Thread: After a virus infection hardly anything works any more
15.01.2009, 22:31, #1
After a virus infection hardly anything works any more

Hello... I really don't know what to do any more. My PC was actually fine until Antivir found something called HEUR/Crypted during a scan, which I couldn't delete with it. The PC still worked perfectly, though. I didn't want to keep this virus or whatever it is, so I searched the internet for what to do about it. I then downloaded avast, had it run a system check and deleted everything it found. After that I ran scans x more times... Avast takes hours and then still finds one thing or another; Antivir now always gets stuck at 3.5%... But now hardly anything works any more. Above all, I can't use the internet any more: when I open Firefox it works for a moment, and if I'm quick I manage to open a new page, but then it hangs immediately (not responding). Same with IE. I can't start ICQ either, so no connection to the internet works at all... Other things take forever to open; pictures, music... mostly work then, but sometimes hang too. I have no clue at all about fighting viruses etc., sorry... can you maybe help me somehow? Here is the HJT log:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:24:47, on 15.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
M:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.lycos.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h**p://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h**p://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Programme\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: InstaFinder_K - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\Programme\INSTAFINK\instafink.dll (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Programme\RXToolBar\sfcont.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Programme\RXToolBar\RXToolBar.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Programme\Gemeinsame Dateien\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Keyboard Status] C:\PROGRA~1\Medion\KeyStat\KeyStat.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCMService] "C:\Programme\Home Cinema\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programme\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [XTIC] c:\programme\lg xtick2.91\xtick.exe sys_auto_run C:\Programme\LG XTICK2.91
O4 - HKLM\..\Run: [kdxgthkaab] C:\Programme\kdxgthkaab.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [HostManager] C:\Programme\Gemeinsame Dateien\AOL\1178739999\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programme\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Programme\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Programme\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [updateMgr] "C:\Programme\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Programme\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Programme\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Programme\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Search - http://kp.bar.need2find.com/KP/menusearch.html?p=KP
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com/
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - h**p://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1106843944468
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - h**p://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - G:\Player\__CDS2.dll (file missing)
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programme\RXToolBar\sfcont.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\GEMEIN~1\aol\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Programme\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour-Dienst (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Programme\Home Cinema\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programme\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--
End of file - 11778 bytes
16.01.2009, 11:44, #2
After a virus infection hardly anything works any more

Hi Annie,

first of all you should decide which virus scanner you want to use. At the moment you have three running at the same time, and that is not good at all! No virus scanner can really do its job that way. I would recommend keeping Avast as the only one. Please uninstall:

Code:
AntiVir PersonalEdition Classic
eTrust Antivirus

Code:
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Programme\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O2 - BHO: InstaFinder_K - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\Programme\INSTAFINK\instafink.dll (file missing)
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Programme\RXToolBar\sfcont.dll (file missing)
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Programme\RXToolBar\RXToolBar.dll (file missing)
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe (file missing)

Code:
O8 - Extra context menu item: &Search - http://kp.bar.need2find.com/KP/menusearch.html?p=KP
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programme\RXToolBar\sfcont.dll
O4 - HKLM\..\Run: [XTIC] c:\programme\lg xtick2.91\xtick.exe sys_auto_run
O4 - HKLM\..\Run: [kdxgthkaab] C:\Programme\kdxgthkaab.exe

Please upload the three files named last (sfcont.dll, xtick.exe, kdxgthkaab.exe) to virustotal.com and have them analysed. Post the result here. Please also download Malwarebytes and run a complete scan. Post that log here too.
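The triage the helper does by eye in the reply above, written out as a small script. This is an added example, not code from the thread and not part of HijackThis, Malwarebytes or VirusTotal: it scans HijackThis-style lines for the patterns picked out in the reply (registrations marked "(file missing)", the text/html filter hijack, an O16 entry with no download source, an autostart executable placed straight in the Programs root with no vendor folder) and lists the targets that still exist, which are the candidates to hash and submit to a multi-engine scanner. The sample lines are copied from the log in post #1; the Programs-root check and the "random-looking name" vowel heuristic are my own assumptions, not HijackThis rules, and the latter is only a weak hint.

```python
import hashlib
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines quoted in post #1.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Programme\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\Programme\RXToolBar\RXToolBar.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [kdxgthkaab] C:\Programme\kdxgthkaab.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Programme\RXToolBar\sfcont.dll
"""

# Assumption: a legitimate autostart lives in a vendor sub-folder, not directly here.
PROGRAM_ROOTS = {r"c:\programme", r"c:\program files", r"c:\progra~1"}


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the entry deserves a second look
    path: str     # target file, "" when none could be extracted
    line: str     # the original log line


def target_path(entry: str) -> str:
    """Pull the first Windows path ending in .exe/.dll out of an HJT entry."""
    m = re.search(r'"?([A-Za-z]:\\[^"\s][^"]*?\.(?:exe|dll))', entry, re.IGNORECASE)
    return m.group(1) if m else ""


def looks_random(stem: str) -> bool:
    """Weak hint (my heuristic): a long file stem with almost no vowels, like kdxgthkaab."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiouy" for c in letters)
    return vowels / len(letters) <= 0.2


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (entry, reason) for the suspicious patterns described above."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(O\d+|R\d+) - (.*)", line)
        if not m:
            continue
        section, entry = m.groups()
        path = target_path(entry)
        reasons = []
        if "(file missing)" in entry:
            reasons.append("registration points at a file that no longer exists")
        if section == "O18" and entry.startswith("Filter hijack"):
            reasons.append("MIME filter inserted into the browser's HTML pipeline")
        if section == "O16" and entry.endswith("-"):
            reasons.append("ActiveX download entry without a source URL")
        if section == "O4" and path:
            if ntpath.dirname(path).lower() in PROGRAM_ROOTS:
                reasons.append("autostart executable sits directly in the Programs root, no vendor folder")
            if looks_random(ntpath.splitext(ntpath.basename(path))[0]):
                reasons.append("autostart file name looks random (weak hint)")
        for reason in reasons:
            findings.append(Finding(section, reason, path, line))
    return findings


def files_to_submit(findings: list[Finding]) -> set[str]:
    """Flagged targets the log says are still on disk: these are the files worth
    hashing and submitting to a multi-engine scanner such as virustotal.com."""
    return {f.path for f in findings if f.path and "(file missing)" not in f.line}


def digests(data: bytes) -> dict[str, str]:
    """MD5/SHA1/SHA256 of a file's bytes, to compare against a scanner report and
    confirm the uploaded file is the one named in the log."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("submit for scanning:", sorted(files_to_submit(found)))
    print("digests of an empty file:", digests(b""))
```

Run against the sample, the script flags the two orphaned registrations, the filter hijack, the empty O16 entry and kdxgthkaab.exe (twice: location and name), and reduces the upload list to the two files that still exist, sfcont.dll and kdxgthkaab.exe, which is exactly the pair the helper asked for apart from xtick.exe, whose O4 line is not in the sample.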
17.01.2009, 23:48, #3
After a virus infection hardly anything works any more

First of all, a huge thank you =) Everything is already working much better again; I can also get on the internet again and no longer have to juggle everything via the other PC...

Virustotal.com: xtick.exe

Code:
Datei XTICK.exe empfangen 2009.01.17 00:02:04 (CET)
Status: Beendet
Ergebnis: 0/37 (0.00%)
weitere Informationen
File size: 311396 bytes
MD5...: 9c73142f9ef41b2f01590026b9eeb6a2
SHA1..: 5a7a6b807e948f668207ad176bb4e737966d200e
SHA256: 47ef2f2c179d495ccd3263cf36c1683f72dc383414609a802af4506dbe53448e
SHA512: 65c42ebc91690f631c4a70997564659e847d27350fbc9b82e95a129321d49070 ae753eb343774c3eae38b1b6b4470dfc5672906848e208d2d8b8e6e344d56e50
ssdeep: 6144:Tow44INTqL9tn5ETrWOfjGuvA5T111J55Pxu3316Hx9f:Tow44INTqvnYr0 uvMuV6R1
PEiD..: Armadillo v1.71
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x41a2f4
timedatestamp.....: 0x40c7cd7f (Thu Jun 10 02:54:55 2004)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1b95e 0x1c000 6.29 8579ac2f399bb8b68e6de31052d80e72
.rdata 0x1d000 0x5b52 0x6000 4.64 bc2aa39c76c8c97aad4ef33c9b568129
.data 0x23000 0x2f48 0x3000 4.80 c3de6f9a1d25a70a14a0e8db54f78bc3
.rsrc 0x26000 0x254b8 0x26000 6.52 d8414dc98292d85ae81bf9496a980faa
( 14 imports )
> CFGMGR32.dll: CM_Get_DevNode_Status
> SETUPAPI.dll: SetupDiGetDeviceInterfaceDetailA, SetupDiEnumDeviceInterfaces, SetupDiEnumDeviceInfo, SetupDiGetClassDevsA, SetupDiDestroyDeviceInfoList, SetupDiSetClassInstallParamsA, SetupDiGetDeviceRegistryPropertyA, SetupDiSetDeviceRegistryPropertyA, SetupDiCallClassInstaller
> WINMM.dll: sndPlaySoundA
> MFC42.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT.dll: _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, exit, _XcptFilter, _exit, _onexit, __dllonexit, strcat, _setmbcp, strcmp, __CxxFrameHandler, _EH_prolog, _mbscmp, _controlfp, memcpy, free, malloc, memset, strcpy, memcmp, rand, srand, time, calloc, strlen, _strupr, strtok, printf, _ftol, atof, memmove, _mbsnbcmp, sprintf, _beginthread, strncpy, _endthread
> KERNEL32.dll: CreateToolhelp32Snapshot, GetModuleFileNameA, GetCurrentDirectoryA, Process32Next, LocalFree, GetVersion, FormatMessageA, GlobalLock, GlobalUnlock, GlobalAlloc, LoadResource, LockResource, FindResourceA, MulDiv, GetFileSize, SizeofResource, GetFileAttributesA, GetSystemTime, ReadFile, Sleep, CreateFileA, CloseHandle, DeviceIoControl, GetVersionExA, GetLastError, lstrcpynA, SleepEx, CreateThread, GetVolumeInformationA, GetTempPathA, GetLogicalDrives, TerminateProcess, CreateProcessA, GetDriveTypeA, WriteFile, OpenFile, GetStartupInfoA, DeleteFileA, GetModuleHandleA, GetWindowsDirectoryA, WaitForSingleObject, Process32First
> USER32.dll: KillTimer, GetSystemMetrics, DrawIcon, GetSystemMenu, AppendMenuA, GetDC, MessageBoxA, LoadBitmapA, MessageBoxExA, EqualRect, LoadIconA, MessageBeep, ClientToScreen, FillRect, OffsetRect, RedrawWindow, InvalidateRect, UpdateWindow, GetSysColor, IsIconic, GetDesktopWindow, GetWindowRect, SetTimer, GetParent, PostMessageA, SendMessageA, EnableWindow, GetNextDlgGroupItem, SetWindowRgn, WindowFromPoint, DrawEdge, SetCapture, GetWindowLongA, IsWindow, GetCursorPos, SetForegroundWindow, GetSubMenu, ReleaseCapture, GetCapture, SetCursor, GetClientRect, LoadMenuA, EnumWindows, DrawFocusRect
> GDI32.dll: BitBlt, CreateSolidBrush, DeleteObject, GetStockObject, CreateFontA, CreateFontIndirectA, GetViewportOrgEx, GetObjectA, CreateCompatibleBitmap, CreateCompatibleDC, Rectangle, DeleteDC, SelectObject, CreateBitmap, SetTextColor, SetBkColor, GetDeviceCaps, GetTextExtentPoint32A, StretchBlt, SelectClipRgn, CombineRgn, CreateRectRgn, GetPixel, SetViewportOrgEx
> ADVAPI32.dll: DeleteService, RegQueryValueExA, CreateServiceA, CloseServiceHandle, RegOpenKeyExA, OpenServiceA, RegCreateKeyExA, RegSetValueExA, RegCloseKey, OpenSCManagerA
> SHELL32.dll: ShellExecuteA, Shell_NotifyIconA
> COMCTL32.dll: _TrackMouseEvent
> ole32.dll: CreateStreamOnHGlobal, StgCreateDocfileOnILockBytes, CreateILockBytesOnHGlobal
> OLEPRO32.DLL: -
> SHLWAPI.dll: PathFindFileNameA
( 0 exports )

Virustotal.com: kdxgthkaab.exe

Code:
Datei kdxgthkaab.exe empfangen 2009.01.17 00:09:29 (CET)
Status: Beendet
Ergebnis: 0/39 (0.00%)
weitere Informationen
File size: 405504 bytes
MD5...: a722119e50752bab5bda996994449c6a
SHA1..: ca1e1c5606333d49a40850948be6409eea0ba306
SHA256: ab24d4f68fb80e778e362d92a185d5eee0c6783893a8920768357a1caab7a19f
SHA512: 1ff9a39dadd82b62a913398efd1d410b86b25feba9be17fd83cfc7d8e2e3ff86 234b8cb5ce71f63c30aa01eb9ab52f773636fd556cc6239b8096bae51e44e664
ssdeep: 6144:xz8O6haek5aqd6XjVMVuZYXKGNxVVJKcQy5XU818tfOvqNZT6:Z16haeCaq MXjOcZY9PJKiOSmtT6
PEiD..: InstallShield 2000
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x40bab0
timedatestamp.....: 0x42c2ccbc (Wed Jun 29 16:30:52 2005)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x43b7e 0x44000 6.16 7b5608073bf78d9d0ba8c4faf5b99da7
.rdata 0x45000 0x81d4 0x9000 5.08 014fcb5456ef835b880305bc7d243eda
.data 0x4e000 0x13098 0x11000 5.46 ee31de3c10ac6ecd6168a4cee7bac3b4
.reloc 0x62000 0x3408 0x4000 5.74 8bfe625933eb0300e2850a9a44fa6b36
( 3 imports )
> KERNEL32.dll: WriteFile, DeleteFileA, GetLastError, Sleep, GetProcAddress, GetStartupInfoA, GetCommandLineA, GetVersionExA, RtlUnwind, IsBadWritePtr, IsBadReadPtr, HeapValidate, RaiseException, TerminateProcess, GetCurrentProcess, ExitProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, TlsAlloc, GetCurrentThreadId, TlsFree, TlsSetValue, TlsGetValue, SetLastError, GetCurrentThread, HeapDestroy, HeapCreate, HeapFree, VirtualFree, LCMapStringA, LCMapStringW, EnterCriticalSection, GetVolumeInformationA, DebugBreak, InterlockedDecrement, OutputDebugStringA, InterlockedIncrement, FatalAppExitA, HeapAlloc, HeapReAlloc, VirtualAlloc, SetUnhandledExceptionFilter, GetACP, GetOEMCP, GetCPInfo, InitializeCriticalSection, VirtualQuery, InterlockedExchange, GetTimeFormatA, GetDateFormatA, GetStringTypeA, GetStringTypeW, IsValidLocale, IsValidCodePage, GetLocaleInfoA, EnumSystemLocalesA, GetUserDefaultLCID, VirtualProtect, GetSystemInfo, SetConsoleCtrlHandler, SetStdHandle, FlushFileBuffers, SetFilePointer, IsBadCodePtr, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetTimeZoneInformation, SetEndOfFile, ReadFile, GetLocaleInfoW, CompareStringA, CompareStringW, SetEnvironmentVariableA, LoadLibraryA, GetModuleHandleA, DeviceIoControl, GetSystemDirectoryA, CreateFileA, SetFileTime, CloseHandle, FileTimeToSystemTime, SystemTimeToFileTime, GetWindowsDirectoryA, GetTempPathA, GetTickCount, FindFirstFileA, FindNextFileA, FindClose, LeaveCriticalSection, MultiByteToWideChar, FreeLibrary, WaitForSingleObject, CreateEventA
> ADVAPI32.dll: RegQueryValueExA, ControlService, QueryServiceConfigA, QueryServiceStatus, OpenSCManagerA, CreateServiceA, OpenServiceA, StartServiceA, DeleteService, CloseServiceHandle, RegEnumValueA, RegDeleteValueA, RegOpenKeyA, RegSetValueExA, RegCloseKey, RegOpenKeyExA
> USER32.dll: MessageBoxA
( 0 exports )

Malwarebytes Scan Log:

Code:
Malwarebytes' Anti-Malware 1.33
Datenbank Version: 1663
Windows 5.1.2600 Service Pack 3

17.01.2009 23:33:16
mbam-log-2009-01-17 (23-33-16).txt

Scan-Methode: Vollständiger Scan (C:\|D:\|E:\|)
Durchsuchte Objekte: 202750
Laufzeit: 1 hour(s), 2 minute(s), 7 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 11
Infizierte Registrierungswerte: 1
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 5
Infizierte Dateien: 30

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
HKEY_CLASSES_ROOT\rxresult.rxresultfilter (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rxresult.rxresultfilter.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2ab289ae-4b90-4281-b2ae-1f4bb034b647} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d1c4e81-a32a-416b-bcdb-33b3ef3617d3} (Adware.Need2Find) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rxtoolbar.tbinfo (Adware.RXToolbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rxtoolbar.tbinfo.1 (Adware.RXToolbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RXToolBar (Adware.RXToolbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RX ToolBar (Adware.RXToolbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055fd26d-3a88-4e15-963d-dc8493744b1d} (Adware.BHO) -> Quarantined and deleted successfully.

Infizierte Registrierungswerte:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\p2p networking (Backdoor.Bot) -> Quarantined and deleted successfully.

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
C:\Programme\RXToolBar (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Cache (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\graphics (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\HTML (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Icon (Adware.RXToolbar) -> Quarantined and deleted successfully.

Infizierte Dateien:
C:\Programme\RXToolBar\CacheCatalog.rx (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\rx.xml (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\rxtoolbar.cfg (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\rxwebsearches.xsl (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\sfcont.bin (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\yahoo.xsl (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Cache\CT (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Cache\CTwww_fanfiction_net_ (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Cache\CTwww_lycos_de (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Cache\CTwww_qklinkserver_com_activity_in_asp_bid=6900NC (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Cache\CTwww_srch-results_com_lm_imp_rxt_asp_si=19902&k=meet%20thereNC (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Cache\CTwww_thalerwald_de_forum_NC (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Cache\U953136 (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Cache\U953136_yahoo (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\graphics\additional.gif (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\graphics\additional_active.gif (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\graphics\background.jpg (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\graphics\blue_hr_horz.GIF (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\graphics\gray_hr_horz.GIF (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\graphics\thumbtack.gif (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\graphics\thumbtack_active.gif (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\graphics\thumbtack_click.gif (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\HTML\content.htm (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\HTML\main.htm (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\Programme\RXToolBar\Icon\blake_prohosting_com_favicon_ico.ico (Adware.RXToolbar) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32a.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\smdat32m.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Programme\ICQToolbar\toolbaru.dll (Adware.BHO) -> Quarantined and deleted successfully.