Hallo zusammen,

ich hoffe, mir kann jemand helfen. Vorweg, ich bin absoluter Laie! Das Problem: In meinem Taskmanager tauchen zuweilen 10 "iexplore. exe" auf. Dabei benutze ich den Windowsinternetexplorer gar nicht (dazu gehört die doch, oder?). Sämtliche Scans ("Anti-Malwarebytes", "Kasperski", "Spybot") ergaben keine Ergebnisse. Auf das Problem bin ich nur gestoßen, weil mein Internetverkehr über "Firefox" extrem langsam wurde. Nun gestaltet es sich so, dass die "iexplore.exe" nur auftaucht, wenn ich mit "Firefox" im Netz bin; lösche ich sie nicht augenblicklich, dann potenziert sie sich im Minutentakt. Da es hier wohl alle so handhaben, habe ich mal so einen Logfile erstellt - der folgendermaßen aussieht:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:28:46, on 23.09.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Programme\Internet Explorer\Iexplore.exe
C:\Programme\Internet Explorer\Iexplore.exe
C:\Programme\Internet Explorer\Iexplore.exe
C:\Programme\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Versatel\Versatel.exe
C:\Programme\Internet Explorer\Iexplore.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Internet Explorer\Iexplore.exe
C:\Programme\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Programme\Internet Explorer\Iexplore.exe
C:\Programme\Microsoft Office\Office12\WINWORD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar mit Pop-Up-Blocker - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Hinzufügen zu Kaspersky Anti-Banner - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Statistik für Web-Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7FE3E1C-A6CD-44AB-94D0-43696B8262DE}: NameServer = 62.220.18.8 89.246.64.8
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Programme\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4920 bytes


Mir ist noch aufgefallen - keine Ahnung, ob das wichtig ist -, dass die exe. immer vom System ausgeführt wird, also nicht vom Benutzer. Wenn es sich vermeiden lässt, dann würde ich gerne ein Neuaufsetzen aussparen (hab ich nämlich erst kürzlich), weil das auf meiner Mühle nie so reibungslos funktioniert.

Viele Dank im Voraus,

Pygmalion

Halli hallo.

Erstelle bitte ein AVZ log:AVZ Anleitung

Hi,

vielen, vielen Dank dafür, dass du mir helfen willst.
Hier die geforderten Logs:

AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 24.09.2008 13:55:09
Database loaded: signatures - 188307, NN profile(s) - 2, microprograms of healing - 56, signature database released 23.09.2008 23:40
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 73357
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->7C884FEC
Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->7C884F9C
Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->7C884FB0
Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->7C884FD8
Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->7C884FC4
IAT modification detected: LoadLibraryA - 7C884F9C<>7C801D7B
IAT modification detected: GetProcAddress - 7C884FEC<>7C80AE30
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Function user32.dll:RegisterRawInputDevices (546) intercepted, method ProcAddressHijack.GetProcAddress ->7E3BCE0E->7EEA0080
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtClose (19) intercepted (805678DD->B2E2A1E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtConnectPort (1F) intercepted (805879EB->B2E282F0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateKey (29) intercepted (8057065D->B2E1B750), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateProcess (2F) intercepted (805B135A->B2E29F10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateProcessEx (30) intercepted (8057FC60->B2E2A080), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSection (32) intercepted (805652B3->B2E2AD00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateSymbolicLinkObject (34) intercepted (8059F509->B2E2A7B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtCreateThread (35) intercepted (8058E63F->B2E2B600), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteKey (3F) intercepted (805952BE->B2E1B860), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDeleteValueKey (41) intercepted (80592D50->B2E1B8E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtDuplicateObject (44) intercepted (805715E0->B2E2A380), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateKey (47) intercepted (80570D64->B2E1B990), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtEnumerateValueKey (49) intercepted (8059066B->B2E1BA40), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtFlushKey (4F) intercepted (805DC590->B2E1BAF0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtInitializeRegistry (5C) intercepted (805A8064->B2E1BB70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadDriver (61) intercepted (805A3AF1->B2E27E50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey (62) intercepted (805AED5D->B2E1C590), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtLoadKey2 (63) intercepted (805AEB9A->B2E1BB90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtNotifyChangeKey (6F) intercepted (8058A68D->B2E1BC70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenFile (74) intercepted (8056CD5B->F8555030), hook C:\WINDOWS\system32\Drivers\kl1.sys, driver recognized as trusted
Function NtOpenKey (77) intercepted (80568D59->B2E1BD50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenProcess (7A) intercepted (805717C7->B2E29D00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtOpenSection (7D) intercepted (80570FD7->B2E2AB20), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryKey (A0) intercepted (80570A6D->B2E1BE30), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryMultipleValueKey (A1) intercepted (8064E320->B2E1BEE0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQuerySystemInformation (AD) intercepted (8057BC36->B2E2B2B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtQueryValueKey (B1) intercepted (8056A1F1->B2E1BF90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtReplaceKey (C1) intercepted (8064F0FA->B2E1C070), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->B2E28900), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtRestoreKey (CC) intercepted (8064EC91->B2E1C100), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtResumeThread (CE) intercepted (8058ECB2->B2E2B5B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSaveKey (CF) intercepted (8064ED92->B2E1C300), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetContextThread (D5) intercepted (8062DCDF->B2E2B940), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationFile (E0) intercepted (8057494A->B2E2BF60), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetInformationKey (E2) intercepted (8064DE83->B2E1C390), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSecurityObject (ED) intercepted (8059B19B->B2E26A10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetSystemInformation (F0) intercepted (805A7BDD->B2E2A9A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSetValueKey (F7) intercepted (80572889->B2E1C430), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSuspendThread (FE) intercepted (805E045E->B2E2B560), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtSystemDebugControl (FF) intercepted (80649CE3->B2E281B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtTerminateProcess (101) intercepted (805822E0->B2E2B150), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtUnloadKey (107) intercepted (8064D9FA->B2E1C550), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function NtWriteVirtualMemory (115) intercepted (8057E420->B2E2A240), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function FsRtlCheckLockForReadAccess (80512919) - machine code modification Method of JmpTo. jmp B2E2C380 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Function IoIsOperationSynchronous (804E875A) - machine code modification Method of JmpTo. jmp B2E2C880 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
Functions checked: 284, intercepted: 43, restored: 0
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 25
Analyzer: process under analysis is 1232 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1440 C:\WINDOWS\system32\svchost.exe
[ES]:Contains network functionality
[ES]:Listens on TCP ports !
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1600 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 1660 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 1828 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 880 C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer: process under analysis is 1580 C:\WINDOWS\System32\svchost.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Located in system folder
Analyzer: process under analysis is 3548 C:\Programme\Mozilla Firefox\firefox.exe
[ES]:Contains network functionality
[ES]:Loads RASAPI DLL - may use dialing ?
Analyzer: process under analysis is 2852 C:\PROGRA~1\Versatel\Versatel.exe
[ES]:Contains network functionality
[ES]:Trojan.PSW ?
[ES]:Application has no visible windows
[ES]:Loads RASAPI DLL - may use dialing ?
Number of modules loaded: 378
Scanning memory - complete
3. Scanning disks
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
>> Abnormal REG files association
>> Service termination timeout is out of admissible values
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 403, extracted from archives: 0, malicious software found 0, suspicions - 0
Scanning finished at 24.09.2008 13:55:48
Time of scanning: 00:00:42
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress
System Analysis - complete



Ohhhhhhh, wo ist denn der erste???? Ich habe ihn gespeichert...und nun ist er weg... Mache ihn nochmal. Momentchen.

Bezüglich HiJacktThis Log:

Zitat:

Kennen Sie die IP oder die Domäne '62.220.18.8 89.246.64.8' nicht, fixen.

Mich würde nach wie vor ein TCP View Log interessieren.

Hört sich nach einem Bot/Botnetz an oder Fremdeinfluss durch einen Trojaner.
Haste in letzter Zeit merkwürdige Datein geöffnet die nicht von seriösen Quellen (Webseiten) kamen?

Suche doch mal mit der Windowssuche nach iexplorer.exe und sage in welchen Verzeichnissen die entsprechenden Funde liegen.

Hier der Rest:

AVZ Antiviral Toolkit log; AVZ version is 4.30
Scanning started at 24.09.2008 14:21:53
Database loaded: signatures - 188307, NN profile(s) - 2, microprograms of healing - 56, signature database released 23.09.2008 23:40
Heuristic microprograms loaded: 370
SPV microprograms loaded: 9
Digital signatures of system files loaded: 73357
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 3 ; AVZ is launched with administrator rights
System Restore: enabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
Analysis: kernel32.dll, export table found in section .text
Function kernel32.dll:GetProcAddress (409) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AE30->7C884FEC
Hook kernel32.dll:GetProcAddress (409) blocked
Function kernel32.dll:LoadLibraryA (581) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D7B->7C884F9C
Hook kernel32.dll:LoadLibraryA (581) blocked
>>> Functions LoadLibraryA - preventing AVZ process from being intercepted by address replacement !!)
Function kernel32.dll:LoadLibraryExA (582) intercepted, method ProcAddressHijack.GetProcAddress ->7C801D53->7C884FB0
Hook kernel32.dll:LoadLibraryExA (582) blocked
>>> Functions LoadLibraryExA - preventing AVZ process from being intercepted by address replacement !!)
Function kernel32.dll:LoadLibraryExW (583) intercepted, method ProcAddressHijack.GetProcAddress ->7C801AF5->7C884FD8
Hook kernel32.dll:LoadLibraryExW (583) blocked
Function kernel32.dll:LoadLibraryW (584) intercepted, method ProcAddressHijack.GetProcAddress ->7C80AEDB->7C884FC4
Hook kernel32.dll:LoadLibraryW (584) blocked
IAT modification detected: LoadLibraryA - 7C884F9C<>7C801D7B
IAT address restored: LoadLibraryA
IAT modification detected: GetProcAddress - 7C884FEC<>7C80AE30
IAT address restored: GetProcAddress
Analysis: ntdll.dll, export table found in section .text
Analysis: user32.dll, export table found in section .text
Function user32.dll:RegisterRawInputDevices (546) intercepted, method ProcAddressHijack.GetProcAddress ->7E3BCE0E->7EEA0080
Hook user32.dll:RegisterRawInputDevices (546) blocked
Analysis: advapi32.dll, export table found in section .text
Analysis: ws2_32.dll, export table found in section .text
Analysis: wininet.dll, export table found in section .text
Analysis: rasapi32.dll, export table found in section .text
Analysis: urlmon.dll, export table found in section .text
Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
Driver loaded successfully
SDT found (RVA=083220)
Kernel ntoskrnl.exe found in memory at address 804D7000
SDT = 8055A220
KiST = 804E26A8 (284)
Function NtClose (19) intercepted (805678DD->B2E2A1E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtConnectPort (1F) intercepted (805879EB->B2E282F0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateKey (29) intercepted (8057065D->B2E1B750), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateProcess (2F) intercepted (805B135A->B2E29F10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateProcessEx (30) intercepted (8057FC60->B2E2A080), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSection (32) intercepted (805652B3->B2E2AD00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateSymbolicLinkObject (34) intercepted (8059F509->B2E2A7B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtCreateThread (35) intercepted (8058E63F->B2E2B600), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteKey (3F) intercepted (805952BE->B2E1B860), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDeleteValueKey (41) intercepted (80592D50->B2E1B8E0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtDuplicateObject (44) intercepted (805715E0->B2E2A380), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateKey (47) intercepted (80570D64->B2E1B990), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtEnumerateValueKey (49) intercepted (8059066B->B2E1BA40), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtFlushKey (4F) intercepted (805DC590->B2E1BAF0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtInitializeRegistry (5C) intercepted (805A8064->B2E1BB70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadDriver (61) intercepted (805A3AF1->B2E27E50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadKey (62) intercepted (805AED5D->B2E1C590), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtLoadKey2 (63) intercepted (805AEB9A->B2E1BB90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtNotifyChangeKey (6F) intercepted (8058A68D->B2E1BC70), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenFile (74) intercepted (8056CD5B->F8555030), hook C:\WINDOWS\system32\Drivers\kl1.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenKey (77) intercepted (80568D59->B2E1BD50), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenProcess (7A) intercepted (805717C7->B2E29D00), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtOpenSection (7D) intercepted (80570FD7->B2E2AB20), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryKey (A0) intercepted (80570A6D->B2E1BE30), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryMultipleValueKey (A1) intercepted (8064E320->B2E1BEE0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQuerySystemInformation (AD) intercepted (8057BC36->B2E2B2B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtQueryValueKey (B1) intercepted (8056A1F1->B2E1BF90), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtReplaceKey (C1) intercepted (8064F0FA->B2E1C070), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRequestWaitReplyPort (C8) intercepted (80576CE6->B2E28900), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtRestoreKey (CC) intercepted (8064EC91->B2E1C100), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtResumeThread (CE) intercepted (8058ECB2->B2E2B5B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSaveKey (CF) intercepted (8064ED92->B2E1C300), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetContextThread (D5) intercepted (8062DCDF->B2E2B940), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationFile (E0) intercepted (8057494A->B2E2BF60), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetInformationKey (E2) intercepted (8064DE83->B2E1C390), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSecurityObject (ED) intercepted (8059B19B->B2E26A10), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetSystemInformation (F0) intercepted (805A7BDD->B2E2A9A0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSetValueKey (F7) intercepted (80572889->B2E1C430), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSuspendThread (FE) intercepted (805E045E->B2E2B560), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtSystemDebugControl (FF) intercepted (80649CE3->B2E281B0), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) intercepted (805822E0->B2E2B150), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtUnloadKey (107) intercepted (8064D9FA->B2E1C550), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function NtWriteVirtualMemory (115) intercepted (8057E420->B2E2A240), hook C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
>>> Hook code blocked
Function FsRtlCheckLockForReadAccess (80512919) - machine code modification Method of JmpTo. jmp B2E2C380 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
Function IoIsOperationSynchronous (804E875A) - machine code modification Method of JmpTo. jmp B2E2C880 \??\C:\WINDOWS\system32\drivers\klif.sys, driver recognized as trusted
>>> Function restored successfully !
Functions checked: 284, intercepted: 43, restored: 45
1.3 Checking IDT and SYSENTER
Analysis for CPU 1
Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
Checking not performed: extended monitoring driver (AVZPM) is not installed
Driver loaded successfully
1.5 Checking of IRP handlers
Checking - complete
2. Scanning memory
Number of processes found: 27
Number of modules loaded: 386
Scanning memory - complete
3. Scanning disks
Direct reading C:\Dokumente und Einstellungen\Besitzer\Lokale Einstellungen\Temp\~DFDD2.tmp
4. Checking Winsock Layered Service Provider (SPI/LSP)
LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll --> Suspicion for Keylogger or Trojan DLL
C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll>>> Behavioural analysis
Behaviour typical for keyloggers not detected
Note: Do NOT delete suspicious files, send them for analysis (see FAQ for more details), because there are lots of useful hooking DLLs
6. Searching for opened TCP/UDP ports used by malicious programs
Checking disabled by user
7. Heuristic system check
Latent loading of libraries through AppInit_DLLs suspected: "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"
Checking - complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed: TermService (Terminaldienste)
>> Services: potentially dangerous service allowed: SSDPSRV (SSDP-Suchdienst)
>> Services: potentially dangerous service allowed: Schedule (Taskplaner)
>> Services: potentially dangerous service allowed: RDSessMgr (Sitzungs-Manager für Remotedesktophilfe)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
Checking - complete
9. Troubleshooting wizard
>> Abnormal REG files association
>> Service termination timeout is out of admissible values
>> HDD autorun are allowed
>> Autorun from network drives are allowed
>> Removable media autorun are allowed
Checking - complete
Files scanned: 65277, extracted from archives: 42003, malicious software found 0, suspicions - 0
Scanning finished at 24.09.2008 14:46:58
!!! Attention !!! Recovered 45 KiST functions during Anti-Rootkit operation
This may affect execution of several programs, so it is strongly recommended to reboot
Time of scanning: 00:25:07
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress
System Analysis - complete



Übrigens: Kaspersky meldet permanent den folgenden Befund:"24.09.2008 14:21:11 Die Anwendung IEXPLORE.EXE wurde verändert"

Zitat:

Übrigens: Kaspersky meldet permanent den folgenden Befund:"24.09.2008 14:21:11 Die Anwendung IEXPLORE.EXE wurde verändert"

Auch wenn du das Internet zu Testzwecken ausschaltest?

Nee, eigentlich hatte ich nichts auf meinem Rechner, d.h. keine komischen, unseriösen Datein. Bin sowieso vorsichtig geworden, weil ich ständig irgendwie befallen bin, obwohl ich nichts aus dem Netz lade... Arbeite kurz die Punkte ab. Ich glaube bei dem Port handelt es sich um versatel; überprüfe das gleich.

Nein, nur wenn ich mit Firerfox im Netz bin.

Zitat:

Zitat von Pygmalion

Nee, eigentlich hatte ich nichts auf meinem Rechner, d.h. keine komischen, unseriösen Datein. Bin sowieso vorsichtig geworden, weil ich ständig irgendwie befallen bin, obwohl ich nichts aus dem Netz lade... Arbeite kurz die Punkte ab. Ich glaube bei dem Port handelt es sich um versatel; überprüfe das gleich.

Ist deine Software up2date?
Sicherheitslücken in veralteter Software >>

Hier der tcpviewlog:

[System Process]:0 TCP nico-c43x98vb4o:1642 62.32.97.15:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1621 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1669 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1637 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1661 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1649 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1625 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1601 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1605 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1677 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1593 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1613 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1657 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1653 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1617 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1665 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1633 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1597 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1641 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1624 demdvip1.doubleclick.net:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1652 demdvip1.doubleclick.net:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1632 demegaadvip1.doubleclick.net:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1640 194.129.79.50:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1670 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1594 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1622 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1618 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1626 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1631 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1675 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1643 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1615 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1627 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1647 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1655 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1599 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1663 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1667 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1659 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1651 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1611 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1603 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1679 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1639 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1635 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1681 194.116.241.55:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1654 demegaadvip1.doubleclick.net:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1662 194.129.79.50:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1658 194.129.79.50:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1646 194.129.79.50:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1608 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1110 localhost:1668 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1680 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1604 localhost:1110 TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1682 194.116.241.55:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1678 194.116.241.52:http TIME_WAIT
[System Process]:0 TCP nico-c43x98vb4o:1623 demdvip1.doubleclick.net:http TIME_WAIT
alg.exe:2236 TCP nico-c43x98vb4o:1028 nico-c43x98vb4o:0 LISTENING
avp.exe:1340 TCP nico-c43x98vb4o:1684 downloads.sysinternals.com:http ESTABLISHED
avp.exe:1340 TCP nico-c43x98vb4o:1110 localhost:1683 ESTABLISHED
avp.exe:1340 TCP nico-c43x98vb4o:1110 nico-c43x98vb4o:0 LISTENING
firefox.exe:1928 TCP nico-c43x98vb4o:1038 localhost:1039 ESTABLISHED
firefox.exe:1928 TCP nico-c43x98vb4o:1040 localhost:1041 ESTABLISHED
firefox.exe:1928 TCP nico-c43x98vb4o:1041 localhost:1040 ESTABLISHED
firefox.exe:1928 TCP nico-c43x98vb4o:1039 localhost:1038 ESTABLISHED
firefox.exe:1928 TCP nico-c43x98vb4o:1683 localhost:1110 ESTABLISHED
iexplore.exe:1640 UDP nico-c43x98vb4o:1390 *:*
iexplore.exe:3284 UDP nico-c43x98vb4o:1387 *:*
iexplore.exe:3576 UDP nico-c43x98vb4o:1374 *:*
lsass.exe:1056 UDP nico-c43x98vb4o:isakmp *:*
lsass.exe:1056 UDP nico-c43x98vb4o:4500 *:*
svchost.exe:1440 TCP nico-c43x98vb4o:epmap nico-c43x98vb4o:0 LISTENING
svchost.exe:1600 UDP 192.168.0.1:bootps *:*
svchost.exe:1600 UDP nico-c43x98vb4o:1031 *:*
svchost.exe:1600 UDP 192.168.0.1:bootpc *:*
svchost.exe:1600 UDP nico-c43x98vb4o:1030 *:*
svchost.exe:1600 UDP 192.168.0.1:domain *:*
svchost.exe:1864 UDP 192.168.0.1:1900 *:*
svchost.exe:1864 UDP nico-c43x98vb4o:1900 *:*
svchost.exe:1864 UDP nico-c43x98vb4o:1900 *:*
System:4 TCP nico-c43x98vb4o:microsoft-ds nico-c43x98vb4o:0 LISTENING
System:4 TCP 192.168.0.1:netbios-ssn nico-c43x98vb4o:0 LISTENING
System:4 UDP 192.168.0.1:netbios-ns *:*
System:4 UDP 192.168.0.1:netbios-dgm *:*
System:4 UDP nico-c43x98vb4o:microsoft-ds *:*

Ja, eigentlich bemühe ich mich regelmäßig um alle Updates.
Hier die Ergebnisse zur iexplore.exe-Suche:
C:\Programme\InernetExplorer
C:\Windows\Prefetch
C:\Windows\ServicePackFiles\i386
C:\Windows\SoftwareDistribution\Download
C:\Windows\SoftwareDistribution\Download

Im TCP View Log konnte ich erstmal nichts Verdächtiges finden, demnach lässt sich fast komplett ausschließen, dass du einen gewöhnlichen Trojaner hast.

Wenn die ieexplore.exe trotz geschlossenem Internetexplorer dennoch im Taskmanager sind, ist dies dennoch merkwürdig.

Ich kann dir jetzt nur noch folgendes raten:

a-squared Free Scan ausführen
Bitte lade dir a-squared Free herunter. Führe ein Update aus und mache einen vollständigen Scan. Lösche am Ende noch keine Funde sondern liste alle Funde samt deren Fundort (Verzeichnis) hier auf. Dabei musst du die Tracking Cookies nicht nennen.

Und das die iexplore.exe bei folgenden Diensten überprüfen lässt:
Ps. Im Titel steht nicht iexplore sondern iexplorer war das ein Rechtschreibfehler oder welches der beiden wird im Taskmanager angezeigt.

Tests durchführen
1. Avira Labor
Sende die verdächtigen Datein ans Avira Labor und vergiss nicht für die Benachrichtigung eine gültige E-Mailadresse anzugeben.

2. Anubis
Lade die Datein einzelnt bei Anubis hoch und poste hier die Links zum aufrufen der Ergebnisse.

3. Virustotal
Lade die Datein bei Virustotal hoch und schreibe bei keinem Fund trotzdem zu dem Dateinamen den MD5 Hasg. Wenn etwas gefunden wurde, füge das ganze Log ein oder poste den Link zu der Ergebnisseite.

Eventuell kann dir dann noch undoreal weiterhelfen, wenn er deine AVZ Logs auswertet.

Vielen Dank, ich gehe die Punkte einzeln durch. Nein, das ist ein Fehler gewesen: Im Taskmanager steht iexplore. exe. Ich werde noch verrückt. Alle zwei Minuten kommt diese Kasperskymeldung....

Zitat:

Zitat von xonic

Tests durchführen
1. Avira Labor
Sende die verdächtigen Datein ans Avira Labor und vergiss nicht für die Benachrichtigung eine gültige E-Mailadresse anzugeben.

2. Anubis
Lade die Datein einzelnt bei Anubis hoch und poste hier die Links zum aufrufen der Ergebnisse.

3. Virustotal
Lade die Datein bei Virustotal hoch und schreibe bei keinem Fund trotzdem zu dem Dateinamen den MD5 Hasg. Wenn etwas gefunden wurde, füge das ganze Log ein oder poste den Link zu der Ergebnisseite.

Also entweder lässt du die Dateien von AVIRA und ANUBIS(?) testen, oder aber nur von Virustotal!
Denn beim hochladen bei VT werden die Dateien automatisch an alle Labore verschickt.
Man muss den Leuten ja nicht mehr Arbeit machen als sie schon haben.

Zitat:

Zitat von [GC]Sunny

Also entweder lässt du die Dateien von AVIRA und ANUBIS(?) testen, oder aber nur von Virustotal!
Denn beim hochladen bei VT werden die Dateien automatisch an alle Labore verschickt.
Man muss den Leuten ja nicht mehr Arbeit machen als sie schon haben.

Virustoal leitet die Datein an den Virenscannerherstellern weiter, aber nicht vorrangig. Wer es bei Avira direkt hochlädt wird bei der Auswertung bevorzugt.

Anbubis ist ein Dienst der Datein ausführt und genau anzeigt welche Aktivitäten in der Registry / File / Internet usw sie getätigt haben. Welche DLLS sie ausgelesen haben und noch vieles mehr.
Siehe Samples

Hat alles seine Gründe, das ich es so sage wie ich es sage