefühl habe ist das
hier:
O21 - SSODL: setapp - {36998628-E8C1-7FD3-F0A8-0342CDFB8DCC} - C:\Programme\rlysmce\setapp.dll...

Da ich jetzt die nächsten zwei Tage unterwegs bin, werde ich versuchen einen anderen Anzusprechen der das ggf. noch mal prüft...

chris

**Sunny** · 05.08.2008, 19:34

@dntknwmyname

Versuche mal die folgende Datei auf unsere Server zu laden:

Code:

ATTFilter

C:\Programme\rlysmce\setapp.dll

Uploadchannel-TrojanerBoard

Ich melde mich dann was mit der Datei ist..

Gruß
Sunny

dntknwmyname · 06.08.2008, 10:36

Hallo,
@Sunny: erstmal danke für die Übernahme des Threads..
Die setap.dll hab ich hochgeladen.

XP Antivir 2008 eingefangen

Log-Analyse und Auswertung: XP Antivir 2008 eingefangen