hallo zusammen,
hab nen kleines problem, bekomme seit gestern auf dem desktop die nachricht, das Win32/Adware.Virtumonde und Win32/PrivacyRemover.M64 auf meinem rechner sind, kann die nachricht nicht löschen und nix, ausserdem ist der desktop weiss.

hier das HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 22:27:53, on 27.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\A4Tech\Mouse\Amoumain.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\lphcncgj0e155.exe
C:\WINDOWS\system32\mtqrqncz.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
C:\Programme\Miranda IM\miranda32.exe
C:\Dokumente und Einstellungen\xxxx\Desktop\mousometer.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Malwarebytes' Anti-Malware\mbam.exe
C:\downloads\virenschutz\HijackThis.exe
C:\WINDOWS\system32\mtqrqncz.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://htw.www.pherrex.com/pub.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=134.106.148.1:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programme\Crawler\ctbr.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programme\Crawler\ctbr.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [lphcncgj0e155] C:\WINDOWS\system32\lphcncgj0e155.exe
O4 - HKCU\..\Run: [actdb] C:\WINDOWS\system32\mtqrqncz.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DscSmartCom] C:\WINDOWS\system32\edahahix.exe
O4 - Startup: .security
O4 - Startup: Miranda IM.lnk = C:\Programme\Miranda IM\miranda32.exe
O4 - Startup: Mousometer.lnk = C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: .security
O4 - Global Startup: Arcor Wlan-Monitor 1.0.lnk = C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Winamp Search - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0AA0BE9-B014-4039-BCB5-718334205073}: NameServer = 134.106.148.205,134.106.168.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programme\Crawler\ctbr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: dbstr - {40A5A3F3-51D4-A2C2-6999-0BDD7FE78860} - C:\Programme\ghgyctc\dbstr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programme\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



und hinten dran noch das malwatebytes log:

Malwarebytes' Anti-Malware 1.25
Datenbank Version: 1087
Windows 5.1.2600 Service Pack 2

22:31:31 27.08.2008
mbam-log-08-27-2008 (22-31-31).txt

Scan-Methode: Quick-Scan
Durchsuchte Objekte: 44737
Laufzeit: 11 minute(s), 37 second(s)

Infizierte Speicherprozesse: 1
Infizierte Speichermodule: 1
Infizierte Registrierungsschlüssel: 3
Infizierte Registrierungswerte: 5
Infizierte Dateiobjekte der Registrierung: 2
Infizierte Verzeichnisse: 0
Infizierte Dateien: 6

Infizierte Speicherprozesse:
C:\WINDOWS\system32\lphcncgj0e155.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Infizierte Speichermodule:
C:\WINDOWS\system32\blphcncgj0e155.scr (Trojan.FakeAlert) -> Delete on reboot.

Infizierte Registrierungsschlüssel:
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcncgj0e155 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
C:\WINDOWS\system32\blphcncgj0e155.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcncgj0e155.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcncgj0e155.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Frank\Lokale Einstellungen\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Frank\Lokale Einstellungen\Temp\.tt9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Dokumente und Einstellungen\Frank\Lokale Einstellungen\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

vielen dank schon mal für eure mühe und hilfe,
gruss
frank

Hallo und

Acker diese Punkte für weitere Analysen ab:

1.) Poste ein Hijackthis Logfile, nimm dazu diese umbenannte hijackthis.exe (aktuelle Version!)

2.) Deaktiviere die Systemwiederherstellung, im Verlauf der Infektion wurden auch Malwaredateien in Wiederherstellungspunkten mitgesichert - die sind alle nun unbrauchbar, da ein Zurücksetzen des System durch einen Wiederherstellungspunkt das System wahrscheinlich wieder infizieren würde.

3.) Stell sicher, daß Dir auch alle Dateien angezeigt werden, danach folgende Dateien bei Virustotal.com auswerten lassen und alle Ergebnisse posten, und zwar so, daß man die der einzelnen Virenscanner sehen kann. Bitte mit Dateigrößen und Prüfsummen:

Code: Alles auswählenAufklappen

ATTFilter

C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe
C:\WINDOWS\system32\lphcncgj0e155.exe
C:\WINDOWS\system32\mtqrqncz.exe
C:\WINDOWS\system32\lphcncgj0e155.exe
C:\WINDOWS\system32\edahahix.exe
C:\Programme\ghgyctc\dbstr.dll
         

4.) Führe dieses MBR-Tool aus und poste die Ausgabe

5.) Blacklight ausführen und Logfile posten

6.) ComboFix

Ein Leitfaden und Tutorium zur Nutzung von ComboFix

• Lade dir das Tool hier herunter auf den Desktop -> KLICK

Das Programm jedoch noch nicht starten sondern zuerst folgendes tun:

• Schliesse alle Anwendungen und Programme, vor allem deine Antiviren-Software und andere Hintergrundwächter, sowie deinen Internetbrowser.
  Vermeide es auch explizit während das Combofix läuft die Maus und Tastatur zu benutzen.

• Dann folgende Anleitung durchlesen und abarbeiten -> CCleaner Systembereinigung

• Starte nun die combofix.exe von deinem Desktop aus, bestätige die Warnmeldungen und lass dein System durchsuchen.

• Im Anschluss öffnet sich automatisch eine combofix.txt, diesen Inhalt bitte abkopieren und in deinen Beitrag einfügen. Das log findest du außerdem unter: C:\ComboFix.txt.

Wichtiger Hinweis:

Combofix darf ausschließlich ausgeführt werden wenn ein Kompetenzler dies ausdrücklich empfohlen hat!
Es sollte nie auf eigene Initiative hin ausgeführt werden! Eine falsche Benutzung kann ernsthafte Computerprobleme nach sich ziehen und eine Bereinigung der Infektion noch erschweren.

Hinweis: Combofix verhindert die Autostart Funktion aller CD / DVD und USB - Laufwerken um so eine Verbeitung einzudämmen. Wenn es hierdurch zu Problemen kommt, diese im Thread posten.

Poste alle Logfiles bitte mit Codetags umschlossen (#-Button) also so:

HTML-Code:

[code] Hier das Logfile rein! [/code]

7.) Mach auch ein Filelisting mit diesem script:

• Script abspeichern per Rechtsklick, speichern unter auf dem Desktop
• Doppelklick auf listing8.cmd auf dem Desktop
• nach kurzer Zeit erscheint eine listing.txt auf dem Desktop

Diese listing.txt z.B. bei File-Upload.net hochladen und hier verlinken, da dieses Logfile zu groß fürs Board ist.

1.) hier das hijackfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:55:28, on 28.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\A4Tech\Mouse\Amoumain.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\mtqrqncz.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
C:\Programme\Miranda IM\miranda32.exe
C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\system32\retojajo.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Frank\Desktop\qlketzd.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://htw.www.pherrex.com/pub.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=134.106.148.1:3128
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programme\Crawler\ctbr.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programme\Crawler\ctbr.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [actdb] C:\WINDOWS\system32\mtqrqncz.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DscSmartCom] C:\WINDOWS\system32\edahahix.exe
O4 - HKCU\..\Run: [mondsc] C:\WINDOWS\system32\pqnolorg.exe
O4 - HKCU\..\Run: [SetCfg] C:\WINDOWS\system32\toxcvgzi.exe
O4 - HKCU\..\Run: [infowinstr] C:\WINDOWS\system32\xgjqrgtc.exe
O4 - HKLM\..\Policies\Explorer\Run: [s2jhJy1dxR] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe
O4 - Startup: .security
O4 - Startup: Miranda IM.lnk = C:\Programme\Miranda IM\miranda32.exe
O4 - Startup: Mousometer.lnk = C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: .security
O4 - Global Startup: Arcor Wlan-Monitor 1.0.lnk = C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Winamp Search - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0AA0BE9-B014-4039-BCB5-718334205073}: NameServer = 134.106.148.205,134.106.168.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programme\Crawler\ctbr.dll
O21 - SSODL: dbstr - {40A5A3F3-51D4-A2C2-6999-0BDD7FE78860} - C:\Programme\ghgyctc\dbstr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programme\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8713 bytes

2.) systemwiederherstellung ist aus

3.) Datei wtyrepkz.exe empfangen 2008.08.28 18:08:01 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 2/36 (5.56%)



Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.28 -
AntiVir 7.8.1.23 2008.08.28 -
Authentium 5.1.0.4 2008.08.28 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.28 -
BitDefender 7.2 2008.08.28 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.28 -
eSafe 7.0.17.0 2008.08.27 -
eTrust-Vet 31.6.6054 2008.08.28 -
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.28 -
F-Secure 7.60.13501.0 2008.08.28 -
Fortinet 3.14.0.0 2008.08.28 W32/PolySmall.BP!tr
GData 19 2008.08.28 -
Ikarus T3.1.1.34.0 2008.08.28 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 -
McAfee 5371 2008.08.27 -
Microsoft 1.3807 2008.08.25 Trojan:Win32/Busky.EH
NOD32v2 3396 2008.08.28 -
Norman 5.80.02 2008.08.28 -
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.28 -
Rising 20.59.31.00 2008.08.28 -
Sophos 4.33.0 2008.08.28 -
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.28 -
VBA32 3.12.8.4 2008.08.28 -
ViRobot 2008.8.28.1353 2008.08.28 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.28 -
weitere Informationen
File size: 61440 bytes
MD5...: 2c41c4b2fa88e4845987b7ee50630c64
SHA1..: 96c2a0364d8bc68befad3823475cee36d3af3c53
SHA256: ef3f64a7068d2afe70332db5cca14ea3b757c195229214571d9f917eedbd4998
SHA512: 710ea9263c21e1643b2b016b249e89d82865f571ccfa7a8bec1d0fd87f92ba28
8cfb9cdbc0484c5274b5921c52da8e921c3db84c58011a522f8393b6c7e6d3f3
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40114b
timedatestamp.....: 0x48ae906f (Fri Aug 22 10:09:51 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb778 0xc000 6.66 a3eff97bd4c92cb152ef0fcf8e035bb5
.rdata 0xd000 0x60a 0x1000 2.42 1a1e3ec6a625ac52c21b6ba603e5272c
.data 0xe000 0x3e4 0x1000 0.21 b377bba690485b15bfb8a5e040caedc3

( 4 imports )
> KERNEL32.dll: LoadLibraryA, FindResourceW, GlobalAlloc, LoadResource, SetThreadPriority, CreateWaitableTimerW, GetLogicalDrives, GetCurrentThread, SuspendThread, DeleteFileW, FindFirstFileW, InterlockedIncrement, MoveFileW, GetFileAttributesW, SizeofResource, MulDiv, GetModuleFileNameW, WritePrivateProfileStringW, FileTimeToSystemTime, GetCurrentProcess, GetProcAddress
> USER32.dll: LoadStringW, GetCursorPos, GetSysColor, SetDlgItemTextW, SetForegroundWindow, EnableWindow, GetWindowRect, ReleaseDC, UpdateWindow, DispatchMessageW, GetMessageW, SetCursor, IsWindow, TranslateMessage, SetLayeredWindowAttributes, RegisterHotKey, SendMessageW, PostQuitMessage
> GDI32.dll: CreatePen, GetObjectW, SetBkColor, GetMapMode, BitBlt, CreateRoundRectRgn, CreateDCW, CreateFontIndirectW
> ADVAPI32.dll: RegQueryValueExW, LookupAccountSidW, RegSetValueExW, RegCreateKeyExW, InitializeSecurityDescriptor, RegCloseKey

( 0 exports )




Datei lphcncgj0e155.exe empfangen 2008.08.28 18:12:55 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 10/36 (27.78%)


Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.28 -
AntiVir 7.8.1.23 2008.08.28 -
Authentium 5.1.0.4 2008.08.28 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.28 Downloader.FraudLoad.N
BitDefender 7.2 2008.08.28 -
CAT-QuickHeal 9.50 2008.08.26 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.28 Trojan.Packed.619
eSafe 7.0.17.0 2008.08.27 Suspicious File
eTrust-Vet 31.6.6054 2008.08.28 Win32/BugnrawCryptorB!generic
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.28 -
F-Secure 7.60.13501.0 2008.08.28 -
Fortinet 3.14.0.0 2008.08.28 -
GData 19 2008.08.28 -
Ikarus T3.1.1.34.0 2008.08.28 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 -
McAfee 5371 2008.08.27 Downloader-ASH.gen.b
Microsoft 1.3807 2008.08.25 -
NOD32v2 3396 2008.08.28 a variant of Win32/Kryptik.E
Norman 5.80.02 2008.08.28 W32/Tibs.gen225
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.28 Malicious Software
Rising 20.59.31.00 2008.08.28 -
Sophos 4.33.0 2008.08.28 Mal/EncPk-EU
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.28 -
VBA32 3.12.8.4 2008.08.28 -
ViRobot 2008.8.28.1353 2008.08.28 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.28 -
weitere Informationen
File size: 203776 bytes
MD5...: 03092083082983d49d9762aa53eefa7d
SHA1..: 648d48ee066ea7c69bbe3faeb3c2608b25f7ab21
SHA256: baba4e8c4fb2d0bda562ca3bcadbea2d75a3bd2ffce9a6286aae14f99765c113
SHA512: 27366a530a0b3a9dde22432c33268d39592ee0f550932c796b9f602133fef703
a891ac90c3041d0cd84328d4eb4ff8af5dc368a505c0d090d910f5b109a3b7c3
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404118
timedatestamp.....: 0x48a5befd (Fri Aug 15 17:38:05 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xef3e 0x9800 7.99 8c2b97206f9fb076cc35f41ba98edc1e
.rdata 0x10000 0x3d47 0x1a00 7.98 41a025ebdc58a79cc3a3038f62be18fc
.data 0x14000 0xb69f2 0x23600 8.00 ff73e5f5eac06974f257113f0212da61
.rsrc 0xcb000 0xf000 0x3000 6.62 88f9b9e77403d6902430290a51088d5a

( 4 imports )
> wsock32.dll: bind, WSAStartup, listen
> kernel32.dll: CreatePipe, TerminateProcess, VirtualProtect
> gdi32.dll: SetRelAbs, StretchBlt, SetICMMode, ResetDCW, UpdateColors, SaveDC, TextOutW, SetDIBColorTable
> shell32.dll: SHAppBarMessage, StrRChrIA, StrStrIA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=9480E766003456281CD803E2EED45A009E68E9DC


Datei mtqrqncz.exe empfangen 2008.08.28 18:15:10 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 4/34 (11.77%)


Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.28 -
AntiVir 7.8.1.23 2008.08.28 -
Authentium 5.1.0.4 2008.08.28 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.28 -
BitDefender 7.2 2008.08.28 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.28 -
eSafe 7.0.17.0 2008.08.27 -
eTrust-Vet 31.6.6054 2008.08.28 -
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.28 -
Fortinet 3.14.0.0 2008.08.28 W32/PolySmall.BP!tr
GData 19 2008.08.28 -
Ikarus T3.1.1.34.0 2008.08.28 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 -
McAfee 5371 2008.08.27 -
Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/FakeAlert.C
NOD32v2 3396 2008.08.28 -
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.28 -
Rising 20.59.31.00 2008.08.28 -
Sophos 4.33.0 2008.08.28 Mal/EncPk-DG
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 Packed.Generic.182
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.28 -
VBA32 3.12.8.4 2008.08.28 -
ViRobot 2008.8.28.1353 2008.08.28 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.28 -
weitere Informationen
File size: 77824 bytes
MD5...: d627f30fb31d49a5405fca70a8f90b03
SHA1..: 2f70a062b6d26b927f1c90aefac88ea4b0e8d01a
SHA256: 0a75de40efc5ae08c046443d5198bbc51e73f3d3270a4766c8216743eb333c0f
SHA512: 9fe8844001ab6eb6c8e6005522be605a7e3800cd32c61561fb3d8544ee2590ab
8a0435c1899ed3b3568429c3e5d4c20af9e92d4bd5b9d89b307a6d192c40f7f6
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x401cd1
timedatestamp.....: 0x48ae808d (Fri Aug 22 09:02:05 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.qnud 0x1000 0xf774 0x10000 6.71 6a8e6016017a8d8e8a53ebbcfb91b065
.pvrqyc 0x11000 0x7a0 0x1000 3.15 8befbd001d991f1d817d920a348fdf6e
.rlzkl 0x12000 0x59e4 0x1000 0.65 c4cc802085412877e3fcb4ec1d5bbaca

( 4 imports )
> KERNEL32.dll: FindClose, SetThreadPriority, GlobalAddAtomW, CreateProcessW, SetEvent, GetSystemTime, GetCurrentThreadId, GetProcAddress, FreeResource, GetModuleFileNameW, FindResourceW, VirtualFree, TerminateThread, GlobalLock, CreateThread, GetTickCount, GetFileAttributesExW, FindFirstFileW, DeleteFileW, SizeofResource, GetPrivateProfileStringW, GlobalFree, ReadFile, GlobalDeleteAtom, MultiByteToWideChar, LoadLibraryA, LoadResource, GetVersion, FileTimeToSystemTime
> USER32.dll: SetLayeredWindowAttributes, PostQuitMessage, TranslateMessage, SetCursor, SetDlgItemTextW, GetParent, GetWindowThreadProcessId, RegisterWindowMessageW, IsDlgButtonChecked, SendMessageW, GetSysColor, SetWindowPos, LoadCursorW, LoadBitmapW, RegisterClassExW, GetMessageW, FillRect, SystemParametersInfoW, DrawTextW, EnableWindow, LoadStringW, GetDlgItem
> GDI32.dll: BitBlt, CreateICW, StretchBlt, CreateFontIndirectW, CreateCompatibleDC, SetTextColor, GetObjectW, GetStockObject, CreateSolidBrush, LineTo, SetMapMode, GetMapMode, SetBkColor, SelectObject
> ADVAPI32.dll: GetUserNameW, RegNotifyChangeKeyValue, LookupPrivilegeValueW, RegCloseKey, LookupAccountSidW

( 0 exports )



Datei edahahix.exe empfangen 2008.08.28 18:19:12 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 4/36 (11.12%)


Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.28 -
AntiVir 7.8.1.23 2008.08.28 -
Authentium 5.1.0.4 2008.08.28 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.28 -
BitDefender 7.2 2008.08.28 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.28 -
eSafe 7.0.17.0 2008.08.27 -
eTrust-Vet 31.6.6054 2008.08.28 -
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.28 -
F-Secure 7.60.13501.0 2008.08.28 -
Fortinet 3.14.0.0 2008.08.28 W32/PolySmall.BP!tr
GData 19 2008.08.28 -
Ikarus T3.1.1.34.0 2008.08.28 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 -
McAfee 5371 2008.08.27 -
Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/FakeAlert.C
NOD32v2 3396 2008.08.28 -
Norman 5.80.02 2008.08.28 -
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.28 Suspicious
Rising 20.59.31.00 2008.08.28 -
Sophos 4.33.0 2008.08.28 Mal/EncPk-DG
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.28 -
VBA32 3.12.8.4 2008.08.28 -
ViRobot 2008.8.28.1353 2008.08.28 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.28 -
weitere Informationen
File size: 90112 bytes
MD5...: bdfaf529506950fd777917223a5f92f7
SHA1..: 6c445fb8048d372534a4148490dcbbb3c7028afb
SHA256: 3a64935f9fbba66ae6778b18810a2b5a13ab4d240b24be8ec8aff0a7ff594e90
SHA512: 69b93e7ed801f3008364c0b7871c443fb1d6bef98064bb07ef004f3ab9dc33a3
118ea0ffd980e1f4569f2f987df858dbf5a7f0487c8e175aa41f5a6fb6871f46
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x403a91
timedatestamp.....: 0x48b2bb5e (Mon Aug 25 14:02:06 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.vhaztq 0x1000 0x12c4c 0x13000 6.85 84f1c493474eb320988274f81ab65411
.ajgfb 0x14000 0x67e 0x1000 2.72 97d6113c1b32686f25280d96cfbc9709
.viebqq 0x15000 0x5a44 0x1000 0.62 cd3d3c21f0dca890e7c180de41673b99

( 4 imports )
> KERNEL32.dll: VirtualFree, SetWaitableTimer, GetCurrentThreadId, GetDriveTypeW, GetLastError, LockResource, WaitForSingleObject, GlobalDeleteAtom, MoveFileW, GetCurrentProcess, ResumeThread, MulDiv, WaitForMultipleObjects, ResetEvent, GetUserDefaultLangID, lstrlenW, GetFileSize, SetCurrentDirectoryW, FindResourceW, WritePrivateProfileStringW, LoadLibraryA, GlobalAlloc, GetLocalTime, GetProcAddress, GlobalFree
> USER32.dll: DispatchMessageW, MessageBoxW, SendDlgItemMessageW, GetMessageW, SystemParametersInfoW, IsDlgButtonChecked, WindowFromPoint, OffsetRect, VkKeyScanW, GetSysColor, SendMessageW, PostMessageW, TrackPopupMenu, FillRect, GetWindowRect, SetDlgItemTextW, DestroyMenu, DestroyIcon, CreatePopupMenu, wsprintfW, LoadIconW, GetKeyState, SetCursor, CreateWindowExW, SetCursorPos, AppendMenuW
> GDI32.dll: SetBkMode, DeleteDC, GetObjectW, GetStockObject, GetClipBox, CreateICW, CreatePen
> ADVAPI32.dll: InitializeSecurityDescriptor, GetUserNameW

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=2AE3FCA700897BA7604F01292BD53600520528FF

Datei dbstr.dll empfangen 2008.08.28 18:21:32 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 1/36 (2.78%)


Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.28 -
AntiVir 7.8.1.23 2008.08.28 -
Authentium 5.1.0.4 2008.08.28 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.28 -
BitDefender 7.2 2008.08.28 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.28 -
DrWeb 4.44.0.09170 2008.08.28 -
eSafe 7.0.17.0 2008.08.27 -
eTrust-Vet 31.6.6054 2008.08.28 -
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.28 -
F-Secure 7.60.13501.0 2008.08.28 -
Fortinet 3.14.0.0 2008.08.28 -
GData 19 2008.08.28 -
Ikarus T3.1.1.34.0 2008.08.28 -
K7AntiVirus 7.10.428 2008.08.25 -
Kaspersky 7.0.0.125 2008.08.28 -
McAfee 5371 2008.08.27 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3396 2008.08.28 -
Norman 5.80.02 2008.08.28 -
Panda 9.0.0.4 2008.08.27 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.28 -
Rising 20.59.31.00 2008.08.28 -
Sophos 4.33.0 2008.08.28 Mal/EncPk-DG
Sunbelt 3.1.1582.1 2008.08.26 -
Symantec 10 2008.08.28 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.28 -
VBA32 3.12.8.4 2008.08.28 -
ViRobot 2008.8.28.1353 2008.08.28 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.28 -
weitere Informationen
File size: 114688 bytes
MD5...: 3eaa8a327acc1e5fe4a67b66382f6ea0
SHA1..: 70718e6e61248881416cb7f619e5db396837c9e3
SHA256: d74721eaa90ca4f31fc272f3a1a7219d8c813b31e85ca7bae650e646d0d4cc1f
SHA512: cfafac4967b84df4ec2b4e0735546cc8ac309c351f488d82bafa674ee9af7972
66731ab4fae24eb1b405c584f862b0e8bf84645ee55822805860a34e86ffebca
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10006f57
timedatestamp.....: 0x48b2bb70 (Mon Aug 25 14:02:24 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.dilnho 0x1000 0x16d54 0x17000 6.84 78271f903fd03f0794c0da025eacdf9b
.kycauh 0x18000 0x802 0x1000 3.26 7b8fa1007d9fa74fe40c1faf4ed5982e
.grrgu 0x19000 0x1fc4 0x1000 0.57 03142cd0ef5eb8e8921734fc5e2f7d55
.reloc 0x1b000 0x196a 0x2000 6.02 ba874b3d7fd00ee1a810fd158b8dc3d0

( 4 imports )
> KERNEL32.dll: SetThreadPriority, GetLogicalDrives, DuplicateHandle, LockResource, GetCurrentProcessId, CloseHandle, DeleteFileW, GlobalAddAtomW, ReadProcessMemory, GetSystemTime, GetVersion, GlobalDeleteAtom, SetLastError, LoadLibraryA, lstrcpyW, GlobalFree, WritePrivateProfileStringW, GetFileSize, InterlockedDecrement, MoveFileW, GetModuleHandleW, ReadFile, GetLastError, GetDriveTypeW, Sleep, QueryDosDeviceW, GetProcAddress, CreateProcessW, FreeResource, SizeofResource, LoadResource
> USER32.dll: TrackPopupMenu, GetKeyState, GetClassNameW, SendDlgItemMessageW, SetCursor, GetParent, LoadIconW, RegisterClassExW, OffsetRect, WindowFromPoint, SystemParametersInfoW, MessageBoxW, FillRect, IsWindow, SetCapture, GetWindowTextW, RegisterWindowMessageW, SetCursorPos, LoadCursorW, GetWindowDC, GetSysColor, SetForegroundWindow, DestroyMenu
> GDI32.dll: Rectangle, SetMapMode, GetStockObject, LineTo, SetBkMode, CreatePen, DeleteObject, SetBkColor, CreateICW, SetTextColor, DeleteDC
> ADVAPI32.dll: StartServiceW, LookupAccountSidW, RegCloseKey, InitializeSecurityDescriptor, RegCreateKeyExW

( 4 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer


4.)Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


5.) blacklight ausgeführt aber keine funde und auch kein log

Nachschlag.

Code: Alles auswählenAufklappen

ATTFilter

C:\WINDOWS\system32\retojajo.exe
C:\WINDOWS\system32\pqnolorg.exe
C:\WINDOWS\system32\toxcvgzi.exe
C:\WINDOWS\system32\xgjqrgtc.exe
         

Die bitte auch bei Virustotal auswerten. Die wurden erst durch das neue Logfile von HijackThis aufgedeckt.

6.)

Code: Alles auswählenAufklappen

ATTFilter

ComboFix 08-08-27.06 - Frank 2008-08-28 19:22:03.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1031.18.598 [GMT 2:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Frank\Desktop\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt

Achtung - Auf diesem PC ist keine Wiederherstellungskonsole installiert !!
.

((((((((((((((((((((((((((((((((((((   Weitere L”schungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Dokumente und Einstellungen\All Users\Desktop\Antivirus XP 2008.lnk
C:\Dokumente und Einstellungen\All Users\Dokumente\_desktop.ini
C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Bilder\_desktop.ini
C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Bilder\Beispielbilder\_desktop.ini
C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Musik\_desktop.ini
C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Musik\Beispielmusik\_desktop.ini
C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Musik\My Playlists\_desktop.ini
C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Musik\Sample Playlists\_desktop.ini
C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Musik\Sample Playlists\000E4BBA\_desktop.ini
C:\Dokumente und Einstellungen\All Users\Dokumente\Eigene Videos\_desktop.ini
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\License Agreement.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Antivirus XP 2008\Uninstall.lnk
C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\rhcjcgj0e155
C:\Programme\rhcjcgj0e155
C:\Programme\UUSee
C:\Programme\uusee\AD\1\000\index_new.html
C:\Programme\uusee\AD\1\000\uue_new.jpg
C:\Programme\uusee\AD\1\001\index_new.html
C:\Programme\uusee\AD\1\001\uue_new.jpg
C:\Programme\uusee\AD\1\cy\cy.html
C:\Programme\uusee\AD\1\dm\dm.html
C:\Programme\uusee\AD\1\dst\dst.html
C:\Programme\uusee\AD\1\ty\ty.html
C:\Programme\uusee\AD\1\uu\uu.html
C:\Programme\uusee\AD\2\100\index.html
C:\Programme\uusee\AD\2\200\index.html
C:\Programme\uusee\AD\2\300\index.html
C:\WINDOWS\system32\blphcncgj0e155.scr
C:\WINDOWS\system32\lphcncgj0e155.exe
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\phcncgj0e155.bmp
C:\WINDOWS\system32\pphcncgj0e155.exe
C:\WINDOWS\system32\vsdatant.sys

.
(((((((((((((((((((((((((((((((((((((((   Treiber/Dienste   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VSDATANT
-------\Service_vsdatant


(((((((((((((((((((((((   Dateien erstellt von 2008-07-28 bis 2008-08-28  ))))))))))))))))))))))))))))))
.

2008-09-10 10:05 . 2008-09-10 10:05	<DIR>	d--------	C:\Programme\Winamp Toolbar
2008-08-28 19:13 . 2008-08-28 19:13	106,496	--a------	C:\WINDOWS\system32\4F.tmp
2008-08-28 18:42 . 2008-08-28 18:42	<DIR>	d--------	C:\Programme\CCleaner
2008-08-28 16:14 . 2008-08-28 16:14	94,208	--a------	C:\WINDOWS\system32\xgjqrgtc.exe
2008-08-28 16:14 . 2008-08-28 19:34	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-08-28 16:14 . 2008-08-28 16:14	1,409	--a------	C:\WINDOWS\QTFont.for
2008-08-28 09:53 . 2008-08-28 09:53	203,776	--a------	C:\WINDOWS\system32\zstcjqzg.exe
2008-08-28 09:53 . 2008-08-28 09:53	98,304	--a------	C:\WINDOWS\system32\toxcvgzi.exe
2008-08-28 09:08 . 2008-08-28 09:08	98,304	--a------	C:\WINDOWS\system32\pqnolorg.exe
2008-08-27 16:59 . 2008-08-27 16:59	<DIR>	d--------	C:\Dokumente und Einstellungen\LocalService\Eigene Dateien
2008-08-25 18:43 . 2008-08-25 18:43	<DIR>	d--------	C:\Programme\ghgyctc
2008-08-25 18:42 . 2008-08-25 18:42	90,112	--a------	C:\WINDOWS\system32\edahahix.exe
2008-08-25 15:52 . 2008-08-25 15:52	<DIR>	d--------	C:\Programme\Malwarebytes' Anti-Malware
2008-08-25 15:52 . 2008-08-25 15:52	<DIR>	d--------	C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Malwarebytes
2008-08-25 15:52 . 2008-08-25 15:52	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Malwarebytes
2008-08-25 15:52 . 2008-08-17 15:01	38,472	--a------	C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-25 15:52 . 2008-08-17 15:01	17,144	--a------	C:\WINDOWS\system32\drivers\mbam.sys
2008-08-25 15:30 . 2008-08-25 15:30	<DIR>	dr-------	C:\Dokumente und Einstellungen\Administrator\Eigene Dateien
2008-08-25 11:20 . 2008-08-28 19:15	<DIR>	d--------	C:\Programme\Crawler
2008-08-24 21:47 . 2008-08-28 19:36	1,218,592	--ahs----	C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-24 21:47 . 2008-08-28 19:27	16,376	--ahs----	C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-24 21:40 . 2008-08-28 19:36	<DIR>	d--------	C:\Programme\WinClamAVShield
2008-08-24 20:45 . 2008-08-24 20:45	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\MailFrontier
2008-08-24 20:45 . 2008-08-24 21:02	4,212	---h-----	C:\WINDOWS\system32\zllictbl.dat
2008-08-24 20:44 . 2008-07-09 09:05	54,672	--a------	C:\WINDOWS\system32\vsutil_loc0407.dll
2008-08-24 20:44 . 2008-07-09 09:05	42,384	--a------	C:\WINDOWS\zllsputility_loc0407.dll
2008-08-24 20:44 . 2008-07-09 09:05	21,904	--a------	C:\WINDOWS\system32\imsinstall_loc0407.dll
2008-08-24 20:44 . 2008-07-09 09:05	17,808	--a------	C:\WINDOWS\system32\imslsp_install_loc0407.dll
2008-08-24 20:43 . 2008-07-09 09:05	75,248	--a------	C:\WINDOWS\zllsputility.exe
2008-08-24 20:43 . 2004-04-27 04:40	11,264	--a------	C:\WINDOWS\system32\SpOrder.dll
2008-08-24 20:39 . 2008-08-24 20:44	<DIR>	d--------	C:\WINDOWS\system32\ZoneLabs
2008-08-24 20:39 . 2008-08-24 20:39	<DIR>	d--------	C:\Programme\Zone Labs
2008-08-24 20:39 . 2008-07-09 09:05	1,086,952	--a------	C:\WINDOWS\system32\zpeng24.dll
2008-08-24 20:39 . 2008-08-28 16:13	358,382	--a------	C:\WINDOWS\system32\vsconfig.xml
2008-08-24 20:36 . 2008-08-28 19:06	<DIR>	d--------	C:\WINDOWS\Internet Logs
2008-08-24 20:12 . 2008-08-24 20:19	<DIR>	d--------	C:\Programme\Spybot - Search & Destroy
2008-08-24 20:12 . 2008-08-28 19:06	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2008-08-24 19:58 . 2008-08-24 19:58	<DIR>	d--------	C:\Programme\Lavasoft
2008-08-24 19:58 . 2008-08-24 20:01	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Lavasoft
2008-08-24 19:45 . 2008-08-25 13:00	<DIR>	d--------	C:\Programme\Spyware Terminator
2008-08-24 19:45 . 2008-08-28 13:05	<DIR>	d--------	C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Spyware Terminator
2008-08-24 19:45 . 2008-08-28 09:19	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Spyware Terminator
2008-08-24 19:45 . 2008-08-24 19:45	141,312	--a------	C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-08-22 12:59 . 2008-08-22 12:59	<DIR>	d--------	C:\Programme\vgmwddf
2008-08-22 12:59 . 2008-08-22 12:59	<DIR>	d--------	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep
2008-08-22 12:59 . 2008-08-22 12:59	77,824	--a------	C:\WINDOWS\system32\mtqrqncz.exe

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-13 17:17	---------	d-----w	C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\dvdcss
2008-09-11 08:55	---------	d-----w	C:\Programme\PokerOffice
2008-09-10 08:09	---------	d-----w	C:\Programme\Winamp Remote
2008-09-10 08:09	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\OrbNetworks
2008-09-10 08:06	---------	d-----w	C:\Programme\Winamp
2008-09-04 14:21	---------	d-----w	C:\Programme\PartyGaming
2008-08-28 15:15	---------	d-----w	C:\Programme\Mozilla Thunderbird
2008-08-28 09:35	---------	d-----w	C:\Programme\PokerStars
2008-08-27 19:42	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Google Updater
2008-08-25 09:45	---------	d-----w	C:\Programme\Google
2008-08-25 09:43	---------	d-----w	C:\Programme\Gamers.IRC
2008-08-25 09:42	---------	d-----w	C:\Programme\mIRC
2008-08-24 17:56	---------	d-----w	C:\Programme\Gemeinsame Dateien\Wise Installation Wizard
2008-08-24 17:41	---------	d-----w	C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Lavasoft
2008-07-20 16:18	---------	d-----w	C:\Programme\Java
2008-07-20 12:02	---------	d-----w	C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar
2008-07-20 12:00	---------	d-----w	C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Winamp
2008-07-18 20:10	94,920	----a-w	C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10	53,448	----a-w	C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10	45,768	----a-w	C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10	36,552	----a-w	C:\WINDOWS\system32\wups.dll
2008-07-18 20:09	563,912	----a-w	C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09	325,832	----a-w	C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09	205,000	----a-w	C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09	1,811,656	----a-w	C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:30	253,952	----a-w	C:\WINDOWS\system32\es.dll
2008-06-24 16:22	74,240	----a-w	C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38	665,088	----a-w	C:\WINDOWS\system32\wininet.dll
2008-06-20 17:39	247,296	----a-w	C:\WINDOWS\system32\mswsock.dll
2006-05-06 16:42	7,260,160	----a-w	C:\Programme\mozilla firefox\plugins\libvlc.dll
.

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"actdb"="C:\WINDOWS\system32\mtqrqncz.exe" [2008-08-22 12:59 77824]
"SpybotSD TeaTimer"="C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 18:41 1832272]
"DscSmartCom"="C:\WINDOWS\system32\edahahix.exe" [2008-08-25 18:42 90112]
"mondsc"="C:\WINDOWS\system32\pqnolorg.exe" [2008-08-28 09:08 98304]
"SetCfg"="C:\WINDOWS\system32\toxcvgzi.exe" [2008-08-28 09:53 98304]
"infowinstr"="C:\WINDOWS\system32\xgjqrgtc.exe" [2008-08-28 16:14 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-01-19 21:40 339968]
"WheelMouse"="C:\Programme\A4Tech\Mouse\Amoumain.exe" [2007-02-10 23:33 188416]
"SunJavaUpdateSched"="C:\Programme\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"avgnt"="C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-16 13:05 262401]
"QuickTime Task"="C:\Programme\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Programme\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"WinampAgent"="C:\Programme\Winamp\winampa.exe" [2008-08-04 01:02 36352]
"SpywareTerminator"="C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe" [2008-08-24 19:45 1783808]
"ZoneAlarm Client"="C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"nwiz"="nwiz.exe" [2003-07-28 15:19 323584 C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"s2jhJy1dxR"="C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe" [2008-08-22 12:59 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"dbstr"= {40A5A3F3-51D4-A2C2-6999-0BDD7FE78860} - C:\Programme\ghgyctc\dbstr.dll [2008-08-25 18:43 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"vidc.VSSH"= vssh264.dll
"vidc.VSPX"= vspxvfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programme\\Miranda IM\\miranda32.exe"=
"C:\\Programme\\mIRC\\mirc.exe"=
"C:\\Programme\\InterVideo\\DVD7\\WinDVD.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Programme\\PokerOffice\\bin\\javaw.exe"=
"C:\\Programme\\MySQL\\MySQL Server 4.1\\bin\\mysqld.exe"=
"C:\\Programme\\Mozilla Firefox\\firefox.exe"=
"C:\\Programme\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"C:\\Programme\\myTunes Redux\\mDNSResponder.exe"=
"C:\\Spiele\\Anno1701\\Anno1701.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Programme\\uTorrent\\uTorrent.exe"=
"C:\\Programme\\Gamers.IRC\\mirc.exe"=
"D:\\Spiele\\CIV4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"D:\\Spiele\\CIV4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Programme\\FileZilla\\FileZilla.exe"=
"C:\\Programme\\iTunes\\iTunes.exe"=
"C:\\Programme\\Skype\\Phone\\Skype.exe"=
"C:\\Programme\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Programme\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Programme\\Winamp Remote\\bin\\OrbStreamerClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5062:TCP"= 5062:TCP:ppLive
"6423:UDP"= 6423:UDP:ppLive

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 18:49]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-10-15 15:43]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-08-24 19:45]
R2 AWISp50;AWISp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\AWISp50.sys [2006-03-15 10:35]
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2005-10-06 16:35]
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2005-10-06 16:35]
R2 nhksrv;Netropa NHK Server;C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 14:41]
R2 NokiaSuite3;NokiaSuite3;C:\WINDOWS\system32\drivers\NokiaSuite3.sys [1998-09-12 09:59]
R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [2007-02-10 02:04]
R3 Tetris;Tetris driver;C:\WINDOWS\system32\Drivers\Tetris.sys [2005-10-06 16:38]
S3 TUSB1150;devolo WLAN USB Stick;C:\WINDOWS\system32\DRIVERS\tusb1150.sys [2006-06-26 18:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b1c2eb90-d838-11d9-9de2-806d6172696f}]
\Shell\AutoRun\command - F:\autorun.exe
.
Inhalt des "geplante Tasks" Ordners

2008-08-22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Programme\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-09-08 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
- C:\Programme\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-01-03 00:59]

2007-12-30 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
- C:\Programme\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-01-03 00:59]
.
- - - - Entfernte verwaiste Registrierungseintr„ge - - - -

HKLM-Run-SMrhcjcgj0e155 - C:\Programme\rhcjcgj0e155\rhcjcgj0e155.exe
HKLM-Run-Anti-Blaxx Manager - (no file)
Notify-WgaLogon - (no file)


.
------- Zus„tzlicher Scan -------
.
FireFox -: Profile - C:\Dokumente und Einstellungen\Frank\Anwendungsdaten\Mozilla\Firefox\Profiles\misl0xrx.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.de/
FF -: plugin - C:\Programme\Google\Google Updater\2.2.1229.1533\npCIDetect11.dll
FF -: plugin - C:\Programme\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 19:30:02
Windows 5.1.2600 Service Pack 2 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Eintr„ge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
------------------------ Weitere, laufende Prozesse ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
C:\Programme\Miranda IM\miranda32.exe
C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2008-08-28 19:46:35 - PC wurde neu gestartet
ComboFix-quarantined-files.txt  2008-08-28 17:46:20

Pre-Run: 2,292,191,232 Bytes frei
Post-Run: 2,367,598,592 Bytes frei

268	--- E O F ---	2008-09-13 10:04:06
         

jetzt muss ich mal eben weg, nachschlag und der rest wird morgen früh oder später erledigt, aber erstmal schon vielen dank für deine mühe!

sooo...kommen wir zum rest

nachschlag.)

C:\WINDOWS\system32\retojajo.exe - nicht mehr aufem rechenr gefunden!


Datei pqnolorg.exe empfangen 2008.08.29 11:19:06 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 3/36 (8.34%)


Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.29 -
Authentium 5.1.0.4 2008.08.29 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.29 -
BitDefender 7.2 2008.08.29 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.29 -
DrWeb 4.44.0.09170 2008.08.29 -
eSafe 7.0.17.0 2008.08.28 -
eTrust-Vet 31.6.6055 2008.08.29 -
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.29 -
F-Secure 7.60.13501.0 2008.08.29 -
Fortinet 3.14.0.0 2008.08.29 W32/PolySmall.BP!tr
GData 19 2008.08.29 -
Ikarus T3.1.1.34.0 2008.08.29 -
K7AntiVirus 7.10.431 2008.08.29 -
Kaspersky 7.0.0.125 2008.08.29 -
McAfee 5372 2008.08.28 -
Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/FakeAlert.C
NOD32v2 3397 2008.08.28 -
Norman 5.80.02 2008.08.28 -
Panda 9.0.0.4 2008.08.29 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.29 -
Rising 20.59.41.00 2008.08.29 -
Sophos 4.33.0 2008.08.29 Mal/EncPk-DG
Sunbelt 3.1.1592.1 2008.08.29 -
Symantec 10 2008.08.29 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.29 -
VBA32 3.12.8.4 2008.08.29 -
ViRobot 2008.8.29.1355 2008.08.29 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.29 -
weitere Informationen
File size: 98304 bytes
MD5...: ee77874cbb34d165127e2aa161778b7b
SHA1..: cc0a138335844142b85bb8c93c7180c3e835d063
SHA256: d342875a0640d76d4cfc57ac6e2b0d0f7d82ec3a2babf2cee64721a3bb1be4b3
SHA512: e66df658b2a31dab79089ad06f9dc645013946a92b391fe919b262637ddddc7e
8782b162541b75eda1096e0002d785bb5db6cf32ad59b40e08bd53433f2eac83
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404a3b
timedatestamp.....: 0x48b63155 (Thu Aug 28 05:02:13 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.fldi 0x1000 0x14a92 0x15000 6.85 7c3f73e38f84ec43da7e48e12c1ee1e1
.vefh 0x16000 0x6cc 0x1000 2.82 5a5cda55eb1a110aab00b16427c8af0f
.jchf 0x17000 0x59f4 0x1000 0.55 6ddb3dfa7e3b38c8ee97c031149034e8

( 4 imports )
> KERNEL32.dll: GetCurrentProcess, WideCharToMultiByte, MoveFileW, FindFirstChangeNotificationW, GlobalUnlock, GlobalDeleteAtom, SetLastError, GetUserDefaultLangID, GetModuleFileNameW, GetLastError, GetModuleHandleW, LoadLibraryA, SetThreadPriority, CreateEventW, FindNextChangeNotification, FindNextFileW, GetSystemTime, SetFilePointer, WriteFile, FreeLibrary, GlobalAlloc, FileTimeToSystemTime, GetLocalTime, GetProcAddress, VirtualFree, CreateFileW, GetTickCount, WaitForSingleObject, CloseHandle
> USER32.dll: CreatePopupMenu, wsprintfW, RedrawWindow, ReleaseCapture, SetLayeredWindowAttributes, SendDlgItemMessageW, SetCursor, TrackPopupMenu, OffsetRect, GetWindowRect, SystemParametersInfoW, ReleaseDC, EnableWindow, PostThreadMessageW, VkKeyScanW, RegisterHotKey, LoadImageW, GetClassNameW, DialogBoxParamW, DefWindowProcW, GetParent, EndDialog
> GDI32.dll: SetTextColor, SelectObject, GetClipBox, GetObjectW, DeleteObject, CreateDCW, Rectangle, CreateBitmap, SetDIBits
> ADVAPI32.dll: RegSetValueExW, RegCloseKey

( 0 exports )


bei C:\WINDOWS\system32\toxcvgzi.exe kommt, dass die datei bereits geprüft wurde und dieser bericht:

Datei pqnolorg.exe empfangen 2008.08.29 11:19:06 (CET)
Status: Beendet
Ergebnis: 3/36 (8.33%)
Filter Filter

Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.29 -
Authentium 5.1.0.4 2008.08.29 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.29 -
BitDefender 7.2 2008.08.29 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.29 -
DrWeb 4.44.0.09170 2008.08.29 -
eSafe 7.0.17.0 2008.08.28 -
eTrust-Vet 31.6.6055 2008.08.29 -
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.29 -
F-Secure 7.60.13501.0 2008.08.29 -
Fortinet 3.14.0.0 2008.08.29 W32/PolySmall.BP!tr
GData 19 2008.08.29 -
Ikarus T3.1.1.34.0 2008.08.29 -
K7AntiVirus 7.10.431 2008.08.29 -
Kaspersky 7.0.0.125 2008.08.29 -
McAfee 5372 2008.08.28 -
Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/FakeAlert.C
NOD32v2 3397 2008.08.28 -
Norman 5.80.02 2008.08.28 -
Panda 9.0.0.4 2008.08.29 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.29 -
Rising 20.59.41.00 2008.08.29 -
Sophos 4.33.0 2008.08.29 Mal/EncPk-DG
Sunbelt 3.1.1592.1 2008.08.29 -
Symantec 10 2008.08.29 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.29 -
VBA32 3.12.8.4 2008.08.29 -
ViRobot 2008.8.29.1355 2008.08.29 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.29 -
weitere Informationen
File size: 98304 bytes
MD5...: ee77874cbb34d165127e2aa161778b7b
SHA1..: cc0a138335844142b85bb8c93c7180c3e835d063
SHA256: d342875a0640d76d4cfc57ac6e2b0d0f7d82ec3a2babf2cee64721a3bb1be4b3
SHA512: e66df658b2a31dab79089ad06f9dc645013946a92b391fe919b262637ddddc7e
8782b162541b75eda1096e0002d785bb5db6cf32ad59b40e08bd53433f2eac83
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x404a3b
timedatestamp.....: 0x48b63155 (Thu Aug 28 05:02:13 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.fldi 0x1000 0x14a92 0x15000 6.85 7c3f73e38f84ec43da7e48e12c1ee1e1
.vefh 0x16000 0x6cc 0x1000 2.82 5a5cda55eb1a110aab00b16427c8af0f
.jchf 0x17000 0x59f4 0x1000 0.55 6ddb3dfa7e3b38c8ee97c031149034e8

( 4 imports )
> KERNEL32.dll: GetCurrentProcess, WideCharToMultiByte, MoveFileW, FindFirstChangeNotificationW, GlobalUnlock, GlobalDeleteAtom, SetLastError, GetUserDefaultLangID, GetModuleFileNameW, GetLastError, GetModuleHandleW, LoadLibraryA, SetThreadPriority, CreateEventW, FindNextChangeNotification, FindNextFileW, GetSystemTime, SetFilePointer, WriteFile, FreeLibrary, GlobalAlloc, FileTimeToSystemTime, GetLocalTime, GetProcAddress, VirtualFree, CreateFileW, GetTickCount, WaitForSingleObject, CloseHandle
> USER32.dll: CreatePopupMenu, wsprintfW, RedrawWindow, ReleaseCapture, SetLayeredWindowAttributes, SendDlgItemMessageW, SetCursor, TrackPopupMenu, OffsetRect, GetWindowRect, SystemParametersInfoW, ReleaseDC, EnableWindow, PostThreadMessageW, VkKeyScanW, RegisterHotKey, LoadImageW, GetClassNameW, DialogBoxParamW, DefWindowProcW, GetParent, EndDialog
> GDI32.dll: SetTextColor, SelectObject, GetClipBox, GetObjectW, DeleteObject, CreateDCW, Rectangle, CreateBitmap, SetDIBits
> ADVAPI32.dll: RegSetValueExW, RegCloseKey

( 0 exports )


Datei xgjqrgtc.exe empfangen 2008.08.29 11:25:50 (CET)
Status: Laden ... Wartend Warten Überprüfung Beendet Nicht gefunden Gestoppt
Ergebnis: 3/36 (8.34%)


Antivirus Version letzte aktualisierung Ergebnis
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.29 -
Authentium 5.1.0.4 2008.08.29 -
Avast 4.8.1195.0 2008.08.28 -
AVG 8.0.0.161 2008.08.29 -
BitDefender 7.2 2008.08.29 -
CAT-QuickHeal 9.50 2008.08.26 -
ClamAV 0.93.1 2008.08.29 -
DrWeb 4.44.0.09170 2008.08.29 -
eSafe 7.0.17.0 2008.08.28 -
eTrust-Vet 31.6.6055 2008.08.29 -
Ewido 4.0 2008.08.28 -
F-Prot 4.4.4.56 2008.08.29 -
F-Secure 7.60.13501.0 2008.08.29 -
Fortinet 3.14.0.0 2008.08.29 W32/PolySmall.BP!tr
GData 19 2008.08.29 -
Ikarus T3.1.1.34.0 2008.08.29 -
K7AntiVirus 7.10.431 2008.08.29 -
Kaspersky 7.0.0.125 2008.08.29 -
McAfee 5372 2008.08.28 -
Microsoft 1.3807 2008.08.25 TrojanDownloader:Win32/FakeAlert.C
NOD32v2 3397 2008.08.28 -
Norman 5.80.02 2008.08.28 -
Panda 9.0.0.4 2008.08.29 -
PCTools 4.4.2.0 2008.08.28 -
Prevx1 V2 2008.08.29 -
Rising 20.59.41.00 2008.08.29 -
Sophos 4.33.0 2008.08.29 Mal/EncPk-DG
Sunbelt 3.1.1592.1 2008.08.29 -
Symantec 10 2008.08.29 -
TheHacker 6.3.0.6.064 2008.08.27 -
TrendMicro 8.700.0.1004 2008.08.29 -
VBA32 3.12.8.4 2008.08.29 -
ViRobot 2008.8.29.1355 2008.08.29 -
VirusBuster 4.5.11.0 2008.08.28 -
Webwasher-Gateway 6.6.2 2008.08.29 -
weitere Informationen
File size: 94208 bytes
MD5...: 6bc76b5d70467fd161fe927e65819a80
SHA1..: 8e9ce09f0ff35b8c21f514f3e1a2a6dc13357a13
SHA256: eb51f6f8e921306f72cc27fa78fd04350b149773af7ddb0e1429bba1c61a2876
SHA512: fa2946acdfe93a840959c72fc16f2ef28ffe812a320868a6c67798dee593ffb2
d745b815d15e3daa8d9b90e4e745837d4f74b722815faae66095669e9ec488b3
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40be40
timedatestamp.....: 0x48b6afeb (Thu Aug 28 14:02:19 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.ypwrwx 0x1000 0x13cd6 0x14000 6.91 5363b54e27f4abd63f11f39edc228dce
.alvkf 0x15000 0x5b8 0x1000 2.42 b8ee401881580a493f32748dd4c70106
.ydmoy 0x16000 0x59e8 0x1000 0.55 573b19e9ef242c8b4aab2eee6aa92c38

( 4 imports )
> KERNEL32.dll: WritePrivateProfileStringW, LoadResource, ReadFile, GetLogicalDrives, GlobalUnlock, MulDiv, SetLastError, GetProcAddress, CreateWaitableTimerW, GetLastError, QueryDosDeviceW, GetTickCount, Sleep, InterlockedIncrement, GetFileAttributesExW, FileTimeToSystemTime, GetLocalTime, lstrcpyW, LoadLibraryA, SetWaitableTimer, SetFilePointer, CreateThread, VirtualAlloc, VirtualFree
> USER32.dll: SetLayeredWindowAttributes, InvalidateRect, SetCursorPos, AppendMenuW, LoadIconW, GetDlgItem, LoadImageW, SetDlgItemTextW, PostMessageW, PostQuitMessage, RegisterWindowMessageW, DestroyMenu, SetForegroundWindow, SetWindowPos, SystemParametersInfoW, FillRect, ReleaseCapture, SendMessageW
> GDI32.dll: Rectangle, LineTo, BitBlt, DeleteObject, SetBkColor, GetObjectW, GetStockObject, CreateCompatibleBitmap
> ADVAPI32.dll: StartServiceW

( 0 exports )


7.) http://www.file-upload.net/download-1075677/listing.txt.html


soooo, hoffe das war so halbwegs richtig und alles gewünschte...
nochmal danke,
gruss
frank

So, da müssen einige Dateien weg:

Anleitung Avenger (by swandog46)

Lade dir das Tool Avenger und speichere es auf dem Desktop:

• Doppelklick auf das Avenger-Symbol

• Kopiere nun folgenden Text in das weiße Feld bei -> "input script here"

Code: Alles auswählenAufklappen

ATTFilter

folders to delete:
C:\Programme\ghgyctc
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep

files to delete:
c:\windows\system32\xgjqrgtc.exe
c:\windows\system32\vsconfig.xml
c:\windows\system32\toxcvgzi.exe
c:\windows\system32\zstcjqzg.exe
c:\windows\system32\pqnolorg.exe
c:\windows\system32\edahahix.exe
C:\WINDOWS\system32\retojajo.exe
C:\WINDOWS\system32\lphcncgj0e155.exe
C:\WINDOWS\system32\mtqrqncz.exe
C:\WINDOWS\system32\lphcncgj0e155.exe
         

• Schliesse nun alle Programme und Browser-Fenster

• Um den Avenger zu starten klicke auf -> Execute
• Dann bestätigen mit "Yes" das der Rechner neu startet

• Nachdem das System neu gestartet ist, findest du einen Report vom Avenger unter -> C:\avenger.txt

• Öffne die Datei mit dem Editor und kopiere den gesamten Text in deinen Beitrag hier am Trojaner-Board.

Mach auch ein neues Hijackthis-Logfile, nimm dazu diese umbenannte hijackthis.exe

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Programme\ghgyctc" deleted successfully.
Folder "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep" deleted successfully.
File "c:\windows\system32\xgjqrgtc.exe" deleted successfully.
File "c:\windows\system32\vsconfig.xml" deleted successfully.
File "c:\windows\system32\toxcvgzi.exe" deleted successfully.
File "c:\windows\system32\zstcjqzg.exe" deleted successfully.
File "c:\windows\system32\pqnolorg.exe" deleted successfully.
File "c:\windows\system32\edahahix.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\retojajo.exe" not found!
Deletion of file "C:\WINDOWS\system32\retojajo.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\lphcncgj0e155.exe" deleted successfully.
File "C:\WINDOWS\system32\mtqrqncz.exe" deleted successfully.

Error: file "C:\WINDOWS\system32\lphcncgj0e155.exe" not found!
Deletion of file "C:\WINDOWS\system32\lphcncgj0e155.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:22:17, on 29.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programme\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\A4Tech\Mouse\Amoumain.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programme\rhcjcgj0e155\rhcjcgj0e155.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\enyhinqb.exe
C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
C:\Programme\Miranda IM\miranda32.exe
C:\Programme\iPod\bin\iPodService.exe
C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\system32\pphcncgj0e155.exe
C:\Dokumente und Einstellungen\Frank\Desktop\qlketzd(2).com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://htw.www.pherrex.com/pub.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=134.106.148.1:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programme\Crawler\ctbr.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programme\Crawler\ctbr.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [lphcncgj0e155] C:\WINDOWS\system32\lphcncgj0e155.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SMrhcjcgj0e155] C:\Programme\rhcjcgj0e155\rhcjcgj0e155.exe
O4 - HKCU\..\Run: [actdb] C:\WINDOWS\system32\mtqrqncz.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [DscSmartCom] C:\WINDOWS\system32\edahahix.exe
O4 - HKCU\..\Run: [mondsc] C:\WINDOWS\system32\pqnolorg.exe
O4 - HKCU\..\Run: [SetCfg] C:\WINDOWS\system32\toxcvgzi.exe
O4 - HKCU\..\Run: [infowinstr] C:\WINDOWS\system32\xgjqrgtc.exe
O4 - HKCU\..\Run: [procgen] C:\WINDOWS\system32\enyhinqb.exe
O4 - HKLM\..\Policies\Explorer\Run: [s2jhJy1dxR] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe
O4 - Startup: .security
O4 - Startup: Miranda IM.lnk = C:\Programme\Miranda IM\miranda32.exe
O4 - Startup: Mousometer.lnk = C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: .security
O4 - Global Startup: Arcor Wlan-Monitor 1.0.lnk = C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Winamp Search - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0AA0BE9-B014-4039-BCB5-718334205073}: NameServer = 134.106.148.205,134.106.168.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programme\Crawler\ctbr.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: dbstr - {40A5A3F3-51D4-A2C2-6999-0BDD7FE78860} - C:\Programme\ghgyctc\dbstr.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programme\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9765 bytes

Da sind ein paar Objekte wieder aufgetaucht - fixe zuerst mal diese Einträge mit Hijackthis:

Code: Alles auswählenAufklappen

ATTFilter

O4 - HKLM\..\Run: [lphcncgj0e155] C:\WINDOWS\system32\lphcncgj0e155.exe
O4 - HKLM\..\Run: [SMrhcjcgj0e155] C:\Programme\rhcjcgj0e155\rhcjcgj0e155.exe
O4 - HKCU\..\Run: [actdb] C:\WINDOWS\system32\mtqrqncz.exe
O4 - HKCU\..\Run: [DscSmartCom] C:\WINDOWS\system32\edahahix.exe
O4 - HKCU\..\Run: [mondsc] C:\WINDOWS\system32\pqnolorg.exe
O4 - HKCU\..\Run: [SetCfg] C:\WINDOWS\system32\toxcvgzi.exe
O4 - HKCU\..\Run: [infowinstr] C:\WINDOWS\system32\xgjqrgtc.exe
O4 - HKCU\..\Run: [procgen] C:\WINDOWS\system32\enyhinqb.exe
O4 - HKLM\..\Policies\Explorer\Run: [s2jhJy1dxR] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep\wtyrepkz.exe
O21 - SSODL: dbstr - {40A5A3F3-51D4-A2C2-6999-0BDD7FE78860} - C:\Programme\ghgyctc\dbstr.dll (file missing)
         

Geh danach wieder mit dem Avenger vor wie vorhin, aber benutze diesmal dieses script:

Code: Alles auswählenAufklappen

ATTFilter

folders to delete:
C:\Programme\rhcjcgj0e155
C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep
C:\Programme\ghgyctc

files to delete:
C:\WINDOWS\system32\enyhinqb.exe
C:\WINDOWS\system32\pphcncgj0e155.exe
c:\windows\system32\xgjqrgtc.exe
c:\windows\system32\vsconfig.xml
c:\windows\system32\toxcvgzi.exe
c:\windows\system32\zstcjqzg.exe
c:\windows\system32\pqnolorg.exe
c:\windows\system32\edahahix.exe
C:\WINDOWS\system32\retojajo.exe
C:\WINDOWS\system32\lphcncgj0e155.exe
C:\WINDOWS\system32\mtqrqncz.exe
C:\WINDOWS\system32\lphcncgj0e155.exe
         

Wieder das Avenger-Log nach dem Reboot posten.
Mach erneut für nen Abgleich ein neues Hijackthis-Logfile mit der umbenannten Datei und zusätzlich eins mit silentrunners (siehe Signatur).

Poste die Logfiles bitte mit Codetags umschlossen (#-Button) also so:

HTML-Code:

[code] Hier das Logfile rein! [/code]

Code: Alles auswählenAufklappen

ATTFilter

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "C:\Programme\rhcjcgj0e155" deleted successfully.

Error:  folder "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep" not found!
Deletion of folder "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\evipojep" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  folder "C:\Programme\ghgyctc" not found!
Deletion of folder "C:\Programme\ghgyctc" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\WINDOWS\system32\enyhinqb.exe" deleted successfully.
File "C:\WINDOWS\system32\pphcncgj0e155.exe" deleted successfully.

Error:  file "c:\windows\system32\xgjqrgtc.exe" not found!
Deletion of file "c:\windows\system32\xgjqrgtc.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "c:\windows\system32\vsconfig.xml" not found!
Deletion of file "c:\windows\system32\vsconfig.xml" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "c:\windows\system32\toxcvgzi.exe" not found!
Deletion of file "c:\windows\system32\toxcvgzi.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "c:\windows\system32\zstcjqzg.exe" not found!
Deletion of file "c:\windows\system32\zstcjqzg.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "c:\windows\system32\pqnolorg.exe" not found!
Deletion of file "c:\windows\system32\pqnolorg.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "c:\windows\system32\edahahix.exe" not found!
Deletion of file "c:\windows\system32\edahahix.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\retojajo.exe" not found!
Deletion of file "C:\WINDOWS\system32\retojajo.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\lphcncgj0e155.exe" not found!
Deletion of file "C:\WINDOWS\system32\lphcncgj0e155.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\mtqrqncz.exe" not found!
Deletion of file "C:\WINDOWS\system32\mtqrqncz.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\lphcncgj0e155.exe" not found!
Deletion of file "C:\WINDOWS\system32\lphcncgj0e155.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.
         

Code: Alles auswählenAufklappen

ATTFilter

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43:14, on 29.08.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programme\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\A4Tech\Mouse\Amoumain.exe
C:\Programme\Java\jre1.6.0_07\bin\jusched.exe
C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programme\Winamp\winampa.exe
C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
C:\Programme\Spyware Terminator\sp_rsser.exe
C:\Programme\Miranda IM\miranda32.exe
C:\WINDOWS\system32\svchost.exe
C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Dokumente und Einstellungen\Frank\Desktop\qlketzd(2).com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://htw.www.pherrex.com/pub.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=134.106.148.1:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Programme\Crawler\ctbr.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Programme\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Programme\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Programme\Winamp Toolbar\winamptb.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Programme\Crawler\ctbr.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Programme\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: .security
O4 - Startup: Miranda IM.lnk = C:\Programme\Miranda IM\miranda32.exe
O4 - Startup: Mousometer.lnk = C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: .security
O4 - Global Startup: Arcor Wlan-Monitor 1.0.lnk = C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Winamp Search - C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Programme\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programme\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0AA0BE9-B014-4039-BCB5-718334205073}: NameServer = 134.106.148.205,134.106.168.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programme\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Programme\Crawler\ctbr.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programme\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Programme\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Programme\Spyware Terminator\sp_rsser.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8806 bytes
         

Code: Alles auswählenAufklappen

ATTFilter

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpybotSD TeaTimer" = "C:\Programme\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"WheelMouse" = "C:\Programme\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
"SunJavaUpdateSched" = ""C:\Programme\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"avgnt" = ""C:\Programme\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"QuickTime Task" = ""C:\Programme\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Programme\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"Adobe Reader Speed Launcher" = ""C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"WinampAgent" = "C:\Programme\Winamp\winampa.exe" [null data]
"SpywareTerminator" = ""C:\Programme\Spyware Terminator\SpywareTerminatorShield.exe"" ["Crawler.com"]
"ZoneAlarm Client" = ""C:\Programme\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programme\Crawler\ctbr.dll" ["Crawler.com"]
{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\(Default) = "Winamp Toolbar Loader"
  -> {HKLM...CLSID} = "Winamp Toolbar Loader"
                   \InProcServer32\(Default) = "C:\Programme\Winamp Toolbar\winamptb.dll" ["AOL LLC."]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
  -> {HKLM...CLSID} = "AVG Safe Search"
                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
                   \InProcServer32\(Default) = "C:\Programme\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"
  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
"{F367BD78-D2B5-459A-B775-9C14E06FCC3D}" = "Miranda Contact"
  -> {HKLM...CLSID} = "Send to Miranda contact"
                   \InProcServer32\(Default) = "C:\Programme\Miranda IM\Plugins\shellfilesend.dll" [empty string]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook-Dateisymbolerweiterung"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "C:\Programme\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{BD88A479-9623-4897-8546-BC62B9628F44}" = "SPTHandler"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "C:\Programme\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<<!>> ("msapsspc.dllschannel.dlldigest.dllmsnsspc.dll" [file not found]) "SecurityProviders" = "msapsspc.dllschannel.dlldigest.dllmsnsspc.dll"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]| [file not found]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "C:\Programme\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Programme\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Programme\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "C:\Programme\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Programme\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
SPTContMenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"
  -> {HKLM...CLSID} = "SPTHandler"
                   \InProcServer32\(Default) = "C:\Programme\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoDispBackgroundPage" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Control Panel|Display|
Hide Desktop tab}

"NoDispScrSavPage" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Grüne Idylle.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\system32\phcncgj0e155.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\blphcncgj0e155.scr" [file not found]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Programme\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayCDAudio"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""C:\Programme\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["Gabest"]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayDVDMovie"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""C:\Programme\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["Gabest"]

MPCPlayMusicFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayMusicFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""C:\Programme\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

MPCPlayVideoFilesOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayVideoFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""C:\Programme\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file cdda:%1" ["VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = "C:\Programme\VideoLAN\VLC\vlc.exe --started-from-file dvd:%1" ["VideoLAN Team"]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Programme\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Programme\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
                   \LocalServer32\(Default) = ""C:\Programme\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "Frank" & "All Users" startup folders:
-------------------------------------------------------

C:\Dokumente und Einstellungen\Frank\Startmenü\Programme\Autostart
<<!>> ".security" [null data]
"Miranda IM" -> shortcut to: "C:\Programme\Miranda IM\miranda32.exe "frank"" [" "]
"Mousometer" -> shortcut to: "C:\Dokumente und Einstellungen\Frank\Desktop\mousometer.exe" [null data]
"Yahoo! Widget Engine" -> shortcut to: "C:\Programme\Yahoo!\WidgetEngine\YahooWidgetEngine.exe" ["Yahoo! Inc."]

C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart
<<!>> ".security" [null data]
"Arcor Wlan-Monitor 1.0" -> shortcut to: "C:\Programme\Arcor\Arcor Wlan-Monitor 1.0\ArcorWlanUtility.exe -T" ["Arcor AG & Co. KG"]
"Microsoft Office" -> shortcut to: "C:\Programme\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Programme\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Uniblue SpeedUpMyPC Nag" -> launches: "C:\Programme\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" ["Uniblue Software"]
"Uniblue SpeedUpMyPC" -> launches: "C:\Programme\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" ["Uniblue Software"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}"
  -> {HKLM...CLSID} = "&Crawler Toolbar"
                   \InProcServer32\(Default) = "C:\Programme\Crawler\ctbr.dll" ["Crawler.com"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar"
  -> {HKLM...CLSID} = "Winamp Toolbar"
                   \InProcServer32\(Default) = "C:\Programme\Winamp Toolbar\winamptb.dll" ["AOL LLC."]
"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" = (no title provided)
  -> {HKLM...CLSID} = "&Crawler Toolbar"
                   \InProcServer32\(Default) = "C:\Programme\Crawler\ctbr.dll" ["Crawler.com"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Konsole"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
                   \InProcServer32\(Default) = "C:\Programme\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{3AD14F0C-ED16-4E43-B6D8-661B03F6A1EF}\
"ButtonText" = "PokerStars"
"Exec" = "C:\Programme\PokerStars\PokerStarsUpdate.exe" ["PokerStars"]

{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\
"ButtonText" = "PartyPoker.com"
"MenuText" = "PartyPoker.com"
"Exec" = "C:\Programme\PartyGaming\PartyPoker\RunApp.exe" [empty string]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "tbr:res?id=tabs&rep=1" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Programme\AntiVir PersonalEdition Classic\avguard.exe" ["Avira GmbH"]
AntiVir PersonalEdition Classic Planer, AntiVirScheduler, "C:\Programme\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Free8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
AVG Free8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Google Updater Service, gusvc, ""C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
Lavasoft Ad-Aware Service, aawservice, "C:\Programme\Lavasoft\Ad-Aware\aawservice.exe" ["Lavasoft"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Netropa NHK Server, nhksrv, "C:\Programme\Netropa\Multimedia Keyboard\nhksrv.exe" [null data]
Spyware Terminator Realtime Shield Service, sp_rssrv, ""C:\Programme\Spyware Terminator\sp_rsser.exe"" ["Crawler.com"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "msikbd2k" ["Netropa Corporation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]


---------- (launch time: 2008-08-29 16:52:17)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 192 seconds, including 18 seconds for message boxes)
         

Kurzer Einwurf, das letzte Avenger-Log scheint nicht vollständig zu sein...

ups, sorry!
geändert!

Die Dateien dürften nun gelöscht sein, Hijackthis Log ist auch okay.

Code: Alles auswählenAufklappen

ATTFilter

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
         

Das solltest Du nun unbedingt ändern, spiel das SP3 und den IE7 ein!

Mach zum Abschluss mal ein neues Filelisting...