Pests of all kinds and how to fight them: FakeAlert Trojan-Spy.Win32.GreenScreen etc.

If you are not sure whether you have caught malware or a trojan, create a topic here. An expert will respond with further instructions and help you remove the malware or uninstall or delete unwanted software. Please describe your problem as precisely as possible. If it is a trojan or virus problem, an expert will help you clean up the infection.
15.09.2008, 20:18 | #1
FakeAlert Trojan-Spy.Win32.GreenScreen etc.

Good evening,

this afternoon I caught a trojan and since then I have been getting various warning messages (Windows Firewall has detected activity of harmful software[...] Trojan-Spy.Win32.GreenScreen, Trojan-Clicker.Win32Tiny.h, Trojan-Spy.Win32.Keylogger.aa, Trojan-Spy.HTML.Bankfraud.dq). First I fixed or quarantined some problems with the program "Malware". My virus scanner Avira AntiVir also removed something, but I can't get rid of these fake alerts. I ran HJT but can't make sense of it. Maybe someone here can help me.

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:01:40, on 15.09.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16711)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ieconfig_1und1_svc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\ProgramData\DscDb\kfohkhod.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = go.1und1.de/links/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_DE&c=71&bd=Pavilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=DE_DE&c=71&bd=Pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hxxp://go.1und1.de/suchbox/1und1suche?su=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer bereitgestellt von 1&1 Internet AG
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Anmelde-Hilfsprogramm - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: 1&&1 Internet AG Browser Configuration by mquadr.at - {D48FF4B4-E68F-47D1-8E25-81A0F0EEB341} - C:\Windows\System32\ieconfig_1und1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DscDb] C:\ProgramData\DscDb\kfohkhod.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - hxxp://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: IEConfig 1und1 Edition (serviceIEConfig) - Unknown owner - C:\Windows\System32\ieconfig_1und1_svc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11576 bytes

I hope someone can give me more detailed information so that the problem can be fixed. Thanks
16.09.2008, 01:18 | #2
/// TB Instructor | FakeAlert Trojan-Spy.Win32.GreenScreen etc.

Hi,

please restart the computer first. Then work through the following:

ComboFix - A guide and tutorial on using ComboFix

ComboFix may only be run when a qualified helper has explicitly recommended it! It should never be run on your own initiative! Incorrect use can cause serious computer problems and make cleaning up the infection even harder.

Note: ComboFix disables the autorun function of all CD/DVD and USB drives in order to contain the spread. If this causes problems, post them in the thread.

Regards, myrtille
16.09.2008, 08:54 | #3
FakeAlert Trojan-Spy.Win32.GreenScreen etc.

Good morning,

thanks for the help. I have now run ComboFix. Here is the log:

ComboFix 08-09-15.02 - HP 2008-09-16 9:44:32.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.397 [GMT 2:00]
ausgeführt von:: C:\Users\HP\Desktop\ComboFix.exe
 * Neuer Wiederherstellungspunkt wurde erstellt
.
((((((((((((((((((((((( Dateien erstellt von 2008-08-16 bis 2008-09-16 ))))))))))))))))))))))))))))))
.
Keine neuen Dateien erstellt in diesem Zeitraum
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 18:40 5,822 ----a-w C:\Windows\System32\tmp.reg
2008-09-15 18:36 34,916 ----a-w C:\Users\HP\AppData\Roaming\nvModes.dat
2008-09-15 18:32 --------- d-----w C:\Program Files\Enigma Software Group
2008-09-15 18:01 --------- d-----w C:\Program Files\Trend Micro
2008-09-15 17:38 --------- d---a-w C:\ProgramData\TEMP
2008-09-15 15:32 --------- d-----w C:\ProgramData\ylapqnqf
2008-09-15 15:21 --------- d-----w C:\Users\HP\AppData\Roaming\Malwarebytes
2008-09-15 15:21 --------- d-----w C:\ProgramData\Malwarebytes
2008-09-15 15:21 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-09-15 14:39 --------- d-----w C:\ProgramData\DscDb
2008-09-14 14:07 --------- d-----w C:\Users\HP\AppData\Roaming\uTorrent
2008-09-11 05:48 --------- d-----w C:\ProgramData\Microsoft Help
2008-09-11 05:45 --------- d-----w C:\Program Files\Microsoft Works
2008-09-09 22:04 38,528 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys
2008-09-09 22:03 17,200 ----a-w C:\Windows\system32\drivers\mbam.sys
2008-08-27 13:55 --------- d-----w C:\Users\HP\AppData\Roaming\Roxio
2008-08-27 13:54 --------- d-----w C:\ProgramData\Sonic
2008-08-24 17:49 --------- d-----w C:\Program Files\DSL Speed
2008-08-24 15:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-24 15:34 --------- d-----w C:\Users\HP\AppData\Roaming\InstallShield
2008-08-24 15:34 --------- d-----w C:\Program Files\CIB software GmbH
2008-08-24 14:01 --------- d-----w C:\Program Files\Common Files\XPressUpdate
2008-08-24 14:00 --------- d-----w C:\Program Files\PDF Editor 2
2008-08-24 13:41 73,216 ----a-w C:\Windows\cadkasdeinst01.exe
2008-08-24 13:35 --------- d-----w C:\Users\HP\AppData\Roaming\PixelPlanet
2008-08-24 13:35 --------- d-----w C:\ProgramData\PixelPlanet
2008-08-21 13:48 --------- d-----w C:\Program Files\MediaMonkey
2008-08-20 16:24 --------- d-----w C:\ProgramData\Apple Computer
2008-08-20 16:02 --------- d-----w C:\Users\HP\AppData\Roaming\Apple Computer
2008-08-20 16:01 --------- d-----w C:\Program Files\QuickTime
2008-08-20 16:01 --------- d-----w C:\Program Files\Bonjour
2008-08-20 15:59 --------- d-----w C:\Program Files\Apple Software Update
2008-08-20 15:58 --------- d-----w C:\ProgramData\Apple
2008-08-20 15:58 --------- d-----w C:\Program Files\Common Files\Apple
2008-08-19 10:37 --------- d-----w C:\Program Files\EPSON
2008-08-19 10:30 --------- d-----w C:\ProgramData\EPSON
2008-08-18 20:04 --------- d-----w C:\Users\HP\AppData\Roaming\vlc
2008-08-18 18:29 --------- d-----w C:\Program Files\VideoLAN
2008-08-17 19:31 --------- d-----w C:\Users\HP\AppData\Roaming\Winamp
2008-08-17 19:28 --------- d-----w C:\Program Files\Winamp
2008-08-17 18:19 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-08-17 18:18 --------- d-----w C:\Program Files\DVDVideoSoft
2008-08-16 13:18 --------- d-----w C:\Program Files\ElcomSoft
2008-08-14 13:01 --------- d-----w C:\Program Files\Windows Mail
2008-08-13 10:57 --------- d-----w C:\Program Files\Microsoft.NET
2008-08-13 10:43 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-08-13 10:20 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-08-13 10:20 --------- d-----w C:\Users\HP\AppData\Roaming\DAEMON Tools
2008-08-13 09:27 --------- d-----w C:\Program Files\uTorrent
2008-08-13 01:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-12 20:24 --------- d-----w C:\Users\HP\AppData\Roaming\DivX
2008-08-12 20:24 --------- d-----w C:\Program Files\DivX
2008-08-12 15:50 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-12 15:50 --------- d-----w C:\Program Files\Windows Live Favorites
2008-08-12 15:48 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-12 15:48 --------- d-----w C:\Program Files\Windows Live
2008-08-12 15:41 --------- d-----w C:\ProgramData\WLInstaller
2008-08-12 12:38 --------- d-----w C:\Users\HP\AppData\Roaming\HP
2008-08-12 12:38 --------- d-----w C:\ProgramData\HP
2008-08-07 10:35 174 --sha-w C:\Program Files\desktop.ini
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Defender
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Calendar
2008-08-07 05:21 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-08-07 05:21 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-08-07 05:21 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-08-07 05:19 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-08-07 05:19 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-08-07 05:18 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-08-07 05:18 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-08-07 05:13 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-08-07 05:13 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-08-07 05:13 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-08-07 05:12 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-08-07 05:12 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-08-07 05:12 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-08-07 05:12 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-08-07 05:11 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-08-07 05:11 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-08-07 05:11 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-08-07 05:11 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-08-07 05:11 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-08-07 05:11 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-08-07 05:11 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-08-07 05:11 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-08-07 05:11 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-08-07 05:09 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-08-07 05:09 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-08-07 05:09 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-08-07 05:09 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-08-07 05:09 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-08-07 05:09 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-08-07 05:09 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-08-07 05:09 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-08-07 05:08 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-08-07 05:08 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2008-08-07 05:08 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-08-07 05:06 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-08-07 05:06 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-08-07 05:06 22,016 ----a-w C:\Windows\System32\netiougc.exe
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-08-07 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
"DscDb"="C:\ProgramData\DscDb\kfohkhod.exe" [2008-09-15 90112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-01-19 77824]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-07 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-07 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-07 81920]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 222208]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
" Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-09-10 1253040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-08 44128]

C:\Users\HP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader - Schnellstart.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-07-24 17:02 490952 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-04 01:02 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A48C03BA-2FCB-43FE-8E68-D5C07EB45395}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{EA52B341-D4A2-41F2-9D55-C39BCE58F04D}"= TCP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{56D9FC57-F549-4B58-B626-0E69F28B3D5B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7564B209-912E-4E0E-9D17-A0475A2A1733}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7D5356AC-6305-4466-A573-2427115203C3}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{37DD6216-2589-47A3-99FF-CACC63B97270}"= UDP:39329:Torrent
"{2408813C-86CC-4557-BCD8-66207E6C7853}"= TCP:39329:TorrentUDP
"{BCDD89CD-1840-4F4F-A964-7176E8B8F6EA}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{18123142-A12D-42E9-96E3-CB72430BE11F}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2F09A5A4-43D5-4C79-97E2-DD6F2E244E88}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{148C9506-6CD8-4871-87A8-1687B13AC50E}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{EECDED33-E68F-4F04-9A55-742DB6F228AD}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 serviceIEConfig;IEConfig 1und1 Edition;C:\Windows\System32\ieconfig_1und1_svc.exe [2008-08-05 1053848]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Inhalt des "geplante Tasks" Ordners
.
.
------- Zusätzlicher Scan -------
.
FireFox -: Profile - C:\Users\HP\AppData\Roaming\Mozilla\Firefox\Profiles\p00m5sdj.default\
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava11.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava12.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava13.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava14.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjava32.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
FF -: plugin - C:\Program Files\Java\jre1.6.0\bin\npoji610.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-16 09:48:46
Windows 6.0.6000 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostart Einträge...
Scanne versteckte Dateien...
C:\Users\HP\AppData\Local\Temp\~DFCFA0.tmp 16384 bytes
C:\Users\HP\AppData\Local\Temp\~DFCFA5.tmp 512 bytes
Scan erfolgreich abgeschlossen
versteckte Dateien: 2
**************************************************************************
.
Zeit der Fertigstellung: 2008-09-16 9:50:41
ComboFix-quarantined-files.txt 2008-09-16 07:50:19
Pre-Run: Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
Post-Run: 19 Verzeichnis(se), 110,241,026,048 Bytes frei
217 --- E O F --- 2008-09-13 09:06:30
16.09.2008, 12:16 | #4
/// TB Instructor | FakeAlert Trojan-Spy.Win32.GreenScreen etc.

Hi,

please do the following: Scripting with ComboFix

Code:
folder::
C:\ProgramData\ylapqnqf
C:\ProgramData\DscDb

registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DscDb"=-

Note: The script above was created only for this one user in this situation. It cannot be ported to any other computer and must not be used elsewhere, as it can permanently damage the system.

Regards, myrtille

Requests by e-mail, profile or private message will be ignored! Help is given ONLY in the forum! Anyone who has not received a further reply from me after 24 hours, please send me a PM. Spelling mistakes? Never, but keybaord malfunctions constantly!
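As an added example (not code from the thread, from HijackThis or from ComboFix), the following Python triage script applies the same reasoning the helper used by hand to pick `C:\ProgramData\DscDb\kfohkhod.exe` out of the O4 entries in the log above and then target that folder and Run value in the script: an autorun entry whose executable lives in a user-writable data folder with random-looking folder and file names is scored higher than vendor entries under Program Files or Windows. The scoring rule and its threshold are my own assumption; the sample O4 lines are copied from the HijackThis log posted earlier in this thread.

```python
"""Triage HijackThis O4 (autorun) entries for the pattern seen in this thread.

Added example, not part of the original thread. The heuristic is an
assumption: an autorun entry is scored on (a) whether its executable lives
in a user-writable data folder such as ProgramData or AppData and (b) whether
the folder and file names look random (few vowels / long consonant runs).
Vendor entries under Program Files or Windows score low; an entry such as
C:\\ProgramData\\DscDb\\kfohkhod.exe scores high.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: O4 lines in the HijackThis v2 format, taken from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DscDb] C:\ProgramData\DscDb\kfohkhod.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
"""

# O4 - <hive>\..\<Run|RunOnce>: [<name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Either a quoted program path or the first token ending in .exe.
EXE_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>.+?\.exe)\b', re.IGNORECASE)

# Locations a standard user (and therefore a drive-by installer) can write to.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\")


@dataclass
class Finding:
    name: str
    path: str
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3   # threshold is an assumption for this example


def executable(cmd: str) -> str:
    """Return the program path from an O4 command line, dropping arguments."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.split()[0]
    return m.group("quoted") or m.group("bare")


def looks_random(token: str) -> bool:
    """Crude randomness test: fewer than 30% vowels or a consonant run of 5+."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if len(letters) < 4:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    longest = max((len(r) for r in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowels / len(letters) < 0.3 or longest >= 5


def analyze(log_text: str) -> list:
    """Parse every O4 line in the log and score it; returns one Finding per entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue                      # only O4 entries are scored here
        path = executable(m.group("cmd"))
        parts = path.replace("/", "\\").split("\\")
        stem = re.sub(r"\.[^.]*$", "", parts[-1])
        folder = parts[-2] if len(parts) >= 2 else ""
        score, reasons = 0, []
        if any(loc in path.lower() for loc in USER_WRITABLE):
            score += 2
            reasons.append("executable in a user-writable data folder")
        if looks_random(folder):
            score += 1
            reasons.append(f"random-looking folder name {folder!r}")
        if looks_random(stem):
            score += 1
            reasons.append(f"random-looking file name {stem!r}")
        findings.append(Finding(m.group("name").strip(), path, score, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} score={f.score} [{f.name}] {f.path}  {'; '.join(f.reasons)}")
```

Only the DscDb entry crosses the threshold; the HP recovery launcher under SMINST and the Avira tray tool get a single point for their terse names but sit in vendor locations, which is why location is weighted higher than name shape.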
17.09.2008, 13:01 | #5
| FakeAlert Trojan-Spy.Win32.GreenScreen etc. dabei kam das heraus: ComboFix 08-09-15.02 - HP 2008-09-17 13:52:36.2 - NTFSx86 Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1031.18.412 [GMT 2:00] ausgeführt von:: C:\Users\HP\Desktop\ComboFix.exe Command switches used :: C:\Users\HP\Desktop\cfscript.txt * Neuer Wiederherstellungspunkt wurde erstellt . (((((((((((((((((((((((((((((((((((( Weitere Löschungen )))))))))))))))))))))))))))))))))))))))))))))))) . C:\ProgramData\DscDb C:\ProgramData\DscDb\kfohkhod.exe C:\ProgramData\ylapqnqf . ((((((((((((((((((((((( Dateien erstellt von 2008-08-17 bis 2008-09-17 )))))))))))))))))))))))))))))) . Keine neuen Dateien erstellt in diesem Zeitraum . (((((((((((((((((((((((((((((((((((( Find3M Bericht )))))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-09-16 20:07 34,916 ----a-w C:\Users\HP\AppData\Roaming\nvModes.dat 2008-09-15 18:40 5,822 ----a-w C:\Windows\System32\tmp.reg 2008-09-15 18:32 --------- d-----w C:\Program Files\Enigma Software Group 2008-09-15 18:01 --------- d-----w C:\Program Files\Trend Micro 2008-09-15 17:38 --------- d---a-w C:\ProgramData\TEMP 2008-09-15 15:21 --------- d-----w C:\Users\HP\AppData\Roaming\Malwarebytes 2008-09-15 15:21 --------- d-----w C:\ProgramData\Malwarebytes 2008-09-15 15:21 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware 2008-09-14 14:07 --------- d-----w C:\Users\HP\AppData\Roaming\uTorrent 2008-09-11 05:48 --------- d-----w C:\ProgramData\Microsoft Help 2008-09-11 05:45 --------- d-----w C:\Program Files\Microsoft Works 2008-09-09 22:04 38,528 ----a-w C:\Windows\system32\drivers\mbamswissarmy.sys 2008-09-09 22:03 17,200 ----a-w C:\Windows\system32\drivers\mbam.sys 2008-08-27 13:55 --------- d-----w C:\Users\HP\AppData\Roaming\Roxio 2008-08-27 13:54 --------- d-----w C:\ProgramData\Sonic 2008-08-24 17:49 --------- d-----w C:\Program Files\DSL Speed 2008-08-24 15:34 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-08-24 
15:34 --------- d-----w C:\Users\HP\AppData\Roaming\InstallShield 2008-08-24 15:34 --------- d-----w C:\Program Files\CIB software GmbH 2008-08-24 14:01 --------- d-----w C:\Program Files\Common Files\XPressUpdate 2008-08-24 14:00 --------- d-----w C:\Program Files\PDF Editor 2 2008-08-24 13:41 73,216 ----a-w C:\Windows\cadkasdeinst01.exe 2008-08-24 13:35 --------- d-----w C:\Users\HP\AppData\Roaming\PixelPlanet 2008-08-24 13:35 --------- d-----w C:\ProgramData\PixelPlanet 2008-08-21 13:48 --------- d-----w C:\Program Files\MediaMonkey 2008-08-20 16:24 --------- d-----w C:\ProgramData\Apple Computer 2008-08-20 16:02 --------- d-----w C:\Users\HP\AppData\Roaming\Apple Computer 2008-08-20 16:01 --------- d-----w C:\Program Files\QuickTime 2008-08-20 16:01 --------- d-----w C:\Program Files\Bonjour 2008-08-20 15:59 --------- d-----w C:\Program Files\Apple Software Update 2008-08-20 15:58 --------- d-----w C:\ProgramData\Apple 2008-08-20 15:58 --------- d-----w C:\Program Files\Common Files\Apple 2008-08-19 10:37 --------- d-----w C:\Program Files\EPSON 2008-08-19 10:30 --------- d-----w C:\ProgramData\EPSON 2008-08-18 20:04 --------- d-----w C:\Users\HP\AppData\Roaming\vlc 2008-08-18 18:29 --------- d-----w C:\Program Files\VideoLAN 2008-08-17 19:31 --------- d-----w C:\Users\HP\AppData\Roaming\Winamp 2008-08-17 19:28 --------- d-----w C:\Program Files\Winamp 2008-08-17 18:19 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft 2008-08-17 18:18 --------- d-----w C:\Program Files\DVDVideoSoft 2008-08-16 13:18 --------- d-----w C:\Program Files\ElcomSoft 2008-08-14 13:01 --------- d-----w C:\Program Files\Windows Mail 2008-08-13 10:57 --------- d-----w C:\Program Files\Microsoft.NET 2008-08-13 10:43 --------- d-----w C:\Program Files\DAEMON Tools Lite 2008-08-13 10:20 717,296 ----a-w C:\Windows\system32\drivers\sptd.sys 2008-08-13 10:20 --------- d-----w C:\Users\HP\AppData\Roaming\DAEMON Tools 2008-08-13 09:27 --------- d-----w C:\Program Files\uTorrent 
2008-08-13 01:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-08-12 20:24 --------- d-----w C:\Users\HP\AppData\Roaming\DivX
2008-08-12 20:24 --------- d-----w C:\Program Files\DivX
2008-08-12 15:50 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-08-12 15:50 --------- d-----w C:\Program Files\Windows Live Favorites
2008-08-12 15:48 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-08-12 15:48 --------- d-----w C:\Program Files\Windows Live
2008-08-12 15:41 --------- d-----w C:\ProgramData\WLInstaller
2008-08-12 12:38 --------- d-----w C:\Users\HP\AppData\Roaming\HP
2008-08-12 12:38 --------- d-----w C:\ProgramData\HP
2008-08-07 10:35 174 --sha-w C:\Program Files\desktop.ini
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Defender
2008-08-07 05:24 --------- d-----w C:\Program Files\Windows Calendar
2008-08-07 05:21 87,040 ----a-w C:\Windows\System32\msoert2.dll
2008-08-07 05:21 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2008-08-07 05:21 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2008-08-07 05:19 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-08-07 05:19 110,080 ----a-w C:\Windows\system32\drivers\mrxdav.sys
2008-08-07 05:18 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2008-08-07 05:18 376,320 ----a-w C:\Windows\System32\winsrv.dll
2008-08-07 05:13 414,208 ----a-w C:\Windows\System32\msscp.dll
2008-08-07 05:13 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
2008-08-07 05:13 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-08-07 05:12 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2008-08-07 05:12 7,680 ----a-w C:\Windows\System32\spwmp.dll
2008-08-07 05:12 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2008-08-07 05:12 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2008-08-07 05:11 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2008-08-07 05:11 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2008-08-07 05:11 61,952 ----a-w C:\Windows\System32\cmifw.dll
2008-08-07 05:11 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2008-08-07 05:11 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2008-08-07 05:11 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2008-08-07 05:11 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2008-08-07 05:11 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2008-08-07 05:11 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2008-08-07 05:09 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-08-07 05:09 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-08-07 05:09 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-08-07 05:09 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-08-07 05:09 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-08-07 05:09 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-08-07 05:09 15,928 ----a-w C:\Windows\system32\drivers\pciide.sys
2008-08-07 05:09 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-08-07 05:08 2,048 ----a-w C:\Windows\System32\msxml3r.dll
2008-08-07 05:08 104,448 ----a-w C:\Windows\System32\DWWIN.EXE
2008-08-07 05:08 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2008-08-07 05:06 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-08-07 05:06 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-08-07 05:06 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-08-07 05:06 216,632 ----a-w C:\Windows\system32\drivers\netio.sys
2008-08-07 05:06 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
.
((((((((((((((((((((((((((((( snapshot@2008-09-16_ 9.49.32.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-16 07:15:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-09-17 11:37:00 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-09-16 07:15:36 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-09-17 11:37:00 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-09-16 07:17:11 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-17 11:38:36 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-09-17 11:38:36 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-09-16 07:17:06 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-09-17 11:38:31 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-09-16 07:15:36 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-09-17 11:39:09 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-09-16 07:15:36 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-09-17 11:39:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-09-16 07:15:36 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-09-17 11:39:09 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-09-16 07:20:47 116,706 ----a-w C:\Windows\System32\perfc007.dat
+ 2008-09-17 11:41:50 116,706 ----a-w C:\Windows\System32\perfc007.dat
- 2008-09-16 07:20:47 103,924 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-09-17 11:41:50 103,924 ----a-w C:\Windows\System32\perfc009.dat
- 2008-09-16 07:20:47 641,344 ----a-w C:\Windows\System32\perfh007.dat
+ 2008-09-17 11:41:50 641,344 ----a-w C:\Windows\System32\perfh007.dat
- 2008-09-16 07:20:47 610,142 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-09-17 11:41:50 610,142 ----a-w C:\Windows\System32\perfh009.dat
- 2008-09-16 07:17:22 6,426 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2566919658-3297028333-1099947430-1000_UserData.bin
+ 2008-09-17 11:38:48 6,426 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2566919658-3297028333-1099947430-1000_UserData.bin
- 2008-09-16 07:17:22 65,474 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-09-17 11:38:48 66,026 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-09-16 07:17:21 34,712 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-09-17 11:38:46 34,784 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-08-07 1232896]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 125440]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-12-03 167936]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 159744]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2006-12-04 46704]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2006-10-18 317152]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2006-10-18 472800]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-01-19 77824]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-12-07 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-12-07 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-12-07 81920]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 262401]
"MSConfig"="C:\Windows\system32\msconfig.exe" [2006-11-02 222208]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
" Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-09-10 1253040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="C:\Windows\SMINST\launcher.exe" [2006-11-08 44128]

C:\Users\HP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader - Schnellstart.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\Windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-07-24 17:02 490952 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-08-04 01:02 36352 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{A48C03BA-2FCB-43FE-8E68-D5C07EB45395}"= UDP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{EA52B341-D4A2-41F2-9D55-C39BCE58F04D}"= TCP:C:\Program Files\HP\QuickPlay\QP.exe:QP
"{56D9FC57-F549-4B58-B626-0E69F28B3D5B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7564B209-912E-4E0E-9D17-A0475A2A1733}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{7D5356AC-6305-4466-A573-2427115203C3}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{37DD6216-2589-47A3-99FF-CACC63B97270}"= UDP:39329:Torrent
"{2408813C-86CC-4557-BCD8-66207E6C7853}"= TCP:39329:TorrentUDP
"{BCDD89CD-1840-4F4F-A964-7176E8B8F6EA}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{18123142-A12D-42E9-96E3-CB72430BE11F}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2F09A5A4-43D5-4C79-97E2-DD6F2E244E88}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{148C9506-6CD8-4871-87A8-1687B13AC50E}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{EECDED33-E68F-4F04-9A55-742DB6F228AD}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 serviceIEConfig;IEConfig 1und1 Edition;C:\Windows\System32\ieconfig_1und1_svc.exe [2008-08-05 1053848]

.
Inhalt des "geplante Tasks" Ordners
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-17 13:57:48
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-09-17 13:59:36
ComboFix-quarantined-files.txt 2008-09-17 11:59:11
ComboFix2.txt 2008-09-16 07:50:42

Pre-Run: Das System hat keinen Meldungstext für die Meldungsnummer 0x2379 in der Meldungsdatei Application gefunden.
Post-Run: 19 Verzeichnis(se), 108,865,503,232 Bytes frei

238 --- E O F --- 2008-09-17 07:47:48

Regards |
17.09.2008, 17:26 | #6 |
/// TB-Ausbilder | FakeAlert Trojan-Spy.Win32.GreenScreen etc. That looks pretty good. How is the computer doing? Regards, myrtille |
18.09.2008, 14:34 | #7 |
| FakeAlert Trojan-Spy.Win32.GreenScreen etc. I think the problems are fixed. In any case, I haven't received any alerts for quite a while now... many, many thanks for the support with this! Regards |
18.09.2008, 19:14 | #8 |
/// TB-Ausbilder | FakeAlert Trojan-Spy.Win32.GreenScreen etc. Hi, then let's tidy up a little to finish:
Please uninstall ComboFix by entering "%userprofile%\Desktop\Combofix.exe" /u under Start -> Run.
Please uninstall all installed Java versions via Start -> Control Panel -> Add or Remove Programs and afterwards, if needed, download the latest Java version from Sun.
Visit Secunia and please check whether your software is up to date.
Regards, myrtille
__________________ Requests by e-mail, profile or private message will be ignored! Help is given ONLY in the forum! Anyone who has not received a further reply from me after 24 hours, please send a PM. Spelling mistakes? Never, but keybaord malfunctions constantly! |
18.09.2008, 19:43 | #9 |
| FakeAlert Trojan-Spy.Win32.GreenScreen etc. Hello myrtille. From what I read, people really do get good help here. I too have caught the Trojan-Spy.Win32.GreenScreen or keylogger trojan. So far I have followed all the instructions given in the thread (HJT+CCleaner+Combofix). Unfortunately I still get the fake alert messages. What now? Here is my current HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:35:06, on 18.09.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\IPSSVC.EXE
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\khgtypgv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Chris\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {58FD052A-6E6D-90DE-2C7B-02D68CE61637} - C:\Program Files\ofkewpe\ActMnt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AwaySch] C:\Program Files\Lenovo\AwayTask\AwaySch.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AMSG] C:\Program Files\ThinkVantage\AMSG\Amsg.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SysGen] C:\WINDOWS\system32\khgtypgv.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\VPN Client\vpngui.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.de/scan_de/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167849134800
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: ACU Configuration Service (acs) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: AntiVir PersonalEdition Classic Planer (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\VPN Client\cvpnd.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 8312 bytes

And here is my current Combofix log:

ComboFix 08-09-16.05 - Chris 2008-09-18 20:19:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.647 [GMT 2:00]
Running from: C:\Documents and Settings\Chris\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Chris\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-08-18 to 2008-09-18 )))))))))))))))))))))))))))))))
.
2008-09-18 19:54 . 2008-09-18 19:54 <DIR> d-------- C:\Program Files\CCleaner
2008-09-17 00:27 . 2008-09-17 00:28 <DIR> d-------- C:\TEMP
2008-09-16 23:26 . 2008-09-17 00:17 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-09-14 00:29 . 2008-09-14 00:29 <DIR> d-------- C:\Program Files\ofkewpe
2008-09-14 00:29 . 2008-09-14 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\lqdgdcnw
2008-09-14 00:28 . 2008-09-14 00:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\lopmhwvq
2008-09-14 00:28 . 2008-09-14 00:28 94,208 --a------ C:\WINDOWS\system32\khgtypgv.exe
2008-09-07 14:26 . 2008-09-07 14:28 <DIR> d-------- C:\Program Files\Winamp
2008-09-07 14:26 . 2008-09-07 14:31 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\Winamp
2008-09-05 21:23 . 2008-09-07 23:15 <DIR> d-------- C:\Documents and Settings\Chris\Application Data\dvdcss
2008-09-03 18:07 . 2008-09-04 16:00 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-17 23:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2008-09-07 17:45 --------- d-----w C:\Documents and Settings\Elisabeth\Application Data\AdobeUM
2008-09-07 16:03 --------- d-----w C:\Documents and Settings\Chris\Application Data\AdobeUM
2008-08-31 19:11 --------- d-----w C:\Documents and Settings\Chris\Application Data\DNA
2008-08-31 18:06 --------- d-----w C:\Program Files\DNA
2008-08-19 13:16 --------- d-----w C:\Program Files\VPN Client
2008-07-30 11:02 --------- d-----w C:\Documents and Settings\Chris\Application Data\BitTorrent
2008-07-18 20:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 20:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 20:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 20:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 20:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 20:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 20:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 20:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 15:03 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 15:38 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58FD052A-6E6D-90DE-2C7B-02D68CE61637}]
2008-09-14 00:29 122880 --a------ C:\Program Files\ofkewpe\ActMnt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"SysGen"="C:\WINDOWS\system32\khgtypgv.exe" [2008-09-14 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"ACTray"="C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-08-26 409600]
"ACWLIcon"="C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-08-26 110592]
"PSQLLauncher"="C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" [2006-04-26 31232]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"AwaySch"="C:\Program Files\Lenovo\AwayTask\AwaySch.EXE" [2006-10-19 69632]
"TPHOTKEY"="C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-10-02 94208]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-15 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-15 512000]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-23 81920]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]
"AMSG"="C:\Program Files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-16 270336]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"PWRMGRTR"="C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2006-05-26 151552]
"BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2006-05-26 208896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 286720]
"FreePDF Assistant"="C:\Program Files\FreePDF_XP\fpassist.exe" [2007-06-27 312320]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-08-04 36352]
"TpShocks"="TpShocks.exe" [2006-03-16 C:\WINDOWS\system32\TpShocks.exe]
"TP4EX"="tp4ex.exe" [2005-10-17 C:\WINDOWS\system32\TP4EX.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\VPN Client\vpngui.exe [2007-02-07 1425424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-10-19 12:08 49152 C:\Program Files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ACNotify]
2006-08-26 10:17 32768 C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 05:20 40448 C:\WINDOWS\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-06 09:45 28672 C:\WINDOWS\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-12-01 06:16 24576 C:\WINDOWS\system32\tphklock.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ansys Inc\\v81\\CommonFiles\\TCL\\bin\\intel\\wish.exe"=
"C:\\Program Files\\Ansys Inc\\v81\\ANSYS\\bin\\intel\\ANSYS.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2006-03-16 88576]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS [2005-11-08 11520]
R1 IBMTPCHK;IBMTPCHK;C:\WINDOWS\system32\Drivers\IBMBLDID.sys [2006-01-13 6016]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2005-06-20 4736]
R1 TPPWRIF;TPPWRIF;C:\WINDOWS\system32\drivers\Tppwrif.sys [2006-05-26 4442]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2003-07-08 659456]
R2 smihlp;SMI helper driver;C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys [2006-04-26 3456]
R3 WSIMD;wsimd Service;C:\WINDOWS\system32\DRIVERS\wsimd.sys [2006-07-20 54432]
.
Contents of the 'Scheduled Tasks' folder
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-18 20:20:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\ThinkPad\ConnectUtilities\ACGina.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACHelper.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcSvcStub.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\AcLocSettings.dll
-> C:\Program Files\ThinkPad\ConnectUtilities\ACNotify.dll
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-09-18 20:21:26
ComboFix-quarantined-files.txt 2008-09-18 18:21:24
ComboFix2.txt 2008-09-18 18:10:31

Pre-Run: 57,846,140,928 bytes free
Post-Run: 57,833,529,344 bytes free

133 --- E O F --- 2008-09-11 22:34:25

I would be very glad if you could help me. Thanks! Regards, scauril |